1BPFTOOL-CGROUP(8) BPFTOOL-CGROUP(8)
2
6 bpftool-cgroup - tool for inspection and simple manipulation of eBPF
7 progs
8
10 bpftool [OPTIONS] cgroup COMMAND
11 OPTIONS := { { -j | --json } [{ -p | --pretty }] | { -d | --debug }
13 |
14 { -f | --bpffs } }
15 COMMANDS := { show | list | tree | attach | detach | help }
17
19 bpftool cgroup { show | list } CGROUP [effective]
20 bpftool cgroup tree [CGROUP_ROOT] [effective]
21 bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
22 bpftool cgroup detach CGROUP ATTACH_TYPE PROG
23 bpftool cgroup help
24 PROG := { id PROG_ID | pinned FILE | tag PROG_TAG }
26 ATTACH_TYPE := { ingress | egress | sock_create | sock_ops | device |
27 bind4 | bind6 | post_bind4 | post_bind6 | connect4 | connect6 |
28 getpeername4 | getpeername6 | getsockname4 | getsockname6 | sendmsg4 |
29 sendmsg6 | recvmsg4 | recvmsg6 | sysctl | getsockopt | setsockopt |
30 sock_release }
31 ATTACH_FLAGS := { multi | override }
32
35 bpftool cgroup { show | list } CGROUP [effective]
36 List all programs attached to the cgroup CGROUP.
37 Output will start with program ID followed by attach type,
39 attach flags and program name.
40 If effective is specified retrieve effective programs that
42 will execute for events within a cgroup. This includes inher‐
43 ited along with attached ones.
44 bpftool cgroup tree [CGROUP_ROOT] [effective]
46 Iterate over all cgroups in CGROUP_ROOT and list all attached
47 programs. If CGROUP_ROOT is not specified, bpftool uses
48 cgroup v2 mountpoint.
49 The output is similar to the output of cgroup show/list com‐
51 mands: it starts with absolute cgroup path, followed by pro‐
52 gram ID, attach type, attach flags and program name.
53 If effective is specified retrieve effective programs that
55 will execute for events within a cgroup. This includes inher‐
56 ited along with attached ones.
57 bpftool cgroup attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]
59 Attach program PROG to the cgroup CGROUP with attach type AT‐
60 TACH_TYPE and optional ATTACH_FLAGS.
61 ATTACH_FLAGS can be one of: override if a sub-cgroup installs
63 some bpf program, the program in this cgroup yields to
64 sub-cgroup program; multi if a sub-cgroup installs some bpf
65 program, that cgroup program gets run in addition to the pro‐
66 gram in this cgroup.
67 Only one program is allowed to be attached to a cgroup with
69 no attach flags or the override flag. Attaching another pro‐
70 gram will release old program and attach the new one.
71 Multiple programs are allowed to be attached to a cgroup with
73 multi. They are executed in FIFO order (those that were at‐
74 tached first, run first).
75 Non-default ATTACH_FLAGS are supported by kernel version 4.14
77 and later.
78 ATTACH_TYPE can be on of: ingress ingress path of the inet
80 socket (since 4.10); egress egress path of the inet socket
81 (since 4.10); sock_create opening of an inet socket (since
82 4.10); sock_ops various socket operations (since 4.12); de‐
83 vice device access (since 4.15); bind4 call to bind(2) for an
84 inet4 socket (since 4.17); bind6 call to bind(2) for an inet6
85 socket (since 4.17); post_bind4 return from bind(2) for an
86 inet4 socket (since 4.17); post_bind6 return from bind(2) for
87 an inet6 socket (since 4.17); connect4 call to connect(2) for
88 an inet4 socket (since 4.17); connect6 call to connect(2) for
89 an inet6 socket (since 4.17); sendmsg4 call to sendto(2),
90 sendmsg(2), sendmmsg(2) for an unconnected udp4 socket (since
91 4.18); sendmsg6 call to sendto(2), sendmsg(2), sendmmsg(2)
92 for an unconnected udp6 socket (since 4.18); recvmsg4 call to
93 recvfrom(2), recvmsg(2), recvmmsg(2) for an unconnected udp4
94 socket (since 5.2); recvmsg6 call to recvfrom(2), recvmsg(2),
95 recvmmsg(2) for an unconnected udp6 socket (since 5.2);
96 sysctl sysctl access (since 5.2); getsockopt call to getsock‐
97 opt (since 5.3); setsockopt call to setsockopt (since 5.3);
98 getpeername4 call to getpeername(2) for an inet4 socket
99 (since 5.8); getpeername6 call to getpeername(2) for an inet6
100 socket (since 5.8); getsockname4 call to getsockname(2) for
101 an inet4 socket (since 5.8); getsockname6 call to getsock‐
102 name(2) for an inet6 socket (since 5.8). sock_release clos‐
103 ing an userspace inet socket (since 5.9).
104 bpftool cgroup detach CGROUP ATTACH_TYPE PROG
106 Detach PROG from the cgroup CGROUP and attach type AT‐
107 TACH_TYPE.
108 bpftool prog help
110 Print short help message.
111
113 -h, --help
114 Print short help message (similar to bpftool help).
115 -V, --version
117 Print version number (similar to bpftool version), and op‐
118 tional features that were included when bpftool was compiled.
119 Optional features include linking against libbfd to provide
120 the disassembler for JIT-ted programs (bpftool prog dump
121 jited) and usage of BPF skeletons (some features like bpftool
122 prog profile or showing pids associated to BPF objects may
123 rely on it).
124 -j, --json
126 Generate JSON output. For commands that cannot produce JSON,
127 this option has no effect.
128 -p, --pretty
130 Generate human-readable JSON output. Implies -j.
131 -d, --debug
133 Print all logs available, even debug-level information. This
134 includes logs from libbpf as well as from the verifier, when
135 attempting to load programs.
136 -f, --bpffs
138 Show file names of pinned programs.
139
141 # mount -t bpf none /sys/fs/bpf/
142 # mkdir /sys/fs/cgroup/test.slice
143 # bpftool prog load ./device_cgroup.o /sys/fs/bpf/prog
144 # bpftool cgroup attach /sys/fs/cgroup/test.slice/ device id 1 allow_multi
145 # bpftool cgroup list /sys/fs/cgroup/test.slice/
148 ID AttachType AttachFlags Name
150 1 device allow_multi bpf_prog1
151 # bpftool cgroup detach /sys/fs/cgroup/test.slice/ device id 1
153 # bpftool cgroup list /sys/fs/cgroup/test.slice/
154 ID AttachType AttachFlags Name
157
159 bpf(2), bpf-helpers(7), bpftool(8), bpftool-btf(8), bpftool-fea‐
160 ture(8), bpftool-gen(8), bpftool-iter(8), bpftool-link(8),
161 bpftool-map(8), bpftool-net(8), bpftool-perf(8), bpftool-prog(8),
162 bpftool-struct_ops(8)
163 BPFTOOL-CGROUP(8)