Allow BPF in privileged containers on ringtail

NixOS defaults kernel.unprivileged_bpf_disabled=2, which blocks BPF syscalls outside the init namespace even with CAP_BPF. Set to 1 so privileged containers (Beyla/Alloy tracing) can create BPF maps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-18 08:32:30 -07:00 · 2026-04-18 08:32:30 -07:00 · 3a2913ba1f
commit 3a2913ba1f
parent 24f3f9b24a
1 changed files with 5 additions and 0 deletions
--- a/nixos/ringtail/configuration.nix
+++ b/nixos/ringtail/configuration.nix
@ -157,6 +157,11 @@ in
  # call setrlimit(RLIMIT_MEMLOCK, unlimited) inside privileged containers.
  systemd.services.k3s.serviceConfig.LimitMEMLOCK = "infinity";

+  # Allow BPF in privileged containers (Beyla eBPF tracing). NixOS defaults
+  # to 2 (block BPF outside init namespace even with CAP_BPF). Value 1 allows
+  # BPF for processes with CAP_BPF/CAP_SYS_ADMIN in any namespace.
+  boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = 1;
+
  # K3s containerd registry mirrors (pull through Zot on indri)
  environment.etc."rancher/k3s/registries.yaml".source = ./k3s-registries.yaml;