%EF%BC%8C%E4%BD%86%E6%9C%AC%E5%9C%B0%E7%B3%BB%E7%BB%9F%E4%B8%8D%E6%94%AF%E6%8C%81%E5%9F%BA%E4%BA%8E%20BPF%2Fcgroup%20%E7%9A%84%E9%98%B2%E7%81%AB%E5%A2%99%E2%80%9D%EF%BC%9F.png)
从我用自定义重新编译的内核启动时.config,我收到以下 kmsg(即。dmesg)消息:
systemd[1]: File /usr/lib/systemd/system/systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
.config我需要 哪些内核选项来解决这个问题?
答案1
首先启用CONFIG_BPF_SYSCALL=y
┌── Enable bpf() system call ─────────────────────────────────┐
│ │
│ CONFIG_BPF_SYSCALL: │
│ │
│ Enable the bpf() system call that allows to manipulate eBPF │
│ programs and maps via file descriptors. │
│ │
│ Symbol: BPF_SYSCALL [=y] │
│ Type : bool │
│ Prompt: Enable bpf() system call │
│ Location: │
│ -> General setup │
│ Defined at init/Kconfig:1414 │
│ Selects: ANON_INODES [=y] && BPF [=y] && IRQ_WORK [=y] │
│ Selected by [n]: │
│ - AF_KCM [=n] && NET [=y] && INET [=y] │
└─────────────────────────────────────────────────────────────┘
^ 然后您还可以启用CONFIG_CGROUP_BPF=y:
┌── Support for eBPF programs attached to cgroups ─────────────────┐
│ │
│ CONFIG_CGROUP_BPF: │
│ │
│ Allow attaching eBPF programs to a cgroup using the bpf(2) │
│ syscall command BPF_PROG_ATTACH. │
│ │
│ In which context these programs are accessed depends on the type │
│ of attachment. For instance, programs that are attached using │
│ BPF_CGROUP_INET_INGRESS will be executed on the ingress path of │
│ inet sockets. │
│ │
│ Symbol: CGROUP_BPF [=y] │
│ Type : bool │
│ Prompt: Support for eBPF programs attached to cgroups │
│ Location: │
│ -> General setup │
│ -> Control Group support (CGROUPS [=y]) │
│ Defined at init/Kconfig:845 │
│ Depends on: CGROUPS [=y] && BPF_SYSCALL [=y] │
│ Selects: SOCK_CGROUP_DATA [=y] │
└──────────────────────────────────────────────────────────────────┘
systemd这就是让这些消息消失 所必需的。
当您选择上述内容时,将发生以下情况.config:
之前:
# CONFIG_BPF_SYSCALL is not set
后:
CONFIG_BPF_SYSCALL=y
# CONFIG_XDP_SOCKETS is not set
# CONFIG_BPF_STREAM_PARSER is not set
CONFIG_CGROUP_BPF=y
CONFIG_BPF_EVENTS=y
还有两个选项可用:CONFIG_XDP_SOCKETS和CONFIG_BPF_STREAM_PARSER但没有必要启用它们。但如果你想知道它们是关于什么的:
┌── XDP sockets ────────────────────────────────────────┐
│ │
│ CONFIG_XDP_SOCKETS: │
│ │
│ XDP sockets allows a channel between XDP programs and │
│ userspace applications. │
│ │
│ Symbol: XDP_SOCKETS [=n] │
│ Type : bool │
│ Prompt: XDP sockets │
│ Location: │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ Defined at net/xdp/Kconfig:1 │
│ Depends on: NET [=y] && BPF_SYSCALL [=y] │
└───────────────────────────────────────────────────────┘
┌── enable BPF STREAM_PARSER ───────────────────────────────────────────┐
│ │
│ CONFIG_BPF_STREAM_PARSER: │
│ │
│ Enabling this allows a stream parser to be used with │
│ BPF_MAP_TYPE_SOCKMAP. │
│ │
│ BPF_MAP_TYPE_SOCKMAP provides a map type to use with network sockets. │
│ It can be used to enforce socket policy, implement socket redirects, │
│ etc. │
│ │
│ Symbol: BPF_STREAM_PARSER [=n] │
│ Type : bool │
│ Prompt: enable BPF STREAM_PARSER │
│ Location: │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ Defined at net/Kconfig:301 │
│ Depends on: NET [=y] && BPF_SYSCALL [=y] │
│ Selects: STREAM_PARSER [=m] │
└───────────────────────────────────────────────────────────────────────┘
如果想知道为什么CONFIG_BPF_EVENTS=y:
┌── Search Results ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ │
│ Symbol: BPF_EVENTS [=y] │
│ Type : bool │
│ Defined at kernel/trace/Kconfig:476 │
│ Depends on: TRACING_SUPPORT [=y] && FTRACE [=y] && BPF_SYSCALL [=y] && (KPROBE_EVENTS [=n] || UPROBE_EVENTS [=y]) && PERF_EVENTS [=y] │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
内核在 Qubes OS 4.0 内的 Fedora 28 AppVM 上测试了 4.18.5
答案2
如果以上所有选项均已设置,请尝试将 systemd.unified_cgroup_hierarchy=1 添加到内核命令行中。
这使得 cgroups v2 能够在 BPF 中启用 IP 防火墙并消除 dmesg 日志中的错误,而 cgroups v2 是缺少的部分(至少对于我的设置而言)。