Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-09 Thread Roman Gushchin 
On Fri, Dec 08, 2017 at 03:39:43PM +, Quentin Monnet wrote:
> 2017-12-08 14:12 UTC+ ~ Roman Gushchin 
> > On Fri, Dec 08, 2017 at 10:34:16AM +, Quentin Monnet wrote:
> >> 2017-12-07 18:39 UTC+ ~ Roman Gushchin 
> >>> This patch adds basic cgroup bpf operations to bpftool:
> >>> cgroup list, attach and detach commands.
> >>>
> >>> Usage is described in the corresponding man pages,
> >>> and examples are provided.
> > [...]
> >>> +MAP COMMANDS
> >>> +=
> >>> +
> >>> +|**bpftool** **cgroup list** *CGROUP*
> >>> +|**bpftool** **cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* 
> >>> [*ATTACH_FLAGS*]
> >>> +|**bpftool** **cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
> >>> +|**bpftool** **cgroup help**
> >>> +|
> >>> +|*PROG* := { **id** *PROG_ID* | **pinned** *FILE* | **tag** 
> >>> *PROG_TAG* }
> >>
> >> Could you please give the different possible values for ATTACH_TYPE and
> >> ATTACH_FLAGS, and provide some documentation for the flags?
> > 
> > I intentionally didn't include the list of possible values, as it depends
> > on the exact kernel version, and other bpftool docs are carefully avoiding
> > specifying such things.
> 
> Do they? As far as I can tell the only other bpftool command that uses
> flags is the `bpftool map update`, and it does specify the possible
> values for UPDATE_FLAGS (and document them) in the man page.

You are right about UPDATE_FLAGS, but at the same time we do
not describe bpf program attributes in prog show:
  **bpftool prog show** [*PROG*]
  Show information about loaded programs.  If *PROG* is
  specified show information only about given program, otherwise
  list all programs currently loaded on the system.

  Output will start with program ID followed by program type and
  zero or more named attributes (depending on kernel version).

I think, that actually ATTACH_TYPE is similar to PROGRAM_TYPE because
it will likely be extended in the following kernel versions.
So we should probably support specifying it in a numeric form too.

ATTACH_FLAGS are probably less volatile and will unlikely be extended often,
so we can describe them in docs and add a note about the kernel version
next time when a new flag will be added.

Anyway, I don't see any big problem in documenting current ATTACH_FLAG
and ATTACH_TYPE sets, if we think that it's a good way forward.

Thanks!

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-08 Thread Jakub Kicinski 
On Fri, 8 Dec 2017 09:52:16 -0700, David Ahern wrote:
> On 12/8/17 8:39 AM, Quentin Monnet wrote:
> > I don't believe compatibility is an issue here, since the program and
> > its documentation come together (so they should stay in sync) and are
> > part of the kernel tree (so the tool should be compatible with the
> > kernel sources it comes with). My concern is that there is no way to
> > guess from the current description what the values for ATTACH_FLAG or
> > ATTACH_TYPE can be, without reading the source code of the program—which
> > is not exactly user-friendly.
> 
> The tool should be backward and forward compatible across kernel
> versions. Running a newer command on an older kernel should fail in a
> deterministic. While the tool is in the kernel tree for ease of
> development, that should not be confused with having a direct tie to any
> kernel version.
>
> I believe man pages do include kernel version descriptions in flags
> (e.g., man 7 socket -- flags are denoted with "since Linux x.y") which
> is one way to handle it with the usual caveat that vendors might have
> backported support to earlier kernels.

Let's see if I understand correctly.  We have a list of hard coded
strings which the tool will recognize (static const char * const
attach_type_strings[]).  We should put that list into the man page and
help so users know what values are possible.  And in the "verbose"
part of the man section mark each flag with kernel version it was
introduced in.

Roman, would you agree this is the best way forward?

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-08 Thread David Ahern 
On 12/8/17 8:39 AM, Quentin Monnet wrote:
> I don't believe compatibility is an issue here, since the program and
> its documentation come together (so they should stay in sync) and are
> part of the kernel tree (so the tool should be compatible with the
> kernel sources it comes with). My concern is that there is no way to
> guess from the current description what the values for ATTACH_FLAG or
> ATTACH_TYPE can be, without reading the source code of the program—which
> is not exactly user-friendly.
> 

The tool should be backward and forward compatible across kernel
versions. Running a newer command on an older kernel should fail in a
deterministic. While the tool is in the kernel tree for ease of
development, that should not be confused with having a direct tie to any
kernel version.

