selftests/bpf: Test CGROUP_STORAGE behavior on shared egress + ingress

This mirrors the original egress-only test. The cgroup_storage is
now extended to have two packet counters, one for egress and one
for ingress. We also extend to have two egress programs to test
that egress will always share with other egress origrams in the
same cgroup. The behavior of the counters are exactly the same as
the original egress-only test.

The test is split into two, one "isolated" test that when the key
type is struct bpf_cgroup_storage_key, which contains the attach
type, programs of different attach types will see different
storages. The other, "shared" test that when the key type is u64,
programs of different attach types will see the same storage if
they are attached to the same cgroup.

Signed-off-by: YiFei Zhu <zhuyifei@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/c756f5f1521227b8e6e90a453299dda722d7324d.1595565795.git.zhuyifei@google.com
This commit is contained in:
YiFei Zhu 2020-07-23 23:47:44 -05:00 committed by Alexei Starovoitov
parent 7d9c342789
commit 3573f38401
3 changed files with 311 additions and 27 deletions

View File

@ -11,25 +11,23 @@
#include "progs/cg_storage_multi.h" #include "progs/cg_storage_multi.h"
#include "cg_storage_multi_egress_only.skel.h" #include "cg_storage_multi_egress_only.skel.h"
#include "cg_storage_multi_egress_ingress.skel.h" #include "cg_storage_multi_isolated.skel.h"
#include "cg_storage_multi_shared.skel.h"
#define PARENT_CGROUP "/cgroup_storage" #define PARENT_CGROUP "/cgroup_storage"
#define CHILD_CGROUP "/cgroup_storage/child" #define CHILD_CGROUP "/cgroup_storage/child"
static int duration; static int duration;
static bool assert_storage(struct bpf_map *map, const char *cgroup_path, static bool assert_storage(struct bpf_map *map, const void *key,
struct cgroup_value *expected) struct cgroup_value *expected)
{ {
struct bpf_cgroup_storage_key key = {0};
struct cgroup_value value; struct cgroup_value value;
int map_fd; int map_fd;
map_fd = bpf_map__fd(map); map_fd = bpf_map__fd(map);
key.cgroup_inode_id = get_cgroup_id(cgroup_path); if (CHECK(bpf_map_lookup_elem(map_fd, key, &value) < 0,
key.attach_type = BPF_CGROUP_INET_EGRESS;
if (CHECK(bpf_map_lookup_elem(map_fd, &key, &value) < 0,
"map-lookup", "errno %d", errno)) "map-lookup", "errno %d", errno))
return true; return true;
if (CHECK(memcmp(&value, expected, sizeof(struct cgroup_value)), if (CHECK(memcmp(&value, expected, sizeof(struct cgroup_value)),
@ -39,17 +37,14 @@ static bool assert_storage(struct bpf_map *map, const char *cgroup_path,
return false; return false;
} }
static bool assert_storage_noexist(struct bpf_map *map, const char *cgroup_path) static bool assert_storage_noexist(struct bpf_map *map, const void *key)
{ {
struct bpf_cgroup_storage_key key = {0};
struct cgroup_value value; struct cgroup_value value;
int map_fd; int map_fd;
map_fd = bpf_map__fd(map); map_fd = bpf_map__fd(map);
key.cgroup_inode_id = get_cgroup_id(cgroup_path); if (CHECK(bpf_map_lookup_elem(map_fd, key, &value) == 0,
key.attach_type = BPF_CGROUP_INET_EGRESS;
if (CHECK(bpf_map_lookup_elem(map_fd, &key, &value) == 0,
"map-lookup", "succeeded, expected ENOENT")) "map-lookup", "succeeded, expected ENOENT"))
return true; return true;
if (CHECK(errno != ENOENT, if (CHECK(errno != ENOENT,
@ -90,9 +85,12 @@ static void test_egress_only(int parent_cgroup_fd, int child_cgroup_fd)
{ {
struct cg_storage_multi_egress_only *obj; struct cg_storage_multi_egress_only *obj;
struct cgroup_value expected_cgroup_value; struct cgroup_value expected_cgroup_value;
struct bpf_cgroup_storage_key key;
struct bpf_link *parent_link = NULL, *child_link = NULL; struct bpf_link *parent_link = NULL, *child_link = NULL;
bool err; bool err;
key.attach_type = BPF_CGROUP_INET_EGRESS;
obj = cg_storage_multi_egress_only__open_and_load(); obj = cg_storage_multi_egress_only__open_and_load();
if (CHECK(!obj, "skel-load", "errno %d", errno)) if (CHECK(!obj, "skel-load", "errno %d", errno))
return; return;
