test-bpf fails under lxc

[mbiebl]

systemd version the issue has been seen with

v239

Used distribution

Debian sid

This is a follow-up for #9649.
I'm using LXC (2.0.9) and autopkgtest to run the root-unittests test. With a default lxc config, test-bpf is skipped, but turning off AA via lxc.aa_profile = unconfined the test is now executed. After ensuring, /bin/ping is installed, it fails with the following message:

root@autopkgtest-lxc-pwobei:/tmp/autopkgtest-lxc.0ctkdqu5/downtmp/build.kVR/src# /usr/lib/systemd/tests/test-bpf 
Found cgroup2 on /sys/fs/cgroup/unified, unified hierarchy for systemd controller
Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!
BPF firewalling with BPF_F_ALLOW_MULTI supported. Yay!
Found cgroup2 on /sys/fs/cgroup/unified, unified hierarchy for systemd controller
Unified cgroup hierarchy is located at /sys/fs/cgroup/unified/56b685af60ebdda. Controllers are on legacy hierarchies.
Controller 'cpu' supported: yes
Controller 'cpuacct' supported: yes
Controller 'io' supported: no
Controller 'blkio' supported: yes
Controller 'memory' supported: yes
Controller 'devices' supported: yes
Controller 'pids' supported: yes
Looking for unit files in (higher priority first):
	/usr/lib/systemd/tests/testdata
Unit type .device is not supported on this system.
Unit type .automount is not supported on this system.
Found container virtualization lxc.
Unit type .swap is not supported on this system.
Unit type .device is not supported on this system.
Unit type .automount is not supported on this system.
Unit type .swap is not supported on this system.
root.mount: Failed to load configuration: No such file or directory
dev.mount: Failed to load configuration: No such file or directory
proc.mount: Failed to load configuration: No such file or directory
tmp.mount: Failed to load configuration: No such file or directory
sys.mount: Failed to load configuration: No such file or directory
sys-fs.mount: Failed to load configuration: No such file or directory
sys-fs-fuse.mount: Failed to load configuration: No such file or directory
sys-devices.mount: Failed to load configuration: No such file or directory
sys-devices-virtual.mount: Failed to load configuration: No such file or directory
proc-sys.mount: Failed to load configuration: No such file or directory
Successfully created private D-Bus server.
Bus bus-system: changing state UNSET → OPENING
Bus bus-system: changing state OPENING → AUTHENTICATING
Successfully connected to system bus.
Invoking unit coldplug() handlers…
proc-swaps.mount: Changed dead -> mounted
dev-tty3.mount: Changed dead -> mounted
-.mount: Changed dead -> mounted
dev-tty4.mount: Changed dead -> mounted
init.scope changed dead -> running
dev-tty1.mount: Changed dead -> mounted
proc-sysrq\x2dtrigger.mount: Changed dead -> mounted
proc-cpuinfo.mount: Changed dead -> mounted
proc-meminfo.mount: Changed dead -> mounted
dev-hugepages.mount: Changed dead -> mounted
dev-mqueue.mount: Changed dead -> mounted
proc-sys-net.mount: Changed dead -> mounted
proc-uptime.mount: Changed dead -> mounted
tmp-autopkgtest\x2dlxc.0ctkdqu5.mount: Changed dead -> mounted
sys-devices-virtual-net.mount: Changed dead -> mounted
dev-tty2.mount: Changed dead -> mounted
proc-diskstats.mount: Changed dead -> mounted
proc-stat.mount: Changed dead -> mounted
sys-fs-fuse-connections.mount: Changed dead -> mounted
-.slice changed dead -> active
dev-ptmx.mount: Changed dead -> mounted
Invoking unit catchup() handlers…
-> Unit foo.service:
	Description: foo.service
	Instance: n/a
	Unit Load State: loaded
	Unit Active State: inactive
	State Change Timestamp: n/a
	Inactive Exit Timestamp: n/a
	Active Enter Timestamp: n/a
	Active Exit Timestamp: n/a
	Inactive Enter Timestamp: n/a
	May GC: no
	Need Daemon Reload: no
	Transient: no