I believe man pages do include kernel version descriptions in flags
(e.g., man 7 socket -- flags are denoted with "since Linux x.y") which
is one way to handle it with the usual caveat that vendors might have
backported support to earlier kernels.

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-08 Thread Quentin Monnet 
2017-12-08 14:12 UTC+ ~ Roman Gushchin 
> On Fri, Dec 08, 2017 at 10:34:16AM +, Quentin Monnet wrote:
>> 2017-12-07 18:39 UTC+ ~ Roman Gushchin 
>>> This patch adds basic cgroup bpf operations to bpftool:
>>> cgroup list, attach and detach commands.
>>>
>>> Usage is described in the corresponding man pages,
>>> and examples are provided.
> [...]
>>> +MAP COMMANDS
>>> +=
>>> +
>>> +|  **bpftool** **cgroup list** *CGROUP*
>>> +|  **bpftool** **cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* 
>>> [*ATTACH_FLAGS*]
>>> +|  **bpftool** **cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
>>> +|  **bpftool** **cgroup help**
>>> +|
>>> +|  *PROG* := { **id** *PROG_ID* | **pinned** *FILE* | **tag** *PROG_TAG* }
>>
>> Could you please give the different possible values for ATTACH_TYPE and
>> ATTACH_FLAGS, and provide some documentation for the flags?
> 
> I intentionally didn't include the list of possible values, as it depends
> on the exact kernel version, and other bpftool docs are carefully avoiding
> specifying such things.

Do they? As far as I can tell the only other bpftool command that uses
flags is the `bpftool map update`, and it does specify the possible
values for UPDATE_FLAGS (and document them) in the man page.

I don't believe compatibility is an issue here, since the program and
its documentation come together (so they should stay in sync) and are
part of the kernel tree (so the tool should be compatible with the
kernel sources it comes with). My concern is that there is no way to
guess from the current description what the values for ATTACH_FLAG or
ATTACH_TYPE can be, without reading the source code of the program—which
is not exactly user-friendly.

> 
> It would be nice to have a way to ask the kernel about provided bpf program 
> types,
> attach types, etc; but I'm not sure that hardcoding it in bpftool docs is
> a good idea.

They are coded into the bpftool that comes with the docs anyway :).

Quentin

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-08 Thread Roman Gushchin 
On Fri, Dec 08, 2017 at 02:56:15PM +0100, Philippe Ombredanne wrote:
> On Fri, Dec 8, 2017 at 11:34 AM, Quentin Monnet
>  wrote:
> > 2017-12-07 18:39 UTC+ ~ Roman Gushchin 
> >> This patch adds basic cgroup bpf operations to bpftool:
> >> cgroup list, attach and detach commands.
> 
> [...]
> >> --- /dev/null
> >> +++ b/tools/bpf/bpftool/cgroup.c
> >> @@ -0,0 +1,305 @@
> >> +/*
> >> + * Copyright (C) 2017 Facebook
> >> + *
> >> + * This program is free software; you can redistribute it and/or
> >> + * modify it under the terms of the GNU General Public License
> >> + * as published by the Free Software Foundation; either version
> >> + * 2 of the License, or (at your option) any later version.
> >> + *
> >> + *
> >> + */
> >> +
> 
> Roman,
> Have you considered using the simpler and new SPDX ids instead? e.g.:
> 
> // SPDX-License-Identifier: GPL-2.0+
> // Copyright (C) 2017 Facebook
> // Author: Roman Gushchin 
> 
> This would boost your code/comments ratio nicely IMHO.

Thanks, applied to v3!

