On Tue, Mar 31, 2020 at 2:52 PM Edward Cree <ecree@xxxxxxxxxxxxxx> wrote:
>
> On 31/03/2020 04:54, Andrii Nakryiko wrote:
> > No need to kill random processes, you can kill only those that hold
> > bpf_link FD. You can find them using drgn tool with script like [0].
> For the record, I find the argument "we don't need a query feature,
> because you can just use a kernel debugger" *utterly* *horrifying*.
> Now, it seems to be moot, because Alexei has given other, better
> reasons why query doesn't need to land yet; but can we please not
> ever treat debugging interfaces as a substitute for proper APIs?

Can you please point out where I was objecting to observability API
(which is LINK_QUERY thing we've discussed and I didn't oppose, and
I'm going to add next)?

What I'm doubtful of is this "human override" functionality. I think a
tool that shows who's using (processes and mounted files in BPF FS)
given bpf_link is way more useful, because it allows you to both
"unblock" BPF hook (by killing "bad" processes and removing mounted
bpf_link files) and know which processes (read applications) are
misbehaving.

I'll address drgn vs not concern in reply to David Ahern, who's also
*utterly horrified*, apparently, so I'll try to calm him as well. ;)

>
> </scream>
> -ed