Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-30 Thread Andrew Melnichenko
Hi, all. Thank you for ur comments. I've tested few possible solutions and I'll prepare new patches for RFC with mmap() based eBPF in the near future. On Tue, Jun 29, 2021 at 6:39 AM Jason Wang wrote: > > 在 2021/6/28 下午7:18, Yuri Benditovich 写道: > > On Wed, Jun 23, 2021 at 3:47 AM Jason Wang

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-28 Thread Jason Wang
在 2021/6/28 下午7:18, Yuri Benditovich 写道: On Wed, Jun 23, 2021 at 3:47 AM Jason Wang wrote: 在 2021/6/22 下午5:09, Toke Høiland-Jørgensen 写道: Daniel P. Berrangé writes: On Tue, Jun 22, 2021 at 10:25:19AM +0200, Toke Høiland-Jørgensen wrote: Jason Wang writes: 在 2021/6/22 上午11:29, Yuri

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-28 Thread Yuri Benditovich
On Wed, Jun 23, 2021 at 3:47 AM Jason Wang wrote: > > > 在 2021/6/22 下午5:09, Toke Høiland-Jørgensen 写道: > > Daniel P. Berrangé writes: > > > >> On Tue, Jun 22, 2021 at 10:25:19AM +0200, Toke Høiland-Jørgensen wrote: > >>> Jason Wang writes: > >>> > 在 2021/6/22 上午11:29, Yuri Benditovich 写道:

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-22 Thread Jason Wang
在 2021/6/22 下午5:09, Toke Høiland-Jørgensen 写道: Daniel P. Berrangé writes: On Tue, Jun 22, 2021 at 10:25:19AM +0200, Toke Høiland-Jørgensen wrote: Jason Wang writes: 在 2021/6/22 上午11:29, Yuri Benditovich 写道: On Mon, Jun 21, 2021 at 12:20 PM Jason Wang wrote: 在 2021/6/19 上午4:03, Andrew

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-22 Thread Toke Høiland-Jørgensen
Andrew Melnichenko writes: > Hi, > Thank you for your comments. > I'll play with array type mmap. And later will provide some solution. Cool - you're welcome! :) -Toke

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-22 Thread Andrew Melnichenko
Hi, Thank you for your comments. I'll play with array type mmap. And later will provide some solution. On Tue, Jun 22, 2021 at 12:09 PM Toke Høiland-Jørgensen wrote: > Daniel P. Berrangé writes: > > > On Tue, Jun 22, 2021 at 10:25:19AM +0200, Toke Høiland-Jørgensen wrote: > >> Jason Wang

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-22 Thread Toke Høiland-Jørgensen
Daniel P. Berrangé writes: > On Tue, Jun 22, 2021 at 10:25:19AM +0200, Toke Høiland-Jørgensen wrote: >> Jason Wang writes: >> >> > 在 2021/6/22 上午11:29, Yuri Benditovich 写道: >> >> On Mon, Jun 21, 2021 at 12:20 PM Jason Wang wrote: >> >>> >> >>> 在 2021/6/19 上午4:03, Andrew Melnichenko 写道: >>

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-22 Thread Daniel P . Berrangé
On Tue, Jun 22, 2021 at 10:25:19AM +0200, Toke Høiland-Jørgensen wrote: > Jason Wang writes: > > > 在 2021/6/22 上午11:29, Yuri Benditovich 写道: > >> On Mon, Jun 21, 2021 at 12:20 PM Jason Wang wrote: > >>> > >>> 在 2021/6/19 上午4:03, Andrew Melnichenko 写道: > Hi Jason, > I've checked

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-22 Thread Toke Høiland-Jørgensen
Jason Wang writes: > 在 2021/6/22 上午11:29, Yuri Benditovich 写道: >> On Mon, Jun 21, 2021 at 12:20 PM Jason Wang wrote: >>> >>> 在 2021/6/19 上午4:03, Andrew Melnichenko 写道: Hi Jason, I've checked "kernel.unprivileged_bpf_disabled=0" on Fedora, Ubuntu, and Debian - no need permissions

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-21 Thread Jason Wang
在 2021/6/22 上午11:29, Yuri Benditovich 写道: On Mon, Jun 21, 2021 at 12:20 PM Jason Wang wrote: 在 2021/6/19 上午4:03, Andrew Melnichenko 写道: Hi Jason, I've checked "kernel.unprivileged_bpf_disabled=0" on Fedora, Ubuntu, and Debian - no need permissions to update BPF maps. How about RHEL :) ?

