1BPFTOOL-CGROUP(8) BPFTOOL-CGROUP(8)
2
6 bpftool-cgroup - tool for inspection and simple manipulation of eBPF
7 progs
8
10 bpftool [OPTIONS] cgroup COMMAND
11 OPTIONS := { { -j | --json } [{ -p | --pretty }] | { -f | --bpffs }
13 }
14 COMMANDS := { show | list | tree | attach | detach | help }
16
18 bpftool cgroup { show | list } CGROUP [effective]
19 bpftool cgroup tree [CGROUP_ROOT] [effective]
20 bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
21 bpftool cgroup detach CGROUP ATTACH_TYPE PROG
22 bpftool cgroup help
23 PROG := { id PROG_ID | pinned FILE | tag PROG_TAG }
25 ATTACH_TYPE := { ingress | egress | sock_create | sock_ops | device |
26 bind4 | bind6 | post_bind4 | post_bind6 | connect4 | connect6 |
27 sendmsg4 | sendmsg6 | recvmsg4 | recvmsg6 | sysctl |
28 getsockopt | setsockopt }
29 ATTACH_FLAGS := { multi | override }
30
33 bpftool cgroup { show | list } CGROUP [effective]
34 List all programs attached to the cgroup CGROUP.
35 Output will start with program ID followed by attach type,
37 attach flags and program name.
38 If effective is specified retrieve effective programs that
40 will execute for events within a cgroup. This includes inher‐
41 ited along with attached ones.
42 bpftool cgroup tree [CGROUP_ROOT] [effective]
44 Iterate over all cgroups in CGROUP_ROOT and list all attached
45 programs. If CGROUP_ROOT is not specified, bpftool uses
46 cgroup v2 mountpoint.
47 The output is similar to the output of cgroup show/list com‐
49 mands: it starts with absolute cgroup path, followed by pro‐
50 gram ID, attach type, attach flags and program name.
51 If effective is specified retrieve effective programs that
53 will execute for events within a cgroup. This includes inher‐
54 ited along with attached ones.
55 bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
57 Attach program PROG to the cgroup CGROUP with attach type
58 ATTACH_TYPE and optional ATTACH_FLAGS.
59 ATTACH_FLAGS can be one of: override if a sub-cgroup installs
61 some bpf program, the program in this cgroup yields to
62 sub-cgroup program; multi if a sub-cgroup installs some bpf
63 program, that cgroup program gets run in addition to the pro‐
64 gram in this cgroup.
65 Only one program is allowed to be attached to a cgroup with
67 no attach flags or the override flag. Attaching another pro‐
68 gram will release old program and attach the new one.
69 Multiple programs are allowed to be attached to a cgroup with
71 multi. They are executed in FIFO order (those that were
72 attached first, run first).
73 Non-default ATTACH_FLAGS are supported by kernel version 4.14
75 and later.
76 ATTACH_TYPE can be on of: ingress ingress path of the inet
78 socket (since 4.10); egress egress path of the inet socket
79 (since 4.10); sock_create opening of an inet socket (since
80 4.10); sock_ops various socket operations (since 4.12);
81 device device access (since 4.15); bind4 call to bind(2) for
82 an inet4 socket (since 4.17); bind6 call to bind(2) for an
83 inet6 socket (since 4.17); post_bind4 return from bind(2) for
84 an inet4 socket (since 4.17); post_bind6 return from bind(2)
85 for an inet6 socket (since 4.17); connect4 call to connect(2)
86 for an inet4 socket (since 4.17); connect6 call to connect(2)
87 for an inet6 socket (since 4.17); sendmsg4 call to sendto(2),
88 sendmsg(2), sendmmsg(2) for an unconnected udp4 socket (since
89 4.18); sendmsg6 call to sendto(2), sendmsg(2), sendmmsg(2)
90 for an unconnected udp6 socket (since 4.18); recvmsg4 call to
91 recvfrom(2), recvmsg(2), recvmmsg(2) for an unconnected udp4
92 socket (since 5.2); recvmsg6 call to recvfrom(2), recvmsg(2),
93 recvmmsg(2) for an unconnected udp6 socket (since 5.2);
94 sysctl sysctl access (since 5.2); getsockopt call to getsock‐
95 opt (since 5.3); setsockopt call to setsockopt (since 5.3).
96 bpftool cgroup detach CGROUP ATTACH_TYPE PROG
98 Detach PROG from the cgroup CGROUP and attach type
99 ATTACH_TYPE.
100 bpftool prog help
102 Print short help message.
103
105 -h, --help
106 Print short generic help message (similar to bpftool help).
107 -V, --version
109 Print version number (similar to bpftool version).
110 -j, --json
112 Generate JSON output. For commands that cannot produce JSON,
113 this option has no effect.
114 -p, --pretty
116 Generate human-readable JSON output. Implies -j.
117 -f, --bpffs
119 Show file names of pinned programs.
120 -d, --debug
122 Print all logs available from libbpf, including debug-level
123 information.
124
126 # mount -t bpf none /sys/fs/bpf/
127 # mkdir /sys/fs/cgroup/test.slice
128 # bpftool prog load ./device_cgroup.o /sys/fs/bpf/prog
129 # bpftool cgroup attach /sys/fs/cgroup/test.slice/ device id 1 allow_multi
130 # bpftool cgroup list /sys/fs/cgroup/test.slice/
133 ID AttachType AttachFlags Name
135 1 device allow_multi bpf_prog1
136 # bpftool cgroup detach /sys/fs/cgroup/test.slice/ device id 1
138 # bpftool cgroup list /sys/fs/cgroup/test.slice/
139 ID AttachType AttachFlags Name
142
144 bpf(2), bpf-helpers(7), bpftool(8), bpftool-prog(8), bpftool-map(8),
145 bpftool-feature(8), bpftool-net(8), bpftool-perf(8), bpftool-btf(8)
146 BPFTOOL-CGROUP(8)