Understanding Resource Limits in Linux eBPF

Resource Limits

The Linux kernel has protective mechanisms to prevent processes from consuming excessive memory. Since BPF maps can consume a significant amount of memory, they are also subject to these mechanisms.

rlimit (Resource Limit)

rlimit (resource limit) is a system mechanism used to track and limit the amount of specific resources that a process can use. One of the limited resources is “locked memory”; see https://man7.org/linux/man-pages/man2/getrlimit.2.html

Prior to Linux kernel v5.11, the memory used by BPF maps was counted towards the “locked memory” limit and was tracked and limited through the rlimit mechanism. As a result, users typically needed to increase or disable this rlimit, which requires additional permissions, specifically the CAP_SYS_RESOURCE capability.

cgroup Memory Limits

Starting from kernel v5.11, a set of patches switched the accounting and limiting mechanism for BPF memory from rlimit to cgroup. This means:

  • All memory used by BPF maps will count towards the total memory usage of the cgroup to which the process that created the map belongs;
  • There is no longer a need to grant the loader the CAP_SYS_RESOURCE capability;
  • If resource limits need to be adjusted, it should be done by setting the memory.max parameter of that cgroup.

rlimit switched to cgroup patches

https://lore.kernel.org/bpf/[email protected]/

Note that when compiling the kernel, the cgroup-based kernel memory accounting and limiting functionality can be disabled by turning off the MEMCG_KMEM configuration option. This option is enabled by default (y).

Note that starting from v6.3, the kernel introduced a boot parameter, cgroup.memory=nobpf, that can be used to completely disable cgroup accounting and limits for BPF memory.
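The following check is an added example, not code from the original page or from the kernel project: it reports which of the mechanisms described above accounts BPF map memory on the running host and reads the limit that currently applies. The function names are hypothetical. It assumes upstream kernel version numbers (no distribution backports), cgroup v2 mounted at /sys/fs/cgroup, and it cannot detect a kernel built without MEMCG_KMEM.

```python
import platform
import re
import resource
from pathlib import Path

def bpf_memory_regime(release, cmdline=""):
    """Map a kernel release string and boot command line to the mechanism
    that accounts BPF map memory: 'rlimit', 'cgroup' or 'unaccounted'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    version = (int(m.group(1)), int(m.group(2)))
    if version < (5, 11):
        return "rlimit"            # counted against RLIMIT_MEMLOCK
    if version >= (6, 3):          # cgroup.memory=nobpf exists from v6.3
        for arg in cmdline.split():
            key, _, value = arg.partition("=")
            if key == "cgroup.memory" and "nobpf" in value.split(","):
                return "unaccounted"
    return "cgroup"                # charged to the creating process's cgroup

def cgroup_v2_path(proc_cgroup_text):
    """Return the cgroup v2 path from /proc/<pid>/cgroup content, or None."""
    for line in proc_cgroup_text.splitlines():
        if line.startswith("0::"):
            return line[3:]
    return None

def describe_limit(regime, cgroup_root=Path("/sys/fs/cgroup")):
    """Read the limit that applies to this process under the given regime."""
    if regime == "rlimit":
        soft, hard = resource.getrlimit(resource.RLIMIT_MEMLOCK)
        show = lambda v: "unlimited" if v == resource.RLIM_INFINITY else f"{v} bytes"
        return f"RLIMIT_MEMLOCK soft={show(soft)} hard={show(hard)}"
    if regime == "cgroup":
        path = cgroup_v2_path(Path("/proc/self/cgroup").read_text())
        limit_file = cgroup_root / (path or "").lstrip("/") / "memory.max"
        if path is None or not limit_file.exists():   # v1 hierarchy or root cgroup
            return "no memory.max file for this cgroup"
        # Ancestor cgroups may set lower limits; only the process's own is read here.
        return f"{limit_file}: {limit_file.read_text().strip()}"
    return "BPF memory is not accounted (cgroup.memory=nobpf)"

if __name__ == "__main__":
    regime = bpf_memory_regime(platform.release(), Path("/proc/cmdline").read_text())
    print(f"kernel {platform.release()}: {regime}")
    print(describe_limit(regime))
```

Run it as the same user and inside the same cgroup (for example, the same container or systemd unit) as the BPF loader, since both the rlimit and the cgroup path are per-process.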

Src:

https://docs.ebpf.io/linux/concepts/resource-limit/

Last updated: December 20, 2024