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-21 Thread Yuri Benditovich
On Mon, Jun 21, 2021 at 12:20 PM Jason Wang wrote: > > > 在 2021/6/19 上午4:03, Andrew Melnichenko 写道: > > Hi Jason, > > I've checked "kernel.unprivileged_bpf_disabled=0" on Fedora, Ubuntu, > > and Debian - no need permissions to update BPF maps. > > > How about RHEL :) ? If I'm not mistaken, the

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-21 Thread Jason Wang
在 2021/6/19 上午4:03, Andrew Melnichenko 写道: Hi Jason, I've checked "kernel.unprivileged_bpf_disabled=0" on Fedora,  Ubuntu, and Debian - no need permissions to update BPF maps. How about RHEL :) ? Thanks On Wed, Jun 16, 2021 at 1:18 AM Andrew Melnichenko >

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-18 Thread Andrew Melnichenko
Hi Jason, I've checked "kernel.unprivileged_bpf_disabled=0" on Fedora, Ubuntu, and Debian - no need permissions to update BPF maps. On Wed, Jun 16, 2021 at 1:18 AM Andrew Melnichenko wrote: > Hi, > >> I may miss something. >> >> But RSS requires to update the map. This won't work if you don't

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-15 Thread Andrew Melnichenko
Hi, > I may miss something. > > But RSS requires to update the map. This won't work if you don't grant > any permission to qemu. > > Thanks > Partly - with "kernel.unprivileged_bpf_disabled=0" capabilities is not required to update maps. With "kernel.unprivileged_bpf_disabled=1" - setting maps

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-15 Thread Jason Wang
在 2021/6/12 上午12:49, Andrew Melnichenko 写道: Hi, So I think the series is for unprivileged_bpf disabled. If I'm not wrong, I guess the policy is to grant CAP_BPF but do fine grain checks via LSM. The main idea is to run eBPF RSS with qemu without any permission. Libvirt

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-11 Thread Daniel P . Berrangé
On Fri, Jun 11, 2021 at 07:49:21PM +0300, Andrew Melnichenko wrote: > Hi, > > > So I think the series is for unprivileged_bpf disabled. If I'm not > > wrong, I guess the policy is to grant CAP_BPF but do fine grain checks > > via LSM. > > > > The main idea is to run eBPF RSS with qemu without

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-11 Thread Andrew Melnichenko
Hi, > So I think the series is for unprivileged_bpf disabled. If I'm not > wrong, I guess the policy is to grant CAP_BPF but do fine grain checks > via LSM. > The main idea is to run eBPF RSS with qemu without any permission. Libvirt should handle everything and pass proper eBPF file

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-10 Thread Jason Wang
在 2021/6/10 下午2:55, Yuri Benditovich 写道: On Thu, Jun 10, 2021 at 9:41 AM Jason Wang wrote: 在 2021/6/9 下午6:04, Andrew Melnychenko 写道: Libvirt usually launches qemu with strict permissions. To enable eBPF RSS steering, qemu-ebpf-rss-helper was added. A silly question: Kernel had the

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-10 Thread Yuri Benditovich
On Thu, Jun 10, 2021 at 9:41 AM Jason Wang wrote: > > > 在 2021/6/9 下午6:04, Andrew Melnychenko 写道: > > Libvirt usually launches qemu with strict permissions. > > To enable eBPF RSS steering, qemu-ebpf-rss-helper was added. > > > A silly question: > > Kernel had the following permission checks in

Re: [RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-10 Thread Jason Wang
在 2021/6/9 下午6:04, Andrew Melnychenko 写道: Libvirt usually launches qemu with strict permissions. To enable eBPF RSS steering, qemu-ebpf-rss-helper was added. A silly question: Kernel had the following permission checks in bpf syscall:    if (sysctl_unprivileged_bpf_disabled &&

[RFC PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-06-09 Thread Andrew Melnychenko
Libvirt usually launches qemu with strict permissions. To enable eBPF RSS steering, qemu-ebpf-rss-helper was added. Added property "ebpf_rss_fds" for "virtio-net" that allows to initialize eBPF RSS context with passed program & maps fds. Added qemu-ebpf-rss-helper - simple helper that loads eBPF