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-08 Thread Roman Gushchin 
On Thu, Dec 07, 2017 at 02:23:06PM -0800, Jakub Kicinski wrote:
> On Thu, 7 Dec 2017 18:39:09 +, Roman Gushchin wrote:
> > This patch adds basic cgroup bpf operations to bpftool:
> > cgroup list, attach and detach commands.
> > 
> > Usage is described in the corresponding man pages,
> > and examples are provided.
> > 
> > Syntax:
> > $ bpftool cgroup list CGROUP
> > $ bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
> > $ bpftool cgroup detach CGROUP ATTACH_TYPE PROG
> > 
> > Signed-off-by: Roman Gushchin 
> 
> Looks good, a few very minor nits/questions below.
> 
> > diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
> > new file mode 100644
> > index ..88d67f74313f
> > --- /dev/null
> > +++ b/tools/bpf/bpftool/cgroup.c
> > @@ -0,0 +1,305 @@
> > +/*
> > + * Copyright (C) 2017 Facebook
> > + *
> > + * This program is free software; you can redistribute it and/or
> > + * modify it under the terms of the GNU General Public License
> > + * as published by the Free Software Foundation; either version
> > + * 2 of the License, or (at your option) any later version.
> > + *
> > + * Author: Roman Gushchin 
> > + */
> > +
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +
> > +#include 
> > +
> > +#include "main.h"
> > +
> > +static const char * const attach_type_strings[] = {
> > +   [BPF_CGROUP_INET_INGRESS] = "ingress",
> > +   [BPF_CGROUP_INET_EGRESS] = "egress",
> > +   [BPF_CGROUP_INET_SOCK_CREATE] = "sock_create",
> > +   [BPF_CGROUP_SOCK_OPS] = "sock_ops",
> > +   [BPF_CGROUP_DEVICE] = "device",
> > +   [__MAX_BPF_ATTACH_TYPE] = NULL,
> > +};
> > +
> > +static enum bpf_attach_type parse_attach_type(const char *str)
> > +{
> > +   enum bpf_attach_type type;
> > +
> > +   for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) {
> > +   if (attach_type_strings[type] &&
> > +   strcmp(str, attach_type_strings[type]) == 0)
> 
> Here and for matching flags you use straight strcmp(), not our locally
> defined is_prefix(), is this intentional?  is_prefix() allows
> abbreviations, like in iproute2 commands.  E.g. this would work:

Fixed in v3.

> 
> # bpftool cg att /sys/fs/cgroup/test.slice/ dev id 1 allow_multi
> 
> > +   return type;
> > +   }
> > +
> > +   return __MAX_BPF_ATTACH_TYPE;
> > +}
> 
> > +static int list_attached_bpf_progs(int cgroup_fd, enum bpf_attach_type 
> > type)
> > +{
> > +   __u32 attach_flags;
> > +   __u32 prog_ids[1024] = {0};
> > +   __u32 prog_cnt, iter;
> > +   char *attach_flags_str;
> > +   int ret;
> 
> nit: could you reorder the variables so they're listed longest to
>  shortest (reverse christmas tree)?
> 
> > +   prog_cnt = ARRAY_SIZE(prog_ids);
> > +   ret = bpf_prog_query(cgroup_fd, type, 0, _flags, prog_ids,
> > +_cnt);
> > +   if (ret)
> > +   return ret;
> > +
> > +   if (prog_cnt == 0)
> > +   return 0;
> > +
> > +   switch (attach_flags) {
> > +   case BPF_F_ALLOW_MULTI:
> > +   attach_flags_str = "allow_multi";
> > +   break;
> > +   case BPF_F_ALLOW_OVERRIDE:
> > +   attach_flags_str = "allow_override";
> > +   break;
> > +   case 0:
> > +   attach_flags_str = "";
> > +   break;
> > +   default:
> > +   attach_flags_str = "unknown";
> 
> nit: would it make sense to perhaps print flags in hex format in this
>  case?
> 
> > +   }
> > +
> > +   for (iter = 0; iter < prog_cnt; iter++)
> > +   list_bpf_prog(prog_ids[iter], attach_type_strings[type],
> > + attach_flags_str);
> > +
> > +   return 0;
> > +}
> 
> > +static int do_attach(int argc, char **argv)
> > +{
> > +   int cgroup_fd, prog_fd;
> > +   enum bpf_attach_type attach_type;
> > +   int attach_flags = 0;
> > +   int i;
> > +   int ret = -1;
> > +
> > +   if (argc < 4) {
> > +   p_err("too few parameters for cgroup attach\n");
> > +   goto exit;
> > +   }
> > +
> > +   cgroup_fd = open(argv[0], O_RDONLY);
> > +   if (cgroup_fd < 0) {
> > +   p_err("can't open cgroup %s\n", argv[1]);
> > +   goto exit;
> > +   }
> > +
> > +   attach_type = parse_attach_type(argv[1]);
> > +   if (attach_type == __MAX_BPF_ATTACH_TYPE) {
> > +   p_err("invalid attach type\n");
> > +   goto exit_cgroup;
> > +   }
> > +
> > +   argc -= 2;
> > +   argv = [2];
> > +   prog_fd = prog_parse_fd(, );
> > +   if (prog_fd < 0)
> > +   goto exit_cgroup;
> > +
> > +   for (i = 0; i < argc; i++) {
> > +   if (strcmp(argv[i], "allow_multi") == 0) {
> > +   attach_flags |= BPF_F_ALLOW_MULTI;
> > +   } else if (strcmp(argv[i], "allow_override") == 0) {
> > +   attach_flags |= BPF_F_ALLOW_OVERRIDE;
> 
> This is the other potential place for is_prefix() I referred to.

