1BPFTOOL-CGROUP(8) BPFTOOL-CGROUP(8)
2
6 bpftool-cgroup - tool for inspection and simple manipulation of eBPF
7 progs
8
10 bpftool [OPTIONS] cgroup COMMAND
11 OPTIONS := { { -j | --json } [{ -p | --pretty }] | { -f | --bpffs }
13 }
14 COMMANDS := { show | list | tree | attach | detach | help }
16
18 bpftool cgroup { show | list } CGROUP
19 bpftool cgroup tree [CGROUP_ROOT]
20 bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
21 bpftool cgroup detach CGROUP ATTACH_TYPE PROG
22 bpftool cgroup help
23 PROG := { id PROG_ID | pinned FILE | tag PROG_TAG }
25 ATTACH_TYPE := { ingress | egress | sock_create | sock_ops | device |
26 bind4 | bind6 | post_bind4 | post_bind6 | connect4 | connect6 |
27 sendmsg4 | sendmsg6 | recvmsg4 | recvmsg6 | sysctl |
28 getsockopt | setsockopt }
29 ATTACH_FLAGS := { multi | override }
30
33 bpftool cgroup { show | list } CGROUP
34 List all programs attached to the cgroup CGROUP.
35 Output will start with program ID followed by attach type,
37 attach flags and program name.
38 bpftool cgroup tree [CGROUP_ROOT]
40 Iterate over all cgroups in CGROUP_ROOT and list all attached
41 programs. If CGROUP_ROOT is not specified, bpftool uses
42 cgroup v2 mountpoint.
43 The output is similar to the output of cgroup show/list com‐
45 mands: it starts with absolute cgroup path, followed by pro‐
46 gram ID, attach type, attach flags and program name.
47 bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
49 Attach program PROG to the cgroup CGROUP with attach type
50 ATTACH_TYPE and optional ATTACH_FLAGS.
51 ATTACH_FLAGS can be one of: override if a sub-cgroup installs
53 some bpf program, the program in this cgroup yields to
54 sub-cgroup program; multi if a sub-cgroup installs some bpf
55 program, that cgroup program gets run in addition to the pro‐
56 gram in this cgroup.
57 Only one program is allowed to be attached to a cgroup with
59 no attach flags or the override flag. Attaching another pro‐
60 gram will release old program and attach the new one.
61 Multiple programs are allowed to be attached to a cgroup with
63 multi. They are executed in FIFO order (those that were
64 attached first, run first).
65 Non-default ATTACH_FLAGS are supported by kernel version 4.14
67 and later.
68 ATTACH_TYPE can be on of: ingress ingress path of the inet
70 socket (since 4.10); egress egress path of the inet socket
71 (since 4.10); sock_create opening of an inet socket (since
72 4.10); sock_ops various socket operations (since 4.12);
73 device device access (since 4.15); bind4 call to bind(2) for
74 an inet4 socket (since 4.17); bind6 call to bind(2) for an
75 inet6 socket (since 4.17); post_bind4 return from bind(2) for
76 an inet4 socket (since 4.17); post_bind6 return from bind(2)
77 for an inet6 socket (since 4.17); connect4 call to connect(2)
78 for an inet4 socket (since 4.17); connect6 call to connect(2)
79 for an inet6 socket (since 4.17); sendmsg4 call to sendto(2),
80 sendmsg(2), sendmmsg(2) for an unconnected udp4 socket (since
81 4.18); sendmsg6 call to sendto(2), sendmsg(2), sendmmsg(2)
82 for an unconnected udp6 socket (since 4.18); recvmsg4 call to
83 recvfrom(2), recvmsg(2), recvmmsg(2) for an unconnected udp4
84 socket (since 5.2); recvmsg6 call to recvfrom(2), recvmsg(2),
85 recvmmsg(2) for an unconnected udp6 socket (since 5.2);
86 sysctl sysctl access (since 5.2); getsockopt call to getsock‐
87 opt (since 5.3); setsockopt call to setsockopt (since 5.3).
88 bpftool cgroup detach CGROUP ATTACH_TYPE PROG
90 Detach PROG from the cgroup CGROUP and attach type
91 ATTACH_TYPE.
92 bpftool prog help
94 Print short help message.
95
97 -h, --help
98 Print short generic help message (similar to bpftool help).
99 -V, --version
101 Print version number (similar to bpftool version).
102 -j, --json
104 Generate JSON output. For commands that cannot produce JSON,
105 this option has no effect.
106 -p, --pretty
108 Generate human-readable JSON output. Implies -j.
109 -f, --bpffs
111 Show file names of pinned programs.
112 -d, --debug
114 Print all logs available from libbpf, including debug-level
115 information.
116
118 # mount -t bpf none /sys/fs/bpf/
119 # mkdir /sys/fs/cgroup/test.slice
120 # bpftool prog load ./device_cgroup.o /sys/fs/bpf/prog
121 # bpftool cgroup attach /sys/fs/cgroup/test.slice/ device id 1 allow_multi
122 # bpftool cgroup list /sys/fs/cgroup/test.slice/
125 ID AttachType AttachFlags Name
127 1 device allow_multi bpf_prog1
128 # bpftool cgroup detach /sys/fs/cgroup/test.slice/ device id 1
130 # bpftool cgroup list /sys/fs/cgroup/test.slice/
131 ID AttachType AttachFlags Name
134
136 bpf(2), bpf-helpers(7), bpftool(8), bpftool-prog(8), bpftool-map(8),
137 bpftool-feature(8), bpftool-net(8), bpftool-perf(8), bpftool-btf(8)
138 BPFTOOL-CGROUP(8)