All other resource control features work as 'best-effort', and failures
in applying them are handled gracefully. However, unlike the other features,
we tested if the BPF programs can be loaded and refuse execution on failure.
Moreover, the previous behavior of testing loading BPF programs had
inconsistency: the test was silently skipped if the cgroup for the unit does
not exist yet, but tested when the cgroup already exists.
Let's not handle failures in loading custom BPF programs as critical, but
gracefully ignore them, like we do for the other resource control features.
Follow-up for
fab347489fcfafbc8367c86afc637ce1b81ae59e.
one more restricted, depending on the use case.</para>
<para>Note that these settings might not be supported on some systems (for example if eBPF control group
- support is not enabled in the underlying kernel or container manager). These settings will fail the service in
+ support is not enabled in the underlying kernel or container manager). These settings will have no effect in
that case. If compatibility with such systems is desired it is hence recommended to attach your filter manually
(requires <varname>Delegate=</varname><constant>yes</constant>) instead of using this setting.</para>
if (set_isempty(pids))
return 0;
- /* Load any custom firewall BPF programs here once to test if they are existing and actually loadable.
- * Fail here early since later errors in the call chain unit_realize_cgroup to cgroup_context_apply are ignored. */
- r = bpf_firewall_load_custom(u);
- if (r < 0)
- return r;
-
r = unit_realize_cgroup(u);
if (r < 0)
return r;
assert(u);
- /* Load any custom firewall BPF programs here once to test if they are existing and actually loadable.
- * Fail here early since later errors in the call chain unit_realize_cgroup to cgroup_context_apply are ignored. */
- r = bpf_firewall_load_custom(u);
- if (r < 0)
- return r;
-
/* Prepares everything so that we can fork of a process for this unit */
r = unit_realize_cgroup(u);
projects / thirdparty / systemd.git / commitdiff
