From 24f3f9b24ad8f161fa777e89825bce63085e2788 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 18 Apr 2026 08:27:07 -0700
Subject: [PATCH] Raise k3s memlock rlimit for eBPF tracing on ringtail

Beyla (alloy-tracing) has been failing since April 13 with "failed to set memlock rlimit: operation not permitted" because k3s inherits the default 8MB memlock limit. Set LimitMEMLOCK=infinity on the k3s systemd service so privileged containers can use eBPF.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 nixos/ringtail/configuration.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nixos/ringtail/configuration.nix b/nixos/ringtail/configuration.nix
index c350d04..4349154 100644
--- a/nixos/ringtail/configuration.nix
+++ b/nixos/ringtail/configuration.nix
@@ -153,6 +153,10 @@ in
 '';
 };
+ # Raise memlock rlimit for k3s so eBPF workloads (Beyla/Alloy tracing) can
+ # call setrlimit(RLIMIT_MEMLOCK, unlimited) inside privileged containers.
+ systemd.services.k3s.serviceConfig.LimitMEMLOCK = "infinity";
+
+ # K3s containerd registry mirrors (pull through Zot on indri)
 environment.etc."rancher/k3s/registries.yaml".source = ./k3s-registries.yaml;
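Review bot: `LimitMEMLOCK = "infinity"` is set on the whole k3s unit, so the unlimited limit is presumably inherited by every container the embedded containerd starts on this node, not only the Beyla/Alloy pod the comment names. That lets any workload pin memory up to whatever its cgroup allows, so it is worth confirming that pods on ringtail carry memory limits. If only the tracing pod needs this, a narrower option may be granting that one container `CAP_SYS_RESOURCE`, or using a finite value here. Either way the comment should state the scope, e.g. `# NOTE: applies to every pod k3s launches on this node, not just alloy-tracing.` The description also says the containers are privileged yet the setrlimit call returned "operation not permitted", which suggests checking the pod's effective capabilities before treating the unit-wide limit as the root-cause fix.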