Using pinned maps within a network namespace

Using pinned maps within a network namespace

[John McDowall]

Hi everyone,

This may be a dumb question, I have set up a simple test environment
with multiple network namespaces running on a ubuntu 20.04 vagrant
box, with the latest github libbpf.

I want to use a pinned map, I can make /sys/fs/bpf shared by:

$ mount mount --make-shared /sys/fs/bpf
$ mount --bind /sys/fs/bpf /sys/fs/bpf

but when I try access the maps from a C program running in a namespace
using bpf I get

 Access to /sys/fs/bpf/lwtconfig map failed obj_pin errno: No such
file or directory

The code snippet is:

mapfd = bpf_obj_pin(pin_fd,CONFIG_MAP_PATH);
        if (mapfd < 0) {
            jed_info(jed_logfile,"Access to %s map failed obj_pin ",
CONFIG_MAP_PATH);
            pin_fd = bpf_obj_get(CONFIG_MAP_PATH);
            if (pin_fd < 0){
             jed_error(jed_logfile,"Access to %s map failed with
obj_get ", CONFIG_MAP_PATH);
            }
        }

Is this possible, and if so what am I missing?

Regards

John

Re: Using pinned maps within a network namespace

[Y Song]

On Tue, Sep 15, 2020 at 11:46 AM John McDowall
<jmcdowall@paloaltonetworks.com> wrote:
>
> Hi everyone,
>
> This may be a dumb question, I have set up a simple test environment
> with multiple network namespaces running on a ubuntu 20.04 vagrant
> box, with the latest github libbpf.
>
> I want to use a pinned map, I can make /sys/fs/bpf shared by:
>
> $ mount mount --make-shared /sys/fs/bpf
> $ mount --bind /sys/fs/bpf /sys/fs/bpf

Similar commands `mount --bind /sys/fs/bpf /sys/fs/bpf1` in the same namespace
works fine.

Maybe there are restrictions related to namespace? Maybe it becomes readonly?
Could you print out the error code below?

>
> but when I try access the maps from a C program running in a namespace
> using bpf I get
>
>  Access to /sys/fs/bpf/lwtconfig map failed obj_pin errno: No such
> file or directory
>
> The code snippet is:
>
> mapfd = bpf_obj_pin(pin_fd,CONFIG_MAP_PATH);
>         if (mapfd < 0) {
>             jed_info(jed_logfile,"Access to %s map failed obj_pin ",
> CONFIG_MAP_PATH);
>             pin_fd = bpf_obj_get(CONFIG_MAP_PATH);
>             if (pin_fd < 0){
>              jed_error(jed_logfile,"Access to %s map failed with
> obj_get ", CONFIG_MAP_PATH);
>             }
>         }
>
> Is this possible, and if so what am I missing?
>
> Regards
>
> John

Re: Using pinned maps within a network namespace

[Quentin Monnet]

On 15/09/2020 18:00, John McDowall wrote:
> Hi everyone,
> 
> This may be a dumb question, I have set up a simple test environment
> with multiple network namespaces running on a ubuntu 20.04 vagrant
> box, with the latest github libbpf.
> 
> I want to use a pinned map, I can make /sys/fs/bpf shared by:
> 
> $ mount mount --make-shared /sys/fs/bpf
> $ mount --bind /sys/fs/bpf /sys/fs/bpf
> 
> but when I try access the maps from a C program running in a namespace
> using bpf I get
> 
>  Access to /sys/fs/bpf/lwtconfig map failed obj_pin errno: No such
> file or directory
> 
> The code snippet is:
> 
> mapfd = bpf_obj_pin(pin_fd,CONFIG_MAP_PATH);
>         if (mapfd < 0) {
>             jed_info(jed_logfile,"Access to %s map failed obj_pin ",
> CONFIG_MAP_PATH);

Hi, from your log message ("obj_pin") it looks like the error occurs
when you try to pin the map, not when you try to access it. The way you
try to pin it:

	mapfd = bpf_obj_pin(pin_fd,CONFIG_MAP_PATH);

looks suspicious. If I remember correctly, bpf_obj_pin() returns 0 on
success, it does not return a fd. It does use a file descriptor to the
map as a first argument, can you double check that this is what "pin_fd"
contains? How did you retrieve this fd? It looks to me like "pin_fd"
does not point to an existing map, and that the kernel fails to find the
map to pin.

Good luck,
Quentin

Re: Using pinned maps within a network namespace

[John McDowall]

Song,

I think it is something to do with the namespace, when I run the same
code on the host os (not in a network namespace) it works fine and
creates the map and writes to it.

