[PATCH v3 06/15] vircgroup: introduce virCgroupV2DevicesPrepareProg

Pavel Hrdina <phrdina@xxxxxxxxxx> · Thu, 25 Apr 2019 09:44:23 +0200

This function will be called for every virCgroup(Allow|Deny)* API in
order to prepare BPF program for guest.  Since libvirtd can be restarted
at any point we will first try to detect existing progam, if there is
none we will create a new empty BPF program and lastly if we don't have
any space left in the existing BPF map we will create a new copy of the
BPF map with more space and attach a new program with that map into the
guest cgroup.

This solution allows us to start with reasonably small BPF map consuming
only small amount of memory and if needed we can easily extend the BPF
map if there is a lot of host devices used in guest or if user wants to
hot-plug a lot of devices once the guest is running.

Since there is no way how to reallocate existing BPF map we need to
create a new copy if we run out of space in current BPF map.

This overcomes all the limitations in BPF:

    - map used in program has to be created before the program is loaded
      into kernel

    - once map is created you cannot change its size

    - you cannot replace map in existing program

    - you cannot use an array of maps because it can store FD to maps
      of one specific size so we would not be able to use it to overcome
      the second issue

Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx>
---
 src/libvirt_private.syms      |  1 +
 src/util/vircgroupv2devices.c | 83 +++++++++++++++++++++++++++++++++++
 src/util/vircgroupv2devices.h |  3 ++
 3 files changed, 87 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index f49f401d2b..9ab07de06d 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1657,6 +1657,7 @@ virCgroupV2DevicesAttachProg;
 virCgroupV2DevicesAvailable;
 virCgroupV2DevicesCreateProg;
 virCgroupV2DevicesDetectProg;
+virCgroupV2DevicesPrepareProg;
 
 # util/virclosecallbacks.h
 virCloseCallbacksGet;
diff --git a/src/util/vircgroupv2devices.c b/src/util/vircgroupv2devices.c
index d8934e8add..e8c6f74091 100644
--- a/src/util/vircgroupv2devices.c
+++ b/src/util/vircgroupv2devices.c
@@ -455,6 +455,52 @@ virCgroupV2DevicesCreateMap(size_t size)
 }
 
 
+static int
+virCgroupV2DevicesReallocMap(int mapfd,
+                             size_t size)
+{
+    uint64_t key = 0;
+    uint64_t prevKey = 0;
+    int rc;
+    int newmapfd = virCgroupV2DevicesCreateMap(size);
+
+    VIR_DEBUG("realloc devices map mapfd:%d, size:%lu", mapfd, size);
+
+    if (newmapfd < 0)
+        return -1;
+
+    while ((rc = virBPFGetNextElem(mapfd, &prevKey, &key)) == 0) {
+        uint32_t val = 0;
+
+        if (virBPFLookupElem(mapfd, &key, &val) < 0) {
+            virReportSystemError(errno, "%s",
+                                 _("failed to lookup device in old map"));
+            goto error;
+        }
+
+        if (virBPFUpdateElem(newmapfd, &key, &val) < 0) {
+            virReportSystemError(errno, "%s",
+                                 _("failed to add device into new map"));
+            goto error;
+        }
+
+        prevKey = key;
+    }
+
+    if (rc < 0 && errno != ENOENT) {
+        virReportSystemError(errno, "%s",
+                             _("failed to copy all device rules"));
+        goto error;
+    }
+
+    return newmapfd;
+
+ error:
+    VIR_FORCE_CLOSE(newmapfd);
+    return -1;
+}
+
+
 int
 virCgroupV2DevicesCreateProg(virCgroupPtr group)
 {
@@ -478,6 +524,33 @@ virCgroupV2DevicesCreateProg(virCgroupPtr group)
     VIR_FORCE_CLOSE(mapfd);
     return -1;
 }
+
+
+int
+virCgroupV2DevicesPrepareProg(virCgroupPtr group)
+{
+    if (virCgroupV2DevicesDetectProg(group) < 0)
+        return -1;
+
+    if (virCgroupV2DevicesCreateProg(group) < 0)
+        return -1;
+
+    if (group->unified.devices.count >= group->unified.devices.max) {
+        size_t max = group->unified.devices.max * 2;
+        int newmapfd = virCgroupV2DevicesReallocMap(group->unified.devices.mapfd,
+                                                    max);
+
+        if (newmapfd < 0)
+            return -1;
+
+        if (virCgroupV2DevicesAttachProg(group, newmapfd, max) < 0) {
+            VIR_FORCE_CLOSE(newmapfd);
+            return -1;
+        }
+    }
+
+    return 0;
+}
 #else /* !HAVE_DECL_BPF_CGROUP_DEVICE */
 bool
 virCgroupV2DevicesAvailable(virCgroupPtr group ATTRIBUTE_UNUSED)
@@ -516,4 +589,14 @@ virCgroupV2DevicesCreateProg(virCgroupPtr group ATTRIBUTE_UNUSED)
                            "with this kernel"));
     return -1;
 }
+
+
+int
+virCgroupV2DevicesPrepareProg(virCgroupPtr group ATTRIBUTE_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("cgroups v2 BPF devices not supported "
+                           "with this kernel"));
+    return -1;
+}
 #endif /* !HAVE_DECL_BPF_CGROUP_DEVICE */
diff --git a/src/util/vircgroupv2devices.h b/src/util/vircgroupv2devices.h
index bcbd761537..10c80c8ae4 100644
--- a/src/util/vircgroupv2devices.h
+++ b/src/util/vircgroupv2devices.h
@@ -35,4 +35,7 @@ virCgroupV2DevicesDetectProg(virCgroupPtr group);
 int
 virCgroupV2DevicesCreateProg(virCgroupPtr group);
 
+int
+virCgroupV2DevicesPrepareProg(virCgroupPtr group);
+
 #endif /* LIBVIRT_VIRCGROUPV2DEVICES_H */
-- 
2.20.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list






