grafana / beyla

eBPF-based autoinstrumentation of web applications and network metrics
https://grafana.com/oss/beyla-ebpf/
Apache License 2.0

beyla is trying to write the root filesystem #593

Open esara opened 9 months ago

esara commented 9 months ago

Following k8s security best practices - for example https://cloud.google.com/architecture/best-practices-for-building-containers#file_system_security - if you run beyla with

  securityContext:
    privileged: true
    readOnlyRootFilesystem: true

you get

$ kubectl logs -f beyla-75jgp
time=2024-02-01T02:13:57.589Z level=INFO msg="Grafana Beyla" Version=0da32eb2 "OpenTelemetry SDK Version"=1.18.0
time=2024-02-01T02:13:57.798Z level=ERROR msg="cant start process tracer. Stopping it" component=discover.TraceAttacher error="can't mount BPF filesystem: creating directory /var/run/beyla/beyla-13430: mkdir /var/run/beyla: read-only file system"
time=2024-02-01T02:13:57.798Z level=ERROR msg="Beyla couldn't find target process" error="couldn't start Process Finder: can't instantiate discovery.ProcessFinder pipeline: instantiating terminal instance \"TraceAttacher\": can't mount BPF filesystem: creating directory /var/run/beyla/beyla-13430: mkdir /var/run/beyla: read-only file system"

As a potential solution, we can mount an emptyDir in the example - happy to create a PR for the docs

mariomac commented 9 months ago

Thank you very much! We will explain this in our documentation.

grcevski commented 9 months ago

I think we can improve this as you mentioned. We need a location to store the pinned eBPF maps, but we make our own file system that's eBPF based, so technically it doesn't have to be in /var/run/...

marctc commented 2 months ago

related #1144

marevers commented 2 months ago

Unprivileged example (and the Helm chart privileged: false option) are already using emptyDir instead of root file system: https://github.com/grafana/beyla/blob/2f9cf727494d3a449d6e9b79e21ac6f556c16abc/examples/k8s/unprivileged.yaml#L179-L181

Therefore they can run with readOnlyRootFilesystem: true. Maybe this can be closed?
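As an added example (not a manifest from the Beyla project or from anyone in this thread), here is the configuration esara describes, with the emptyDir fix that esara proposed and marevers confirmed is already used by the unprivileged example. The mount path /var/run/beyla is taken from the error log in the first comment; the DaemonSet name, labels and image tag are placeholders.

```yaml
# Added example: a minimal Beyla DaemonSet with readOnlyRootFilesystem: true.
# The first document reproduces the failing setup; the second adds the emptyDir.
# Image tag and names are placeholders, not taken from the project.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: beyla-failing
spec:
  selector:
    matchLabels:
      app: beyla-failing
  template:
    metadata:
      labels:
        app: beyla-failing
    spec:
      containers:
        - name: beyla
          image: grafana/beyla:latest   # placeholder image tag
          securityContext:
            privileged: true
            readOnlyRootFilesystem: true
          # No writable volume: the "mkdir /var/run/beyla: read-only file system"
          # error from the issue is expected at startup.
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: beyla
spec:
  selector:
    matchLabels:
      app: beyla
  template:
    metadata:
      labels:
        app: beyla
    spec:
      containers:
        - name: beyla
          image: grafana/beyla:latest   # placeholder image tag
          securityContext:
            privileged: true
            readOnlyRootFilesystem: true
          volumeMounts:
            # Writable scratch space for the BPF mount directory reported
            # in the error log; the image's own root filesystem stays read-only.
            - name: var-run-beyla
              mountPath: /var/run/beyla
      volumes:
        - name: var-run-beyla
          emptyDir: {}
```

An emptyDir is created per Pod and removed with it, so it gives Beyla the writable directory it asks for without relaxing readOnlyRootFilesystem on the container image. After applying the second document, the mkdir error from the log above should no longer appear in kubectl logs for the Pod.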