[Devel] [PATCH RHEL10 COMMIT] ve: Add bpf_prog_max_nr/bpf_prog_avail_nr cgroup files
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Jun 18 19:58:27 MSK 2026
The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.12.3.vz10
------>
commit 52c8700582bfe02a62f61f21451a63bbb3869495
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Fri May 29 16:42:12 2026 +0200
ve: Add bpf_prog_max_nr/bpf_prog_avail_nr cgroup files
Expose the per-VE BPF program load limit via two ve cgroup files:
bpf_prog_max_nr - rw, writable only from ve0, restricts loads
bpf_prog_avail_nr - ro, remaining quota
Writes adjust the avail counter by the delta so that already-loaded
programs are not retroactively rejected when the cap is lowered.
https://virtuozzo.atlassian.net/browse/VSTOR-131947
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Feature: ve: allow BPF in Containers
---
kernel/ve/ve.c | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 9938d87c8462c..4c7a8649ac42d 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1076,6 +1076,35 @@ static s64 ve_netif_avail_nr_read(struct cgroup_subsys_state *css, struct cftype
return atomic_read(&css_to_ve(css)->netif_avail_nr);
}
+static u64 ve_bpf_prog_max_nr_read(struct cgroup_subsys_state *css, struct cftype *cft)
+{
+ return css_to_ve(css)->bpf_prog_max_nr;
+}
+
+static int ve_bpf_prog_max_nr_write(struct cgroup_subsys_state *css, struct cftype *cft, u64 val)
+{
+ struct ve_struct *ve = css_to_ve(css);
+ int delta;
+
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
+ if (val > INT_MAX)
+ return -EOVERFLOW;
+
+ down_write(&ve->op_sem);
+ delta = val - ve->bpf_prog_max_nr;
+ ve->bpf_prog_max_nr = val;
+ atomic_add(delta, &ve->bpf_prog_avail_nr);
+ up_write(&ve->op_sem);
+ return 0;
+}
+
+static s64 ve_bpf_prog_avail_nr_read(struct cgroup_subsys_state *css, struct cftype *cft)
+{
+ return atomic_read(&css_to_ve(css)->bpf_prog_avail_nr);
+}
+
static int ve_os_release_read(struct seq_file *sf, void *v)
{
struct cgroup_subsys_state *css = seq_css(sf);
@@ -1588,6 +1617,16 @@ static struct cftype ve_cftypes[] = {
.name = "netif_avail_nr",
.read_s64 = ve_netif_avail_nr_read,
},
+ {
+ .name = "bpf_prog_max_nr",
+ .flags = CFTYPE_NOT_ON_ROOT,
+ .read_u64 = ve_bpf_prog_max_nr_read,
+ .write_u64 = ve_bpf_prog_max_nr_write,
+ },
+ {
+ .name = "bpf_prog_avail_nr",
+ .read_s64 = ve_bpf_prog_avail_nr_read,
+ },
{
.name = "os_release",
.max_write_len = __NEW_UTS_LEN + 1,
More information about the Devel
mailing list