	Perpetual: yes
	Garbage Collection Mode: inactive
	Slice: n/a
	CGroup: n/a
	CGroup realized: no
	CGroup own mask: memory pids
	Name: foo.service
	StopWhenUnneeded: no
	RefuseManualStart: no
	RefuseManualStop: no
	DefaultDependencies: yes
	OnFailureJobMode: replace
	IgnoreOnIsolate: no
	Service State: dead
	Result: success
	Reload Result: success
	PermissionsStartOnly: no
	RootDirectoryStartOnly: no
	RemainAfterExit: no
	GuessMainPID: yes
	Type: oneshot
	Restart: no
	NotifyAccess: none
	NotifyState: unknown
	RestartSec: 100ms
	TimeoutStartSec: 1min 30s
	TimeoutStopSec: 1min 30s
	RuntimeMaxSec: infinity
	WatchdogSec: 0
	KillMode: control-group
	KillSignal: SIGTERM
	SendSIGKILL: yes
	SendSIGHUP:  no
	UMask: 0022
	WorkingDirectory: /
	RootDirectory: /
	NonBlocking: no
	PrivateTmp: no
	PrivateDevices: no
	ProtectKernelTunables: no
	ProtectKernelModules: no
	ProtectControlGroups: no
	PrivateNetwork: no
	PrivateUsers: no
	ProtectHome: no
	ProtectSystem: no
	MountAPIVFS: no
	IgnoreSIGPIPE: yes
	MemoryDenyWriteExecute: no
	RestrictRealtime: no
	KeyringMode: inherit
	RuntimeDirectoryPreserve: no
	RuntimeDirectoryMode: 0755
	StateDirectoryMode: 0755
	CacheDirectoryMode: 0755
	LogsDirectoryMode: 0755
	ConfigurationDirectoryMode: 0755
	StandardInput: null
	StandardOutput: inherit
	StandardError: inherit
	DynamicUser: no
	LockPersonality: no
	-> ExecStart:
		Command Line: /bin/ping -c 1 127.0.0.2 -W 5
		Command Line: /bin/ping -c 1 127.0.0.3 -W 5
	CPUAccounting=no
	IOAccounting=no
	BlockIOAccounting=no
	MemoryAccounting=yes
	TasksAccounting=yes
	IPAccounting=yes
	CPUWeight=18446744073709551615
	StartupCPUWeight=18446744073709551615
	CPUShares=18446744073709551615
	StartupCPUShares=18446744073709551615
	CPUQuotaPerSecSec=infinity
	IOWeight=18446744073709551615
	StartupIOWeight=18446744073709551615
	BlockIOWeight=18446744073709551615
	StartupBlockIOWeight=18446744073709551615
	MemoryLow=0
	MemoryHigh=18446744073709551615
	MemoryMax=18446744073709551615
	MemorySwapMax=18446744073709551615
	MemoryLimit=18446744073709551615
	TasksMax=18446744073709551615
	DevicePolicy=auto
	Delegate=no
	IPAddressAllow=10.0.1.0/24
	IPAddressAllow=127.0.0.2/32
	IPAddressDeny=10.0.3.0/24
	IPAddressDeny=127.0.0.0/25
log:
-------
0: (bf) r6 = r1
1: (61) r7 = *(u32 *)(r6 +16)
2: (b4) (u32) r8 = (u32) 0
3: (55) if r7 != 0x8 goto pc+14
 R1=ctx(id=0,off=0,imm=0) R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv0 R10=fp0,call_-1
4: (bf) r1 = r6
5: (b4) (u32) r2 = (u32) 12
6: (bf) r3 = r10
7: (07) r3 += -4
8: (b4) (u32) r4 = (u32) 4
9: (85) call bpf_skb_load_bytes#26
10: (18) r1 = 0xffff8b64085c7f00
12: (bf) r2 = r10
13: (07) r2 += -8
14: (62) *(u32 *)(r2 +0) = 32
15: (85) call bpf_map_lookup_elem#1
16: (15) if r0 == 0x0 goto pc+1
 R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv0 R10=fp0,call_-1
17: (44) (u32) r8 |= (u32) 2
18: (55) if r7 != 0x8 goto pc+14
19: (bf) r1 = r6
20: (b4) (u32) r2 = (u32) 12
21: (bf) r3 = r10
22: (07) r3 += -4
23: (b4) (u32) r4 = (u32) 4
24: (85) call bpf_skb_load_bytes#26
25: (18) r1 = 0xffff8b64085c7b40
27: (bf) r2 = r10
28: (07) r2 += -8
29: (62) *(u32 *)(r2 +0) = 32
30: (85) call bpf_map_lookup_elem#1
31: (15) if r0 == 0x0 goto pc+1
 R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv2 R10=fp0,call_-1
32: (44) (u32) r8 |= (u32) 1
33: (b7) r0 = 1
34: (55) if r8 != 0x2 goto pc+1
36: (15) if r0 == 0x0 goto pc+21
37: (b7) r0 = 0
38: (63) *(u32 *)(r10 -4) = r0
39: (bf) r2 = r10
40: (07) r2 += -4
41: (18) r1 = 0xffff8b648f160c00
43: (85) call bpf_map_lookup_elem#1
44: (15) if r0 == 0x0 goto pc+2
 R0=map_value(id=0,off=0,ks=4,vs=8,imm=0) R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv3 R10=fp0,call_-1
45: (b7) r1 = 1
46: (db) lock *(u64 *)(r0 +0) += r1
 R0=map_value(id=0,off=0,ks=4,vs=8,imm=0) R1_w=inv1 R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv3 R10=fp0,call_-1