@ -113,11 +111,13 @@ static void test_egress_only(int parent_cgroup_fd, int child_cgroup_fd)
if (CHECK(obj->bss->invocations != 1, if (CHECK(obj->bss->invocations != 1,
"first-invoke", "invocations=%d", obj->bss->invocations)) "first-invoke", "invocations=%d", obj->bss->invocations))
goto close_bpf_object; goto close_bpf_object;
key.cgroup_inode_id = get_cgroup_id(PARENT_CGROUP);
expected_cgroup_value = (struct cgroup_value) { .egress_pkts = 1 }; expected_cgroup_value = (struct cgroup_value) { .egress_pkts = 1 };
if (assert_storage(obj->maps.cgroup_storage, if (assert_storage(obj->maps.cgroup_storage,
PARENT_CGROUP, &expected_cgroup_value)) &key, &expected_cgroup_value))
goto close_bpf_object; goto close_bpf_object;
if (assert_storage_noexist(obj->maps.cgroup_storage, CHILD_CGROUP)) key.cgroup_inode_id = get_cgroup_id(CHILD_CGROUP);
if (assert_storage_noexist(obj->maps.cgroup_storage, &key))
goto close_bpf_object; goto close_bpf_object;
/* Attach to parent and child cgroup, trigger packet from child. /* Attach to parent and child cgroup, trigger packet from child.
@ -135,13 +135,15 @@ static void test_egress_only(int parent_cgroup_fd, int child_cgroup_fd)
if (CHECK(obj->bss->invocations != 3, if (CHECK(obj->bss->invocations != 3,
"second-invoke", "invocations=%d", obj->bss->invocations)) "second-invoke", "invocations=%d", obj->bss->invocations))
goto close_bpf_object; goto close_bpf_object;
key.cgroup_inode_id = get_cgroup_id(PARENT_CGROUP);
expected_cgroup_value = (struct cgroup_value) { .egress_pkts = 2 }; expected_cgroup_value = (struct cgroup_value) { .egress_pkts = 2 };
if (assert_storage(obj->maps.cgroup_storage, if (assert_storage(obj->maps.cgroup_storage,
PARENT_CGROUP, &expected_cgroup_value)) &key, &expected_cgroup_value))
goto close_bpf_object; goto close_bpf_object;
key.cgroup_inode_id = get_cgroup_id(CHILD_CGROUP);
expected_cgroup_value = (struct cgroup_value) { .egress_pkts = 1 }; expected_cgroup_value = (struct cgroup_value) { .egress_pkts = 1 };
if (assert_storage(obj->maps.cgroup_storage, if (assert_storage(obj->maps.cgroup_storage,
CHILD_CGROUP, &expected_cgroup_value)) &key, &expected_cgroup_value))
goto close_bpf_object; goto close_bpf_object;
close_bpf_object: close_bpf_object:
@ -151,18 +153,228 @@ static void test_egress_only(int parent_cgroup_fd, int child_cgroup_fd)
cg_storage_multi_egress_only__destroy(obj); cg_storage_multi_egress_only__destroy(obj);
} }
static void test_egress_ingress(int parent_cgroup_fd, int child_cgroup_fd) static void test_isolated(int parent_cgroup_fd, int child_cgroup_fd)
{ {
struct cg_storage_multi_egress_ingress *obj; struct cg_storage_multi_isolated *obj;
struct cgroup_value expected_cgroup_value;
struct bpf_cgroup_storage_key key;
struct bpf_link *parent_egress1_link = NULL, *parent_egress2_link = NULL;
struct bpf_link *child_egress1_link = NULL, *child_egress2_link = NULL;
struct bpf_link *parent_ingress_link = NULL, *child_ingress_link = NULL;
bool err;
/* Cannot load both programs due to verifier failure: obj = cg_storage_multi_isolated__open_and_load();
* "only one cgroup storage of each type is allowed" if (CHECK(!obj, "skel-load", "errno %d", errno))
return;
/* Attach to parent cgroup, trigger packet from child.
* Assert that there is three runs, two with parent cgroup egress and
* one with parent cgroup ingress, stored in separate parent storages.
* Also assert that child cgroup's storages does not exist
*/ */
obj = cg_storage_multi_egress_ingress__open_and_load(); parent_egress1_link = bpf_program__attach_cgroup(obj->progs.egress1,
CHECK(obj || errno != EBUSY, parent_cgroup_fd);
"skel-load", "errno %d, expected EBUSY", errno); if (CHECK(IS_ERR(parent_egress1_link), "parent-egress1-cg-attach",
"err %ld", PTR_ERR(parent_egress1_link)))
goto close_bpf_object;
parent_egress2_link = bpf_program__attach_cgroup(obj->progs.egress2,
parent_cgroup_fd);
if (CHECK(IS_ERR(parent_egress2_link), "parent-egress2-cg-attach",
"err %ld", PTR_ERR(parent_egress2_link)))
goto close_bpf_object;