The error coming back from bpf_pin_obj is errno: No such file or directory

I can see /sys/fs/bpf in the namespace after I do.

$ mount --make-shared /sys/fs/bpf

but just cannot access it.

Thanks for the help

Regards

John

On Tue, Sep 15, 2020 at 10:12 PM Y Song <ys114321@gmail.com> wrote:
>
> On Tue, Sep 15, 2020 at 11:46 AM John McDowall
> <jmcdowall@paloaltonetworks.com> wrote:
> >
> > Hi everyone,
> >
> > This may be a dumb question, I have set up a simple test environment
> > with multiple network namespaces running on a ubuntu 20.04 vagrant
> > box, with the latest github libbpf.
> >
> > I want to use a pinned map, I can make /sys/fs/bpf shared by:
> >
> > $ mount mount --make-shared /sys/fs/bpf
> > $ mount --bind /sys/fs/bpf /sys/fs/bpf
>
> Similar commands `mount --bind /sys/fs/bpf /sys/fs/bpf1` in the same namespace
> works fine.
>
> Maybe there are restrictions related to namespace? Maybe it becomes readonly?
> Could you print out the error code below?
>
> >
> > but when I try access the maps from a C program running in a namespace
> > using bpf I get
> >
> >  Access to /sys/fs/bpf/lwtconfig map failed obj_pin errno: No such
> > file or directory
> >
> > The code snippet is:
> >
> > mapfd = bpf_obj_pin(pin_fd,CONFIG_MAP_PATH);
> >         if (mapfd < 0) {
> >             jed_info(jed_logfile,"Access to %s map failed obj_pin ",
> > CONFIG_MAP_PATH);
> >             pin_fd = bpf_obj_get(CONFIG_MAP_PATH);
> >             if (pin_fd < 0){
> >              jed_error(jed_logfile,"Access to %s map failed with
> > obj_get ", CONFIG_MAP_PATH);
> >             }
> >         }
> >
> > Is this possible, and if so what am I missing?
> >
> > Regards
> >
> > John

Re: Using pinned maps within a network namespace

[John McDowall]

Quentin,

You're right, my code is a little messy but it does what you
suggested, as I mentioned to Song it works on the host system just not
in the network namespace. The error from bpf_obj_pin is

errno: No such file or directory

Here is a larger code segment:

  pin_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY,
                     sizeof(uint32_t), sizeof(config_data),1, 0);
        if (pin_fd < 0){
            jed_error(jed_logfile,"Failed to create map ", CONFIG_MAP_PATH);
        }

        ret = bpf_obj_pin(pin_fd,CONFIG_MAP_PATH);
        if (ret < 0) {
            jed_info(jed_logfile,"Access to %s map failed obj_pin ",
CONFIG_MAP_PATH);
            pin_fd = bpf_obj_get(CONFIG_MAP_PATH);
            if (pin_fd < 0){
             jed_error(jed_logfile,"Access to %s map failed with
obj_get ", CONFIG_MAP_PATH);
            }
        }

        key = 0;
        ret = bpf_map_update_elem(pin_fd, &key, &config_data, 0);
        if (ret < 0) {
           jed_error(jed_logfile,"bpf_map_update_elem %s ",CONFIG_MAP_PATH);
        }

Thanks for your help

Regards

John

On Wed, Sep 16, 2020 at 2:22 AM Quentin Monnet <quentin@isovalent.com> wrote:
>
> On 15/09/2020 18:00, John McDowall wrote:
> > Hi everyone,
> >
> > This may be a dumb question, I have set up a simple test environment
> > with multiple network namespaces running on a ubuntu 20.04 vagrant
> > box, with the latest github libbpf.
> >
> > I want to use a pinned map, I can make /sys/fs/bpf shared by:
> >
> > $ mount mount --make-shared /sys/fs/bpf
> > $ mount --bind /sys/fs/bpf /sys/fs/bpf
> >
> > but when I try access the maps from a C program running in a namespace
> > using bpf I get
> >
> >  Access to /sys/fs/bpf/lwtconfig map failed obj_pin errno: No such
> > file or directory
> >
> > The code snippet is:
> >
> > mapfd = bpf_obj_pin(pin_fd,CONFIG_MAP_PATH);
> >         if (mapfd < 0) {
> >             jed_info(jed_logfile,"Access to %s map failed obj_pin ",
> > CONFIG_MAP_PATH);
>
> Hi, from your log message ("obj_pin") it looks like the error occurs
> when you try to pin the map, not when you try to access it. The way you
> try to pin it:
>
>         mapfd = bpf_obj_pin(pin_fd,CONFIG_MAP_PATH);
>
> looks suspicious. If I remember correctly, bpf_obj_pin() returns 0 on
> success, it does not return a fd. It does use a file descriptor to the
> map as a first argument, can you double check that this is what "pin_fd"
> contains? How did you retrieve this fd? It looks to me like "pin_fd"
> does not point to an existing map, and that the kernel fails to find the
> map to pin.
>
> Good luck,
> Quentin

Re: Using pinned maps within a network namespace

[John McDowall]

Song,

You are right the issue is that in a new namespace /sys/fs/bpf is readonly.

