Skip to content

loader: attach XDP programs using bpf_link #28308

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Nov 10, 2023
Merged

loader: attach XDP programs using bpf_link #28308

merged 8 commits into from
Nov 10, 2023

Conversation

rgo3
Copy link
Contributor

@rgo3 rgo3 commented Sep 27, 2023
edited by ti-mo
Loading

See individual commits.

The first two commits (prog removal and xdp bpf_link cleanup) will be submitted as a separate PR for backporting to 1.14 and 1.13 so these versions can handle downgrades from bpf_link-enabled Cilium agents. They were kept in this branch since future commits depended on them, and getting this broken up into smaller commits that make sense was already a challenge.

On a high level, this PR:

  • attaches XDP progs using bpf_link
  • adds per-device bpffs dirs, currently only for 'physical' devs, and only used for XDP links, at e.g. /sys/fs/bpf/cilium/devices/enp5s0/links/cil_xdp_entry
  • adds a few utility functions to package bpf for working with bpffs and bpf_link pins
  • refactors attachProgram() into attachTCProgram() and attachXDPProgram() (this was a minimal change)
  • now uses ebpf-go's link.XDPAttachFlags as parameters instead of a simple u32
  • adds netns-driven tests for attaching XDP progs to veths

This also puts us in a better position for adding tcx support during the next cycle.

Fixes: #27630

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 27, 2023
@rgo3
Copy link
Contributor Author

rgo3 commented Sep 27, 2023

/test

@rgo3
Copy link
Contributor Author

rgo3 commented Sep 28, 2023

/test

@rgo3 rgo3 force-pushed the xdp-bpf-link branch 2 times, most recently from c1e0667 to e524710 Compare October 4, 2023 16:19
@rgo3
Copy link
Contributor Author

rgo3 commented Oct 4, 2023

/test

@rgo3 rgo3 force-pushed the xdp-bpf-link branch 2 times, most recently from 41cd870 to 1432100 Compare October 10, 2023 10:05
@rgo3
Copy link
Contributor Author

rgo3 commented Oct 10, 2023

/test

@rgo3
Copy link
Contributor Author

rgo3 commented Oct 10, 2023

After the offline code walk with @ti-mo and @lmb last week I'll move this into ready for review.

I've left 2 TODO's open intentionally to be discussed during review, most important probably being the decision around the bpffs linkpath we choose to store pins.

I think that there is a possibility to backport this entire PR (the fix to maybeUnloadObsoleteXDPPrograms and the new xdp link code) as that would solve the removing links and their respective bpffs pins when downgrading. If we don't want to backport all of it we should discuss what needs to be backported instead.

@rgo3 rgo3 marked this pull request as ready for review October 10, 2023 10:29
@rgo3 rgo3 requested review from a team as code owners October 10, 2023 10:29
@rgo3 rgo3 requested review from ti-mo and asauber October 10, 2023 10:29
@rgo3 rgo3 added the release-note/misc This PR makes changes that have no direct user impact. label Oct 10, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 10, 2023
@rgo3 rgo3 added area/loader Impacts the loading of BPF programs into the kernel. area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Oct 10, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 10, 2023
asauber
asauber requested changes Oct 20, 2023
View reviewed changes
Copy link
Member

@asauber asauber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed for Config and CLI. Didn't review the attach/detach logic.

@ti-mo ti-mo mentioned this pull request Oct 24, 2023
Merged
6 tasks
@rgo3 rgo3 force-pushed the xdp-bpf-link branch 2 times, most recently from 48c811a to 01f7fc9 Compare October 27, 2023 17:36
@asauber asauber self-requested a review November 6, 2023 17:11
@rgo3 @ti-mo
loader: fix bug in obsolete XDP program removal
e7d3a92 
This commit fixes a bug where Cilium expected the XDP mode flag to be carried
in the netlink.LinkXdp.Flags field, while in reality the XDP mode is actually
contained in the LinkXdp.AttachMode field. Also added a regression test.

Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
@ti-mo ti-mo requested a review from bimmlerd November 9, 2023 13:01
@ti-mo
Copy link
Contributor

ti-mo commented Nov 9, 2023

@cilium/tophat Sorry for the noise, you got pinged because pkg/socketlb didn't have a codeowner. I assigned one now.

rgo3 and others added 7 commits November 9, 2023 14:17
@rgo3 @ti-mo
loader: clean up XDP bpf_links created by newer Cilium versions
8dd705b 
A follow-up commit will introduce attaching XDP programs using bpf_link. Those
attachments cannot be overridden using netlink. If an older version of Cilium
wants to replace an XDP program on a managed interface, it'll need to remove
the bpf_link first.

This commit teaches the agent to remove the (currently) only XDP entrypoint,
cil_xdp_entry, before reattaching it using netlink. Note that this transition
is never seamless, since some time passes between deleting the link and
attaching the new program.

Also note that this downgrade path should seldom be used. If Cilium is upgraded
from a version with only netlink support, the new Cilium version will continue
to use netlink. Only if a fresh node is deployed with a new Cilium version
supporting bpf_link, then downgraded to one supporting only netlink, will the
bpf_link need to be removed.