Not sure about this case, as allow_multi and allow_override have
a common "allow_" prefix, so it might

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-08 Thread Roman Gushchin 
On Fri, Dec 08, 2017 at 10:34:16AM +, Quentin Monnet wrote:
> 2017-12-07 18:39 UTC+ ~ Roman Gushchin 
> > This patch adds basic cgroup bpf operations to bpftool:
> > cgroup list, attach and detach commands.
> > 
> > Usage is described in the corresponding man pages,
> > and examples are provided.
[...]
> > +MAP COMMANDS
> > +=
> > +
> > +|  **bpftool** **cgroup list** *CGROUP*
> > +|  **bpftool** **cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* 
> > [*ATTACH_FLAGS*]
> > +|  **bpftool** **cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
> > +|  **bpftool** **cgroup help**
> > +|
> > +|  *PROG* := { **id** *PROG_ID* | **pinned** *FILE* | **tag** *PROG_TAG* }
> 
> Could you please give the different possible values for ATTACH_TYPE and
> ATTACH_FLAGS, and provide some documentation for the flags?

I intentionally didn't include the list of possible values, as it depends
on the exact kernel version, and other bpftool docs are carefully avoiding
specifying such things.

It would be nice to have a way to ask the kernel about provided bpf program 
types,
attach types, etc; but I'm not sure that hardcoding it in bpftool docs is
a good idea.

> 
> > +
> > +DESCRIPTION
> > +===
> > +   **bpftool cgroup list** *CGROUP*
> > + List all programs attached to the cgroup *CGROUP*.
> > +
> > + Output will start with program ID followed by attach type,
> > + attach flags and program name.
> > +
> > +   **bpftool cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* [*ATTACH_FLAGS*]
> > + Attach program *PROG* to the cgroup *CGROUP* with attach type
> > + *ATTACH_TYPE* and optional *ATTACH_FLAGS*.
[...]
> > +
> > +   attach_type = parse_attach_type(argv[1]);
> > +   if (attach_type == __MAX_BPF_ATTACH_TYPE) {
> > +   p_err("invalid attach type");
> > +   goto exit_cgroup;
> > +   }
> > +
> > +   argc -= 2;
> > +   argv = [2];
> > +   prog_fd = prog_parse_fd(, );
> > +   if (prog_fd < 0)
> > +   goto exit_cgroup;
> > +
> > +   if (bpf_prog_detach2(prog_fd, cgroup_fd, attach_type)) {
> > +   p_err("failed to attach program");
> 
> Failed to *detach* instead of “attach”.

Fixed.

> 
> > +   goto exit_prog;
> > +   }
> > +
> > +   if (json_output)
> > +   jsonw_null(json_wtr);
> > +
> > +   ret = 0;
> > +
> > +exit_prog:
> > +   close(prog_fd);
> > +exit_cgroup:
> > +   close(cgroup_fd);
> > +exit:
> > +   return ret;
> > +}
> 
> […]
> 
> Very nice work on this v2, thanks a lot!
> Quentin

Thank you for reviewing!

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-08 Thread Philippe Ombredanne 
On Fri, Dec 8, 2017 at 11:34 AM, Quentin Monnet
 wrote:
> 2017-12-07 18:39 UTC+ ~ Roman Gushchin 
>> This patch adds basic cgroup bpf operations to bpftool:
>> cgroup list, attach and detach commands.

[...]
>> --- /dev/null
>> +++ b/tools/bpf/bpftool/cgroup.c
>> @@ -0,0 +1,305 @@
>> +/*
>> + * Copyright (C) 2017 Facebook
>> + *
>> + * This program is free software; you can redistribute it and/or
>> + * modify it under the terms of the GNU General Public License
>> + * as published by the Free Software Foundation; either version
>> + * 2 of the License, or (at your option) any later version.
>> + *
>> + *
>> + */
>> +

Roman,
Have you considered using the simpler and new SPDX ids instead? e.g.:

// SPDX-License-Identifier: GPL-2.0+
// Copyright (C) 2017 Facebook
// Author: Roman Gushchin 

This would boost your code/comments ratio nicely IMHO.

For  reference please check Linus [1][2][3], Thomas [4] and Greg [5]
comments on the topic of C++ style // comments!

Jonathan also wrote a nice background article on the SPDXification
topic at LWN [6]


PS: and if you could spread the word at FB, that would we awesome!

