On Wed, Dec 04, 2019 at 07:00:07PM -0500, Kenny Ho wrote: > Hi, > > I have been reading cgroup v2 for device cgroup along with bpf cgroup > and have some questions. For bpf cgroup, is it typical to not have a > default bpf program to define "normal" behaviour? Is it fair to say > that, for device cgroup in v2, if it's not for the v1 implementation > as the catch-all, userspace applications like container runtimes will > have to supply their own bpf program in order to get the same > functionality in v1? Hi! Yeah, there is no "default" program, partially because there is no default bpf infrastructure to distribute and load bpf programs (or at least there was no such infrastructure at the moment when the controller was introduced). Also, it's not clear to me how such a program should look like. Should it be a bpf program which relies on data in a bpf map? But then you'll need some convenient way to modify the data in the map. Maybe it can be a standalone tool, which composes and loads bpf programs depending on ploicies. A library? I agree, that to some extent cgroup v2 interface is less easy to use (at the first time), but it's more flexible at the end. I'm not sure there are many users who use the device controller directly. Modern versions of systemd do support the cgroup v2 device controller, so my assumption is that the majority of users will be covered by systemd. Thanks!
