mirror of
https://github.com/iharh/notes.git
synced 2025-10-29 20:56:06 +02:00
m
This commit is contained in:
parent
df85ef5e3e
Commit
9b95ccc522
10
os/linux/internals/cgroups/cgroups-systemd.txt
Normal file
@ -0,0 +1,10 @@
https://systemd.io/CONTROL_GROUP_INTERFACE/
https://systemd.io/CONTAINER_INTERFACE/
https://systemd.io/WRITING_VM_AND_CONTAINER_MANAGERS/

?
https://www.freedesktop.org/software/systemd/man/latest/systemd-cgls.html#
Recursively show control group contents
https://www.freedesktop.org/software/systemd/man/latest/machinectl.html#
https://www.freedesktop.org/software/systemd/man/latest/systemd-machined.service.html#
https://www.freedesktop.org/software/systemd/man/latest/org.freedesktop.machine1
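Review bot: the three freedesktop.org man-page links in this hunk (systemd-cgls, machinectl, systemd-machined.service) end in a bare `#` with no fragment, and the org.freedesktop.machine1 link is the only one of the four without the `.html` suffix; drop the stray `#` (or complete it with a real section anchor) and add `.html` to the last link so all four resolve consistently. The lone `?` line before the systemd-cgls link is an empty placeholder; write out the open question or remove it so it does not read as a stray character.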
@ -1,8 +1,18 @@
https://kernel.org/doc/html/latest/admin-guide/cgroup-v1/net_cls.html
https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html

https://systemd.io/CGROUP_DELEGATION/
This means systemd currently does not and will never manage the following controllers on cgroup v1:
freezer, cpuset, net_cls, perf_event, net_prio, hugetlb.
Why not? Depending on the case, either their API semantics or implementations aren’t really usable,
or it’s very clear they have no future on cgroup v2, and we won’t add new code for stuff that clearly has no future.

sudo mount | grep cgroup
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)

grep cgroup2 /proc/self/mountinfo
42 40 0:28 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:7 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot

sudo lsmod | grep net_cls
sudo mkdir /sys/fs/cgroup/net_cls/firefox
sudo sh -c "echo 0x100001 > /sys/fs/cgroup/net_cls/firefox/net_cls.classid"
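Review bot: the three net_cls commands at the end of this hunk contradict the system state recorded just above them: both `mount | grep cgroup` and `/proc/self/mountinfo` show only a unified `cgroup2` mount at `/sys/fs/cgroup`, so `/sys/fs/cgroup/net_cls/` does not exist there and `sudo mkdir /sys/fs/cgroup/net_cls/firefox` will fail with ENOENT, which is also what the quoted CGROUP_DELEGATION text predicts (systemd will not manage net_cls). Either record the step that mounts a cgroup v1 net_cls hierarchy on a separate mount point first (`mount -t cgroup -o net_cls ...`), or mark this block as superseded by the cgroup v2 nftables approach in the next hunk. Also note that `lsmod | grep net_cls` prints nothing even when the controller is available, because net_cls is a built-in kernel option (CONFIG_CGROUP_NET_CLASSID), not a loadable module; `grep net_cls /proc/cgroups` is the check that answers the question.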
@ -17,3 +27,76 @@ for the cgroup2

$ sudo cat /sys/fs/cgroup/cgroup.controllers
cpuset cpu io memory hugetlb pids rdma misc dmem


https://github.com/libcgroup/libcgroup
https://github.com/libcgroup/libcgroup/blob/main/README
https://github.com/libcgroup/libcgroup/issues/432
https://github.com/libcgroup/libcgroup/issues/432#issuecomment-2200828308
# export CGROUP_LOGLEVEL=debug
# cgexec ...

? misc
https://docs.kernel.org/admin-guide/cgroup-v2.html#misc
https://manpages.ubuntu.com/manpages/questing/en/man7/cgroups.7.html
There is no direct equivalent of the net_cls and net_prio controllers from cgroups version 1.
Instead, support has been added to iptables(8) to allow eBPF filters that hook on cgroup v2 path‐names to make decisions about network traffic on a per-cgroup basis.

! need
The kernel source file
Documentation/admin-guide/cgroup-v2.rst.

https://gist.github.com/kriswebdev/a8d291936fe4299fb17d3744497b1170
iptables_arg="--path $cgroup_name"
...
sudo iptables -t mangle -C OUTPUT -m cgroup $iptables_arg -j MARK --set-mark


# Создаем cgroup
mkdir -p /sys/fs/cgroup/my_cgroup
# Добавляем текущий процесс (или другой с PID x) в cgroup
echo $$ > /sys/fs/cgroup/my_cgroup/cgroup.procs

sudo nft add table inet filter
sudo nft add chain inet filter input { type filter hook input priority 0 \; }

???
sudo nft add rule inet filter output cgroup v2path "/my_cgroup" meta mark set 0x1
sudo nft add rule inet filter input cgroupv2 path /sys/fs/cgroup/my_cgroup mark set 0x1

sudo nft list ruleset
sudo tcpdump -nnvvv -i eth0 ip

https://git.netfilter.org/nftables/tree/py/src/nftables.py
https://blog.fraggod.net/2021/08/31/easy-control-over-applications-network-access-using-nftables-and-systemd-cgroup-v2-tree.html

!!!
https://unix.stackexchange.com/questions/752635/can-nftables-perform-postrouting-matching-on-crgroupv2
!!! need to read
https://github.com/mk-fg/systemd-cgroup-nftables-policy-manager
https://github.com/systemd/systemd/issues/7327

https://github.com/cedrickchee/awesome-wireguard
https://github.com/cedrickchee/awesome-wireguard#mesh-network
https://github.com/slackhq/nebula
https://noiseprotocol.org/
https://nebula.defined.net/docs/
https://medium.com/several-people-are-coding/introducing-nebula-the-open-source-global-overlay-network-from-slack-884110a5579
https://github.com/tonarino/innernet
https://blog.tonari.no/introducing-innernet
https://patchwork.ozlabs.org/project/netfilter-devel/patch/1479114761-19534-1-git-send-email-pablo@netfilter.org/#1511797
https://tailscale.com/
https://github.com/juanfont/headscale
https://headscale.net/stable/
https://www.youtube.com/@Tailscale/videos
misc
https://github.com/linuxserver/docker-wireguard
https://github.com/netbirdio/netbird
https://github.com/gravitl/netmaker
https://github.com/svenstaro/wiresmith


tools
https://github.com/wagoodman/dive
https://github.com/bitwister/twine
netwoking using labels

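Review bot: the two rules under `???` use cgroup match syntax that nft does not parse (`cgroup v2path "/my_cgroup"` and `cgroupv2 path /sys/fs/cgroup/my_cgroup`); the nftables cgroup v2 match is `socket cgroupv2 level N "path"` with the path relative to the cgroup root, so for `/sys/fs/cgroup/my_cgroup` the egress rule reads `sudo nft add rule inet filter output socket cgroupv2 level 1 "my_cgroup" meta mark set 0x1`, and the second rule should likewise use `meta mark set 0x1` rather than bare `mark set`. The first of those rules also targets an `output` chain that the hunk never creates: only `input` (hook input) is added two lines earlier, so `sudo nft add chain inet filter output { type filter hook output priority 0 \; }` is needed before the rule. Smaller points: the iptables line copied from the gist ends in `--set-mark` with no mark value (the `...` above it shows the excerpt was cut), `mkdir -p` and `echo $$ > .../cgroup.procs` are run without sudo although every other command in the block uses it, the two comments above them are in Russian while the rest of the notes are in English, and `netwoking` in the last line should be `networking`.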