 R0=map_value(id=0,off=0,ks=4,vs=8,imm=0) R1_w=inv1 R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv3 R10=fp0,call_-1
47: (b7) r0 = 1
48: (63) *(u32 *)(r10 -4) = r0
49: (bf) r2 = r10
50: (07) r2 += -4
51: (18) r1 = 0xffff8b648f160c00
53: (85) call bpf_map_lookup_elem#1
54: (15) if r0 == 0x0 goto pc+2
 R0=map_value(id=0,off=0,ks=4,vs=8,imm=0) R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv3 R10=fp0,call_-1
55: (61) r1 = *(u32 *)(r6 +0)
56:
-------
log:
-------
0: (bf) r6 = r1
1: (61) r7 = *(u32 *)(r6 +16)
2: (b4) (u32) r8 = (u32) 0
3: (55) if r7 != 0x8 goto pc+14
 R1=ctx(id=0,off=0,imm=0) R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv0 R10=fp0,call_-1
4: (bf) r1 = r6
5: (b4) (u32) r2 = (u32) 16
6: (bf) r3 = r10
7: (07) r3 += -4
8: (b4) (u32) r4 = (u32) 4
9: (85) call bpf_skb_load_bytes#26
10: (18) r1 = 0xffff8b64085c7f00
12: (bf) r2 = r10
13: (07) r2 += -8
14: (62) *(u32 *)(r2 +0) = 32
15: (85) call bpf_map_lookup_elem#1
16: (15) if r0 == 0x0 goto pc+1
 R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv0 R10=fp0,call_-1
17: (44) (u32) r8 |= (u32) 2
18: (55) if r7 != 0x8 goto pc+14
19: (bf) r1 = r6
20: (b4) (u32) r2 = (u32) 16
21: (bf) r3 = r10
22: (07) r3 += -4
23: (b4) (u32) r4 = (u32) 4
24: (85) call bpf_skb_load_bytes#26
25: (18) r1 = 0xffff8b64085c7b40
27: (bf) r2 = r10
28: (07) r2 += -8
29: (62) *(u32 *)(r2 +0) = 32
30: (85) call bpf_map_lookup_elem#1
31: (15) if r0 == 0x0 goto pc+1
 R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv2 R10=fp0,call_-1
32: (44) (u32) r8 |= (u32) 1
33: (b7) r0 = 1
34: (55) if r8 != 0x2 goto pc+1
36: (15) if r0 == 0x0 goto pc+21
37: (b7) r0 = 0
38: (63) *(u32 *)(r10 -4) = r0
39: (bf) r2 = r10
40: (07) r2 += -4
41: (18) r1 = 0xffff8b648f160200
43: (85) call bpf_map_lookup_elem#1
44: (15) if r0 == 0x0 goto pc+2
 R0=map_value(id=0,off=0,ks=4,vs=8,imm=0) R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv3 R10=fp0,call_-1
45: (b7) r1 = 1
46: (db) lock *(u64 *)(r0 +0) += r1
 R0=map_value(id=0,off=0,ks=4,vs=8,imm=0) R1_w=inv1 R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv3 R10=fp0,call_-1
 R0=map_value(id=0,off=0,ks=4,vs=8,imm=0) R1_w=inv1 R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv3 R10=fp0,call_-1
47: (b7) r0 = 1
48: (63) *(u32 *)(r10 -4) = r0
49: (bf) r2 = r10
50: (07) r2 += -4
51: (18) r1 = 0xffff8b648f160200
53: (85) call bpf_map_lookup_elem#1
54: (15) if r0 == 0x0 goto pc+2
 R0=map_value(id=0,off=0,ks=4,vs=8,imm=0) R6=ctx(id=0,off=0,imm=0) R7=inv8 R8=inv3 R10=fp0,call_-1
55: (61) r1 = *(u32 *)(r6 +0)
56:
-------
foo.service: Passing 0 fds to service
foo.service: About to execute: /bin/ping -c 1 127.0.0.2 -W 5
foo.service: Forked /bin/ping as 2134
foo.service: Changed dead -> start
Bus bus-system: changing state AUTHENTICATING → HELLO
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=2 reply_cookie=0 signature=s error-name=n/a error-message=n/a
foo.service: Executing: /bin/ping -c 1 127.0.0.2 -W 5
Got message type=method_return sender=org.freedesktop.DBus destination=:1.26 path=n/a interface=n/a member=n/a cookie=1 reply_cookie=1 signature=s error-name=n/a error-message=n/a
Bus bus-system: changing state HELLO → RUNNING
Got message type=signal sender=org.freedesktop.DBus destination=:1.26 path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameAcquired cookie=2 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.26 path=n/a interface=n/a member=n/a cookie=3 reply_cookie=2 signature=n/a error-name=n/a error-message=n/a
Match type='signal',path='/org/freedesktop/systemd1/agent',interface='org.freedesktop.systemd1.Agent',member='Released' successfully installed.
PING 127.0.0.2 (127.0.0.2) 56(84) bytes of data.
64 bytes from 127.0.0.2: icmp_seq=1 ttl=64 time=0.030 ms

