mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-19 21:56:48 +07:00
7723628101
== Problem description == It's useful to be able to identify cgroup associated with skb in TC so that a policy can be applied to this skb, and existing bpf_skb_cgroup_id helper can help with this. Though in real life cgroup hierarchy and hierarchy to apply a policy to don't map 1:1. It's often the case that there is a container and corresponding cgroup, but there are many more sub-cgroups inside container, e.g. because it's delegated to containerized application to control resources for its subsystems, or to separate application inside container from infra that belongs to containerization system (e.g. sshd). At the same time it may be useful to apply a policy to container as a whole. If multiple containers like this are run on a host (what is often the case) and many of them have sub-cgroups, it may not be possible to apply per-container policy in TC with existing helpers such as bpf_skb_under_cgroup or bpf_skb_cgroup_id: * bpf_skb_cgroup_id will return id of immediate cgroup associated with skb, i.e. if it's a sub-cgroup inside container, it can't be used to identify container's cgroup; * bpf_skb_under_cgroup can work only with one cgroup and doesn't scale, i.e. if there are N containers on a host and a policy has to be applied to M of them (0 <= M <= N), it'd require M calls to bpf_skb_under_cgroup, and, if M changes, it'd require to rebuild & load new BPF program. == Solution == The patch introduces new helper bpf_skb_ancestor_cgroup_id that can be used to get id of cgroup v2 that is an ancestor of cgroup associated with skb at specified level of cgroup hierarchy. That way admin can place all containers on one level of cgroup hierarchy (what is a good practice in general and already used in many configurations) and identify specific cgroup on this level no matter what sub-cgroup skb is associated with. E.g. if there is a cgroup hierarchy: root/ root/container1/ root/container1/app11/ root/container1/app11/sub-app-a/ root/container1/app12/ root/container2/ root/container2/app21/ root/container2/app22/ root/container2/app22/sub-app-b/ , then having skb associated with root/container1/app11/sub-app-a/ it's possible to get ancestor at level 1, what is container1 and apply policy for this container, or apply another policy if it's container2. Policies can be kept e.g. in a hash map where key is a container cgroup id and value is an action. Levels where container cgroups are created are usually known in advance whether cgroup hierarchy inside container may be hard to predict especially in case when its creation is delegated to containerized application. == Implementation details == The helper gets ancestor by walking parents up to specified level. Another option would be to get different kind of "id" from cgroup->ancestor_ids[level] and use it with idr_find() to get struct cgroup for ancestor. But that would require radix lookup what doesn't seem to be better (at least it's not obviously better). Format of return value of the new helper is same as that of bpf_skb_cgroup_id. Signed-off-by: Andrey Ignatov <rdna@fb.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
