Allow BPF in privileged containers on ringtail
NixOS defaults kernel.unprivileged_bpf_disabled=2, which blocks BPF syscalls outside the init namespace even with CAP_BPF. Set to 1 so privileged containers (Beyla/Alloy tracing) can create BPF maps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
24f3f9b24a
commit
3a2913ba1f
1 changed files with 5 additions and 0 deletions
|
|
@ -157,6 +157,11 @@ in
|
||||||
# call setrlimit(RLIMIT_MEMLOCK, unlimited) inside privileged containers.
|
# call setrlimit(RLIMIT_MEMLOCK, unlimited) inside privileged containers.
|
||||||
systemd.services.k3s.serviceConfig.LimitMEMLOCK = "infinity";
|
systemd.services.k3s.serviceConfig.LimitMEMLOCK = "infinity";
|
||||||
|
|
||||||
|
# Allow BPF in privileged containers (Beyla eBPF tracing). NixOS defaults
|
||||||
|
# to 2 (block BPF outside init namespace even with CAP_BPF). Value 1 allows
|
||||||
|
# BPF for processes with CAP_BPF/CAP_SYS_ADMIN in any namespace.
|
||||||
|
boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = 1;
|
||||||
|
|
||||||
# K3s containerd registry mirrors (pull through Zot on indri)
|
# K3s containerd registry mirrors (pull through Zot on indri)
|
||||||
environment.etc."rancher/k3s/registries.yaml".source = ./k3s-registries.yaml;
|
environment.etc."rancher/k3s/registries.yaml".source = ./k3s-registries.yaml;
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue