Borna Cafuk <borna.cafuk@xxxxxxxxxx> writes: > On Mon, Sep 7, 2020 at 3:33 PM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote: >> >> Borna Cafuk <borna.cafuk@xxxxxxxxxx> writes: >> >> > On Sat, Sep 5, 2020 at 12:47 AM Alexei Starovoitov >> > <alexei.starovoitov@xxxxxxxxx> wrote: >> >> >> >> On Fri, Sep 4, 2020 at 7:57 AM Borna Cafuk <borna.cafuk@xxxxxxxxxx> wrote: >> >> > >> >> > Hello everyone, >> >> > >> >> > Judging by [0], the inner maps in BPF_MAP_TYPE_HASH_OF_MAPS can only be created >> >> > from the userspace. This seems quite limiting in regard to what can be done >> >> > with them. >> >> > >> >> > Are there any plans to allow for creating the inner maps from BPF programs? >> >> > >> >> > [0] https://stackoverflow.com/a/63391528 >> >> >> >> Did you ask that question or your use case is different? >> >> Creating a new map for map_in_map from bpf prog can be implemented. >> >> bpf_map_update_elem() is doing memory allocation for map elements. >> >> In such a case calling this helper on map_in_map can, in theory, create a new >> >> inner map and insert it into the outer map. >> > >> > No, it wasn't me who asked that question, but it seemed close enough to >> > my issue. My use case calls for modifying the syscount example from BCC[1]. >> > >> > The idea is to have an outer map where the keys are PIDs, and inner maps where >> > the keys are system call numbers. This would enable tracking the number of >> > syscalls made by each process and the makeup of those calls for all processes >> > simultaneously. >> > >> > [1] https://github.com/iovisor/bcc/blob/master/libbpf-tools/syscount.bpf.c >> >> Well, if you just want to count, map-in-map seems a bit overkill? You >> could just do: >> >> struct { >> u32 pid; >> u32 syscall; >> } map_key; >> >> and use that? >> >> -Toke >> > > I have considered that, but maps in maps seem better for when I need to get the > data about a single process's syscalls: It requires reading only one of the > inner maps in its entirety. If I have a composite key like that, I don't see > any way, other than: > * either iterating through all the possible keys for a process > (i.e. over all syscalls) and looking them up in the map, or > * iterating over all entries in the map and filtering them. > > Looking at it again, the first option does not seem _that_ bad, You could even use BPF_MAP_LOOKUP_BATCH to do this in one operation, I suppose... > but just iterating over one (inner) map would be easier to fit into > our use-case. ...but yeah, I see what you mean. Well, maybe BPF local storage per process would also be a nice fit here? -Toke
