On Fri, Jun 12, 2020 at 03:31:50PM -0700, Andrii Nakryiko wrote: > Add bpf_iter-based way to find all the processes that hold open FDs against > BPF object (map, prog, link, btf). Add new flag (-o, for "ownership", given > -p is already taken) to trigger collection and output of these PIDs. > > Sample output for each of 4 BPF objects: > > $ sudo ./bpftool -o prog show > 1992: cgroup_skb name egress_alt tag 9ad187367cf2b9e8 gpl > loaded_at 2020-06-12T14:18:10-0700 uid 0 > xlated 48B jited 59B memlock 4096B map_ids 2074 > btf_id 460 > pids: 913709,913732,913733,913734 > 2062: cgroup_device tag 8c42dee26e8cd4c2 gpl > loaded_at 2020-06-12T14:37:52-0700 uid 0 > xlated 648B jited 409B memlock 4096B > pids: 1 > > $ sudo ./bpftool -o map show > 2074: array name test_cgr.bss flags 0x400 > key 4B value 8B max_entries 1 memlock 8192B > btf_id 460 > pids: 913709,913732,913733,913734 > > $ sudo ./bpftool -o link show > 82: cgroup prog 1992 > cgroup_id 0 attach_type egress > pids: 913709,913732,913733,913734 > 86: cgroup prog 1992 > cgroup_id 0 attach_type egress > pids: 913709,913732,913733,913734 This is awesome. Why extra flag though? I think it's so useful that everyone would want to see this by default. Also the word 'pid' has kernel meaning or user space meaning? Looks like kernel then bpftool should say 'tid'. Could you capture comm as well and sort it by comm, like: $ sudo ./bpftool link show 82: cgroup prog 1992 cgroup_id 0 attach_type egress systemd(1), firewall(913709 913732), logger(913733 913734)