On host system (Centos 8.2)

[jmcdowall@jed102 framework]$ ls -al /sys/fs
total 0
drwxr-xr-x.  9 root root   0 Jul 15 16:01 .
dr-xr-xr-x. 13 root root   0 Jul 15 16:02 ..
drwx-----T.  2 root root   0 Jul 15 16:01 bpf
drwxr-xr-x. 14 root root 360 Jul 15 16:01 cgroup
drwxr-xr-x.  4 root root   0 Jul 22 11:58 ext4
drwxr-xr-x.  3 root root   0 Jul 16 11:05 fuse
drwxr-x---.  2 root root   0 Jul 15 16:01 pstore
drwxr-xr-x.  7 root root   0 Jul 15 16:01 selinux
drwxr-xr-x.  5 root root   0 Jul 29 18:58 xfs
[jmcdowall@jed102 framework]$

Then create a network namespace

[jmcdowall@jed102 framework]$ sudo ip netns add test
[sudo] password for jmcdowall:
[jmcdowall@jed102 framework]$ sudo ip netns exec test ls -la /sys/fs
total 0
drwxr-xr-x.  9 root root 0 Sep 25 14:31 .
dr-xr-xr-x. 13 root root 0 Jul 15 16:02 ..
dr-xr-xr-x.  2 root root 0 Sep 25 14:31 bpf
dr-xr-xr-x.  2 root root 0 Sep 25 14:31 cgroup
drwxr-xr-x.  4 root root 0 Sep 25 14:31 ext4
drwxr-xr-x.  3 root root 0 Sep 25 14:31 fuse
dr-xr-xr-x.  2 root root 0 Sep 25 14:31 pstore
dr-xr-xr-x.  2 root root 0 Sep 25 14:31 selinux
drwxr-xr-x.  5 root root 0 Sep 25 14:31 xfs
[jmcdowall@jed102 framework]$

and the bpf directory is readonly.

There does not seem to be a way to make the directory writable.

Does anyone have any ideas?

Regards

John



On Tue, Sep 15, 2020 at 10:12 PM Y Song <ys114321@gmail.com> wrote:
>
> On Tue, Sep 15, 2020 at 11:46 AM John McDowall
> <jmcdowall@paloaltonetworks.com> wrote:
> >
> > Hi everyone,
> >
> > This may be a dumb question, I have set up a simple test environment
> > with multiple network namespaces running on a ubuntu 20.04 vagrant
> > box, with the latest github libbpf.
> >
> > I want to use a pinned map, I can make /sys/fs/bpf shared by:
> >
> > $ mount mount --make-shared /sys/fs/bpf
> > $ mount --bind /sys/fs/bpf /sys/fs/bpf
>
> Similar commands `mount --bind /sys/fs/bpf /sys/fs/bpf1` in the same namespace
> works fine.
>
> Maybe there are restrictions related to namespace? Maybe it becomes readonly?
> Could you print out the error code below?
>
> >
> > but when I try access the maps from a C program running in a namespace
> > using bpf I get
> >
> >  Access to /sys/fs/bpf/lwtconfig map failed obj_pin errno: No such
> > file or directory
> >
> > The code snippet is:
> >
> > mapfd = bpf_obj_pin(pin_fd,CONFIG_MAP_PATH);
> >         if (mapfd < 0) {
> >             jed_info(jed_logfile,"Access to %s map failed obj_pin ",
> > CONFIG_MAP_PATH);
> >             pin_fd = bpf_obj_get(CONFIG_MAP_PATH);
> >             if (pin_fd < 0){
> >              jed_error(jed_logfile,"Access to %s map failed with
> > obj_get ", CONFIG_MAP_PATH);
> >             }
> >         }
> >
> > Is this possible, and if so what am I missing?
> >
> > Regards
> >
> > John

Re: Using pinned maps within a network namespace

[Y Song]

On Fri, Sep 25, 2020 at 3:54 PM John McDowall
<jmcdowall@paloaltonetworks.com> wrote:
>
> Song,
>
> You are right the issue is that in a new namespace /sys/fs/bpf is readonly.
>
> On host system (Centos 8.2)
>
> [jmcdowall@jed102 framework]$ ls -al /sys/fs
> total 0
> drwxr-xr-x.  9 root root   0 Jul 15 16:01 .
> dr-xr-xr-x. 13 root root   0 Jul 15 16:02 ..
> drwx-----T.  2 root root   0 Jul 15 16:01 bpf

You probably called
   mount -t bpf bpf /sys/fs/bpf
with additional mode options to mount bffs.

