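openEuler 24.03 LTS Technical White Paper
• cgroup v2 features: compared with v1, cgroup v2 has a unified hierarchy, more complete thread-mode management, safer subtree delegation, and richer feature support.
1) Unified hierarchy: simplifies cgroup hierarchy management. Users do not need to configure multiple independent cgroup trees for different kinds of resource management, which reduces the difficulty of getting multiple controllers to work together. It provides a more consistent and simpler interface, making configuration easier to understand. Higher security, avoiding resource competition between parent and child cgroups: cgroup adds the restriction that a child cgroup's controllers can be enabled only when the parent cgroup itself contains no processes.
2) More complete thread-mode management: cgroup v2 introduces threaded mode, which restricts the subsystems that can be managed per thread. A thread can be assigned to a different cgroup independently of the other threads of its process, giving finer-grained control over a single thread's resource usage.
3) Safer subtree delegation: the delegation mechanism allows unprivileged users to create and manage their own cgroup hierarchies. Through ... QoS load balancing, further reducing QoS interference from offline workloads.
• SMT expeller priority-inversion feature: resolves the priority-inversion problem of the SMT expeller feature in co-located deployments, reducing the impact of offline tasks on the QoS of online tasks.
• Multiple priorities for co-location: allows a cgroup to configure cpu.qos_level from -2 to 2, i.e. multiple priorities; qos_level_weight sets the weight of each priority, resources are divided in proportion to CPU usage, and wakeup preemption is provided.
0 credits | 45 pages | 6.18 MB | 1 year ago
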
Linux command line for you and me Documentation Release 0.1
Docs: man:sshd(8) man:sshd_config(5) Main PID: 3673 (sshd) Tasks: 1 (limit: 4915) CGroup: /system.slice/sshd.service └─3673 /usr/sbin/sshd -D Jun 22 18:19:28 kdas-laptop systemd[1]: 10:03:25 UTC; 1 day 3h ago Main PID: 21019 (myserver) Tasks: 2 (limit: 50586) Memory: 9.6M CGroup: /system.slice/myserver.service ├─21019 /usr/bin/sh /usr/sbin/myserver └─21020 nosuid,nodev,seclabel,mode=755) tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755) cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,releas
0 credits | 124 pages | 510.85 KB | 1 year ago

Linux command line for you and me Documentation Release 0.1
18:19:28 IST; 1s ago Docs: man:sshd(8) man:sshd_config(5) Main PID: 3673 (sshd) Tasks: 1 (limit: 4915) CGroup: /system.slice/sshd.service 3673 /usr/sbin/sshd -D Jun 22 18:19:28 kdas-laptop systemd[1]: Starting 2022-03-12 10:03:25 UTC; 1 day 3h ago Main PID: 21019 (myserver) Tasks: 2 (limit: 50586) Memory: 9.6M CGroup: /system.slice/myserver.service 21019 /usr/bin/sh /usr/sbin/myserver 21020 python3 -m http.server nosuid,nodev,seclabel,mode=755) tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755) cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,rele
0 credits | 128 pages | 716.99 KB | 1 year ago

Containers and BPF: twagent story
namespaces: cgroup, mount, pid and optionally: ipc, net, user, uts ● cgroup v2 ● ... other usual building blocks ... ● cgroup-bpf programs 2 Vast majority of twagent tasks have one or more cgroup-bpf features only: ○ sysctl access control Let’s look at some of them .. Example of cgroup-bpf programs (bpftool cgroup tree): cgroup-bpf 3 Task IP assignment (aka IP-per-task) ● Facebook DC network is and UDP is enough Solution: ● Make task use specified IP by a set of BPF_PROG_TYPE_CGROUP_SOCK_ADDR and BPF_CGROUP_SOCK_OPS programs Move TCP/UDP servers to task IP: ● bind(2): ctx.user_ip6 = task_ip
0 credits | 9 pages | 427.42 KB | 1 year ago

Cilium v1.11 Documentation
kube-proxy), cgroup v2 needs to be enabled by setting the kernel systemd.unified_cgroup_hierarchy=1 parameter. Also, cgroup v1 controllers net_cls and net_prio have to be disabled, or cgroup v1 has to be (e.g. by setting the kernel cgroup_no_v1="all" parameter). This ensures that Kind nodes have their own cgroup namespace, and Cilium can attach BPF programs at the right cgroup hierarchy. To verify this, sudo ls -al /proc/$(docker inspect -f '{{.State.Pid}}' kind-control-plane)/ns/cgroup $ sudo ls -al /proc/self/ns/cgroup See the Pull Request [https://github.com/cilium/cilium/pull/16259] for more details
0 credits | 1373 pages | 19.37 MB | 1 year ago

Cilium v1.10 Documentation
replacement (Kubernetes Without kube-proxy), cgroup v1 controllers net_cls and net_prio have to be disabled, or cgroup v1 has to be disabled (e.g. by setting the kernel cgroup_no_v1="all" parameter). Validate the overlapping BPF cgroup type programs attached to the parent cgroup hierarchy of the kind container nodes. In such cases, either tear down Cilium, or manually detach the overlapping BPF cgroup programs running in the parent cgroup hierarchy by following the bpftool documentation [https://manpages.ubuntu.com/manpages/focal/man8/bpftool-cgroup.8.html]. For more information, see the Pull Request [https://github
0 credits | 1307 pages | 19.26 MB | 1 year ago

Cilium v1.9 Documentation
replacement (Kubernetes Without kube-proxy), cgroup v1 controllers net_cls and net_prio have to be disabled, or cgroup v1 has to be disabled (e.g. by setting the kernel cgroup_no_v1="all" parameter). Validate the overlapping BPF cgroup type programs attached to the parent cgroup hierarchy of the kind container nodes. In such cases, either tear down Cilium, or manually detach the overlapping BPF cgroup programs running in the parent cgroup hierarchy by following the bpftool documentation [https://manpages.ubuntu.com/manpages/focal/man8/bpftool-cgroup.8.html]. For more information, see the Pull Request [https://github
0 credits | 1263 pages | 18.62 MB | 1 year ago

Ubuntu Server Guide 18.04
"Synchronized to time server 91.189.89.198:123 (ntp.ubuntu.com)." Tasks: 2 (limit: 4915) CGroup: /system.slice/systemd-timesyncd.service |-3744 /lib/systemd/systemd-timesyncd Feb 23 to facilitate running in a container. This support is expected to land upstream soon. Note that 'cgroup namespace' support is also required. This is available in the 16.04 kernel as well as in the 4.6 configuration file: lxc.mount.auto = cgroup lxc.aa_profile = lxc-container-default-with-nesting The first will cause the cgroup manager socket to be bound into the container, so that
0 credits | 413 pages | 1.40 MB | 1 year ago

ubuntu server guide
conf(5) Main PID: 6198 (smbd) Status: "smbd: ready to serve connections..." Tasks: 4 (limit: 19660) CGroup: /system.slice/smbd.service ├─6198 /usr/sbin/smbd --foreground --no-process-group ├─6214 /usr/sbin/smbd parent container configuration file: lxc.mount.auto = cgroup lxc.aa_profile = lxc-container-default-with-nesting The first will cause the cgroup manager socket to be bound into the container, so that values for several lxc settings, including the lxcpath, the default configuration, cgroups to use, a cgroup creation pattern, and storage backend settings for lvm and zfs. • default.conf specifies configuration
0 credits | 486 pages | 3.33 MB | 1 year ago

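Cilium's Network Acceleration Secrets
• sched_cls: Cilium implements packet forwarding, load balancing and filtering at TC in the kernel
• xdp: Cilium implements packet forwarding, load balancing and filtering at XDP in the kernel
• cgroup_sock_addr: Cilium implements service resolution in the cgroup
• sock_ops + sk_msg: records the sockets used for communication between local applications, to accelerate forwarding of local packets
Accelerating communication between pods on the same node cilium -> pod3: 172.20.0.30:80 step2 pod3: 172.20.0.30:80 -> pod1: 172.20.0.10:10000 cgroup ebpf service DNAT connect sendmsg recvmsg getpeername bind Cilium's Host-Reachable technique uses eBPF programs to intercept the application's connect in the kernel
0 credits | 14 pages | 11.97 MB | 1 year ago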