[net] Exclude net prio and classid cgroups to avoid conflict with cgroup2 #198
modules CONFIG_NET_CLS_CGROUP, CONFIG_NETFILTER_XT_MATCH_CGROUP
in Kconfig to disable those v1 cgroups.
The system contains programs which use both groups v1 and v2, e.g. docker
uses net_prio, net_cls and "ip vrf" uses cgroup2 socket matching.
But the Linux kernel does not allow working with net_prio, net_cls and
socket matching from cgroup2 at the same time. Link to the comment in the source file:
https://elixir.bootlin.com/linux/v4.19.156/source/include/linux/cgroup-defs.h#L745
The related warning, appearing on startup: "sonic INFO kernel: [ 14.057746] cgroup:
cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation".
Disabling net_prio and net_cls will prevent this conflict and make programs
which use cgroup2 socket matching work correctly.
Signed-off-by: Maksym Belei [email protected]
What I did
Resolves sonic-net/sonic-buildimage#6858
The following cgroups have been disabled in the Linux kernel: net_prio, net_cls. Their dependent modules have been disabled too.

Why I did it
Using the v1 cgroups makes it impossible to use socket matching from cgroup2. Here is the comment from the Linux kernel:
https://elixir.bootlin.com/linux/v4.19.156/source/include/linux/cgroup-defs.h#L745
Syslog with the related warning:
sonic INFO kernel: [ 14.057746] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
As some utilities in the system, like ip vrf, use cgroup2, it is necessary to disable net_prio, net_cls to ensure that those utilities work correctly.

How I verified it
sudo ip vrf exec mgmt ping {IP address of eth0 interface}
or show ntp (if NTP has been configured through the eth0 interface)
If there is a conflict in cgroups, the ip vrf utility will not be able to work in the scope of the VRF.
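
A check for the two symptoms this PR describes, as an added example that is not part of the PR or the SONiC code base: it looks for the net_cls and net_prio controllers in a /proc/cgroups-format file and for the quoted kernel warning in a saved log. The function names and the log-file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check for the cgroup v1/v2 socket-matching conflict.
# Function names are hypothetical; nothing here comes from the PR's own code.

# Print the v1 net controllers listed in a /proc/cgroups-format file.
# Controllers compiled out of the kernel do not appear in that file at all.
v1_net_controllers() {
    awk '$1 == "net_cls" || $1 == "net_prio" { print $1 }' "${1:-/proc/cgroups}"
}

# Succeed if the kernel log file contains the warning quoted in the PR.
sockmatch_disabled() {
    grep -q 'disabling cgroup2 socket matching due to net_prio or net_cls activation' "$1"
}

# Return 0 when neither symptom is present, 1 otherwise.
# $1: /proc/cgroups-format file, $2: optional saved kernel log.
check_cgroup_conflict() {
    result=0
    found=$(v1_net_controllers "${1:-/proc/cgroups}")
    if [ -n "$found" ]; then
        echo "v1 net controllers still registered:" $found
        result=1
    fi
    if [ -n "${2:-}" ] && sockmatch_disabled "$2"; then
        echo "kernel log: cgroup2 socket matching was disabled"
        result=1
    fi
    return "$result"
}

# Constructed sample (not captured from a device): state before the change.
demo_before() {
    d=$(mktemp -d)
    printf 'cpu\t2\t1\t1\nnet_cls\t4\t1\t1\nnet_prio\t4\t1\t1\n' > "$d/cgroups"
    echo 'kernel: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation' > "$d/log"
    if check_cgroup_conflict "$d/cgroups" "$d/log"; then demo_rc=0; else demo_rc=1; fi
    rm -rf "$d"
    return "$demo_rc"
}

# Live use: dmesg > /tmp/kernel.log; check_cgroup_conflict /proc/cgroups /tmp/kernel.log
```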