Add eBPF support to ubuntu:22.04 -kvm variant kernel
Bug #2073973 reported by Thomas Parrott
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-images | New | Undecided | Unassigned |
linux-kvm (Ubuntu) | New | Undecided | Unassigned |
Jammy | Fix Released | Low | Thibf |
Bug Description
[ Impact ]
Unable to run k8s and other software relying on Cilium.
[ Fix ]
Enable required configs and prerequisites, which consist of:
CONFIG_BPF_JIT
CONFIG_
CONFIG_NET_EGRESS
CONFIG_NET_SCHED
CONFIG_
CONFIG_NET_CLS
CONFIG_
CONFIG_NET_CLS_BPF
CONFIG_NET_CLS_ACT
CONFIG_NET_SCH_FIFO
CONFIG_
CONFIG_
CONFIG_SCHEDSTATS
These configs are already enabled in the generic kernel.
[ Test Plan ]
Tested with Cilium successfully.
[ Where problems could occur ]
eBPF misbehavior.
Network regression due to enabling network configuration.
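An added example, not part of the bug report or of the Ubuntu kernel packaging: a shell check that reports which of the options named in full in the [ Fix ] list are not enabled in a kernel config file. The function names and the sample config are constructed for illustration; the truncated `CONFIG_` entries are left out rather than guessed.

```sh
#!/bin/sh
# Option names that appear in full in the [ Fix ] list of this bug.
# The truncated "CONFIG_" entries on the page are deliberately not guessed.
REQUIRED_OPTS="CONFIG_BPF_JIT CONFIG_NET_EGRESS CONFIG_NET_SCHED CONFIG_NET_CLS
CONFIG_NET_CLS_BPF CONFIG_NET_CLS_ACT CONFIG_NET_SCH_FIFO CONFIG_SCHEDSTATS"

# missing_opts FILE: print every required option that is not =y or =m in FILE.
missing_opts() {
    cfg=$1
    for opt in $REQUIRED_OPTS; do
        # Anchor the whole line: a bare substring match on CONFIG_NET_CLS
        # would be satisfied by CONFIG_NET_CLS_ACT=y, and a commented-out
        # "# CONFIG_X is not set" line must not count as enabled.
        grep -Eq "^${opt}=(y|m)\$" "$cfg" || printf '%s\n' "$opt"
    done
}

# write_sample_config FILE: constructed sample, not taken from a real -kvm kernel.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_JIT=y
# CONFIG_NET_EGRESS is not set
CONFIG_NET_SCHED=y
# CONFIG_NET_CLS_BPF is not set
CONFIG_NET_CLS_ACT=y
CONFIG_NET_SCH_FIFO=y
CONFIG_SCHEDSTATS=y
EOF
}

# With a path argument (on Ubuntu, /boot/config-$(uname -r)) check that file;
# with no argument, run against the constructed sample.
if [ -n "${1:-}" ]; then
    missing_opts "$1"
else
    tmp=$(mktemp)
    write_sample_config "$tmp"
    missing_opts "$tmp"
    rm -f "$tmp"
fi
```

An empty result means every listed option is built in or available as a module in the checked config.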
Changed in linux-kvm (Ubuntu Jammy):
assignee: nobody → Thibf (thibf)
Changed in linux-kvm (Ubuntu Jammy):
status: New → In Progress
Changed in linux-kvm (Ubuntu Jammy):
importance: Undecided → Low
status: In Progress → Fix Committed
tags: added: verification-done-jammy-linux-kvm removed: verification-needed-jammy-linux-kvm
@tomparrot I see there are also other BPF options that are diverging from generic and disabled: BPF_STREAM_PARSER, BPF_KPROBE_OVERRIDE, IPV6_SEG6_BPF, USERMODE_DRIVER.
Can you share if any of them would be needed?
As we are in SRU context, I want to keep the minimal set of changes.
- CONFIG_BPF_LSM
  Enable BPF LSM Instrumentation
- CONFIG_
  enable BPF STREAM_PARSER
- CONFIG_
  Enable BPF programs to override a kprobed function
- CONFIG_
- CONFIG_NET_ACT_BPF
  Say Y here to execute BPF code on packets. The BPF code will decide
  if the packet should be dropped or not.
- CONFIG_NET_CLS_BPF
  If you say Y here, you will be able to classify packets based on
  programmable BPF (JIT'ed) filters as an alternative to ematches.
- CONFIG_
  This builds kernel module with several embedded BPF programs that are
  pinned into BPF FS mount point as human readable files that are
  useful in debugging and introspection of BPF programs and maps.
By default I would enable all network ones, but your opinion would be appreciated.