For adding XDP bpf_link support, a per-device bpffs directory will be created
to pin the device's links, maps, etc. Follow-up commits will put XDP bpf_links
here. Subdirectories will be created for each device, for example:

/sys/fs/bpf/cilium/devices/enp5s0/

Then, following the convention we're already using for cgroup links, another
subdirectory will be created for links, followed by the entrypoint name:

/sys/fs/bpf/cilium/devices/enp5s0/links/cil_xdp_entry

Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
Co-authored-by: Timo Beckers <timo@isovalent.com>
@ti-mo
loader: rename removeXDPs to removeXDPAttachments, unexport RemoveTCF…
7d85b69 
…ilters

Signed-off-by: Timo Beckers <timo@isovalent.com>
@ti-mo
bpf: add MkdirBPF() function for creating bpffs dir hierarchies
797e0e5 
We're using 0755 for all bpffs directories, so standardize on this.

Signed-off-by: Timo Beckers <timo@isovalent.com>
@ti-mo
loader: return link.XDPAttachFlags from xdpModeToFlag
31b04fb 
Signed-off-by: Timo Beckers <timo@isovalent.com>
@ti-mo
bpf: lift UpdateLink and UnpinLink helpers out of package socketlb
5893531 
Package socketlb had existing code for updating and unpinning links
based on a pin path and a program handle. Factor these out into package
bpf so the XDP loader can start using them.

Signed-off-by: Timo Beckers <timo@isovalent.com>
@rgo3 @ti-mo
loader: attach and detach XDP programs using the bpf_link API
e184b92 
This extends the loader package to utilize bpf_link to attach XDP programs
if the kernel supports it. To avoid connectivity issues during upgrades,
existing XDP netlink attachments will not be replaced by bpf_link-based ones.
For these interfaces, we keep replacing the existing netlink XDP attachment.
bpf_link will only be used on newly-created or rebooted nodes. This matches
the behaviour of package socketlb.

A high-level overview of the changes:

- Introduced a simple loader.DetachXDP function to ensure a given link doesn't
  have a given XDP program attached. This takes care of detaching both netlink
  and xdp_link-based progs.
- attachProgram() was split into attachTCProgram() and attachXDPProgram().
- attachXDPProgram() implements the functionality outlined in the first
  paragraph.
- Tests were added for all code paths (clean host, existing netlink prog,
  as well as existing bpf_link prog).

Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
Co-authored-by: Timo Beckers <timo@isovalent.com>
@ti-mo
loader: remove maybeRemoveXDPLinks
2caa3e9 
This was a forwards-compatibility measure intended for older agent versions
and is now redundant.

Signed-off-by: Timo Beckers <timo@isovalent.com>
@ti-mo
Copy link
Contributor

ti-mo commented Nov 9, 2023

/test

bimmlerd
bimmlerd approved these changes Nov 9, 2023
View reviewed changes
Copy link
Member

@bimmlerd bimmlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CODEOWNERS change LGTM

@ti-mo ti-mo changed the title datapath/loader: attach xdp progs with bpf_link loader: attach XDP programs using bpf_link Nov 9, 2023
dylandreimerink
dylandreimerink approved these changes Nov 10, 2023
View reviewed changes
Copy link
Member

@dylandreimerink dylandreimerink left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@ti-mo ti-mo added backport/author The backport will be carried out by the author of the PR. needs-backport/1.13 labels Nov 10, 2023
@ti-mo ti-mo merged commit ef8ca62 into cilium:main Nov 10, 2023
@ti-mo ti-mo deleted the xdp-bpf-link branch November 10, 2023 13:15
@julianwiedmann
Copy link
Member

The first two commits (prog removal and xdp bpf_link cleanup) will be submitted as a separate PR for backporting to 1.14 and 1.13 so these versions can handle downgrades from bpf_link-enabled Cilium agents.

@rgo3 If I see things correctly, this happened with #29105 and #29104. So the needs-backport for those two releases is actually complete?

@rgo3 rgo3 added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed needs-backport/1.13 labels Apr 2, 2024
@rgo3
Copy link
Contributor Author

rgo3 commented Apr 2, 2024

Yes, we forgot to update the labels unfortunately 😞

@zviratko zviratko mentioned this pull request Apr 7, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squeed squeed squeed approved these changes

@dylandreimerink dylandreimerink dylandreimerink approved these changes

@asauber asauber asauber approved these changes

@ti-mo ti-mo ti-mo approved these changes

@bimmlerd bimmlerd bimmlerd approved these changes

@borkmann borkmann Awaiting requested review from borkmann

Assignees
No one assigned
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/loader Impacts the loading of BPF programs into the kernel. backport/author The backport will be carried out by the author of the PR. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Attach XDP programs using bpf_link instead of netlink
7 participants
@rgo3 @ti-mo @julianwiedmann @squeed @dylandreimerink @asauber @bimmlerd