--- 127.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.030/0.030/0.030/0.000 ms
Received SIGCHLD from PID 2134 (ping).
Child 2134 (ping) died (code=exited, status=0/SUCCESS)
foo.service: Child 2134 belongs to foo.service.
foo.service: Main process exited, code=exited, status=0/SUCCESS
foo.service: Running next main command for state start.
foo.service: Passing 0 fds to service
foo.service: About to execute: /bin/ping -c 1 127.0.0.3 -W 5
foo.service: Forked /bin/ping as 2135
foo.service: Executing: /bin/ping -c 1 127.0.0.3 -W 5
PING 127.0.0.3 (127.0.0.3) 56(84) bytes of data.
64 bytes from 127.0.0.3: icmp_seq=1 ttl=64 time=0.033 ms

--- 127.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.033/0.033/0.033/0.000 ms
Received SIGCHLD from PID 2135 (ping).
Child 2135 (ping) died (code=exited, status=0/SUCCESS)
foo.service: Child 2135 belongs to foo.service.
foo.service: Main process exited, code=exited, status=0/SUCCESS
foo.service: Changed start -> dead
foo.service: Received 0B IP traffic, sent 0B IP traffic
Assertion 'SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.code != CLD_EXITED || SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.status != EXIT_SUCCESS' failed at ../src/test/test-bpf.c:148, function main(). Aborting.

I can't reproduce the failure if I use autopkgtest in combination with qemu.

Inside the container, I have the following network config:

# ip -c a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
74: eth0@if75: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:90:3a:e1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.3.236/24 brd 10.0.3.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe90:3ae1/64 scope link 
       valid_lft forever preferred_lft forever

and pinging 127.0.0.3 works fine:

root@autopkgtest-lxc-pwobei:/tmp/autopkgtest-lxc.0ctkdqu5/downtmp/build.kVR/src# ping 127.0.0.3 -c 3
PING 127.0.0.3 (127.0.0.3) 56(84) bytes of data.
64 bytes from 127.0.0.3: icmp_seq=1 ttl=64 time=0.070 ms
64 bytes from 127.0.0.3: icmp_seq=2 ttl=64 time=0.078 ms
64 bytes from 127.0.0.3: icmp_seq=3 ttl=64 time=0.076 ms

--- 127.0.0.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 29ms
rtt min/avg/max/mdev = 0.070/0.074/0.078/0.010 ms

[poettering]

Uh, no idea. It appears bpf cgroup reports success on everything but then the filters are not applied. This smells like an LXC or kernel bug. There's nothing we can do about this much...