||
|---|---|---|
| .. | ||
| android | ||
| byteorder | ||
| caif | ||
| can | ||
| cifs | ||
| dvb | ||
| genwqe | ||
| hdlc | ||
| hsi | ||
| iio | ||
| isdn | ||
| mmc | ||
| netfilter | ||
| netfilter_arp | ||
| netfilter_bridge | ||
| netfilter_ipv4 | ||
| netfilter_ipv6 | ||
| nfsd | ||
| raid | ||
| sched | ||
| spi | ||
| sunrpc | ||
| tc_act | ||
| tc_ematch | ||
| usb | ||
| wimax | ||
| a.out.h | ||
| acct.h | ||
| adb.h | ||
| adfs_fs.h | ||
| affs_hardblocks.h | ||
| agpgart.h | ||
| aio_abi.h | ||
| am437x-vpfe.h | ||
| apm_bios.h | ||
| arcfb.h | ||
| arm_sdei.h | ||
| aspeed-lpc-ctrl.h | ||
| atalk.h | ||
| atm_eni.h | ||
| atm_he.h | ||
| atm_idt77105.h | ||
| atm_nicstar.h | ||
| atm_tcp.h | ||
| atm_zatm.h | ||
| atm.h | ||
| atmapi.h | ||
| atmarp.h | ||
| atmbr2684.h | ||
| atmclip.h | ||
| atmdev.h | ||
| atmioc.h | ||
| atmlec.h | ||
| atmmpc.h | ||
| atmppp.h | ||
| atmsap.h | ||
| atmsvc.h | ||
| audit.h | ||
| auto_dev-ioctl.h | ||
| auto_fs4.h | ||
| auto_fs.h | ||
| auxvec.h | ||
| ax25.h | ||
| b1lli.h | ||
| batadv_packet.h | ||
| batman_adv.h | ||
| baycom.h | ||
| bcache.h | ||
| bcm933xx_hcs.h | ||
| bfs_fs.h | ||
| binfmts.h | ||
| blkpg.h | ||
| blktrace_api.h | ||
| blkzoned.h | ||
| bpf_common.h | ||
| bpf_perf_event.h | ||
| bpf.h | ||
| bpfilter.h | ||
| bpqether.h | ||
| bsg.h | ||
| bt-bmc.h | ||
| btf.h | ||
| btrfs_tree.h | ||
| btrfs.h | ||
| can.h | ||
| capability.h | ||
| capi.h | ||
| cciss_defs.h | ||
| cciss_ioctl.h | ||
| cdrom.h | ||
| cec-funcs.h | ||
| cec.h | ||
| cgroupstats.h | ||
| chio.h | ||
| cm4000_cs.h | ||
| cn_proc.h | ||
| coda_psdev.h | ||
| coda.h | ||
| coff.h | ||
| connector.h | ||
| const.h | ||
| coresight-stm.h | ||
| cramfs_fs.h | ||
| cryptouser.h | ||
| cuda.h | ||
| cyclades.h | ||
| cycx_cfm.h | ||
| dcbnl.h | ||
| dccp.h | ||
| devlink.h | ||
| dlm_device.h | ||
| dlm_netlink.h | ||
| dlm_plock.h | ||
| dlm.h | ||
| dlmconstants.h | ||
| dm-ioctl.h | ||
| dm-log-userspace.h | ||
| dma-buf.h | ||
| dn.h | ||
| dqblk_xfs.h | ||
| edd.h | ||
| efs_fs_sb.h | ||
| elf-em.h | ||
| elf-fdpic.h | ||
| elf.h | ||
| elfcore.h | ||
| errno.h | ||
| errqueue.h | ||
| erspan.h | ||
| ethtool.h | ||
| eventpoll.h | ||
| fadvise.h | ||
| falloc.h | ||
| fanotify.h | ||
| fb.h | ||
| fcntl.h | ||
| fd.h | ||
| fdreg.h | ||
| fib_rules.h | ||
| fiemap.h | ||
| filter.h | ||
| firewire-cdev.h | ||
| firewire-constants.h | ||
| flat.h | ||
| fou.h | ||
| fs.h | ||
| fsl_hypervisor.h | ||
| fsmap.h | ||
| fuse.h | ||
| futex.h | ||
| gameport.h | ||
| gen_stats.h | ||
| genetlink.h | ||
| gfs2_ondisk.h | ||
| gigaset_dev.h | ||
| gpio.h | ||
| gsmmux.h | ||
| gtp.h | ||
| hash_info.h | ||
| hdlc.h | ||
| hdlcdrv.h | ||
| hdreg.h | ||
| hid.h | ||
| hiddev.h | ||
| hidraw.h | ||
| hpet.h | ||
| hsr_netlink.h | ||
| hw_breakpoint.h | ||
| hyperv.h | ||
| hysdn_if.h | ||
| i2c-dev.h | ||
