.. SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)

================
bpftool-cgroup
================
-------------------------------------------------------------------------------
tool for inspection and simple manipulation of eBPF progs
-------------------------------------------------------------------------------

:Manual section: 8

.. include:: substitutions.rst

SYNOPSIS
========

	**bpftool** [*OPTIONS*] **cgroup** *COMMAND*

	*OPTIONS* := { |COMMON_OPTIONS| | { **-f** | **--bpffs** } }

	*COMMANDS* :=
	{ **show** | **list** | **tree** | **attach** | **detach** | **help** }

CGROUP COMMANDS
===============

|	**bpftool** **cgroup** { **show** | **list** } *CGROUP* [**effective**]
|	**bpftool** **cgroup tree** [*CGROUP_ROOT*] [**effective**]
|	**bpftool** **cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* [*ATTACH_FLAGS*]
|	**bpftool** **cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
|	**bpftool** **cgroup help**
|
|	*PROG* := { **id** *PROG_ID* | **pinned** *FILE* | **tag** *PROG_TAG* }
|	*ATTACH_TYPE* := { **cgroup_inet_ingress** | **cgroup_inet_egress** |
|		**cgroup_inet_sock_create** | **cgroup_sock_ops** |
|		**cgroup_device** | **cgroup_inet4_bind** | **cgroup_inet6_bind** |
|		**cgroup_inet4_post_bind** | **cgroup_inet6_post_bind** |
|		**cgroup_inet4_connect** | **cgroup_inet6_connect** |
|		**cgroup_inet4_getpeername** | **cgroup_inet6_getpeername** |
|		**cgroup_inet4_getsockname** | **cgroup_inet6_getsockname** |
|		**cgroup_udp4_sendmsg** | **cgroup_udp6_sendmsg** |
|		**cgroup_udp4_recvmsg** | **cgroup_udp6_recvmsg** |
|		**cgroup_sysctl** | **cgroup_getsockopt** | **cgroup_setsockopt** |
|		**cgroup_inet_sock_release** }
|	*ATTACH_FLAGS* := { **multi** | **override** }

DESCRIPTION
===========
	**bpftool cgroup { show | list }** *CGROUP* [**effective**]
		List all programs attached to the cgroup *CGROUP*.

		Output will start with program ID followed by attach type,
		attach flags and program name.

		If **effective** is specified, retrieve the effective programs
		that will execute for events within a cgroup. This includes
		inherited programs along with attached ones.

	**bpftool cgroup tree** [*CGROUP_ROOT*] [**effective**]
		Iterate over all cgroups in *CGROUP_ROOT* and list all
		attached programs. If *CGROUP_ROOT* is not specified,
		bpftool uses the cgroup v2 mountpoint.

		The output is similar to the output of cgroup show/list
		commands: it starts with absolute cgroup path, followed by
		program ID, attach type, attach flags and program name.

		If **effective** is specified, retrieve the effective programs
		that will execute for events within a cgroup. This includes
		inherited programs along with attached ones.

	**bpftool cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* [*ATTACH_FLAGS*]
		Attach program *PROG* to the cgroup *CGROUP* with attach type
		*ATTACH_TYPE* and optional *ATTACH_FLAGS*.

		*ATTACH_FLAGS* can be one of: **override** if a sub-cgroup installs
		some bpf program, the program in this cgroup yields to sub-cgroup
		program; **multi** if a sub-cgroup installs some bpf program,
		that cgroup program gets run in addition to the program in this
		cgroup.

		Only one program is allowed to be attached to a cgroup with
		no attach flags or the **override** flag. Attaching another
		program will release the old program and attach the new one.

		Multiple programs are allowed to be attached to a cgroup with
		**multi**. They are executed in FIFO order (those that were
		attached first, run first).

		Non-default *ATTACH_FLAGS* are supported by kernel version 4.14
		and later.

		*ATTACH_TYPE* can be one of:
		**ingress** ingress path of the inet socket (since 4.10);
		**egress** egress path of the inet socket (since 4.10);
		**sock_create** opening of an inet socket (since 4.10);
		**sock_ops** various socket operations (since 4.12);
		**device** device access (since 4.15);
		**bind4** call to bind(2) for an inet4 socket (since 4.17);
		**bind6** call to bind(2) for an inet6 socket (since 4.17);
		**post_bind4** return from bind(2) for an inet4 socket (since 4.17);
		**post_bind6** return from bind(2) for an inet6 socket (since 4.17);
		**connect4** call to connect(2) for an inet4 socket (since 4.17);
		**connect6** call to connect(2) for an inet6 socket (since 4.17);
		**sendmsg4** call to sendto(2), sendmsg(2), sendmmsg(2) for an
		unconnected udp4 socket (since 4.18);
		**sendmsg6** call to sendto(2), sendmsg(2), sendmmsg(2) for an
		unconnected udp6 socket (since 4.18);
		**recvmsg4** call to recvfrom(2), recvmsg(2), recvmmsg(2) for
		an unconnected udp4 socket (since 5.2);
		**recvmsg6** call to recvfrom(2), recvmsg(2), recvmmsg(2) for
		an unconnected udp6 socket (since 5.2);
		**sysctl** sysctl access (since 5.2);
		**getsockopt** call to getsockopt (since 5.3);
		**setsockopt** call to setsockopt (since 5.3);
		**getpeername4** call to getpeername(2) for an inet4 socket (since 5.8);
		**getpeername6** call to getpeername(2) for an inet6 socket (since 5.8);
		**getsockname4** call to getsockname(2) for an inet4 socket (since 5.8);
		**getsockname6** call to getsockname(2) for an inet6 socket (since 5.8);
		**sock_release** closing a userspace inet socket (since 5.9).

	**bpftool cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
		Detach *PROG* from the cgroup *CGROUP* and attach type
		*ATTACH_TYPE*.

	**bpftool cgroup help**
		Print short help message.

OPTIONS
=======
	.. include:: common_options.rst

	-f, --bpffs
		Show file names of pinned programs.

EXAMPLES
========
|
| **# mount -t bpf none /sys/fs/bpf/**
| **# mkdir /sys/fs/cgroup/test.slice**
| **# bpftool prog load ./device_cgroup.o /sys/fs/bpf/prog**
| **# bpftool cgroup attach /sys/fs/cgroup/test.slice/ device id 1 allow_multi**

**# bpftool cgroup list /sys/fs/cgroup/test.slice/**

::

    ID       AttachType      AttachFlags     Name
    1        device          allow_multi     bpf_prog1

|
| **# bpftool cgroup detach /sys/fs/cgroup/test.slice/ device id 1**
| **# bpftool cgroup list /sys/fs/cgroup/test.slice/**

::

    ID       AttachType      AttachFlags     Name
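An added example, not part of the bpftool documentation or source: a Python audit over the plain-text **bpftool cgroup tree** listing that reports programs outside an allowlist, and allowlisted programs attached with **override**, which the DESCRIPTION says yield to a sub-cgroup program. The sample listing, the allowlist and the function names are constructed for illustration.

```python
# Constructed sample of `bpftool cgroup tree` output, following the layout the
# DESCRIPTION gives: cgroup path, then ID, attach type, attach flags, name.
SAMPLE = """\
CgroupPath
ID       AttachType      AttachFlags     Name
/sys/fs/cgroup/system.slice
    11       device          multi           dev_policy
    12       egress          override        egress_filter
/sys/fs/cgroup/test.slice
    27       connect4                        unknown_prog
"""

KNOWN_FLAGS = {"multi", "override", "allow_multi"}  # flag spellings used on this page
ALLOWED = {("device", "dev_policy"), ("egress", "egress_filter")}  # hypothetical policy


def parse_tree(text):
    """Yield (cgroup, prog_id, attach_type, flags, name) for each attached program."""
    cgroup = None
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("/"):
            cgroup = line.strip()  # an absolute cgroup path opens a new group
        elif cgroup and len(fields) >= 2 and fields[0].isdigit():
            prog_id, attach_type, rest = int(fields[0]), fields[1], fields[2:]
            # The flags column is blank when a program was attached with no flags,
            # so only treat the next token as flags if it is a known spelling.
            flags = rest.pop(0) if rest and rest[0] in KNOWN_FLAGS else ""
            name = rest[0] if rest else ""
            yield cgroup, prog_id, attach_type, flags, name


def audit(text, allowed):
    """Return (cgroup, prog_id, reason) for every attachment worth reviewing."""
    findings = []
    for cgroup, prog_id, attach_type, flags, name in parse_tree(text):
        if (attach_type, name) not in allowed:
            findings.append((cgroup, prog_id, "not in allowlist"))
        elif flags == "override":
            # Per the attach-flag semantics, a sub-cgroup program takes over.
            findings.append((cgroup, prog_id, "yields to sub-cgroup program"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWED):
        print(*finding)
```

On a live host the text would come from running **bpftool cgroup tree** as root; matching on program name alone is weak, so pair it with the program tag or pinned path where available.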