It should suffice to block the bpf() syscall in this case in LXC, i.e. make it return EPERM or so, and the test is skipped.

The test simply checks if things are correctly blocked if we install a firewall rule using bpf and cgroup ip filtering... If that fails then this means we claim firewalling would work but it doesn't...

Anyway, this is really between lxc and the kernel afaics...

[poettering]

maybe @brauner has an idea

[evverx]

Interestingly, I can reproduce the crash by just running 100 instances of the test in parallel on a host (that is, without involving any particular container runtime):

$ cat /proc/version
Linux version 4.17.2-100.fc27.x86_64 (mockbuild@bkernel02.phx2.fedoraproject.org) (gcc version 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)) #1 SMP Fri Jun 22 15:29:28 UTC 2018

$ getenforce 0
Permissive

$ for i in {1..100}; do sudo ./build/test-bpf >&OUT-$i &  done; wait
...
$ grep Assertion OUT-*
OUT-10:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:128, function main(). Aborting.
OUT-13:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:68, function main(). Aborting.
OUT-18:Assertion 'SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.code != CLD_EXITED || SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.status != EXIT_SUCCESS' failed at ../src/test/test-bpf.c:148, function main(). Aborting.
OUT-19:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:128, function main(). Aborting.
OUT-22:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:68, function main(). Aborting.
OUT-27:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:68, function main(). Aborting.
OUT-33:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:128, function main(). Aborting.
OUT-35:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:68, function main(). Aborting.
OUT-5:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:128, function main(). Aborting.
OUT-50:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:128, function main(). Aborting.
OUT-6:Assertion 'SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.code != CLD_EXITED || SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.status != EXIT_SUCCESS' failed at ../src/test/test-bpf.c:148, function main(). Aborting.
OUT-69:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:128, function main(). Aborting.
OUT-8:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:128, function main(). Aborting.
OUT-97:Assertion 'r >= 0' failed at ../src/test/test-bpf.c:128, function main(). Aborting.

[evverx]

What's more interesting is that I got a few bpf programs with their maps hanging around after all the processes that created them had gone away:

$ sudo bpftool prog
1991: cgroup_skb  tag 45838e6308508c1f
	loaded_at Jul 21/16:17  uid 0
	xlated 568B  jited 375B  memlock 4096B  map_ids 2164,2163,2158
1992: cgroup_skb  tag d246aedc957a78d9
	loaded_at Jul 21/16:17  uid 0
	xlated 568B  jited 375B  memlock 4096B  map_ids 2164,2163,2157
2010: cgroup_skb  tag 45838e6308508c1f
	loaded_at Jul 21/16:17  uid 0
	xlated 568B  jited 375B  memlock 4096B  map_ids 2190,2189,2181
2011: cgroup_skb  tag d246aedc957a78d9
	loaded_at Jul 21/16:17  uid 0
	xlated 568B  jited 375B  memlock 4096B  map_ids 2190,2189,2180

$ sudo bpftool map
2157: array  flags 0x0
	key 4B  value 8B  max_entries 2  memlock 4096B
2158: array  flags 0x0
	key 4B  value 8B  max_entries 2  memlock 4096B
2163: lpm_trie  flags 0x1
	key 8B  value 8B  max_entries 2  memlock 4096B
2164: lpm_trie  flags 0x1
	key 8B  value 8B  max_entries 2  memlock 4096B
2180: array  flags 0x0
	key 4B  value 8B  max_entries 2  memlock 4096B
2181: array  flags 0x0
	key 4B  value 8B  max_entries 2  memlock 4096B
2189: lpm_trie  flags 0x1
	key 8B  value 8B  max_entries 2  memlock 4096B
2190: lpm_trie  flags 0x1
	key 8B  value 8B  max_entries 2  memlock 4096B

There's definitely something fishy going on here.