| i2c.h | ||
| i2o-dev.h | ||
| i8k.h | ||
| icmp.h | ||
| icmpv6.h | ||
| if_addr.h | ||
| if_addrlabel.h | ||
| if_alg.h | ||
| if_arcnet.h | ||
| if_arp.h | ||
| if_bonding.h | ||
| if_bridge.h | ||
| if_cablemodem.h | ||
| if_eql.h | ||
| if_ether.h | ||
| if_fc.h | ||
| if_fddi.h | ||
| if_frad.h | ||
| if_hippi.h | ||
| if_infiniband.h | ||
| if_link.h | ||
| if_ltalk.h | ||
| if_macsec.h | ||
| if_packet.h | ||
| if_phonet.h | ||
| if_plip.h | ||
| if_ppp.h | ||
| if_pppol2tp.h | ||
| if_pppox.h | ||
| if_slip.h | ||
| if_team.h | ||
| if_tun.h | ||
| if_tunnel.h | ||
| if_vlan.h | ||
| if_x25.h | ||
| if_xdp.h | ||
| if.h | ||
| ife.h | ||
| igmp.h | ||
| ila.h | ||
| in6.h | ||
| in_route.h | ||
| in.h | ||
| inet_diag.h | ||
| inotify.h | ||
| input-event-codes.h | ||
| input.h | ||
| ioctl.h | ||
| ip6_tunnel.h | ||
| ip_vs.h | ||
| ip.h | ||
| ipc.h | ||
| ipmi_bmc.h | ||
| ipmi_msgdefs.h | ||
| ipmi.h | ||
| ipsec.h | ||
| ipv6_route.h | ||
| ipv6.h | ||
| ipx.h | ||
| irqnr.h | ||
| isdn_divertif.h | ||
| isdn_ppp.h | ||
| isdn.h | ||
| isdnif.h | ||
| iso_fs.h | ||
| ivtv.h | ||
| ivtvfb.h | ||
| jffs2.h | ||
| joystick.h | ||
| Kbuild | ||
| kcm.h | ||
| kcmp.h | ||
| kcov.h | ||
| kd.h | ||
| kdev_t.h | ||
| kernel-page-flags.h | ||
| kernel.h | ||
| kernelcapi.h | ||
| kexec.h | ||
| keyboard.h | ||
| keyctl.h | ||
| kfd_ioctl.h | ||
| kvm_para.h | ||
| kvm.h | ||
| l2tp.h | ||
| libc-compat.h | ||
| lightnvm.h | ||
| limits.h | ||
| lirc.h | ||
| llc.h | ||
| loop.h | ||
| lp.h | ||
| lwtunnel.h | ||
| magic.h | ||
| major.h | ||
| map_to_7segment.h | ||
| matroxfb.h | ||
| max2175.h | ||
| mdio.h | ||
| media-bus-format.h | ||
| media.h | ||
| mei.h | ||
| membarrier.h | ||
| memfd.h | ||
| mempolicy.h | ||
| meye.h | ||
| mic_common.h | ||
| mic_ioctl.h | ||
| mii.h | ||
| minix_fs.h | ||
| mman.h | ||
| mmtimer.h | ||
| module.h | ||
| mpls_iptunnel.h | ||
| mpls.h | ||
| mqueue.h | ||
| mroute6.h | ||
| mroute.h | ||
| msdos_fs.h | ||
| msg.h | ||
| mtio.h | ||
| n_r3964.h | ||
| nbd-netlink.h | ||
| nbd.h | ||
| ncsi.h | ||
| ndctl.h | ||
| neighbour.h | ||
| net_dropmon.h | ||
| net_namespace.h | ||
| net_tstamp.h | ||
| net.h | ||
| netconf.h | ||
| netdevice.h | ||
| netfilter_arp.h | ||
| netfilter_bridge.h | ||
| netfilter_decnet.h | ||
| netfilter_ipv4.h | ||
| netfilter_ipv6.h | ||
| netfilter.h | ||
| netlink_diag.h | ||
| netlink.h | ||
| netrom.h | ||
| nfc.h | ||
| nfs2.h | ||
| nfs3.h | ||
| nfs4_mount.h | ||
| nfs4.h | ||
| nfs_fs.h | ||
| nfs_idmap.h | ||
| nfs_mount.h | ||
| nfs.h | ||
| nfsacl.h | ||
| nilfs2_api.h | ||
| nilfs2_ondisk.h | ||
| nl80211.h | ||
| nsfs.h | ||
| nubus.h | ||
| nvme_ioctl.h | ||
| nvram.h | ||
| omap3isp.h | ||
| omapfb.h | ||
| oom.h | ||
| openvswitch.h | ||
| packet_diag.h | ||
| param.h | ||
| parport.h | ||
| patchkey.h | ||
| pci_regs.h | ||
| pci.h | ||
| pcitest.h | ||
| perf_event.h | ||
| personality.h | ||
| pfkeyv2.h | ||
| pg.h | ||
| phantom.h | ||
| phonet.h | ||
| pkt_cls.h | ||
| pkt_sched.h | ||
| pktcdvd.h | ||
