linux-kernel ebpf bpf cgroups

How to detach ebpf cgroup programs without using bpftool?


I am using Cilium ebpf to attach programs to cgroups. However, in my code I didn’t detach the program correctly and now I have some cgroup programs running in the background and I am trying to look for other ways to close them.

I tried to delete everything with bpftool cgroup detach CGROUP ATTACH_TYPE PROG, and when I run bpftool cgroup tree at first, I get nothing in the tree. I then ran bpftool prog show but still got cgroup programs running like the following:

1096: cgroup_device  tag 47dd357395126b0c  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
        xlated 504B  jited 309B  memlock 4096B
1097: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
        xlated 64B  jited 54B  memlock 4096B
1098: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
        xlated 64B  jited 54B  memlock 4096B
1099: cgroup_device  tag b73cbcf8b8c71a5b  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
        xlated 496B  jited 307B  memlock 4096B
1100: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
        xlated 64B  jited 54B  memlock 4096B
1101: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
        xlated 64B  jited 54B  memlock 4096B
1102: cgroup_device  tag ce28cc67158d681f  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
        xlated 744B  jited 447B  memlock 4096B
1103: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
        xlated 64B  jited 54B  memlock 4096B
1104: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
        xlated 64B  jited 54B  memlock 4096B
1105: cgroup_device  tag 26dcd5a87c1d07a2  gpl
        loaded_at 2023-02-23T13:40:36-0500  uid 0
        xlated 440B  jited 268B  memlock 4096B
1106: cgroup_device  tag ab4bc4523b7fe6b4
        loaded_at 2023-02-23T13:40:36-0500  uid 0
        xlated 552B  jited 353B  memlock 4096B
1107: cgroup_device  tag 26dcd5a87c1d07a2  gpl
        loaded_at 2023-02-23T13:40:36-0500  uid 0
        xlated 440B  jited 268B  memlock 4096B
1108: cgroup_device  tag ab4bc4523b7fe6b4
        loaded_at 2023-02-23T13:40:36-0500  uid 0
        xlated 552B  jited 353B  memlock 4096B

What's more, whenever I restart my virtual machine and type bpftool cgroup tree, my previously empty tree has content again. Here is what's shown when bpftool cgroup tree is called:

CgroupPath
ID       AttachType      AttachFlags     Name           
/sys/fs/cgroup/system.slice/systemd-udevd.service
    1844     ingress                                        
    1843     egress                                         
    1842     device          multi                          
/sys/fs/cgroup/system.slice/docker-c515f626ae992e61d4894704823a9fbc41ce42fbc7a8e4b26cc7ca07ba5ef1cb.scope
    1865     device          multi                          
/sys/fs/cgroup/system.slice/systemd-journald.service
    1840     ingress                                        
    1839     egress                                         
    1838     device          multi                          
/sys/fs/cgroup/system.slice/docker-67d06fd3514a55c180718472791e45aae102830f6d35e1c6acf073598115a5ee.scope
    1869     device          multi                          
/sys/fs/cgroup/system.slice/systemd-logind.service
    1848     ingress                                        
    1847     egress                                         
    1846     device          multi

I tried to delete everything with bpftool cgroup detach CGROUP ATTACH_TYPE PROG again, but these programs don't seem to go away. To prevent further leakage I froze the maps and got rid of them. If I try to delete these programs using bpftool prog detach PROG ATTACH_TYPE [MAP], I get either failure to detach from map or several programs have the same handle.

For the cgroups that belong to docker containers, I can fix the issue by simply removing the docker containers. For the other cgroups, I am unsure whether there are other ways to detach these programs without needing to use bpftool.

Any advice is greatly appreciated. Thanks in advance!


Solution

  • BPF programs are loaded in the kernel and attached to hook points. If you detach them, they remain loaded in the kernel and you will therefore see them in bpftool prog show. Those shouldn't matter however because they are not attached anywhere; at most, they consume a bit of memory in the kernel.

    Note that systemd installs some BPF cgroup programs. That's probably why you see some even after a reboot.
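
The difference between loaded and attached programs described in the answer, as an added example that is not part of the original question or answer: a Python script that cross-references the text output of bpftool prog show with bpftool cgroup tree, in the formats shown above, to list which cgroup programs are still hooked to a cgroup and which are only loaded. The sample text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample text in the formats shown above (not captured from a real host).
PROG_SHOW = """\
1096: cgroup_device  tag 47dd357395126b0c  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
1097: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
1098: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-02-23T13:36:22-0500  uid 0
1200: kprobe  tag 0000000000000000  gpl
"""
CGROUP_TREE = """\
CgroupPath
ID       AttachType      AttachFlags     Name
/sys/fs/cgroup/system.slice/systemd-udevd.service
    1097     ingress
    1096     device          multi
"""

PROG_RE = re.compile(r"^(\d+):\s+(cgroup_\w+)\b")   # "1096: cgroup_device ..."
ATTACH_RE = re.compile(r"^\s+(\d+)\s+(\w+)")        # "    1097     ingress"

def loaded_cgroup_progs(text):
    """Program ID -> type, for cgroup_* programs listed by 'bpftool prog show'."""
    matches = (PROG_RE.match(line) for line in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in matches if m}

def attached_progs(text):
    """Program ID -> [(cgroup path, attach type)] from 'bpftool cgroup tree'."""
    attached, path = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            path = line.strip()                     # a new cgroup section begins
        elif path and (m := ATTACH_RE.match(line)):
            attached.setdefault(int(m.group(1)), []).append((path, m.group(2)))
    return attached

def classify(prog_text, tree_text):
    """Program ID -> (type, attachments); an empty list means loaded but not attached."""
    attached = attached_progs(tree_text)
    return {pid: (ptype, attached.get(pid, []))
            for pid, ptype in sorted(loaded_cgroup_progs(prog_text).items())}

def loaded_only(report):
    """IDs of cgroup programs that appear in prog show but in no cgroup."""
    return [pid for pid, (_, hooks) in report.items() if not hooks]

if __name__ == "__main__":
    for pid, (ptype, hooks) in classify(PROG_SHOW, CGROUP_TREE).items():
        print(pid, ptype, hooks or "loaded only, not attached to any cgroup")
```

On a live host the two inputs would come from running bpftool prog show and bpftool cgroup tree as root; programs reported as loaded only are the ones the answer describes as still visible after a detach.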