[net] Exclude net prio and classid cgroups to avoid conflict with cgroup2

[ghost]

• Unset CONFIG_CGROUP_NET_CLASSID, CONFIG_CGROUP_NET_PRIO and depended
  modules CONFIG_NET_CLS_CGROUP, CONFIG_NETFILTER_XT_MATCH_CGROUP
  in Kconfig to disable those v1 cgroups.
  The system contains programs, which use both groups v1 and v2, e.g. docker
  uses net_prio, net_cls and "ip vrf" uses cgroup2 socket matching.
  But, Linux kernel does not allow to work with net_prio, net_cls and
  socket matching from cgroup2 in the same time. Link to comment in source file:
  https://elixir.bootlin.com/linux/v4.19.156/source/include/linux/cgroup-defs.h#L745
  The related warning, appearing on startup: "sonic INFO kernel: [ 14.057746] cgroup:
  cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation".
  Disabling of net_prio and net_cls will prevent this conflict and make programs,
  which uses cgroup2 socket matching, to be working correct.

Signed-off-by: Maksym Belei [email protected]

What I did
Resolves sonic-net/sonic-buildimage#6858
The next cgroups has disabled in Linux kernel: net_prio, net_cls. Their depended modules has disabled too.

Why I did it
Using of the v1 cgroups makes impossible using of socket matching from cgroup2. Here is comment from Linux kernel:
https://elixir.bootlin.com/linux/v4.19.156/source/include/linux/cgroup-defs.h#L745
Syslog with the related warning:
sonic INFO kernel: [ 14.057746] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation

As some utilities in the system, like ip vrf, use cgroup2, there is necessity to disable net_prio, net_cls to ensure that those utilities will work correct.

How I verified it

1. sudo config vrf add mgmt
2. sudo ip vrf exec mgmt ping {IP address of eth0 interface} or show ntp(if NTP has configured through eth0 interface)

If there is the conflict in cgroups, ip vrf utility will not be able to work in scope of the VRF.

[paulmenzel]

Thank you for the patch. Can you please add the details, how to reproduce this? I would have imagined, if there was a conflict, than the Linux would have measure to prevent it.

[ghost]

@paulmenzel, could you check the related defect: sonic-net/sonic-buildimage#6858? There is information about how to reproduce the issue and my investigation result with evidences regarding conflict of usage of cgroups v1 and v2. Also, here is 3rd party source with information, regarding net_prio, net_cls and socket matching in cgroup2.

I am currently testing the change locally, could somebody check it with pure jenkins build?

[paulmenzel]

Thank you for your quick reply. A commit message should be self-contained in my opinion. I am going to check in the next days, but it’d be great, if you extended the commit message.

[ghost]

Commit message has updated, could you check it?

[ghost]

@lguohan, the issue is being occurred on 202012 too. I think we can cherry-pick the solution to 202012 without any changes. Could you mark it as for 202012?

[dprital]

@daall - Can you please merge to 202012 ?