Cgroup v2 BPF program attachment for container and process control

(attach-cgroup-program cgroup-path prog-fd attach-type & {:keys [flags replace-fd auto-close-cgroup] :or {flags :none auto-close-cgroup true}})

Attach BPF program to a cgroup (high-level API).
Parameters:
- cgroup-path: Path to cgroup (absolute or relative to /sys/fs/cgroup)
- prog-fd: BPF program file descriptor
- attach-type: Attach type keyword (e.g., :cgroup-inet-ingress, :cgroup-device)
- options: Map of options:
  - :flags - Attach flags (:none, :override, :multi, :replace)
  - :replace-fd - Program FD to replace (with :replace flag)
  - :auto-close-cgroup - Close cgroup FD after attach (default true)
Returns a map with :cgroup-fd and :attach-type for use with detach.
Example:
(attach-cgroup-program "my-container" prog-fd :cgroup-inet-ingress
                       :flags :override)

(cgroup-exists? cgroup-path)

Check if a cgroup path exists.
Parameters:
- cgroup-path: Path to cgroup directory
Returns true if the cgroup exists, false otherwise.
(close-cgroup cgroup-fd)

Close a cgroup file descriptor.
Parameters:
- cgroup-fd: Cgroup file descriptor
Example:
(close-cgroup fd)
(detach-cgroup-program cgroup-path attach-type & {:keys [prog-fd] :or {prog-fd nil}})

Detach BPF program from a cgroup (high-level API).
Parameters:
- cgroup-path: Path to cgroup
- attach-type: Attach type keyword
- prog-fd: Program FD to detach (nil to detach all)
Example (prog-fd is a keyword option, so it is passed as :prog-fd):
(detach-cgroup-program "my-container" :cgroup-inet-ingress :prog-fd prog-fd)
Or using attachment info:
(let [info (attach-cgroup-program "my-container" prog-fd :cgroup-inet-ingress)]
  (detach-cgroup-program (:cgroup-path info) (:attach-type info) :prog-fd (:prog-fd info)))

(get-cgroup-fd cgroup-path)

Get file descriptor for a cgroup path.
Parameters:
- cgroup-path: Absolute path to cgroup directory (e.g., "/sys/fs/cgroup/my-container")
  or relative path from default cgroup root
Returns the cgroup file descriptor.
Example:
(get-cgroup-fd "/sys/fs/cgroup")
(get-cgroup-fd "my-container") ; relative to /sys/fs/cgroup

(get-current-cgroup)

Get the cgroup path of the current process.
Reads /proc/self/cgroup and returns the cgroup v2 path.
Returns the cgroup path relative to /sys/fs/cgroup.
(list-cgroup-children cgroup-path)

List child cgroups of a given cgroup path.
Parameters:
- cgroup-path: Path to cgroup directory
Returns a vector of child cgroup names.

(load-cgroup-device-program bytecode & {:keys [prog-name license log-level log-size] :or {license "GPL" log-level 0 log-size 0}})

Load a cgroup device program for device access control.
Controls access to devices (character and block devices).
Example:
(load-cgroup-device-program bytecode :prog-name "device_filter" :license "GPL")

(load-cgroup-skb-program bytecode direction & {:keys [prog-name license log-level log-size] :or {license "GPL" log-level 0 log-size 0}})

Load a cgroup SKB program for network filtering.
Parameters:
- bytecode: BPF bytecode
- direction: :ingress or :egress
- options: Program load options (see programs/load-program)
Returns program file descriptor.
Example:
(load-cgroup-skb-program bytecode :ingress :prog-name "skb_filter" :license "GPL")

(load-cgroup-sock-program bytecode & {:keys [prog-name license log-level log-size] :or {license "GPL" log-level 0 log-size 0}})

Load a cgroup socket program for socket operations control.
Use for controlling socket creation, bind, and connect operations.
Example:
(load-cgroup-sock-program bytecode :prog-name "sock_filter" :license "GPL")

(load-cgroup-sysctl-program bytecode & {:keys [prog-name license log-level log-size] :or {license "GPL" log-level 0 log-size 0}})

Load a cgroup sysctl program for sysctl access control.
Controls access to sysctl parameters.
Example:
(load-cgroup-sysctl-program bytecode :prog-name "sysctl_filter" :license "GPL")
(prog-attach-cgroup cgroup-fd prog-fd attach-type & {:keys [flags replace-fd] :or {flags :none replace-fd nil}})

Attach BPF program to a cgroup (low-level syscall wrapper).
Parameters:
- cgroup-fd: Cgroup file descriptor
- prog-fd: BPF program file descriptor
- attach-type: Attach type keyword (e.g., :cgroup-inet-ingress)
- flags: Attach flags (default :none)
- replace-fd: Program FD to replace (for :replace flag)
Returns 0 on success, throws on error.
Example (flags is a keyword option, so it is passed as :flags):
(prog-attach-cgroup cgroup-fd prog-fd :cgroup-inet-ingress :flags :override)

(prog-detach-cgroup cgroup-fd attach-type & {:keys [prog-fd] :or {prog-fd nil}})

Detach BPF program from a cgroup (low-level syscall wrapper).
Parameters:
- cgroup-fd: Cgroup file descriptor
- attach-type: Attach type keyword
- prog-fd: Program FD to detach (nil to detach all)
Returns 0 on success, throws on error.
Example:
(prog-detach-cgroup cgroup-fd :cgroup-inet-ingress :prog-fd prog-fd)
(setup-cgroup-device cgroup-path bytecode & {:keys [prog-name flags] :or {flags :override} :as options})

Set up a cgroup device filter (load program and attach).
Example:
(def setup (setup-cgroup-device "my-container" bytecode
                                :prog-name "device_filter"))

(setup-cgroup-skb cgroup-path bytecode direction & {:keys [prog-name flags] :or {flags :override} :as options})

Set up a cgroup SKB filter (load program and attach).
Convenience function that:
1. Loads the BPF program
2. Attaches it to the cgroup
Parameters:
- cgroup-path: Path to cgroup
- bytecode: BPF bytecode
- direction: :ingress or :egress
- options: Combined program load and attach options
Returns a map with :prog-fd and :attach-info for cleanup.
Example:
(def setup (setup-cgroup-skb "my-container" bytecode :ingress
                             :prog-name "filter" :flags :override))
;; ... later ...
(teardown-cgroup-program setup)

(setup-cgroup-sock cgroup-path bytecode & {:keys [prog-name flags] :or {flags :override} :as options})

Set up a cgroup socket filter (load program and attach).
Example:
(def setup (setup-cgroup-sock "my-container" bytecode
                              :prog-name "sock_filter"))

(teardown-cgroup-program {:keys [prog-fd attach-info]})

Tear down a cgroup program setup created by setup-* functions.
Parameters:
- setup: Map returned by setup-cgroup-* functions with :prog-fd and :attach-info
Example:
(teardown-cgroup-program setup)
(with-cgroup-program [binding attach-expr] & body)

Attach cgroup program and ensure detachment after use.
Example:
(with-cgroup-program [info (attach-cgroup-program "my-container"
                                                  prog-fd
                                                  :cgroup-inet-ingress)]
  ;; Program is attached
  (do-work))

(with-cgroup-skb [binding setup-expr] & body)

Load and attach cgroup SKB program, ensure cleanup.
Example:
(with-cgroup-skb [setup (setup-cgroup-skb "my-container"
                                          bytecode
                                          :ingress)]
  ;; Program is loaded and attached
  (process-packets))
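A worked lifecycle built on the functions above, added here as an example and not taken from the library itself: install an ingress filter on a container cgroup with :override, hot-swap it with :replace and :replace-fd so the cgroup is never left unfiltered between the old and new program, and detach only the program that was attached. The namespace in the require and the v1-bytes / v2-bytes vars are placeholders, since the page names neither the namespace nor a source of compiled bytecode.

```clojure
;; Added example, not part of the library's docs. Assumptions: `cg` aliases the
;; namespace documented on this page (its real name is not given, so the require
;; below is a placeholder), and `v1-bytes` / `v2-bytes` are compiled BPF bytecode
;; you built yourself (e.g. with clang); the page supplies neither.
(require '[PLACEHOLDER.cgroup :as cg])

(defn install-ingress-filter
  "Load FILTER-BYTES as a cgroup SKB ingress program and attach it to the
   cgroup at CGROUP-PATH. Refuses to load anything if the cgroup is missing,
   so a typo cannot leave a program loaded with nowhere to attach.
   Returns the setup map (:prog-fd, :attach-info) needed for cleanup."
  [cgroup-path filter-bytes]
  (when-not (cg/cgroup-exists? cgroup-path)
    (throw (ex-info "cgroup does not exist" {:cgroup-path cgroup-path})))
  ;; :override displaces any program already attached for this type, so a stale
  ;; or weaker filter left by an earlier run cannot silently stay in effect.
  (cg/setup-cgroup-skb cgroup-path filter-bytes :ingress
                       :prog-name "ingress_filter" :flags :override))

(defn swap-ingress-filter
  "Replace the program recorded in SETUP with NEW-BYTES in a single attach
   call via :replace, so there is no window with no filter attached between
   detaching the old program and attaching the new one. Returns a new setup map."
  [cgroup-path setup new-bytes]
  (let [new-fd (cg/load-cgroup-skb-program new-bytes :ingress
                                           :prog-name "ingress_filter_v2")
        info   (cg/attach-cgroup-program cgroup-path new-fd :cgroup-inet-ingress
                                         :flags :replace
                                         :replace-fd (:prog-fd setup))]
    {:prog-fd new-fd :attach-info info}))

(defn remove-ingress-filter
  "Detach exactly the program recorded in SETUP. Calling detach-cgroup-program
   with prog-fd nil would instead strip every ingress program from the cgroup,
   including ones attached by other tooling, so avoid that on shared cgroups."
  [setup]
  (cg/teardown-cgroup-program setup))

(comment
  ;; Typical lifecycle; needs the privileges required to load and attach BPF.
  (let [path "my-container"
        v1   (install-ingress-filter path v1-bytes)
        v2   (swap-ingress-filter path v1 v2-bytes)]
    (remove-ingress-filter v2)))
```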