From c96b7dff018b7cf0433bfa0cf46fe33df98d9bab Mon Sep 17 00:00:00 2001
From: Rafael Roquetto
Date: Wed, 29 Jan 2025 15:09:28 -0600
Subject: [PATCH 1/2] Tweak capabilities detection
---
 pkg/beyla/os.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/pkg/beyla/os.go b/pkg/beyla/os.go
index eebc4d2c3..4ef03437c 100644
--- a/pkg/beyla/os.go
+++ b/pkg/beyla/os.go
@@ -82,7 +82,10 @@ func testAndSet(caps *helpers.OSCapabilities, capError *osCapabilitiesError, c h
 func checkCapabilitiesForSetOptions(config *Config, caps *helpers.OSCapabilities, capError *osCapabilitiesError) {
 if config.Enabled(FeatureAppO11y) {
 testAndSet(caps, capError, unix.CAP_CHECKPOINT_RESTORE)
+ testAndSet(caps, capError, unix.CAP_DAC_READ_SEARCH)
 testAndSet(caps, capError, unix.CAP_SYS_PTRACE)
+ testAndSet(caps, capError, unix.CAP_PERFMON)
+ testAndSet(caps, capError, unix.CAP_NET_RAW)
 if config.EBPF.ContextPropagationEnabled || config.EBPF.UseTCForL7CP {
 testAndSet(caps, capError, unix.CAP_NET_ADMIN)
@@ -90,9 +93,11 @@ func checkCapabilitiesForSetOptions(config *Config, caps *helpers.OSCapabilities
 }
 if config.Enabled(FeatureNetO11y) {
- // test for net raw only if we don't have net admin
- if !caps.Has(unix.CAP_NET_ADMIN) {
+ if config.NetworkFlows.Source == EbpfSourceSock {
 testAndSet(caps, capError, unix.CAP_NET_RAW)
+ } else if config.NetworkFlows.Source == EbpfSourceTC {
+ testAndSet(caps, capError, unix.CAP_PERFMON)
+ testAndSet(caps, capError, unix.CAP_NET_ADMIN)
 }
 }
 }
@@ -126,8 +131,6 @@ func CheckOSCapabilities(config *Config) error {
 // core capabilities
 testAndSet(caps, &capError, unix.CAP_BPF)
- testAndSet(caps, &capError, unix.CAP_PERFMON)
- testAndSet(caps, &capError, unix.CAP_DAC_READ_SEARCH)
 // CAP_SYS_RESOURCE is only required on kernels < 5.11
 if (major == 5 && minor < 11) || (major < 5) {
From 54bc7aa94c14d4c3361a2b2d7ce530967f922d77 Mon Sep 17 00:00:00 2001
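Review bot: The three capabilities added under `FeatureAppO11y` in the first hunk carry no comment saying what needs them, and `CAP_NET_RAW` is now tested for every application-observability configuration instead of being gated on a setting the way `CAP_NET_ADMIN` is two lines below. This list presumably ends up as the capability set operators grant to the process, so each entry should state its reason, for example `// CAP_NET_RAW: <feature that needs it>` above the call, which lets a later reader spot and drop a grant that is no longer needed. If only part of app observability needs `CAP_NET_RAW`, gating the call on that option would keep the required set minimal. The body of `checkCapabilitiesForSetOptions` continues outside this hunk.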
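Review bot: The new `if … else if` on `config.NetworkFlows.Source` in the second hunk has no final branch, so when the value is neither `EbpfSourceSock` nor `EbpfSourceTC` (an empty or mistyped setting, say) no network capability is tested and the check passes. The removed code tested `CAP_NET_RAW` whenever `CAP_NET_ADMIN` was absent, so this input used to be covered. Unless the source is validated before this call, which is not visible here, close the chain with a fallback such as `} else { testAndSet(caps, capError, unix.CAP_NET_RAW) }`, or turn it into a `switch` whose `default` reports the unsupported value. Either way a missing capability is then reported at startup rather than surfacing later when the probe fails to attach.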
From: Rafael Roquetto
Date: Wed, 29 Jan 2025 15:42:36 -0600
Subject: [PATCH 2/2] Fix tests
---
 pkg/beyla/os_test.go | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)
diff --git a/pkg/beyla/os_test.go b/pkg/beyla/os_test.go
index 8b6db04dc..843dc0f72 100644
--- a/pkg/beyla/os_test.go
+++ b/pkg/beyla/os_test.go
@@ -10,6 +10,7 @@ import (
 "github.com/stretchr/testify/assert"
 "golang.org/x/sys/unix"
+ "github.com/grafana/beyla/pkg/config"
 "github.com/grafana/beyla/pkg/internal/helpers"
 "github.com/grafana/beyla/pkg/services"
 )
@@ -102,17 +103,25 @@ type capTestData struct {
 class capClass
 kernMaj int
 kernMin int
+ useTC bool
 }
 var capTests = []capTestData{
- {osCap: unix.CAP_BPF, class: capCore, kernMaj: 6, kernMin: 10},
- {osCap: unix.CAP_PERFMON, class: capCore, kernMaj: 6, kernMin: 10},
- {osCap: unix.CAP_DAC_READ_SEARCH, class: capCore, kernMaj: 6, kernMin: 10},
- {osCap: unix.CAP_SYS_RESOURCE, class: capCore, kernMaj: 5, kernMin: 10},
- {osCap: unix.CAP_SYS_ADMIN, class: capCore, kernMaj: 4, kernMin: 11},
- {osCap: unix.CAP_CHECKPOINT_RESTORE, class: capApp, kernMaj: 6, kernMin: 10},
- {osCap: unix.CAP_SYS_PTRACE, class: capApp, kernMaj: 6, kernMin: 10},
- {osCap: unix.CAP_NET_RAW, class: capNet, kernMaj: 6, kernMin: 10},
+ // core
+ {osCap: unix.CAP_BPF, class: capCore, kernMaj: 6, kernMin: 10, useTC: false},
+
+ // app o11y
+ {osCap: unix.CAP_CHECKPOINT_RESTORE, class: capApp, kernMaj: 6, kernMin: 10, useTC: false},
+ {osCap: unix.CAP_DAC_READ_SEARCH, class: capApp, kernMaj: 6, kernMin: 10, useTC: false},
+ {osCap: unix.CAP_SYS_PTRACE, class: capApp, kernMaj: 6, kernMin: 10, useTC: false},
+ {osCap: unix.CAP_PERFMON, class: capApp, kernMaj: 6, kernMin: 10, useTC: false},
+ {osCap: unix.CAP_NET_RAW, class: capApp, kernMaj: 6, kernMin: 10, useTC: false},
+ {osCap: unix.CAP_NET_ADMIN, class: capApp, kernMaj: 6, kernMin: 10, useTC: true},
+
+ // net o11y
+ {osCap: unix.CAP_NET_RAW, class: capNet, kernMaj: 6, kernMin: 10, useTC: false},
+ {osCap: unix.CAP_PERFMON, class: capNet, kernMaj: 6, kernMin: 10, useTC: true},
+ {osCap: unix.CAP_NET_ADMIN, class: capNet, kernMaj: 6, kernMin: 10, useTC: true},
 }
 func TestCheckOSCapabilities(t *testing.T) {
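Review bot: The rewritten `capTests` table drops the `CAP_SYS_RESOURCE` (kernel 5.10) and `CAP_SYS_ADMIN` (kernel 4.11) rows, and every remaining row runs at kernel 6.10, so the kernel-version-dependent part of `CheckOSCapabilities` is no longer exercised. The `// CAP_SYS_RESOURCE is only required on kernels < 5.11` condition still appears as context in the first patch, so that path is live code without a test; whether the `CAP_SYS_ADMIN` check also remains is not visible here. Unless the rows were removed on purpose, keep them with the new field, e.g. `{osCap: unix.CAP_SYS_RESOURCE, class: capCore, kernMaj: 5, kernMin: 10, useTC: false},` and the matching `CAP_SYS_ADMIN` row at 4.11. A `// legacy kernels` group comment would fit the grouping style the new table introduces.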
@@ -129,9 +138,18 @@ func TestCheckOSCapabilities(t *testing.T) {
 test := func(data *capTestData) {
 overrideKernelVersion(testCase{data.kernMaj, data.kernMin})
+ netSource := func(useTC bool) string {
+ if useTC {
+ return EbpfSourceTC
+ }
+
+ return EbpfSourceSock
+ }
+
 cfg := Config{
- NetworkFlows: NetworkConfig{Enable: data.class == capNet},
+ NetworkFlows: NetworkConfig{Enable: data.class == capNet, Source: netSource(data.useTC)},
 Discovery: services.DiscoveryConfig{SystemWide: data.class == capApp},
+ EBPF: config.EBPFTracer{ContextPropagationEnabled: data.useTC},
 }
 err := CheckOSCapabilities(&cfg)
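Review bot: `data.useTC` sets both `NetworkFlows.Source` and `EBPF.ContextPropagationEnabled`, so the table cannot tell which of the two settings makes `CAP_NET_ADMIN` required, and the `config.EBPF.UseTCForL7CP` half of the condition in `checkCapabilitiesForSetOptions` is never set. There is also no row that leaves `Source` unset, which is the input the production `if … else if` chain does not handle. Separate fields in `capTestData`, one for the network source and one for context propagation, would pin each requirement on its own, and `netSource` could then move out of the per-row closure to package level. `TestCheckOSCapabilities` starts and ends outside this hunk.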