I am using Cilium ebpf to attach programs to cgroups. However, in my code I didn’t detach the program correctly and now I have some cgroup programs running in the background and I am trying to look for other ways to close them.
I tried to delete everything with bpftool cgroup detach CGROUP ATTACH_TYPE PROG, and when I run bpftool cgroup tree at first, I get nothing in the tree. I then ran bpftool prog show but still got cgroup programs running like the following:
1096: cgroup_device tag 47dd357395126b0c gpl
loaded_at 2023-02-23T13:36:22-0500 uid 0
xlated 504B jited 309B memlock 4096B
1097: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-02-23T13:36:22-0500 uid 0
xlated 64B jited 54B memlock 4096B
1098: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-02-23T13:36:22-0500 uid 0
xlated 64B jited 54B memlock 4096B
1099: cgroup_device tag b73cbcf8b8c71a5b gpl
loaded_at 2023-02-23T13:36:22-0500 uid 0
xlated 496B jited 307B memlock 4096B
1100: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-02-23T13:36:22-0500 uid 0
xlated 64B jited 54B memlock 4096B
1101: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-02-23T13:36:22-0500 uid 0
xlated 64B jited 54B memlock 4096B
1102: cgroup_device tag ce28cc67158d681f gpl
loaded_at 2023-02-23T13:36:22-0500 uid 0
xlated 744B jited 447B memlock 4096B
1103: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-02-23T13:36:22-0500 uid 0
xlated 64B jited 54B memlock 4096B
1104: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-02-23T13:36:22-0500 uid 0
xlated 64B jited 54B memlock 4096B
1105: cgroup_device tag 26dcd5a87c1d07a2 gpl
loaded_at 2023-02-23T13:40:36-0500 uid 0
xlated 440B jited 268B memlock 4096B
1106: cgroup_device tag ab4bc4523b7fe6b4
loaded_at 2023-02-23T13:40:36-0500 uid 0
xlated 552B jited 353B memlock 4096B
1107: cgroup_device tag 26dcd5a87c1d07a2 gpl
loaded_at 2023-02-23T13:40:36-0500 uid 0
xlated 440B jited 268B memlock 4096B
1108: cgroup_device tag ab4bc4523b7fe6b4
loaded_at 2023-02-23T13:40:36-0500 uid 0
xlated 552B jited 353B memlock 4096B
What's more, whenever I restart my virtual machine and type bpftool cgroup tree, my previously empty tree has content again. Here is what's shown when bpftool cgroup tree is called:
CgroupPath
ID AttachType AttachFlags Name
/sys/fs/cgroup/system.slice/systemd-udevd.service
1844 ingress
1843 egress
1842 device multi
/sys/fs/cgroup/system.slice/docker-c515f626ae992e61d4894704823a9fbc41ce42fbc7a8e4b26cc7ca07ba5ef1cb.scope
1865 device multi
/sys/fs/cgroup/system.slice/systemd-journald.service
1840 ingress
1839 egress
1838 device multi
/sys/fs/cgroup/system.slice/docker-67d06fd3514a55c180718472791e45aae102830f6d35e1c6acf073598115a5ee.scope
1869 device multi
/sys/fs/cgroup/system.slice/systemd-logind.service
1848 ingress
1847 egress
1846 device multi
I tried to delete everything with bpftool cgroup detach CGROUP ATTACH_TYPE PROG again, but these programs don't seem to go away. To prevent further leakage I froze the maps and got rid of them. If I try to delete these programs using bpftool prog detach PROG ATTACH_TYPE [MAP], I get either failure to detach from map or several programs have the same handle.
For the cgroups that belong to docker containers, I can fix the issue by simply removing the docker containers. For the other cgroups, I am unsure whether there are other ways to detach these programs without needing to use bpftool.
Any advice is greatly appreciated. Thanks in advance!
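
An added example, not part of the original post: it cross-references the two bpftool listings to report which loaded cgroup_* programs no cgroup in the tree references, meaning they are kept alive by some reference other than an attachment listed in the tree. The sample listings are constructed in the post's output format, and the function names are this example's own.

```python
import re

# Constructed sample output in the plain-text format shown in the post.
PROG_SHOW = """\
12: kprobe  tag 1111111111111111  gpl
    loaded_at 2023-02-23T13:30:00-0500  uid 0
1096: cgroup_device  tag 47dd357395126b0c  gpl
    loaded_at 2023-02-23T13:36:22-0500  uid 0
    xlated 504B  jited 309B  memlock 4096B
1097: cgroup_skb  tag 6deef7357e7b4530  gpl
    loaded_at 2023-02-23T13:36:22-0500  uid 0
1105: cgroup_device  tag 26dcd5a87c1d07a2  gpl
    loaded_at 2023-02-23T13:40:36-0500  uid 0
"""
CGROUP_TREE = """\
CgroupPath
ID       AttachType      AttachFlags     Name
/sys/fs/cgroup/system.slice/systemd-udevd.service
    1097     ingress
    1096     device          multi
"""

# "<id>: <type> [name <name>] tag <16 hex digits>" starts each program entry.
PROG_RE = re.compile(r"^(\d+):\s+(\S+)\s+(?:name\s+\S+\s+)?tag\s+([0-9a-f]{16})")
ATTACH_RE = re.compile(r"^\s*(\d+)\s+(\S+)")

def parse_prog_show(text):
    """Map program ID -> (program type, tag) from `bpftool prog show` text."""
    progs = {}
    for line in text.splitlines():
        m = PROG_RE.match(line)
        if m:
            progs[int(m.group(1))] = (m.group(2), m.group(3))
    return progs

def parse_cgroup_tree(text):
    """Map program ID -> [(cgroup path, attach type)] from `bpftool cgroup tree`."""
    attached, path = {}, None
    for line in text.splitlines():
        if line.strip().startswith("/"):
            path = line.strip()          # a cgroup path opens a new group
        elif path and (m := ATTACH_RE.match(line)):
            attached.setdefault(int(m.group(1)), []).append((path, m.group(2)))
    return attached

def unattached_cgroup_progs(prog_text, tree_text):
    """IDs of loaded cgroup_* programs that no cgroup in the tree references."""
    attached = parse_cgroup_tree(tree_text)
    return sorted(pid for pid, (ptype, _) in parse_prog_show(prog_text).items()
                  if ptype.startswith("cgroup_") and pid not in attached)
```
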