[1] https://lkml.org/lkml/2017/11/2/715
[2] https://lkml.org/lkml/2017/11/25/125
[3] https://lkml.org/lkml/2017/11/25/133
[4] https://lkml.org/lkml/2017/11/2/805
[5] https://lkml.org/lkml/2017/10/19/165
[6] https://lwn.net/Articles/739183/

-- 
Cordially
Philippe Ombredanne

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-08 Thread Quentin Monnet 
2017-12-07 18:39 UTC+ ~ Roman Gushchin 
> This patch adds basic cgroup bpf operations to bpftool:
> cgroup list, attach and detach commands.
> 
> Usage is described in the corresponding man pages,
> and examples are provided.
> 
> Syntax:
> $ bpftool cgroup list CGROUP
> $ bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
> $ bpftool cgroup detach CGROUP ATTACH_TYPE PROG
> 
> Signed-off-by: Roman Gushchin 
> Cc: Alexei Starovoitov 
> Cc: Daniel Borkmann 
> Cc: Jakub Kicinski 
> Cc: Martin KaFai Lau 
> Cc: Quentin Monnet 
> Cc: David Ahern 
> ---
>  tools/bpf/bpftool/Documentation/bpftool-cgroup.rst |  92 +++
>  tools/bpf/bpftool/Documentation/bpftool-map.rst|   2 +-
>  tools/bpf/bpftool/Documentation/bpftool-prog.rst   |   2 +-
>  tools/bpf/bpftool/Documentation/bpftool.rst|   6 +-
>  tools/bpf/bpftool/cgroup.c | 305 
> +
>  tools/bpf/bpftool/main.c   |   3 +-
>  tools/bpf/bpftool/main.h   |   1 +
>  7 files changed, 406 insertions(+), 5 deletions(-)
>  create mode 100644 tools/bpf/bpftool/Documentation/bpftool-cgroup.rst
>  create mode 100644 tools/bpf/bpftool/cgroup.c
> 
> diff --git a/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst 
> b/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst
> new file mode 100644
> index ..61ded613aee1
> --- /dev/null
> +++ b/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst
> @@ -0,0 +1,92 @@
> +
> +bpftool-cgroup
> +
> +---
> +tool for inspection and simple manipulation of eBPF progs
> +---
> +
> +:Manual section: 8
> +
> +SYNOPSIS
> +
> +
> + **bpftool** [*OPTIONS*] **cgroup** *COMMAND*
> +
> + *OPTIONS* := { { **-j** | **--json** } [{ **-p** | **--pretty** }] | { 
> **-f** | **--bpffs** } }
> +
> + *COMMANDS* :=
> + { **list** | **attach** | **detach** | **help** }
> +
> +MAP COMMANDS
> +=
> +
> +|**bpftool** **cgroup list** *CGROUP*
> +|**bpftool** **cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* 
> [*ATTACH_FLAGS*]
> +|**bpftool** **cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
> +|**bpftool** **cgroup help**
> +|
> +|*PROG* := { **id** *PROG_ID* | **pinned** *FILE* | **tag** *PROG_TAG* }

Could you please give the different possible values for ATTACH_TYPE and
ATTACH_FLAGS, and provide some documentation for the flags?

> +
> +DESCRIPTION
> +===
> + **bpftool cgroup list** *CGROUP*
> +   List all programs attached to the cgroup *CGROUP*.
> +
> +   Output will start with program ID followed by attach type,
> +   attach flags and program name.
> +
> + **bpftool cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* [*ATTACH_FLAGS*]
> +   Attach program *PROG* to the cgroup *CGROUP* with attach type
> +   *ATTACH_TYPE* and optional *ATTACH_FLAGS*.
> +
> + **bpftool cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
> +   Detach *PROG* from the cgroup *CGROUP* and attach type
> +   *ATTACH_TYPE*.
> +
> + **bpftool prog help**
> +   Print short help message.

[…]

> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
> new file mode 100644
> index ..88d67f74313f
> --- /dev/null
> +++ b/tools/bpf/bpftool/cgroup.c
> @@ -0,0 +1,305 @@
> +/*
> + * Copyright (C) 2017 Facebook
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License
> + * as published by the Free Software Foundation; either version
> + * 2 of the License, or (at your option) any later version.
> + *
> + * Author: Roman Gushchin 
> + */
> +

[…]

