-
Notifications
You must be signed in to change notification settings - Fork 685
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Utility function to remove memlock rlimit #392
Conversation
Personal opinion, but I think it is not a good idea to set limits to infinity without the option to set them to their original values. Rlimits often need to be increased to load eBPF resources but should then be set again to the original value, I think. |
@florianl I think in practice everyone just bumps RLIMIT_MEMLOCK unconditionally. We could return the original memlock limit from the function, to enable users to reset the limit themselves. But then they can just call the syscall directly, I would think? What I wonder: should this function be |
Maybe my context is different, but I think it is good practice to only increase RLimit while loading eBPF resources. Staying with E.g. cilium/cilium also follows this practice: If a program sets A pattern I'm used to for such cases is something like:
|
I don't think that is true in general for the cilium agent: https://github.com/cilium/cilium/blob/1695d9c59ac4e78b5a02a96e83a57ec07ddbaa7f/daemon/cmd/daemon.go#L340 I shared your hesitancy re. RLIMIT_MEMLOCK, but it's what we've been using in production for several years without adverse effects. Do know of cases where this caused a problem? |
Although still potentially racy, I think returning a function that can be used to reset the rlimit to its value before the infinity bump could make sense here. The caller remains in control, and they're free to ignore the function. This would be rather convenient, and maintains rlimit's footgun removal feature. 🙂 |
Monitoring |
Thanks, I updated it to return a function that resets the value as suggested. Any thoughts on a good name for it? Would you prefer |
Also nice, both work for me.
Do you have thoughts on this? |
I wasn't able to find a way to detect if memcg is available. Found https://lore.kernel.org/bpf/CAEf4BzYe1SDnWBzAP_U7NtUhu_cWa0EEMLv+d-q3YTFvP+y3og@mail.gmail.com/ which discussed the same issue but also didn't come up with a solution. The best alternative I can think of at the moment would be to simply document this in the doc string of the function, saying something along the way of "not necessary on kernels 5.11+ (?)" |
process.go
Outdated
import ( | ||
"fmt" | ||
|
||
"golang.org/x/sys/unix" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please import github.com/cilium/ebpf/internal/unix
instead, that contains dummy definitions so that working on the code base works on non-linux OS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good call, I had no idea there was one. Done.
Thanks for checking, that is useful context to have! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Good to go when internal/unix
is imported, the necessary symbols are already there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So sorry, thought of one more quick change after I clicked submit: could we also point the rlimit code in internal/testutils/rlimit.go:init()
to this function instead? That way, we get test coverage for free.
Will require moving this function to internal/unix
and adding a small wrapper or alias in package ebpf.
Thank you
TODO (in a separate PR) is to update what's under |
Works for me. @ti-mo? |
…MLOCK Also switches over testutils to use this implementation for free test coverage. Signed-off-by: Timo Beckers <timo@isovalent.com>
1395832
to
17aba02
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've squashed the commits. Also found a typo, removed unix.Setrlimit
and moved the wrapper to syscalls.go
, didn't really warrant its own file.
I've also found |
This should implement the suggestion in #290 if I understood it correctly.
Wasn't sure what package this would best live in, let me know if there's a better location/name.
Going to open another PR to update the examples once (if) this gets merged.