xdp-project / xdp-tutorial

XDP tutorial

Basic 01 - permission denied for xdp_pass_user - solved with RLIMIT_INFINITY #63

Open sevagh opened 5 years ago

sevagh commented 5 years ago

Hello. When following the tutorial, in basic 01, I can load xdp_pass_kern.o using the provided ip commands:

shanssian:basic01-xdp-pass $ sudo ip link set dev lo xdpgeneric obj xdp_pass_kern.o sec xdp
shanssian:basic01-xdp-pass $
shanssian:basic01-xdp-pass $
shanssian:basic01-xdp-pass $ sudo bpftool net list dev lo
xdp:
lo(1) generic id 40

tc:

flow_dissector:

With the xdp_pass_user program, I was getting a permission denied error:

shanssian:basic01-xdp-pass $ sudo ./xdp_pass_user --dev lo -A -F
libbpf: Error in bpf_object__probe_name():Operation not permitted(1). Couldn't load basic 'r0 = 0' BPF program.
libbpf: Error in bpf_object__probe_global_data():Operation not permitted(1). Couldn't create simple array map.
libbpf: load bpf program failed: Operation not permitted
libbpf: failed to load program 'xdp'
libbpf: failed to load object 'xdp_pass_kern.o'
ERR: loading BPF-OBJ file(xdp_pass_kern.o) (-22): Invalid argument
ERR: loading file: xdp_pass_kern.o

I found this workaround by searching the error message: https://www.spinics.net/lists/netdev/msg548481.html

Applied, it looks like:

diff --git a/basic01-xdp-pass/xdp_pass_user.c b/basic01-xdp-pass/xdp_pass_user.c
index 41b4ba2..1e934c3 100644
--- a/basic01-xdp-pass/xdp_pass_user.c
+++ b/basic01-xdp-pass/xdp_pass_user.c
@@ -6,6 +6,7 @@ static const char *__doc__ = "Simple XDP prog doing XDP_PASS\n";
 #include <string.h>
 #include <errno.h>
 #include <getopt.h>
+#include <sys/resource.h>

 #include <bpf/bpf.h>
 #include <bpf/libbpf.h>
@@ -125,6 +126,13 @@ int xdp_link_attach(int ifindex, __u32 xdp_flags, int prog_fd)

 int main(int argc, char **argv)
 {
+       struct rlimit r = {RLIM_INFINITY, RLIM_INFINITY};
+
+       if (setrlimit(RLIMIT_MEMLOCK, &r)) {
+               perror("setrlimit(RLIMIT_MEMLOCK)");
+               return 1;
+       }
+
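Review bot: struct rlimit r = {RLIM_INFINITY, RLIM_INFINITY}; in main() removes the locked-memory limit for this process entirely; a finite rlim_cur/rlim_max sized to what the loader needs would fix the load failure while keeping the limit in place. The call is also the first thing main() does; placing it next to the load step, with a one-line comment saying why RLIMIT_MEMLOCK is raised, would tie it to the operation that needs it.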

After recompiling, xdp_pass_user works:

shanssian:basic01-xdp-pass $ sudo ./xdp_pass_user --dev lo -A -F
Success: Loading XDP prog name:xdp_prog_simple(id:43) on device:lo(ifindex:1)

sevagh commented 5 years ago

I'm using Fedora 30 with kernel 5.2.7-200.fc30.x86_64.

tohojo commented 5 years ago

Sevag Hanssian notifications@github.com writes:

> I'm using Fedora 30 with kernel 5.2.7-200.fc30.x86_64.

Yeah, the "locked memory" limit is a known issue on Fedora. We already raise it in the testenv.sh script: https://github.com/xdp-project/xdp-tutorial/blob/master/testenv/testenv.sh#L69

Not sure if we should be setting it in the loader instead; feels a bit iffy to just remove the limit entirely. But on the other hand, iproute2 seems to do exactly that... :/

netoptimizer commented 5 years ago

> Not sure if we should be setting it in the loader instead; feels a bit iffy to just remove the limit entirely. But on the other hand, iproute2 seems to do exactly that... :/

I think RLIM_INFINITY is a bad value and example, if anything we should set a reasonable value instead, as an example. If everybody wants to use "unlimited" then we should send a kernel patch and remove this memory limit protection feature.

That reminds me that the kernel feedback -EPERM sucks: Operation not permitted. But upstream Alexei would not allow me to change this to -ENOMEM: Not enough space/cannot allocate memory. As this is now UABI.
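Added example, not part of the thread or the tutorial's code: one way a loader could raise RLIMIT_MEMLOCK to a bounded value instead of RLIM_INFINITY before loading a BPF object. The 8 MiB budget and the helper names memlock_plan and memlock_raise are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/resource.h>

/* Assumed budget for this example (not from the tutorial): 8 MiB. */
#define MEMLOCK_WANT_BYTES (8UL * 1024 * 1024)

/* Work out the limits to request: never lower an existing limit and never
 * raise one past `want`. Returns 1 if a setrlimit() call is needed. */
int memlock_plan(const struct rlimit *cur, rlim_t want, struct rlimit *out)
{
	*out = *cur;
	if (cur->rlim_cur == RLIM_INFINITY || cur->rlim_cur >= want)
		return 0;              /* soft limit is already sufficient */
	out->rlim_cur = want;
	if (cur->rlim_max != RLIM_INFINITY && cur->rlim_max < want)
		out->rlim_max = want;  /* raising the hard limit needs CAP_SYS_RESOURCE */
	return 1;
}

/* Apply the plan to the calling process. Returns 0 on success, -1 on error. */
int memlock_raise(rlim_t want)
{
	struct rlimit cur, next;

	if (getrlimit(RLIMIT_MEMLOCK, &cur)) {
		perror("getrlimit(RLIMIT_MEMLOCK)");
		return -1;
	}
	if (!memlock_plan(&cur, want, &next))
		return 0;
	if (setrlimit(RLIMIT_MEMLOCK, &next)) {
		perror("setrlimit(RLIMIT_MEMLOCK)");
		return -1;
	}
	return 0;
}

int main(void)
{
	struct rlimit r;

	if (memlock_raise(MEMLOCK_WANT_BYTES))
		return 1;
	getrlimit(RLIMIT_MEMLOCK, &r);
	printf("RLIMIT_MEMLOCK soft=%llu hard=%llu\n",
	       (unsigned long long)r.rlim_cur, (unsigned long long)r.rlim_max);
	return 0;
}
```

If the budget is too small for the maps a program creates, the load fails with the same "Operation not permitted" error shown in the first post, which is the signal to size the value up rather than remove the limit.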

tohojo commented 5 years ago

Jesper Dangaard Brouer notifications@github.com writes:

> > Not sure if we should be setting it in the loader instead; feels a bit iffy to just remove the limit entirely. But on the other hand, iproute2 seems to do exactly that... :/
>
> I think RLIM_INFINITY is a bad value and example, if anything we should set a reasonable value instead, as an example. If everybody wants to use "unlimited" then we should send a kernel patch and remove this memory limit protection feature.

Yeah, that's my feeling as well. Nonetheless:

https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/tree/lib/bpf.c#n1365

sevagh commented 5 years ago

Thanks for confirming. I'll defer to the maintainers' opinions on the change I made.

On the other hand, as a beginner stepping through the tutorial, maybe https://github.com/xdp-project/xdp-tutorial/blob/master/setup_dependencies.org is a good place to mention this Fedora limitation?