parent_ingress_link = bpf_program__attach_cgroup(obj->progs.ingress,
parent_cgroup_fd);
if (CHECK(IS_ERR(parent_ingress_link), "parent-ingress-cg-attach",
"err %ld", PTR_ERR(parent_ingress_link)))
goto close_bpf_object;
err = connect_send(CHILD_CGROUP);
if (CHECK(err, "first-connect-send", "errno %d", errno))
goto close_bpf_object;
if (CHECK(obj->bss->invocations != 3,
"first-invoke", "invocations=%d", obj->bss->invocations))
goto close_bpf_object;
key.cgroup_inode_id = get_cgroup_id(PARENT_CGROUP);
key.attach_type = BPF_CGROUP_INET_EGRESS;
expected_cgroup_value = (struct cgroup_value) { .egress_pkts = 2 };
if (assert_storage(obj->maps.cgroup_storage,
&key, &expected_cgroup_value))
goto close_bpf_object;
key.attach_type = BPF_CGROUP_INET_INGRESS;
expected_cgroup_value = (struct cgroup_value) { .ingress_pkts = 1 };
if (assert_storage(obj->maps.cgroup_storage,
&key, &expected_cgroup_value))
goto close_bpf_object;
key.cgroup_inode_id = get_cgroup_id(CHILD_CGROUP);
key.attach_type = BPF_CGROUP_INET_EGRESS;
if (assert_storage_noexist(obj->maps.cgroup_storage, &key))
goto close_bpf_object;
key.attach_type = BPF_CGROUP_INET_INGRESS;
if (assert_storage_noexist(obj->maps.cgroup_storage, &key))
goto close_bpf_object;
cg_storage_multi_egress_ingress__destroy(obj); /* Attach to parent and child cgroup, trigger packet from child.
* Assert that there is six additional runs, parent cgroup egresses and
* ingress, child cgroup egresses and ingress.
* Assert that egree and ingress storages are separate.
*/
child_egress1_link = bpf_program__attach_cgroup(obj->progs.egress1,
child_cgroup_fd);
if (CHECK(IS_ERR(child_egress1_link), "child-egress1-cg-attach",
"err %ld", PTR_ERR(child_egress1_link)))
goto close_bpf_object;
child_egress2_link = bpf_program__attach_cgroup(obj->progs.egress2,
child_cgroup_fd);
if (CHECK(IS_ERR(child_egress2_link), "child-egress2-cg-attach",
"err %ld", PTR_ERR(child_egress2_link)))
goto close_bpf_object;
child_ingress_link = bpf_program__attach_cgroup(obj->progs.ingress,
child_cgroup_fd);
if (CHECK(IS_ERR(child_ingress_link), "child-ingress-cg-attach",
"err %ld", PTR_ERR(child_ingress_link)))
goto close_bpf_object;
err = connect_send(CHILD_CGROUP);
if (CHECK(err, "second-connect-send", "errno %d", errno))
goto close_bpf_object;
if (CHECK(obj->bss->invocations != 9,
"second-invoke", "invocations=%d", obj->bss->invocations))
goto close_bpf_object;
key.cgroup_inode_id = get_cgroup_id(PARENT_CGROUP);
key.attach_type = BPF_CGROUP_INET_EGRESS;
expected_cgroup_value = (struct cgroup_value) { .egress_pkts = 4 };
if (assert_storage(obj->maps.cgroup_storage,
&key, &expected_cgroup_value))
goto close_bpf_object;
key.attach_type = BPF_CGROUP_INET_INGRESS;
expected_cgroup_value = (struct cgroup_value) { .ingress_pkts = 2 };
if (assert_storage(obj->maps.cgroup_storage,
&key, &expected_cgroup_value))
goto close_bpf_object;
key.cgroup_inode_id = get_cgroup_id(CHILD_CGROUP);
key.attach_type = BPF_CGROUP_INET_EGRESS;
expected_cgroup_value = (struct cgroup_value) { .egress_pkts = 2 };
if (assert_storage(obj->maps.cgroup_storage,
&key, &expected_cgroup_value))
goto close_bpf_object;
key.attach_type = BPF_CGROUP_INET_INGRESS;
expected_cgroup_value = (struct cgroup_value) { .ingress_pkts = 1 };
if (assert_storage(obj->maps.cgroup_storage,
&key, &expected_cgroup_value))
goto close_bpf_object;
close_bpf_object:
bpf_link__destroy(parent_egress1_link);
bpf_link__destroy(parent_egress2_link);
bpf_link__destroy(parent_ingress_link);
bpf_link__destroy(child_egress1_link);
bpf_link__destroy(child_egress2_link);
bpf_link__destroy(child_ingress_link);
cg_storage_multi_isolated__destroy(obj);
}
static void test_shared(int parent_cgroup_fd, int child_cgroup_fd)
{
struct cg_storage_multi_shared *obj;
struct cgroup_value expected_cgroup_value;
__u64 key;
struct bpf_link *parent_egress1_link = NULL, *parent_egress2_link = NULL;
struct bpf_link *child_egress1_link = NULL, *child_egress2_link = NULL;
struct bpf_link *parent_ingress_link = NULL, *child_ingress_link = NULL;
bool err;