I've also learned that test-bpf is actually flaky because there are a few places in the code where errors (some of which are relatively easy to trigger) are ignored, for example

systemd/src/core/cgroup.c

Lines 689 to 697 in 46f2579

	static void cgroup_apply_firewall(Unit *u) {
	assert(u);
	/* Best-effort: let's apply IP firewalling and/or accounting if that's enabled */
	if (bpf_firewall_compile(u) < 0)
	return;
	(void) bpf_firewall_install(u);

That's not to say that the original issue was caused by this inherent flakiness, though.

[evverx]

Regarding the bpf programs and their maps which are not removed after the process created them is gone, I'm still gathering data, but it seems that it happens only when the OOM killer is invoked. As soon as I remove empty cgroups, the bpf programs attached to them are gone away. @htejun I'm sorry to bother you, but do you know if this behavior is expected? I though that bpf programs should stay only if they have been explicitly pinned, which doesn't seem to be the case here.

[evverx]

I used perf (the precise command line was sh -c 'ulimit -l unlimited; perf record -e "bpf:*" -e "oom:*" -a sleep 1000') to gather some data. I'm not sure if this helpful, but I'll leave it here just in case:

$ sudo perf script | grep mark_v
        test-bpf  3774 [000]  3916.154471:          oom:mark_victim: pid=3727
        test-bpf  3832 [000]  3951.653501:          oom:mark_victim: pid=3722
        test-bpf  3833 [000]  4017.482645:          oom:mark_victim: pid=3709
        test-bpf  3857 [000]  4092.742698:          oom:mark_victim: pid=4010
        test-bpf  3877 [000]  4110.746500:          oom:mark_victim: pid=3834

$ cat /proc/3722/cgroup
cat: /proc/3722/cgroup: No such file or directory

$ sudo perf script | perl -alne 'print if $F[1] == 3722'
        test-bpf  3722 [000]  3921.115324:   oom:reclaim_retry_zone: node=0 zone=DMA32    order=0 reclaimable=357 available=11503 min_wmark=11174 no_progress_loops=0 wmark_check=0
        test-bpf  3722 [000]  3921.115327:   oom:reclaim_retry_zone: node=0 zone=DMA      order=0 reclaimable=0 available=2039 min_wmark=89 no_progress_loops=0 wmark_check=0
        test-bpf  3722 [000]  3937.910705:   oom:reclaim_retry_zone: node=0 zone=DMA32    order=0 reclaimable=271 available=11427 min_wmark=11174 no_progress_loops=0 wmark_check=0
        test-bpf  3722 [000]  3937.910707:   oom:reclaim_retry_zone: node=0 zone=DMA      order=0 reclaimable=0 available=2039 min_wmark=89 no_progress_loops=0 wmark_check=0
        test-bpf  3722 [000]  3946.992586:       bpf:bpf_map_create: map type=LPM_TRIE ufd=17 key=8 val=8 max=2 flags=1
        test-bpf  3722 [000]  3946.992590:  bpf:bpf_map_update_elem: map type=LPM_TRIE ufd=17 key=[18 00 00 00 0a 00 01 00] val=[01 00 00 00 00 00 00 00]
        test-bpf  3722 [000]  3946.992592:  bpf:bpf_map_update_elem: map type=LPM_TRIE ufd=17 key=[20 00 00 00 7f 00 00 02] val=[01 00 00 00 00 00 00 00]
        test-bpf  3722 [000]  3946.992594:       bpf:bpf_map_create: map type=LPM_TRIE ufd=18 key=8 val=8 max=2 flags=1
        test-bpf  3722 [000]  3946.992595:  bpf:bpf_map_update_elem: map type=LPM_TRIE ufd=18 key=[18 00 00 00 0a 00 03 00] val=[02 00 00 00 00 00 00 00]
        test-bpf  3722 [000]  3946.992597:  bpf:bpf_map_update_elem: map type=LPM_TRIE ufd=18 key=[19 00 00 00 7f 00 00 00] val=[02 00 00 00 00 00 00 00]
        test-bpf  3722 [000]  3946.992599:       bpf:bpf_map_create: map type=ARRAY ufd=19 key=4 val=8 max=2 flags=0
        test-bpf  3722 [000]  3946.992600:       bpf:bpf_map_create: map type=ARRAY ufd=20 key=4 val=8 max=2 flags=0
        test-bpf  3722 [000]  3947.016131:        bpf:bpf_prog_load: prog=d246aedc957a78d9 type=CGROUP_SKB ufd=21
        test-bpf  3722 [000]  3947.038962:        bpf:bpf_prog_load: prog=45838e6308508c1f type=CGROUP_SKB ufd=22
        test-bpf  3722 [000]  3947.063200:     bpf:bpf_prog_put_rcu: prog=d246aedc957a78d9 type=CGROUP_SKB
        test-bpf  3722 [000]  3947.063227:     bpf:bpf_prog_put_rcu: prog=45838e6308508c1f type=CGROUP_SKB
        test-bpf  3722 [000]  3947.063258:       bpf:bpf_map_create: map type=LPM_TRIE ufd=17 key=8 val=8 max=2 flags=1
        test-bpf  3722 [000]  3947.063264:  bpf:bpf_map_update_elem: map type=LPM_TRIE ufd=17 key=[18 00 00 00 0a 00 01 00] val=[01 00 00 00 00 00 00 00]
        test-bpf  3722 [000]  3947.063267:  bpf:bpf_map_update_elem: map type=LPM_TRIE ufd=17 key=[20 00 00 00 7f 00 00 02] val=[01 00 00 00 00 00 00 00]
        test-bpf  3722 [000]  3947.063272:       bpf:bpf_map_create: map type=LPM_TRIE ufd=18 key=8 val=8 max=2 flags=1
        test-bpf  3722 [000]  3947.063274:  bpf:bpf_map_update_elem: map type=LPM_TRIE ufd=18 key=[18 00 00 00 0a 00 03 00] val=[02 00 00 00 00 00 00 00]
        test-bpf  3722 [000]  3947.063276:  bpf:bpf_map_update_elem: map type=LPM_TRIE ufd=18 key=[19 00 00 00 7f 00 00 00] val=[02 00 00 00 00 00 00 00]
        test-bpf  3722 [000]  3947.063594:        bpf:bpf_prog_load: prog=45838e6308508c1f type=CGROUP_SKB ufd=21
        test-bpf  3722 [000]  3947.063626:    bpf:bpf_prog_get_type: prog=45838e6308508c1f type=CGROUP_SKB
        test-bpf  3722 [000]  3947.186875:        bpf:bpf_prog_load: prog=d246aedc957a78d9 type=CGROUP_SKB ufd=22
        test-bpf  3722 [000]  3979.535658:     bpf:bpf_prog_put_rcu: prog=d246aedc957a78d9 type=CGROUP_SKB

