milas / rock5-talos

[**DEPRECATED** - see link for replacement!] Friendly fork of Talos Linux for the Radxa Rock 5 SBCs
https://github.com/milas/talos-sbc-rk3588
Mozilla Public License 2.0

eBPF kernel build flags #8

Closed mister2d closed 1 year ago

mister2d commented 1 year ago

Feature Request

Enable BSP kernel to run Cilium CNI with basic eBPF functionality. It would be nice to have Layer 7 policy functionality as well.

Description

As per Cilium documentation: https://docs.cilium.io/en/stable/operations/system_requirements/#base-requirements

Linux kernel base requirements:

CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_NET_CLS_BPF=y
CONFIG_BPF_JIT=y
CONFIG_NET_CLS_ACT=y
CONFIG_NET_SCH_INGRESS=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_BPF=y
CONFIG_PERF_EVENTS=y

Requirements for L7 and FQDN Policies:

CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m

Legacy ARM64 GitHub issue
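
A script that verifies a kernel config against the option list above, added here as an example (not code from the issue or the rock5-talos project). It assumes a plain-text .config or defconfig in the usual CONFIG_FOO=y / "# CONFIG_FOO is not set" format (such as the output of zcat /proc/config.gz on a node); the sample config it embeds is constructed for the demo, not the Rock 5 defconfig.

```shell
# Added example (not from the issue or rock5-talos): check a kernel .config or
# defconfig against the Cilium option list quoted above.
# Base requirements must be built in (=y); L7/FQDN options may be =m or =y.
CILIUM_BASE="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_NET_CLS_BPF CONFIG_BPF_JIT \
CONFIG_NET_CLS_ACT CONFIG_NET_SCH_INGRESS CONFIG_CRYPTO_SHA1 \
CONFIG_CRYPTO_USER_API_HASH CONFIG_CGROUPS CONFIG_CGROUP_BPF CONFIG_PERF_EVENTS"
CILIUM_L7="CONFIG_NETFILTER_XT_TARGET_TPROXY CONFIG_NETFILTER_XT_TARGET_CT \
CONFIG_NETFILTER_XT_MATCH_MARK CONFIG_NETFILTER_XT_MATCH_SOCKET"

# kconfig_value FILE OPTION: prints y, m, n ("is not set") or nothing (absent)
kconfig_value() {
    if grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    elif grep -q "^# $2 is not set" "$1"; then echo n
    fi
}
# check_cilium_kconfig FILE: prints one line per unmet option, returns the count
check_cilium_kconfig() {
    _bad=0
    for _opt in $CILIUM_BASE; do
        _v=$(kconfig_value "$1" "$_opt")
        [ "$_v" = y ] || { echo "need =y: $_opt (found ${_v:-absent})"; _bad=$((_bad + 1)); }
    done
    for _opt in $CILIUM_L7; do
        _v=$(kconfig_value "$1" "$_opt")
        case "$_v" in y|m) ;; *) echo "need =m or =y: $_opt (found ${_v:-absent})"; _bad=$((_bad + 1)) ;; esac
    done
    return "$_bad"
}
# write_sample_config FILE: constructed sample (not a real Rock 5 defconfig) with three gaps
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_NET_CLS_BPF=y
CONFIG_NET_CLS_ACT=y
# CONFIG_NET_SCH_INGRESS is not set
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CGROUPS=y
CONFIG_PERF_EVENTS=y
CONFIG_NETFILTER_XT_TARGET_TPROXY=y
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
EOF
}
# Usage: sh check.sh /path/to/.config; with no argument, runs against the sample.
cfg="${1:-$(mktemp)}"; [ -n "${1:-}" ] || write_sample_config "$cfg"
check_cilium_kconfig "$cfg" && echo "all Cilium kernel options are satisfied"
```

Against the sample it reports CONFIG_NET_SCH_INGRESS (explicitly unset), CONFIG_CGROUP_BPF and CONFIG_NETFILTER_XT_MATCH_MARK (absent) and exits non-zero; a module (=m) is only accepted for the L7/FQDN options.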

milas commented 1 year ago

Thanks for giving all the defconfig options ❤️

We were just missing a couple; they're added now. I'll update here once CI is done with an image you can do a talosctl upgrade to and test out (it'll be a couple of hours).

milas commented 1 year ago

Okay, give this image a shot if you can:

docker.io/milas/rock5-talos:v1.4.4-2-g11083163c-rock-5b@sha256:3f0f6c93e952d1fda51f90c1a08a14b5503872df3c3be33a4e9c380d802eb3ab

mister2d commented 1 year ago

Cilium 1.13.2 now deploys successfully. Thanks!

# cilium status --verbose
KVStore:                Ok   Disabled
Kubernetes:             Ok   1.27 (v1.27.1) [linux/amd64]
Kubernetes APIs:        ["cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "core/v1::Namespace", "core/v1::Node", "core/v1::Pods", "core/v1::Service", "discovery/v1::EndpointSlice", "networking.k8s.io/v1::NetworkPolicy"]
KubeProxyReplacement:   Strict   [eth0 10.0.1.26]
Host firewall:          Disabled
CNI Chaining:           none
CNI Config file:        CNI configuration file management disabled
Cilium:                 Ok   1.13.2 (v1.13.2-8cb94c70)
NodeMonitor:            Listening for events on 2 CPUs with 64x4096 of shared memory
Cilium health daemon:   Ok   
IPAM:                   IPv4: 4/254 allocated from 10.244.2.0/24, 
Allocated addresses:
  10.244.2.217 (kube-system/coredns-d779cc7ff-5jkbn)
  10.244.2.248 (health)
  10.244.2.62 (kube-system/coredns-d779cc7ff-nxgmh)
  10.244.2.90 (router)
ClusterMesh:            0/0 clusters ready, 0 global-services
IPv6 BIG TCP:           Disabled
BandwidthManager:       Disabled
Host Routing:           Legacy
Masquerading:           IPTables [IPv4: Enabled, IPv6: Disabled]
Clock Source for BPF:   ktime
Controller Status:      27/27 healthy
  Name                                  Last success   Last error   Count   Message
  bpf-map-sync-cilium_lxc               7s ago         never        0       no error   
  cilium-health-ep                      26s ago        never        0       no error   
  dns-garbage-collector-job             38s ago        never        0       no error   
  endpoint-1228-regeneration-recovery   never          never        0       no error   
  endpoint-2122-regeneration-recovery   never          never        0       no error   
  endpoint-3926-regeneration-recovery   never          never        0       no error   
  endpoint-884-regeneration-recovery    never          never        0       no error   
  endpoint-gc                           4m38s ago      never        0       no error   
  ipcache-inject-labels                 4m29s ago      4m36s ago    0       no error   
  k8s-heartbeat                         8s ago         never        0       no error   
  link-cache                            12s ago        never        0       no error   
  metricsmap-bpf-prom-sync              3s ago         never        0       no error   
  resolve-identity-1228                 4m27s ago      never        0       no error   
  resolve-identity-2122                 4m27s ago      never        0       no error   
  resolve-identity-3926                 4m27s ago      never        0       no error   
  resolve-identity-884                  4m26s ago      never        0       no error   
  sync-endpoints-and-host-ips           27s ago        never        0       no error   
  sync-lb-maps-with-k8s-services        4m27s ago      never        0       no error   
  sync-policymap-1228                   25s ago        never        0       no error   
  sync-policymap-2122                   23s ago        never        0       no error   
  sync-policymap-3926                   25s ago        never        0       no error   
  sync-policymap-884                    24s ago        never        0       no error   
  sync-to-k8s-ciliumendpoint (1228)     7s ago         never        0       no error   
  sync-to-k8s-ciliumendpoint (2122)     7s ago         never        0       no error   
  sync-to-k8s-ciliumendpoint (3926)     7s ago         never        0       no error   
  sync-to-k8s-ciliumendpoint (884)      6s ago         never        0       no error   
  template-dir-watcher                  never          never        0       no error   
Proxy Status:            No managed proxy redirect
Global Identity Range:   min 256, max 65535
Hubble:                  Ok   Current/Max Flows: 1440/4095 (35.16%), Flows/s: 5.34   Metrics: Ok
KubeProxyReplacement Details:
  Status:                 Strict
  Socket LB:              Enabled
  Socket LB Tracing:      Enabled
  Socket LB Coverage:     Full
  Devices:                eth0 10.0.1.26
  Mode:                   SNAT
  Backend Selection:      Random
  Session Affinity:       Enabled
  Graceful Termination:   Enabled
  NAT46/64 Support:       Disabled
  XDP Acceleration:       Disabled
  Services:
  - ClusterIP:      Enabled
  - NodePort:       Enabled (Range: 30000-32767) 
  - LoadBalancer:   Enabled 
  - externalIPs:    Enabled 
  - HostPort:       Enabled
BPF Maps:   dynamic sizing: on (ratio: 0.002500)
  Name                          Size
  Non-TCP connection tracking   65536
  TCP connection tracking       131072
  Endpoint policy               65535
  Events                        2
  IP cache                      512000
  IP masquerading agent         16384
  IPv4 fragmentation            8192
  IPv4 service                  65536
  IPv6 service                  65536
  IPv4 service backend          65536
  IPv6 service backend          65536
  IPv4 service reverse NAT      65536
  IPv6 service reverse NAT      65536
  Metrics                       1024
  NAT                           131072
  Neighbor table                131072
  Global policy                 16384
  Per endpoint policy           65536
  Session affinity              65536
  Signal                        2
  Sockmap                       65535
  Sock reverse NAT              65536
  Tunnel                        65536
Encryption:                              Disabled
Cluster health:                          4/4 reachable   (2023-05-15T05:19:26Z)
  Name                                   IP              Node        Endpoints
  rockluster/talos-2xr-akv (localhost)   10.0.1.26       reachable   reachable
  rockluster/talos-ebo-vs4               10.0.1.101      reachable   reachable
  rockluster/talos-ff8-oel               10.0.1.102      reachable   reachable
  rockluster/talos-yn3-7z3               10.0.1.103      reachable   reachable