Custom cgroup-BPF programs in systemd
ASG 2019
Julia Kartseva
20.09.2019
Agenda
1) BPF intro
2) Present state of BPF in systemd
3) High level goals and milestones of this work
4) libbpf: motivation, limitations, future work
5) Discussion topics: object file vs. restricted C
BPF programs in systemd: present
• src/core/bpf-firewall.[ch], src/core/bpf-devices.[ch]
  • BPF assembly instructions
• Kernel sources copy-paste
  • include/uapi/linux/bpf.h
  • libbpf helpers copy-paste
• Limited custom BPF program support in bpf-firewall was added in PR 2419
  • IP(Ingress|Egress)FilterPath option
  • Programs are attached to bpffs
  • BPF_PROG_TYPE_CGROUP_SKB only
  • Hardcoded BPF_F_ALLOW_MULTI flag
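As an added illustration (not from the slides and not systemd code), this is what a user-supplied restricted-C program of type BPF_PROG_TYPE_CGROUP_SKB for the IP(Ingress|Egress)FilterPath option can look like. The IPv6-only policy, the file name `v6only.c` and the pin path `/sys/fs/bpf/v6only` are assumptions made for the example.

```c
/* Added example: restricted-C cgroup/skb filter (constructed, not systemd code).
 *
 * Build and pin on bpffs (file name and pin path are assumptions):
 *   clang -O2 -target bpf -c v6only.c -o v6only.o
 *   bpftool prog load v6only.o /sys/fs/bpf/v6only type cgroup/skb
 *
 * Reference the pinned program from a unit:
 *   [Service]
 *   IPEgressFilterPath=/sys/fs/bpf/v6only
 */
#include <linux/bpf.h>
#include <linux/if_ether.h>

/* Place a symbol in a named ELF section so the loader can find it. */
#define SEC(name) __attribute__((section(name), used))

/* skb->protocol is in network byte order; build constants to match. */
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define HTONS(x) ((__u16)__builtin_bswap16(x))
#else
#define HTONS(x) ((__u16)(x))
#endif

#define VERDICT_DROP 0 /* cgroup/skb: returning 0 drops the packet */
#define VERDICT_PASS 1 /* cgroup/skb: returning 1 lets it through */

/* Pass IPv6 traffic of the cgroup, drop everything else (IPv4). */
SEC("cgroup/skb")
int v6only(struct __sk_buff *skb)
{
    if (skb->protocol == HTONS(ETH_P_IPV6))
        return VERDICT_PASS;
    return VERDICT_DROP;
}

char _license[] SEC("license") = "GPL";
```

The same source also builds with a host compiler, which makes the verdict logic testable without loading anything into the kernel.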
BPF programs in systemd: goals
• To improve user experience
  • User-defined BPF programs are easy to introduce, maintain and deploy
• To improve systemd developer experience
  • BPF infra is transparent for non-BPF developers
  • Fewer implementation details, e.g. hardcoded kernel version if-else blocks
  • New features come out-of-the-box
BPF programs in systemd: milestones
• Iteration #0: past
  • bpf_insn and limited custom BPF progs support
• Iteration #1: WIP
  • bpf_insn and extended custom BPF progs support
  • PR 13496
    - BPFFS is still in use
    - Various cgroup BPF program types are supported
    - Attach flags are exposed to a user
• Iterations #2…: future
  • libbpf
  • Pre-built object file vs. restricted C program
BPF programs in systemd: libbpf motivation
• To get some help from libbpf helpers
  • bpf_object__load
  • bpf_object__open_buffer
• To have new features with new libbpf package
  • BTF support [1]
• To dodge kernel awareness and other implementation details
  • CO-RE initiative [2][3]
BPF programs in systemd: libbpf present limitations
• git submodule: PR 12151
  • Didn't go through
  • Exposed libbpf testability concerns
• A tested libbpf package: WIP
  • Fedora, Debian distros have libbpf packaged from kernel sources
  • Travis CI is added to libbpf
BPF programs in systemd: libbpf further work
• Testability
  • QEMU to test backward compatibility w/ older kernels
  • Tests ported from kernel-sources tools/testing/selftests/bpf are run on every PR
• Packaging
  • Switch from libbpf package built from kernel sources to GitHub mirror
  • Fedora RPM from GH mirror is on its way
  • Help from Debian maintainers is wanted
BPF programs in systemd: object file vs. restricted C source code
• Object file
  • Built manually from C program
  • Stored in BE and LE in systemd repo
  • Need to be kept in sync with C code
• Restricted C code
  • BREAKING NEWS: BPF support is added to gcc [4]
  • C programs are stored in systemd repo
  • meson build rules to compile BPF programs into hexdump placeholder
    - No runtime clang dependency for cgroup BPF programs
BPF programs in systemd: references
[1] Enhancing the Linux kernel with BTF type information, Andrii Nakryiko
    https://facebookmicrosites.github.io/bpf/blog/2018/11/14/btf-enhancement.html
[2] Binary portability for BPF programs, Jonathan Corbet
    https://lwn.net/Articles/773198/
[3] Bringing BPF dev experience to the next level, Andrii Nakryiko
    https://linuxplumbersconf.org/event/4/contributions/448/attachments/345/575/bpf-usability.pdf
[4] eBPF support in the GNU Toolchain, Jose E. Marchesi
    https://linuxplumbersconf.org/event/4/contributions/400/attachments/350/580/LPC-2019 toolchains-bpf-gcc.pdf
Questions?