diff options
| author | Lennart Poettering <lennart@poettering.net> | 2018-02-20 19:28:24 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2018-02-21 16:43:36 +0100 |
| commit | aa2b6f1d2b019de044f88851499acfef49350090 (patch) | |
| tree | 8181305386c8dfae3174337730b65c9246ad2e50 /src/core/unit.h | |
| parent | bpf-program: make bpf_program_load_kernel() idempotent (diff) | |
| download | systemd-aa2b6f1d2b019de044f88851499acfef49350090.tar.xz systemd-aa2b6f1d2b019de044f88851499acfef49350090.zip | |
bpf: rework how we keep track and attach cgroup bpf programs
So, the kernel's management of cgroup/BPF programs is a bit misdesigned:
if you attach a BPF program to a cgroup and close the fd for it it will
stay pinned to the cgroup with no chance of ever removing it again (or
otherwise getting ahold of it again), because the fd is used for
selecting which BPF program to detach. The only way to get rid of the
program again is to destroy the cgroup itself.
This is particularly bad for root the cgroup (and in fact any other
cgroup that we cannot realistically remove during runtime, such as
/system.slice, /init.scope or /system.slice/dbus.service) as getting rid
of the program only works by rebooting the system.
To counter this let's closely keep track to which cgroup a BPF program
is attached and let's implicitly detach the BPF program when we are
about to close the BPF fd.
This hence changes the bpf_program_cgroup_attach() function to track
where we attached the program and changes bpf_program_cgroup_detach() to
use this information. Moreover bpf_program_unref() will now implicitly
call bpf_program_cgroup_detach().
In order to simplify things, bpf_program_cgroup_attach() will now
implicitly invoke bpf_program_load_kernel() when necessary, simplifying
the caller's side.
Finally, this adds proper reference counting to BPF programs. This
is useful for working with two BPF programs in parallel: the BPF program
we are preparing for installation and the BPF program we so far
installed, shortening the window when we detach the old one and reattach
the new one.
Diffstat (limited to 'src/core/unit.h')
| -rw-r--r-- | src/core/unit.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/core/unit.h b/src/core/unit.h index 5cab2211bb..e903bf8ad7 100644 --- a/src/core/unit.h +++ b/src/core/unit.h @@ -287,8 +287,8 @@ struct Unit { int ipv4_deny_map_fd; int ipv6_deny_map_fd; - BPFProgram *ip_bpf_ingress; - BPFProgram *ip_bpf_egress; + BPFProgram *ip_bpf_ingress, *ip_bpf_ingress_installed; + BPFProgram *ip_bpf_egress, *ip_bpf_egress_installed; uint64_t ip_accounting_extra[_CGROUP_IP_ACCOUNTING_METRIC_MAX]; |