$ sudo sudo bpftool prog show | grep -E 'd246aedc957a78d9|45838e6308508c1f'
37: cgroup_skb  tag 45838e6308508c1f
38: cgroup_skb  tag d246aedc957a78d9
63: cgroup_skb  tag 45838e6308508c1f
64: cgroup_skb  tag d246aedc957a78d9
80: cgroup_skb  tag 45838e6308508c1f
81: cgroup_skb  tag d246aedc957a78d9
246: cgroup_skb  tag 45838e6308508c1f

[rgushchin]

@evverx currently attached bpf programs remain active unless the cgroup is not completely destroyed. They can stay for a very significant amount of time after actual cgroup removal using sysfs (even indefinitely). I have a patchset, which adds a new option for bpf_attach, which causes the kernel to detach all bpf programs on removing the cgroup (on rmdir). I'll polish it and post upstream soon-ish.

[evverx]

@rgushchin thank you for looking at it. We should probably utilize that flag when it's available.

@mbiebl could you run the test under strace to see if it gets EPERM somewhere and then ignores it? If this doesn't happen, then, as @poettering said, it has something to do with the kernel: the filters are installed but for some reason aren't applied. So far I've had no luck with reproducing it from inside a container. I turned cgroup and network namespaces on and off (with CAP_SYS_ADMIN on and bpf allowed). The traffic was filtered as expected.

[mbiebl]

@evverx strace attached
strace.txt

[evverx]

@mbiebl thank you. At first sight, everything looks normal: the filters were attached and there were no EPERMS along the way. I'm inclined to say it has something to do with the kernel, but to be sure, it would be great if you could show how you run the tests. I mean, I can launch a Debian sid VM, but, unfortunately, I have no idea what to do next to get exactly the same environment.