> drwxr-xr-x. 14 root root 360 Jul 15 16:01 cgroup
> drwxr-xr-x.  4 root root   0 Jul 22 11:58 ext4
> drwxr-xr-x.  3 root root   0 Jul 16 11:05 fuse
> drwxr-x---.  2 root root   0 Jul 15 16:01 pstore
> drwxr-xr-x.  7 root root   0 Jul 15 16:01 selinux
> drwxr-xr-x.  5 root root   0 Jul 29 18:58 xfs
> [jmcdowall@jed102 framework]$
>
> Then create a network namespace
>
> [jmcdowall@jed102 framework]$ sudo ip netns add test
> [sudo] password for jmcdowall:
> [jmcdowall@jed102 framework]$ sudo ip netns exec test ls -la /sys/fs
> total 0
> drwxr-xr-x.  9 root root 0 Sep 25 14:31 .
> dr-xr-xr-x. 13 root root 0 Jul 15 16:02 ..
> dr-xr-xr-x.  2 root root 0 Sep 25 14:31 bpf

This is just the default directory. It is not mounted with bpffs.

> dr-xr-xr-x.  2 root root 0 Sep 25 14:31 cgroup
> drwxr-xr-x.  4 root root 0 Sep 25 14:31 ext4
> drwxr-xr-x.  3 root root 0 Sep 25 14:31 fuse
> dr-xr-xr-x.  2 root root 0 Sep 25 14:31 pstore
> dr-xr-xr-x.  2 root root 0 Sep 25 14:31 selinux
> drwxr-xr-x.  5 root root 0 Sep 25 14:31 xfs
> [jmcdowall@jed102 framework]$
>
> and the bpf directory is readonly.
>
> There does not seem to be a way to make the directory writable.
>
> Does anyone have any ideas?

somethings like this may help.
mkdir /tmp/t
mount -t bpf bpf /tmp/t
ip netns exec test mount --bind /root/t /tmp/t
ip netns exec test mount | grep bpf
    none on /root/t type bpf (rw,relatime)

Now inside namespace, you will have a bpffs.
Based on my experience, you cannot create bpffs (like `mount -t bpf
bpf <...>`) inside the net namespace.

>
> Regards
>
> John
>
>
>
> On Tue, Sep 15, 2020 at 10:12 PM Y Song <ys114321@gmail.com> wrote:
> >
> > On Tue, Sep 15, 2020 at 11:46 AM John McDowall
> > <jmcdowall@paloaltonetworks.com> wrote:
> > >
> > > Hi everyone,
> > >
> > > This may be a dumb question, I have set up a simple test environment
> > > with multiple network namespaces running on a ubuntu 20.04 vagrant
> > > box, with the latest github libbpf.
> > >
> > > I want to use a pinned map, I can make /sys/fs/bpf shared by:
> > >
> > > $ mount mount --make-shared /sys/fs/bpf
> > > $ mount --bind /sys/fs/bpf /sys/fs/bpf
> >
> > Similar commands `mount --bind /sys/fs/bpf /sys/fs/bpf1` in the same namespace
> > works fine.
> >
> > Maybe there are restrictions related to namespace? Maybe it becomes readonly?
> > Could you print out the error code below?
> >
> > >
> > > but when I try access the maps from a C program running in a namespace
> > > using bpf I get
> > >
> > >  Access to /sys/fs/bpf/lwtconfig map failed obj_pin errno: No such
> > > file or directory
> > >
> > > The code snippet is:
> > >
> > > mapfd = bpf_obj_pin(pin_fd,CONFIG_MAP_PATH);
> > >         if (mapfd < 0) {
> > >             jed_info(jed_logfile,"Access to %s map failed obj_pin ",
> > > CONFIG_MAP_PATH);
> > >             pin_fd = bpf_obj_get(CONFIG_MAP_PATH);
> > >             if (pin_fd < 0){
> > >              jed_error(jed_logfile,"Access to %s map failed with
> > > obj_get ", CONFIG_MAP_PATH);
> > >             }
> > >         }
> > >
> > > Is this possible, and if so what am I missing?
> > >
> > > Regards
> > >
> > > John