From: Daniel Borkmann <daniel@iogearbox.net>
To: Martin KaFai Lau <kafai@fb.com>
Cc: cgroups@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, Alexei Starovoitov <ast@fb.com>,
Tejun Heo <tj@kernel.org>,
kernel-team@fb.com
Subject: Re: [PATCH net-next v2 2/4] cgroup: bpf: Add BPF_MAP_TYPE_CGROUP_ARRAY
Date: Thu, 23 Jun 2016 23:50:08 +0200 [thread overview]
Message-ID: <576C5990.9000300@iogearbox.net> (raw)
In-Reply-To: <20160623212616.GA90834@kafai-mba.DHCP.thefacebook.com>
On 06/23/2016 11:26 PM, Martin KaFai Lau wrote:
> On Thu, Jun 23, 2016 at 11:42:31AM +0200, Daniel Borkmann wrote:
>> Hi Martin,
>>
>> [ sorry to jump late in here, on pto currently ]
> Thanks for reviewing.
>
>> Could you describe a bit more with regards to pinning maps and how this
>> should interact with cgroups? The two specialized array maps we have (tail
>> calls, perf events) have fairly complicated semantics for when to clean up
>> map slots (see commits c9da161c6517ba1, 3b1efb196eee45b2f0c4).
>>
>> How is this managed with cgroups? Once a cgroup fd is placed into a map and
>> the user removes the cgroup, will this be prevented due to 'being busy', or
>> will the cgroup live further as long as a program is running with a cgroup
>> map entry (but the cgroup itself is not visible from user space in any way
>> anymore)?
> Having a cgroup ptr stored in the bpf_map will not stop the user from
> removing the cgroup (by rmdir /mnt/cgroup2/tc/test_cgrp).
Right.
> The cgroup ptr stored in the bpf_map holds a refcnt which answer the
> second part.
Yep, clear.
> The situation is similar to the netfilter usecase in
> commit 38c4597e4bf ("netfilter: implement xt_cgroup cgroup2 path match")
>
>> I presume it's a valid use case to pin a cgroup map, put fds into it and
>> remove the pinned file expecting to continue to match on it, right? So
>> lifetime is really until last prog using a cgroup map somewhere gets removed
>> (even if not accessible from user space anymore, meaning no prog has fd and
>> pinned file was removed).
> Yes.
>
> We are still hatching out how to set this up in production. However, the
> situation is similar to removing the pinned file.
I presume you mean removing the last BPF program holding a reference on
the cgroup array map. (Any user space visibility like struct files given
from the anon inode and pinnings are tracked via uref, btw, which is
needed to break possible complex dependencies among tail called programs.)
But dropping cgroup ref at latest when the last map ref is dropped as you
currently do seems fine. It makes cgroup array maps effectively no different
from plain regular array maps.
> We probably will not use tc and pin a bpf_map to do that. Instead,
> one process will setup eveything (e.g. create the cgroup, pouplate the
> cgroup map, load the bpf to egress) and then go away.
Yep, that seems a valid case as well, both use cases (pinned and non-pinned)
should be fine with your code then.
Thanks,
Daniel
next prev parent reply other threads:[~2016-06-23 21:50 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-22 21:17 [PATCH net-next v2 0/4] cgroup: bpf: cgroup2 membership test on skb Martin KaFai Lau
2016-06-22 21:17 ` [PATCH net-next v2 1/4] cgroup: Add cgroup_get_from_fd Martin KaFai Lau
2016-06-23 21:11 ` Tejun Heo
[not found] ` <1466630252-3822277-1-git-send-email-kafai-b10kYP2dOMg@public.gmane.org>
2016-06-22 21:17 ` [PATCH net-next v2 2/4] cgroup: bpf: Add BPF_MAP_TYPE_CGROUP_ARRAY Martin KaFai Lau
[not found] ` <1466630252-3822277-3-git-send-email-kafai-b10kYP2dOMg@public.gmane.org>
2016-06-23 9:42 ` Daniel Borkmann
[not found] ` <576BAF07.4020302-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2016-06-23 21:13 ` Tejun Heo
[not found] ` <20160623211326.GK3262-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-06-23 21:33 ` Daniel Borkmann
2016-06-23 21:26 ` Martin KaFai Lau
2016-06-23 21:50 ` Daniel Borkmann [this message]
2016-06-23 22:10 ` Martin KaFai Lau
2016-06-22 21:17 ` [PATCH net-next v2 3/4] cgroup: bpf: Add bpf_skb_in_cgroup_proto Martin KaFai Lau
[not found] ` <1466630252-3822277-4-git-send-email-kafai-b10kYP2dOMg@public.gmane.org>
2016-06-23 9:53 ` Daniel Borkmann
[not found] ` <576BB1AE.5080605-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2016-06-23 16:54 ` Martin KaFai Lau
[not found] ` <20160623165449.GC82305-ik1955jzaFFGY1KPJGhogQ@public.gmane.org>
2016-06-23 20:07 ` Daniel Borkmann
2016-06-23 21:41 ` Martin KaFai Lau
2016-06-29 14:36 ` kbuild test robot
2016-06-22 21:17 ` [PATCH net-next v2 4/4] cgroup: bpf: Add an example to do cgroup checking in BPF Martin KaFai Lau
[not found] ` <1466630252-3822277-5-git-send-email-kafai-b10kYP2dOMg@public.gmane.org>
2016-06-23 9:58 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=576C5990.9000300@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=ast@fb.com \
--cc=cgroups@vger.kernel.org \
--cc=kafai@fb.com \
--cc=kernel-team@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).