> +static int do_detach(int argc, char **argv)
> +{
> + int prog_fd, cgroup_fd;
> + enum bpf_attach_type attach_type;
> + int ret = -1;
> +
> + if (argc < 4) {
> + p_err("too few parameters for cgroup detach\n");
> + goto exit;
> + }
> +
> + cgroup_fd = open(argv[0], O_RDONLY);
> + if (cgroup_fd < 0) {
> + p_err("can't open cgroup %s\n", argv[1]);
> + goto exit;
> + }
> +
> + attach_type = parse_attach_type(argv[1]);
> + if (attach_type == __MAX_BPF_ATTACH_TYPE) {
> + p_err("invalid attach type");
> + goto exit_cgroup;
> + }
> +
> + argc -= 2;
> + argv = [2];
> + prog_fd = prog_parse_fd(, );
> + if (prog_fd < 0)
> + goto exit_cgroup;
> +
> + if (bpf_prog_detach2(prog_fd, cgroup_fd, attach_type)) {
> + p_err("failed to attach program");

Failed to *detach*

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-07 Thread Philippe Ombredanne 
Roman,

On Thu, Dec 7, 2017 at 11:23 PM, Jakub Kicinski
 wrote:
> On Thu, 7 Dec 2017 18:39:09 +, Roman Gushchin wrote:
>> This patch adds basic cgroup bpf operations to bpftool:
>> cgroup list, attach and detach commands.
>>
>> Usage is described in the corresponding man pages,
>> and examples are provided.
>>
>> Syntax:
>> $ bpftool cgroup list CGROUP
>> $ bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
>> $ bpftool cgroup detach CGROUP ATTACH_TYPE PROG
>>
>> Signed-off-by: Roman Gushchin 
>
> Looks good, a few very minor nits/questions below.
>
>> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
>> new file mode 100644
>> index ..88d67f74313f
>> --- /dev/null
>> +++ b/tools/bpf/bpftool/cgroup.c
>> @@ -0,0 +1,305 @@
>> +/*
>> + * Copyright (C) 2017 Facebook
>> + *
>> + * This program is free software; you can redistribute it and/or
>> + * modify it under the terms of the GNU General Public License
>> + * as published by the Free Software Foundation; either version
>> + * 2 of the License, or (at your option) any later version.
>> + *
>> + * Author: Roman Gushchin 
>> + */

Have you considered using the new SPDX ids instead?
e.g. may be something like:
// SPDX-License-Identifier: GPL-2.0+
// Copyright (C) 2017 Facebook
// Author: Roman Gushchin 

Don't you love it with less boilerplate and a better code/comments ratio?
BTW the comment style may surprise you here: this is a suggestion, but
not just. Check the posts from Linus on this topic and Thomas's doc
patches for the rationale.

Thank you for your kind consideration!

-- 
Cordially
Philippe Ombredanne

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-07 Thread Jakub Kicinski 
On Thu, 7 Dec 2017 18:39:09 +, Roman Gushchin wrote:
> This patch adds basic cgroup bpf operations to bpftool:
> cgroup list, attach and detach commands.
> 
> Usage is described in the corresponding man pages,
> and examples are provided.
> 
> Syntax:
> $ bpftool cgroup list CGROUP
> $ bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
> $ bpftool cgroup detach CGROUP ATTACH_TYPE PROG
> 
> Signed-off-by: Roman Gushchin 

Looks good, a few very minor nits/questions below.

> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
> new file mode 100644
> index ..88d67f74313f
> --- /dev/null
> +++ b/tools/bpf/bpftool/cgroup.c
> @@ -0,0 +1,305 @@
> +/*
> + * Copyright (C) 2017 Facebook
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License
> + * as published by the Free Software Foundation; either version
> + * 2 of the License, or (at your option) any later version.
> + *
> + * Author: Roman Gushchin 
> + */
> +
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +
> +#include 
> +
> +#include "main.h"
> +
> +static const char * const attach_type_strings[] = {
> + [BPF_CGROUP_INET_INGRESS] = "ingress",
> + [BPF_CGROUP_INET_EGRESS] = "egress",
> + [BPF_CGROUP_INET_SOCK_CREATE] = "sock_create",
> + [BPF_CGROUP_SOCK_OPS] = "sock_ops",
> + [BPF_CGROUP_DEVICE] = "device",
> + [__MAX_BPF_ATTACH_TYPE] = NULL,
> +};
> +
> +static enum bpf_attach_type parse_attach_type(const char *str)
> +{
> + enum bpf_attach_type type;
> +
> + for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) {
> + if (attach_type_strings[type] &&
> + strcmp(str, attach_type_strings[type]) == 0)

Here and for matching flags you use straight strcmp(), not our locally
defined is_prefix(), is this intentional?  is_prefix() allows
abbreviations, like in iproute2 commands.  E.g. this would work:

# bpftool cg att /sys/fs/cgroup/test.slice/ dev id 1 allow_multi

> + return type;
> + }
> +
> + return __MAX_BPF_ATTACH_TYPE;
> +}

> +static int list_attached_bpf_progs(int cgroup_fd, enum bpf_attach_type type)
> +{
> + __u32 attach_flags;
> + __u32 prog_ids[1024] = {0};
> + __u32 prog_cnt, iter;
> + char *attach_flags_str;
> + int ret;

nit: could you reorder the variables so they're listed longest to
 shortest (reverse christmas tree)?

