EPERM for sys_bpf with Ubuntu 18.04 with kernel 5.5 #9988
Comments
Having a similar issue on CentOS 7, kernel 5.5.1-1:
Unable to create map /sys/fs/bpf/tc/globals/cilium_ep_config_00861: operation not permitted
@Antiarchitect Thanks for the info. Can you check in your
@brb - Please check your Slack
Weirdly enough, after I upgraded my local Cilium dev VM kernel to net-next I'm observing this... but not for the I started digging around in apparmor but I don't think that's it, bpftrace only has a "complain" mode profile, and
Feel free to reach out to me on slack if you have thoughts on what kinds of queries you'd like from that environment. I don't want to flood this thread too much given my issue is more bpftrace-related, but it seems similar enough that there may be some commonality. Weirdly, I see other conflicts of behaviour:
More info with the bpftool command:
This last command is successful on my Ubuntu 19.10 kernel 5.3.
@borkmann Thanks for tracking this down!
While trying to update the ubuntu-next VM image in the CI to run with the latest kernel (#9657), we discovered that after cilium-agent has been installed, bpf(2) fails with EPERM which results in endpoint regeneration failures.
Creating a dummy map neither from the cilium-agent nor the host works:
SELinux is not installed, and the kernel doesn't have the lockdown.
Also, the EPERM problem starts to occur after cilium-agent has been started on the node. I've set ulimit -a unlimited, but it didn't help. After ftracing, it might be that EPERM is returned by security_bpf(), as a probe for bpf_get_file_flag() was not fired, and there are no relevant calls in-between (unfortunately I was not able to get $retval for a kretprobe of security_bpf()).
Might be related to #9402.