.. SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)

================
bpftool-cgroup
================
-------------------------------------------------------------------------------
tool for inspection and simple manipulation of eBPF progs
-------------------------------------------------------------------------------

:Manual section: 8

.. include:: substitutions.rst

SYNOPSIS
========

        **bpftool** [*OPTIONS*] **cgroup** *COMMAND*

        *OPTIONS* := { |COMMON_OPTIONS| | { **-f** | **--bpffs** } }

        *COMMANDS* :=
        { **show** | **list** | **tree** | **attach** | **detach** | **help** }

CGROUP COMMANDS
===============

|       **bpftool** **cgroup** { **show** | **list** } *CGROUP* [**effective**]
|       **bpftool** **cgroup tree** [*CGROUP_ROOT*] [**effective**]
|       **bpftool** **cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* [*ATTACH_FLAGS*]
|       **bpftool** **cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
|       **bpftool** **cgroup help**
|
|       *PROG* := { **id** *PROG_ID* | **pinned** *FILE* | **tag** *PROG_TAG* }
|       *ATTACH_TYPE* := { **cgroup_inet_ingress** | **cgroup_inet_egress** |
|               **cgroup_inet_sock_create** | **cgroup_sock_ops** |
|               **cgroup_device** | **cgroup_inet4_bind** | **cgroup_inet6_bind** |
|               **cgroup_inet4_post_bind** | **cgroup_inet6_post_bind** |
|               **cgroup_inet4_connect** | **cgroup_inet6_connect** |
|               **cgroup_inet4_getpeername** | **cgroup_inet6_getpeername** |
|               **cgroup_inet4_getsockname** | **cgroup_inet6_getsockname** |
|               **cgroup_udp4_sendmsg** | **cgroup_udp6_sendmsg** |
|               **cgroup_udp4_recvmsg** | **cgroup_udp6_recvmsg** |
|               **cgroup_sysctl** | **cgroup_getsockopt** | **cgroup_setsockopt** |
|               **cgroup_inet_sock_release** }
|       *ATTACH_FLAGS* := { **multi** | **override** }

DESCRIPTION
===========
        **bpftool cgroup { show | list }** *CGROUP* [**effective**]
                  List all programs attached to the cgroup *CGROUP*.

                  Output will start with program ID followed by attach type,
                  attach flags and program name.

                  If **effective** is specified, retrieve the effective programs
                  that will execute for events within a cgroup. This includes
                  inherited programs along with attached ones.

        **bpftool cgroup tree** [*CGROUP_ROOT*] [**effective**]
                  Iterate over all cgroups in *CGROUP_ROOT* and list all
                  attached programs. If *CGROUP_ROOT* is not specified,
                  bpftool uses the cgroup v2 mountpoint.

                  The output is similar to the output of the cgroup show/list
                  commands: it starts with the absolute cgroup path, followed by
                  program ID, attach type, attach flags and program name.

                  If **effective** is specified, retrieve the effective programs
                  that will execute for events within a cgroup. This includes
                  inherited programs along with attached ones.

        **bpftool cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* [*ATTACH_FLAGS*]
                  Attach program *PROG* to the cgroup *CGROUP* with attach type
                  *ATTACH_TYPE* and optional *ATTACH_FLAGS*.

                  *ATTACH_FLAGS* can be one of: **override** if a sub-cgroup installs
                  some bpf program, the program in this cgroup yields to the
                  sub-cgroup program; **multi** if a sub-cgroup installs some bpf
                  program, that cgroup program gets run in addition to the program
                  in this cgroup.

                  Only one program is allowed to be attached to a cgroup with
                  no attach flags or the **override** flag. Attaching another
                  program will release the old program and attach the new one.

                  Multiple programs are allowed to be attached to a cgroup with
                  **multi**. They are executed in FIFO order (those that were
                  attached first, run first).

                  Non-default *ATTACH_FLAGS* are supported by kernel version 4.14
                  and later.

                  *ATTACH_TYPE* can be one of:
                  **ingress** ingress path of the inet socket (since 4.10);
                  **egress** egress path of the inet socket (since 4.10);
                  **sock_create** opening of an inet socket (since 4.10);
                  **sock_ops** various socket operations (since 4.12);
                  **device** device access (since 4.15);
                  **bind4** call to bind(2) for an inet4 socket (since 4.17);
                  **bind6** call to bind(2) for an inet6 socket (since 4.17);
                  **post_bind4** return from bind(2) for an inet4 socket (since 4.17);
                  **post_bind6** return from bind(2) for an inet6 socket (since 4.17);
                  **connect4** call to connect(2) for an inet4 socket (since 4.17);
                  **connect6** call to connect(2) for an inet6 socket (since 4.17);
                  **sendmsg4** call to sendto(2), sendmsg(2), sendmmsg(2) for an
                  unconnected udp4 socket (since 4.18);
                  **sendmsg6** call to sendto(2), sendmsg(2), sendmmsg(2) for an
                  unconnected udp6 socket (since 4.18);
                  **recvmsg4** call to recvfrom(2), recvmsg(2), recvmmsg(2) for
                  an unconnected udp4 socket (since 5.2);
                  **recvmsg6** call to recvfrom(2), recvmsg(2), recvmmsg(2) for
                  an unconnected udp6 socket (since 5.2);
                  **sysctl** sysctl access (since 5.2);
                  **getsockopt** call to getsockopt (since 5.3);
                  **setsockopt** call to setsockopt (since 5.3);
                  **getpeername4** call to getpeername(2) for an inet4 socket (since 5.8);
                  **getpeername6** call to getpeername(2) for an inet6 socket (since 5.8);
                  **getsockname4** call to getsockname(2) for an inet4 socket (since 5.8);
                  **getsockname6** call to getsockname(2) for an inet6 socket (since 5.8);
                  **sock_release** closing a userspace inet socket (since 5.9).

        **bpftool cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
                  Detach *PROG* from the cgroup *CGROUP* and attach type
                  *ATTACH_TYPE*.

        **bpftool cgroup help**
                  Print short help message.

OPTIONS
=======
        .. include:: common_options.rst

        -f, --bpffs
                  Show file names of pinned programs.

EXAMPLES
========
|
| **# mount -t bpf none /sys/fs/bpf/**
| **# mkdir /sys/fs/cgroup/test.slice**
| **# bpftool prog load ./device_cgroup.o /sys/fs/bpf/prog**
| **# bpftool cgroup attach /sys/fs/cgroup/test.slice/ device id 1 multi**

**# bpftool cgroup list /sys/fs/cgroup/test.slice/**

::

    ID       AttachType      AttachFlags     Name
    1        device          allow_multi     bpf_prog1

|
| **# bpftool cgroup detach /sys/fs/cgroup/test.slice/ device id 1**
| **# bpftool cgroup list /sys/fs/cgroup/test.slice/**

::

    ID       AttachType      AttachFlags     Name
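
The following added example (not part of the bpftool documentation or source) audits the text output of **bpftool cgroup tree** for attachments made with **override**, which a sub-cgroup program can supersede, and for program names outside an allowlist. The output layout, the sample data and the names ``audit_cgroup_bpf`` and ``sample_tree`` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the text output of `bpftool cgroup tree`.
# Assumed layout: a cgroup path line starting with "/", followed by
# indented program lines "ID AttachType [AttachFlags] Name".

# audit_cgroup_bpf ALLOWED_NAME...   (reads tree output on stdin)
# Prints one finding per line:
#   OVERRIDE <cgroup> <id> <type> <name>  a sub-cgroup program can replace it
#   UNLISTED <cgroup> <id> <type> <name>  program name not in the allowlist
audit_cgroup_bpf() {
    awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "CgroupPath" || $1 == "ID" { next }   # column header lines
    /^\// { cg = $1; next }                     # absolute cgroup path
    $1 ~ /^[0-9]+$/ && NF >= 3 {
        id = $1; atype = $2
        # AttachFlags column is blank when no flag was set (assumes the
        # program has a non-empty name).
        if (NF >= 4) { flags = $3; name = $4 } else { flags = ""; name = $3 }
        if (flags == "override") print "OVERRIDE", cg, id, atype, name
        if (!(name in ok))       print "UNLISTED", cg, id, atype, name
    }'
}

# Constructed sample input, not captured from a real host.
sample_tree() {
    cat <<'EOF'
CgroupPath
ID       AttachType      AttachFlags     Name
/sys/fs/cgroup/test.slice
    1        device          multi           bpf_prog1
/sys/fs/cgroup/test.slice/child
    7        connect4        override        egress_policy
    9        ingress                         unknown_prog
EOF
}

# On a live system: bpftool cgroup tree | audit_cgroup_bpf bpf_prog1 egress_policy
sample_tree | audit_cgroup_bpf bpf_prog1 egress_policy
```

Running the same check against **bpftool cgroup tree** with **effective** also covers programs inherited from parent cgroups.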