> + prog_cnt = ARRAY_SIZE(prog_ids);
> + ret = bpf_prog_query(cgroup_fd, type, 0, _flags, prog_ids,
> +  _cnt);
> + if (ret)
> + return ret;
> +
> + if (prog_cnt == 0)
> + return 0;
> +
> + switch (attach_flags) {
> + case BPF_F_ALLOW_MULTI:
> + attach_flags_str = "allow_multi";
> + break;
> + case BPF_F_ALLOW_OVERRIDE:
> + attach_flags_str = "allow_override";
> + break;
> + case 0:
> + attach_flags_str = "";
> + break;
> + default:
> + attach_flags_str = "unknown";

nit: would it make sense to perhaps print flags in hex format in this
 case?

> + }
> +
> + for (iter = 0; iter < prog_cnt; iter++)
> + list_bpf_prog(prog_ids[iter], attach_type_strings[type],
> +   attach_flags_str);
> +
> + return 0;
> +}

> +static int do_attach(int argc, char **argv)
> +{
> + int cgroup_fd, prog_fd;
> + enum bpf_attach_type attach_type;
> + int attach_flags = 0;
> + int i;
> + int ret = -1;
> +
> + if (argc < 4) {
> + p_err("too few parameters for cgroup attach\n");
> + goto exit;
> + }
> +
> + cgroup_fd = open(argv[0], O_RDONLY);
> + if (cgroup_fd < 0) {
> + p_err("can't open cgroup %s\n", argv[1]);
> + goto exit;
> + }
> +
> + attach_type = parse_attach_type(argv[1]);
> + if (attach_type == __MAX_BPF_ATTACH_TYPE) {
> + p_err("invalid attach type\n");
> + goto exit_cgroup;
> + }
> +
> + argc -= 2;
> + argv = [2];
> + prog_fd = prog_parse_fd(, );
> + if (prog_fd < 0)
> + goto exit_cgroup;
> +
> + for (i = 0; i < argc; i++) {
> + if (strcmp(argv[i], "allow_multi") == 0) {
> + attach_flags |= BPF_F_ALLOW_MULTI;
> + } else if (strcmp(argv[i], "allow_override") == 0) {
> + attach_flags |= BPF_F_ALLOW_OVERRIDE;

This is the other potential place for is_prefix() I referred to.

That reminds me - would you care to also update Quentin's bash
completions (tools/bpf/bpftool/bash-completion/bpftool)?  They 
are _very_ nice to have in day to day use!

> + } else {
> + p_err("unknown option: %s\n", argv[i]);
> + goto exit_cgroup;
> + }
> + }
> +
> + if

Re: [PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-07 Thread David Ahern 
On 12/7/17 11:39 AM, Roman Gushchin wrote:
> This patch adds basic cgroup bpf operations to bpftool:
> cgroup list, attach and detach commands.
> 
> Usage is described in the corresponding man pages,
> and examples are provided.
> 
> Syntax:
> $ bpftool cgroup list CGROUP
> $ bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
> $ bpftool cgroup detach CGROUP ATTACH_TYPE PROG
> 
> Signed-off-by: Roman Gushchin 
> Cc: Alexei Starovoitov 
> Cc: Daniel Borkmann 
> Cc: Jakub Kicinski 
> Cc: Martin KaFai Lau 
> Cc: Quentin Monnet 
> Cc: David Ahern 
> ---


LGTM.

Reviewed-by: David Ahern

[PATCH v2 net-next 4/4] bpftool: implement cgroup bpf operations

2017-12-07 Thread Roman Gushchin 
This patch adds basic cgroup bpf operations to bpftool:
cgroup list, attach and detach commands.

Usage is described in the corresponding man pages,
and examples are provided.

