Nimrodshn

Reputation: 971

Attaching an eBPF program to a container cgroup

I would like to attach an eBPF program to a cgroup associated with an envoy container (running on host namespace, --net=host) in order to monitor and mark its packets:

// bpf.c
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

// Runs on every egress packet of sockets belonging to the attached cgroup.
SEC("cgroup_skb/egress")
int mark_egress_packets(struct __sk_buff *skb) {
    bpf_printk("Got here...\n");
    return 1; // 1 = allow the packet, 0 = drop it
}

char _license[] SEC("license") = "GPL";
// userspace code using Cilium (imports: log, github.com/cilium/ebpf, github.com/cilium/ebpf/link).
// cgroup.DetectCgroupPath is a helper defined elsewhere in the poster's code, not part of cilium/ebpf;
// objs holds the bpf2go-generated objects loaded from bpf.c.
cgroupPath, err := cgroup.DetectCgroupPath(containerName)
if err != nil {
    log.Fatal(err)
}

// Link the mark_egress_packets program to the cgroup.
// Path must be a directory on the cgroup v2 (unified) hierarchy; a v1 controller
// directory such as net_cls is not a valid attach target for cgroup_skb programs.
l, err := link.AttachCgroup(link.CgroupOptions{
    Path:    cgroupPath,
    Attach:  ebpf.AttachCGroupInetEgress,
    Program: objs.MarkEgressPackets,
})
if err != nil {
    return nil, err
}

However, I am not entirely sure which cgroup fs I should mount to, having tried both /sys/fs/cgroup/unified/docker/<container_id>, which successfully mounts but shows no prints in trace_pipe,

as well as /sys/fs/cgroup/net_cls/docker/<container_id>, which returns the following error: cgroup: can't attach program: bad file descriptor.

What should I do? It's not clear what the best path forward is.

P.S. The output of cat /proc/<container_pid>/cgroup is:

12:hugetlb:/docker/<container_id>
11:freezer:/docker/<container_id>
10:perf_event:/docker/<container_id>
9:memory:/docker/<container_id>
8:net_cls,net_prio:/docker/<container_id>
7:blkio:/docker/<container_id>
6:pids:/docker/<container_id>
5:rdma:/docker/<container_id>
4:cpu,cpuacct:/docker/<container_id>
3:cpuset:/docker/<container_id>
2:devices:/docker/<container_id>
1:name=systemd:/docker/<container_id>
0::/docker/<container_id>

Upvotes: 1

Views: 625
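The attach target for a cgroup_skb program has to be a directory on the cgroup v2 (unified) hierarchy; in the /proc/<container_pid>/cgroup listing above that is the `0::/docker/<container_id>` line, relative to wherever the cgroup2 filesystem is mounted (/sys/fs/cgroup/unified on this hybrid host). The following is an added example, not the poster's cgroup.DetectCgroupPath helper nor cilium/ebpf code: a Go helper that derives that directory from the /proc/<pid>/cgroup and /proc/self/mountinfo contents, with a constructed sample of both embedded; the mountinfo line and the function names are assumptions.

```go
package main

import (
	"bufio"
	"errors"
	"path/filepath"
	"strings"
)

// Constructed sample: the question's hybrid /proc/<pid>/cgroup (shortened) and a made-up mountinfo.
const SampleProcCgroup = "8:net_cls,net_prio:/docker/<container_id>\n0::/docker/<container_id>\n"
const SampleMountinfo = "33 25 0:29 / /sys/fs/cgroup/unified rw shared:9 - cgroup2 cgroup2 rw,nsdelegate\n" +
	"34 25 0:30 / /sys/fs/cgroup/net_cls,net_prio rw shared:10 - cgroup cgroup rw,net_cls\n"

// Picks the unified entry "0::/path"; "N:controller:/path" lines are v1 and cannot take cgroup_skb (EBADF).
func cgroupV2Relative(procCgroup string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(procCgroup))
	for sc.Scan() {
		if f := strings.SplitN(sc.Text(), ":", 3); len(f) == 3 && f[0] == "0" && f[1] == "" {
			return f[2], nil
		}
	}
	return "", errors.New("no cgroup v2 entry in /proc/<pid>/cgroup")
}

// Mount point (field 5) of the mountinfo line whose fs type (first field after " - ") is cgroup2.
func cgroup2Mount(mountinfo string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		pre, post, ok := strings.Cut(sc.Text(), " - ")
		preF, postF := strings.Fields(pre), strings.Fields(post)
		if ok && len(preF) >= 5 && len(postF) > 0 && postF[0] == "cgroup2" {
			return preF[4], nil
		}
	}
	return "", errors.New("cgroup2 filesystem is not mounted")
}

// DetectCgroupPath yields the directory to pass as link.CgroupOptions.Path.
func DetectCgroupPath(procCgroup, mountinfo string) (string, error) {
	rel, err := cgroupV2Relative(procCgroup)
	if err != nil {
		return "", err
	}
	mnt, err := cgroup2Mount(mountinfo)
	if err != nil {
		return "", err
	}
	return filepath.Join(mnt, rel), nil
}
```

On a host booted with pure cgroup v2 the same code yields /sys/fs/cgroup/docker/<container_id>, since the cgroup2 filesystem is then mounted at /sys/fs/cgroup.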

Answers (0)
