[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20191216160002.vytwcpremx2e7ae3@ast-mbp.dhcp.thefacebook.com>
Date: Mon, 16 Dec 2019 08:00:04 -0800
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: Jesper Dangaard Brouer <brouer@...hat.com>,
Toke Høiland-Jørgensen <toke@...hat.com>,
Alexei Starovoitov <ast@...nel.org>, netdev@...r.kernel.org,
bpf@...r.kernel.org, guro@...com, hannes@...xchg.org, tj@...nel.org
Subject: Re: [PATCH bpf-next] libbpf: Print hint about ulimit when getting
permission denied error
On Mon, Dec 16, 2019 at 04:53:36PM +0100, Daniel Borkmann wrote:
> On Mon, Dec 16, 2019 at 02:52:30PM +0100, Jesper Dangaard Brouer wrote:
> > On Mon, 16 Dec 2019 13:40:31 +0100
> > Toke Høiland-Jørgensen <toke@...hat.com> wrote:
> >
> > > Probably the single most common error newcomers to XDP are stumped by is
> > > the 'permission denied' error they get when trying to load their program
> > > and 'ulimit -r' is set too low. For examples, see [0], [1].
> > >
> > > Since the error code is UAPI, we can't change that. Instead, this patch
> > > adds a few heuristics in libbpf and outputs an additional hint if they are
> > > met: If an EPERM is returned on map create or program load, and geteuid()
> > > shows we are root, and the current RLIMIT_MEMLOCK is not infinity, we
> > > output a hint about raising 'ulimit -r' as an additional log line.
> > >
> > > [0] https://marc.info/?l=xdp-newbies&m=157043612505624&w=2
> > > [1] https://github.com/xdp-project/xdp-tutorial/issues/86
> > >
> > > Signed-off-by: Toke Høiland-Jørgensen <toke@...hat.com>
> >
> > Acked-by: Jesper Dangaard Brouer <brouer@...hat.com>
> >
> > This is the top #1 issue users hit again-and-again, too bad we cannot
> > change the return code as it is UAPI now. Thanks for taking care of
> > this mitigation.
>
> It's an annoying error that comes up very often, agree, and tooling then
> sets it to a high value / inf anyway as next step if it has the rights
> to do so. Probably time to revisit the idea that if the user has the same
> rights as being able to set setrlimit() anyway, we should just not account
> for it ... incomplete hack:
We cannot drop it quite yet.
There are services that run under root that are relying on this rlimit
to prevent other root services from consuming too much memory.
We need memcg based alternative first before we can remove this limit.
Otherwise users have no way to restrict.
Powered by blists - more mailing lists