obj = cg_storage_multi_shared__open_and_load();
if (CHECK(!obj, "skel-load", "errno %d", errno))
return;
/* Attach to parent cgroup, trigger packet from child.
* Assert that there is three runs, two with parent cgroup egress and
* one with parent cgroup ingress.
* Also assert that child cgroup's storage does not exist
*/
parent_egress1_link = bpf_program__attach_cgroup(obj->progs.egress1,
parent_cgroup_fd);
if (CHECK(IS_ERR(parent_egress1_link), "parent-egress1-cg-attach",
"err %ld", PTR_ERR(parent_egress1_link)))
goto close_bpf_object;
parent_egress2_link = bpf_program__attach_cgroup(obj->progs.egress2,
parent_cgroup_fd);
if (CHECK(IS_ERR(parent_egress2_link), "parent-egress2-cg-attach",
"err %ld", PTR_ERR(parent_egress2_link)))
goto close_bpf_object;
parent_ingress_link = bpf_program__attach_cgroup(obj->progs.ingress,
parent_cgroup_fd);
if (CHECK(IS_ERR(parent_ingress_link), "parent-ingress-cg-attach",
"err %ld", PTR_ERR(parent_ingress_link)))
goto close_bpf_object;
err = connect_send(CHILD_CGROUP);
if (CHECK(err, "first-connect-send", "errno %d", errno))
goto close_bpf_object;
if (CHECK(obj->bss->invocations != 3,
"first-invoke", "invocations=%d", obj->bss->invocations))
goto close_bpf_object;
key = get_cgroup_id(PARENT_CGROUP);
expected_cgroup_value = (struct cgroup_value) {
.egress_pkts = 2,
.ingress_pkts = 1,
};
if (assert_storage(obj->maps.cgroup_storage,
&key, &expected_cgroup_value))
goto close_bpf_object;
key = get_cgroup_id(CHILD_CGROUP);
if (assert_storage_noexist(obj->maps.cgroup_storage, &key))
goto close_bpf_object;
/* Attach to parent and child cgroup, trigger packet from child.
* Assert that there is six additional runs, parent cgroup egresses and
* ingress, child cgroup egresses and ingress.
*/
child_egress1_link = bpf_program__attach_cgroup(obj->progs.egress1,
child_cgroup_fd);
if (CHECK(IS_ERR(child_egress1_link), "child-egress1-cg-attach",
"err %ld", PTR_ERR(child_egress1_link)))
goto close_bpf_object;
child_egress2_link = bpf_program__attach_cgroup(obj->progs.egress2,
child_cgroup_fd);
if (CHECK(IS_ERR(child_egress2_link), "child-egress2-cg-attach",
"err %ld", PTR_ERR(child_egress2_link)))
goto close_bpf_object;
child_ingress_link = bpf_program__attach_cgroup(obj->progs.ingress,
child_cgroup_fd);
if (CHECK(IS_ERR(child_ingress_link), "child-ingress-cg-attach",
"err %ld", PTR_ERR(child_ingress_link)))
goto close_bpf_object;
err = connect_send(CHILD_CGROUP);
if (CHECK(err, "second-connect-send", "errno %d", errno))
goto close_bpf_object;
if (CHECK(obj->bss->invocations != 9,
"second-invoke", "invocations=%d", obj->bss->invocations))
goto close_bpf_object;
key = get_cgroup_id(PARENT_CGROUP);
expected_cgroup_value = (struct cgroup_value) {
.egress_pkts = 4,
.ingress_pkts = 2,
};
if (assert_storage(obj->maps.cgroup_storage,
&key, &expected_cgroup_value))
goto close_bpf_object;
key = get_cgroup_id(CHILD_CGROUP);
expected_cgroup_value = (struct cgroup_value) {
.egress_pkts = 2,
.ingress_pkts = 1,
};
if (assert_storage(obj->maps.cgroup_storage,
&key, &expected_cgroup_value))
goto close_bpf_object;
close_bpf_object:
bpf_link__destroy(parent_egress1_link);
bpf_link__destroy(parent_egress2_link);
bpf_link__destroy(parent_ingress_link);
bpf_link__destroy(child_egress1_link);
bpf_link__destroy(child_egress2_link);
bpf_link__destroy(child_ingress_link);
cg_storage_multi_shared__destroy(obj);
} }
void test_cg_storage_multi(void) void test_cg_storage_multi(void)
@ -179,8 +391,11 @@ void test_cg_storage_multi(void)
if (test__start_subtest("egress_only")) if (test__start_subtest("egress_only"))
test_egress_only(parent_cgroup_fd, child_cgroup_fd); test_egress_only(parent_cgroup_fd, child_cgroup_fd);
if (test__start_subtest("egress_ingress")) if (test__start_subtest("isolated"))
test_egress_ingress(parent_cgroup_fd, child_cgroup_fd); test_isolated(parent_cgroup_fd, child_cgroup_fd);
if (test__start_subtest("shared"))
test_shared(parent_cgroup_fd, child_cgroup_fd);
close_cgroup_fd: close_cgroup_fd:
close(child_cgroup_fd); close(child_cgroup_fd);

