The 12/15/2020 09:51, Bob Liu wrote: > Hi Folks, > > On 12/12/20 12:56 AM, Hannes Reinecke wrote: > > On 12/11/20 5:33 PM, Jens Axboe wrote: > >> On 12/11/20 9:30 AM, Mike Snitzer wrote: > >>> While I still think there needs to be a proper _upstream_ consumer of > >>> blk_interposer as a condition of it going in.. I'll let others make the > >>> call. > >> > >> That's an unequivocal rule. > >> > >>> As such, I'll defer to Jens, Christoph and others on whether your > >>> minimalist blk_interposer hook is acceptable in the near-term. > >> > >> I don't think so, we don't do short term bandaids just to plan on > >> ripping that out when the real functionality is there. IMHO, the dm > >> approach is the way to go - it provides exactly the functionality that > >> is needed in an appropriate way, instead of hacking some "interposer" > >> into the core block layer. > >> > > Which is my plan, too. > > > > I'll be working with the Veeam folks to present a joint patchset (including the DM bits) for the next round. > > > > Besides the dm approach, do you think Veeam's original requirement is a good > use case of "block/bpf: add eBPF based block layer IO filtering"? > https://lwn.net/ml/bpf/20200812163305.545447-1-leah.rumancik@xxxxxxxxx/ > > Thanks, > Bob Hi Bob. Thank you for your message. I looked at your patch - it's interesting, but I have a few comments. 1. #ifdef CONFIG_BPF_IO_FILTER struct bpf_prog_array __rcu *progs; struct mutex io_filter_lock; #endif For DM and blk-snap to work, it is necessary that there is always the possibility of interception. 2. We could get rid of the io_filter_lock lock if we do attach/detach while the queue is stopped. And __rcu for *progs, can not use either. 3. int io_filter_bpf_run(struct bio *bio) { struct bpf_io_request io_req = { .sector_start = bio->bi_iter.bi_sector, .sector_cnt = bio_sectors(bio), .opf = bio->bi_opf, }; return BPF_PROG_RUN_ARRAY_CHECK(bio->bi_disk->progs, &io_req, BPF_PROG_RUN); } Allows to get little information. It will not allow to work with the bios`s data. blk_interposer allows to get full access to bio. For use in the DM, we must also be able to add new bio's. Summary: For device-mapper purposes, bpf_io_filter is not suitable. bpf_io_filter in this form is probably convenient to use for monitoring and studying the block layer. For the security task, I would suggest making a separate module and using blk_interposer to intercept bio requests. This will give more flexible functionality and better performance. -- Sergei Shtepa Veeam Software developer.