Syntax:
$ bpftool cgroup list CGROUP
$ bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
$ bpftool cgroup detach CGROUP ATTACH_TYPE PROG

Signed-off-by: Roman Gushchin 
Cc: Alexei Starovoitov 
Cc: Daniel Borkmann 
Cc: Jakub Kicinski 
Cc: Martin KaFai Lau 
Cc: Quentin Monnet 
Cc: David Ahern 
---
 tools/bpf/bpftool/Documentation/bpftool-cgroup.rst |  92 +++
 tools/bpf/bpftool/Documentation/bpftool-map.rst|   2 +-
 tools/bpf/bpftool/Documentation/bpftool-prog.rst   |   2 +-
 tools/bpf/bpftool/Documentation/bpftool.rst|   6 +-
 tools/bpf/bpftool/cgroup.c | 305 +
 tools/bpf/bpftool/main.c   |   3 +-
 tools/bpf/bpftool/main.h   |   1 +
 7 files changed, 406 insertions(+), 5 deletions(-)
 create mode 100644 tools/bpf/bpftool/Documentation/bpftool-cgroup.rst
 create mode 100644 tools/bpf/bpftool/cgroup.c

diff --git a/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst 
b/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst
new file mode 100644
index ..61ded613aee1
--- /dev/null
+++ b/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst
@@ -0,0 +1,92 @@
+
+bpftool-cgroup
+
+---
+tool for inspection and simple manipulation of eBPF progs
+---
+
+:Manual section: 8
+
+SYNOPSIS
+
+
+   **bpftool** [*OPTIONS*] **cgroup** *COMMAND*
+
+   *OPTIONS* := { { **-j** | **--json** } [{ **-p** | **--pretty** }] | { 
**-f** | **--bpffs** } }
+
+   *COMMANDS* :=
+   { **list** | **attach** | **detach** | **help** }
+
+MAP COMMANDS
+=
+
+|  **bpftool** **cgroup list** *CGROUP*
+|  **bpftool** **cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* 
[*ATTACH_FLAGS*]
+|  **bpftool** **cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
+|  **bpftool** **cgroup help**
+|
+|  *PROG* := { **id** *PROG_ID* | **pinned** *FILE* | **tag** *PROG_TAG* }
+
+DESCRIPTION
+===
+   **bpftool cgroup list** *CGROUP*
+ List all programs attached to the cgroup *CGROUP*.
+
+ Output will start with program ID followed by attach type,
+ attach flags and program name.
+
+   **bpftool cgroup attach** *CGROUP* *ATTACH_TYPE* *PROG* [*ATTACH_FLAGS*]
+ Attach program *PROG* to the cgroup *CGROUP* with attach type
+ *ATTACH_TYPE* and optional *ATTACH_FLAGS*.
+
+   **bpftool cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG*
+ Detach *PROG* from the cgroup *CGROUP* and attach type
+ *ATTACH_TYPE*.
+
+   **bpftool prog help**
+ Print short help message.
+
+OPTIONS
+===
+   -h, --help
+ Print short generic help message (similar to **bpftool 
help**).
+
+   -v, --version
+ Print version number (similar to **bpftool version**).
+
+   -j, --json
+ Generate JSON output. For commands that cannot produce JSON, 
this
+ option has no effect.
+
+   -p, --pretty
+ Generate human-readable JSON output. Implies **-j**.
+
+   -f, --bpffs
+ Show file names of pinned programs.
+
+EXAMPLES
+
+|
+| **# mount -t bpf none /sys/fs/bpf/**
+| **# mkdir /sys/fs/cgroup/test.slice**
+| **# bpftool prog load ./device_cgroup.o /sys/fs/bpf/prog**
+| **# bpftool cgroup attach /sys/fs/cgroup/test.slice/ device id 1 
allow_multi**
+
+**# bpftool cgroup list /sys/fs/cgroup/test.slice/**
+
+::
+
+ID   AttachType  AttachFlags Name
+1device  allow_multi bpf_prog1
+
+|
+| **# bpftool cgroup detach /sys/fs/cgroup/test.slice/ device id 1**
+| **# bpftool cgroup list /sys/fs/cgroup/test.slice/**
+
+::
+
+ID   AttachType  AttachFlags Name
+
+SEE ALSO
+
+   **bpftool**\ (8), **bpftool-prog**\ (8), **bpftool-map**\ (8)
diff --git a/tools/bpf/bpftool/Documentation/bpftool-map.rst 
b/tools/bpf/bpftool/Documentation/bpftool-map.rst
index 9f51a268eb06..421cabc417e6 100644
--- a/tools/bpf/bpftool/Documentation/bpftool-map.rst
+++ b/tools/bpf/bpftool/Documentation/bpftool-map.rst
@@ -128,4 +128,4 @@ EXAMPLES
 
 SEE ALSO
 
-   **bpftool**\ (8), **bpftool-prog**\ (8)
+   **bpftool**\ (8), **bpftool-prog**\ (8), **bpftool-cgroup**\ (8)
diff --git a/tools/bpf/bpftool/Documentation/bpftool-prog.rst 
b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
index 827b415f8ab6..61229a1779a3 100644
---