View File

@ -20,8 +20,20 @@ struct {
__u32 invocations = 0; __u32 invocations = 0;
SEC("cgroup_skb/egress") SEC("cgroup_skb/egress/1")
int egress(struct __sk_buff *skb) int egress1(struct __sk_buff *skb)
{
struct cgroup_value *ptr_cg_storage =
bpf_get_local_storage(&cgroup_storage, 0);
__sync_fetch_and_add(&ptr_cg_storage->egress_pkts, 1);
__sync_fetch_and_add(&invocations, 1);
return 1;
}
SEC("cgroup_skb/egress/2")
int egress2(struct __sk_buff *skb)
{ {
struct cgroup_value *ptr_cg_storage = struct cgroup_value *ptr_cg_storage =
bpf_get_local_storage(&cgroup_storage, 0); bpf_get_local_storage(&cgroup_storage, 0);

View File

@ -0,0 +1,57 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright 2020 Google LLC.
*/
#include <errno.h>
#include <linux/bpf.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <bpf/bpf_helpers.h>
#include "progs/cg_storage_multi.h"
struct {
__uint(type, BPF_MAP_TYPE_CGROUP_STORAGE);
__type(key, __u64);
__type(value, struct cgroup_value);
} cgroup_storage SEC(".maps");
__u32 invocations = 0;
SEC("cgroup_skb/egress/1")
int egress1(struct __sk_buff *skb)
{
struct cgroup_value *ptr_cg_storage =
bpf_get_local_storage(&cgroup_storage, 0);
__sync_fetch_and_add(&ptr_cg_storage->egress_pkts, 1);
__sync_fetch_and_add(&invocations, 1);
return 1;
}
SEC("cgroup_skb/egress/2")
int egress2(struct __sk_buff *skb)
{
struct cgroup_value *ptr_cg_storage =
bpf_get_local_storage(&cgroup_storage, 0);
__sync_fetch_and_add(&ptr_cg_storage->egress_pkts, 1);
__sync_fetch_and_add(&invocations, 1);
return 1;
}
SEC("cgroup_skb/ingress")
int ingress(struct __sk_buff *skb)
{
struct cgroup_value *ptr_cg_storage =
bpf_get_local_storage(&cgroup_storage, 0);
__sync_fetch_and_add(&ptr_cg_storage->ingress_pkts, 1);
__sync_fetch_and_add(&invocations, 1);
return 1;
}