| pmu.h | ||
| poll.h | ||
| posix_acl_xattr.h | ||
| posix_acl.h | ||
| posix_types.h | ||
| ppdev.h | ||
| ppp_defs.h | ||
| ppp-comp.h | ||
| ppp-ioctl.h | ||
| pps.h | ||
| pr.h | ||
| prctl.h | ||
| psample.h | ||
| psci.h | ||
| psp-sev.h | ||
| ptp_clock.h | ||
| ptrace.h | ||
| qemu_fw_cfg.h | ||
| qnx4_fs.h | ||
| qnxtypes.h | ||
| qrtr.h | ||
| quota.h | ||
| radeonfb.h | ||
| random.h | ||
| raw.h | ||
| rds.h | ||
| reboot.h | ||
| reiserfs_fs.h | ||
| reiserfs_xattr.h | ||
| resource.h | ||
| rfkill.h | ||
| rio_cm_cdev.h | ||
| rio_mport_cdev.h | ||
| romfs_fs.h | ||
| rose.h | ||
| route.h | ||
| rpmsg.h | ||
| rseq.h | ||
| rtc.h | ||
| rtnetlink.h | ||
| rxrpc.h | ||
| scc.h | ||
| sched.h | ||
| scif_ioctl.h | ||
| screen_info.h | ||
| sctp.h | ||
| sdla.h | ||
| seccomp.h | ||
| securebits.h | ||
| sed-opal.h | ||
| seg6_genl.h | ||
| seg6_hmac.h | ||
| seg6_iptunnel.h | ||
| seg6_local.h | ||
| seg6.h | ||
| selinux_netlink.h | ||
| sem.h | ||
| serial_core.h | ||
| serial_reg.h | ||
| serial.h | ||
| serio.h | ||
| shm.h | ||
| signal.h | ||
| signalfd.h | ||
| smc_diag.h | ||
| smc.h | ||
| smiapp.h | ||
| snmp.h | ||
| sock_diag.h | ||
| socket.h | ||
| sockios.h | ||
| sonet.h | ||
| sonypi.h | ||
| sound.h | ||
| soundcard.h | ||
| stat.h | ||
| stddef.h | ||
| stm.h | ||
| string.h | ||
| suspend_ioctls.h | ||
| swab.h | ||
| switchtec_ioctl.h | ||
| sync_file.h | ||
| synclink.h | ||
| sysctl.h | ||
| sysinfo.h | ||
| target_core_user.h | ||
| taskstats.h | ||
| tcp_metrics.h | ||
| tcp.h | ||
| tee.h | ||
| termios.h | ||
| thermal.h | ||
| time.h | ||
| timerfd.h | ||
| times.h | ||
| timex.h | ||
| tiocl.h | ||
| tipc_config.h | ||
| tipc_netlink.h | ||
| tipc_sockets_diag.h | ||
| tipc.h | ||
| tls.h | ||
| toshiba.h | ||
| tty_flags.h | ||
| tty.h | ||
| types.h | ||
| udf_fs_i.h | ||
| udp.h | ||
| uhid.h | ||
| uinput.h | ||
| uio.h | ||
| uleds.h | ||
| ultrasound.h | ||
| un.h | ||
| unistd.h | ||
| unix_diag.h | ||
| usbdevice_fs.h | ||
| usbip.h | ||
| userfaultfd.h | ||
| userio.h | ||
| utime.h | ||
| utsname.h | ||
| uuid.h | ||
| uvcvideo.h | ||
| v4l2-common.h | ||
| v4l2-controls.h | ||
| v4l2-dv-timings.h | ||
| v4l2-mediabus.h | ||
| v4l2-subdev.h | ||
| vbox_err.h | ||
| vbox_vmmdev_types.h | ||
| vboxguest.h | ||
| veth.h | ||
| vfio_ccw.h | ||
| vfio.h | ||
| vhost.h | ||
| videodev2.h | ||
| virtio_9p.h | ||
| virtio_balloon.h | ||
| virtio_blk.h | ||
| virtio_config.h | ||
| virtio_console.h | ||
| virtio_crypto.h | ||
| virtio_gpu.h | ||
| virtio_ids.h | ||
| virtio_input.h | ||
| virtio_mmio.h | ||
| virtio_net.h | ||
| virtio_pci.h | ||
| virtio_ring.h | ||
| virtio_rng.h | ||
| virtio_scsi.h | ||
| virtio_types.h | ||
| virtio_vsock.h | ||
| vm_sockets_diag.h | ||
| vm_sockets.h | ||
| vmcore.h | ||
| vsockmon.h | ||
| vt.h | ||
| vtpm_proxy.h | ||
| wait.h | ||
| wanrouter.h | ||
| watchdog.h | ||
| wimax.h | ||
| wireless.h | ||
| wmi.h | ||
| x25.h | ||
| xattr.h | ||
| xfrm.h | ||
| xilinx-v4l2-controls.h | ||
| zorro_ids.h | ||
| zorro.h | ||