Skip to content

Mount eBPF filesystem by default on 1.27+ #1223

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Mar 29, 2023
Merged

Mount eBPF filesystem by default on 1.27+ #1223

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
10ba835
Mount eBPF filesystem by default
cartermckinnon Mar 17, 2023
776dc2b
Set up mount at runtime
cartermckinnon Mar 20, 2023
0325011
Add missed mount-bpf-fs helper
cartermckinnon Mar 20, 2023
ab099eb
Fix lint findings
cartermckinnon Mar 20, 2023
a4839b0
Fix unit tests
cartermckinnon Mar 21, 2023
bcabab8
Fix lint findings
cartermckinnon Mar 21, 2023
76ea560
Use correct unit name for systemctl commands
cartermckinnon Mar 22, 2023
be9551b
Improve checks a bit
cartermckinnon Mar 23, 2023
6bf7c5b
Default to true only on 1.26+
cartermckinnon Mar 28, 2023
8f5f056
Default to true on 1.27+
cartermckinnon Mar 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions files/bin/mount-bpf-fs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
#!/usr/bin/env bash

set -o errexit
set -o nounset

SYSTEMD_UNIT="/etc/systemd/system/sys-fs-bpf.mount"
MOUNT_POINT="/sys/fs/bpf"
FS_TYPE="bpf"

MOUNT_BPF_FS_DEBUG=${MOUNT_BPF_FS_DEBUG:-false}
function debug() {
if [ "$MOUNT_BPF_FS_DEBUG" = "true" ]; then
echo >&2 "DEBUG:" "$@"
fi
}

if mount | grep "type $FS_TYPE"; then
debug "$FS_TYPE filesystem already mounted!"
exit 0
elif mount | grep "$MOUNT_POINT"; then
debug "mount point at $MOUNT_POINT already exists!"
exit 0
elif [ -f "$SYSTEMD_UNIT" ]; then
debug "systemd unit at $SYSTEMD_UNIT already exists!"
exit 0
fi

cat > "$SYSTEMD_UNIT" << EOL
[Unit]
Description=BPF mounts
Documentation=https://docs.kernel.org/bpf/index.html
DefaultDependencies=no
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=bpffs
Where=$MOUNT_POINT
Type=bpf
Options=rw,nosuid,nodev,noexec,relatime,mode=700

[Install]
WantedBy=multi-user.target
EOL

systemctl enable "$SYSTEMD_UNIT"
systemctl start "$SYSTEMD_UNIT"
30 changes: 21 additions & 9 deletions files/bootstrap.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,22 +16,24 @@ function print_help {
echo "Bootstraps an instance into an EKS cluster"
echo ""
echo "-h,--help print this help"
echo "--use-max-pods Sets --max-pods for the kubelet when true. (default: true)"
echo "--b64-cluster-ca The base64 encoded cluster CA content. Only valid when used with --apiserver-endpoint. Bypasses calling \"aws eks describe-cluster\""
echo
echo "--apiserver-endpoint The EKS cluster API Server endpoint. Only valid when used with --b64-cluster-ca. Bypasses calling \"aws eks describe-cluster\""
echo "--kubelet-extra-args Extra arguments to add to the kubelet. Useful for adding labels or taints."
echo "--enable-docker-bridge Restores the docker default bridge network. (default: false)"
echo "--aws-api-retry-attempts Number of retry attempts for AWS API call (DescribeCluster) (default: 3)"
echo "--docker-config-json The contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI"
echo "--b64-cluster-ca The base64 encoded cluster CA content. Only valid when used with --apiserver-endpoint. Bypasses calling \"aws eks describe-cluster\""
echo "--cluster-id Specify the id of EKS cluster"
echo "--container-runtime Specify a container runtime (default: dockerd)"
echo "--containerd-config-file File containing the containerd configuration to be used in place of AMI defaults."
echo "--dns-cluster-ip Overrides the IP address to use for DNS queries within the cluster. Defaults to 10.100.0.10 or 172.20.0.10 based on the IP address of the primary interface"
echo "--docker-config-json The contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI"
echo "--enable-docker-bridge Restores the docker default bridge network. (default: false)"
echo "--enable-local-outpost Enable support for worker nodes to communicate with the local control plane when running on a disconnected Outpost. (true or false)"
echo "--ip-family Specify ip family of the cluster"
echo "--kubelet-extra-args Extra arguments to add to the kubelet. Useful for adding labels or taints."
echo "--mount-bfs-fs Mount a bpffs at /sys/fs/bpf (default: true)"
echo "--pause-container-account The AWS account (number) to pull the pause container from"
echo "--pause-container-version The tag of the pause container"
echo "--container-runtime Specify a container runtime (default: dockerd)"
echo "--ip-family Specify ip family of the cluster"
echo "--service-ipv6-cidr ipv6 cidr range of the cluster"
echo "--enable-local-outpost Enable support for worker nodes to communicate with the local control plane when running on a disconnected Outpost. (true or false)"
echo "--cluster-id Specify the id of EKS cluster"
echo "--use-max-pods Sets --max-pods for the kubelet when true. (default: true)"
}

POSITIONAL=()
Expand Down Expand Up @@ -123,6 +125,11 @@ while [[ $# -gt 0 ]]; do
shift
shift
;;
--mount-bpf-fs)
MOUNT_BPF_FS=$2
shift
shift
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
Expand Down Expand Up @@ -177,6 +184,7 @@ IP_FAMILY="${IP_FAMILY:-}"
SERVICE_IPV6_CIDR="${SERVICE_IPV6_CIDR:-}"
ENABLE_LOCAL_OUTPOST="${ENABLE_LOCAL_OUTPOST:-}"
CLUSTER_ID="${CLUSTER_ID:-}"
MOUNT_BPF_FS="${MOUNT_BPF_FS:-true}"

# Helper function which calculates the amount of the given resource (either CPU or memory)
# to reserve in a given resource range, specified by a start and end of the range and a percentage
Expand Down Expand Up @@ -269,6 +277,10 @@ if [[ "$MACHINE" != "x86_64" && "$MACHINE" != "aarch64" ]]; then
exit 1
fi

if [ "$MOUNT_BPF_FS" = "true" ]; then
sudo mount-bpf-fs
fi

ECR_URI=$(/etc/eks/get-ecr-uri.sh "${AWS_DEFAULT_REGION}" "${AWS_SERVICES_DOMAIN}" "${PAUSE_CONTAINER_ACCOUNT:-}")
PAUSE_CONTAINER_IMAGE=${PAUSE_CONTAINER_IMAGE:-$ECR_URI/eks/pause}
PAUSE_CONTAINER="$PAUSE_CONTAINER_IMAGE:$PAUSE_CONTAINER_VERSION"
Expand Down
50 changes: 50 additions & 0 deletions test/cases/mount-bpf-fs.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
#!/usr/bin/env bash

set -o nounset
set -o errexit
set -o pipefail

export MOUNT_BPF_FS_DEBUG=true

echo "--> Should succeed if bpf type fs already exists"
function mount() {
echo "none on /foo/bar type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)"
}
export -f mount
EXIT_CODE=0
mount-bpf-fs || EXIT_CODE=$?
if [[ ${EXIT_CODE} -ne 0 ]]; then
echo "❌ Test Failed: expected a zero exit code but got: $EXIT_CODE"
exit 1
fi
export -nf mount

echo "--> Should succeed if mount point already exists"
function mount() {
echo "none on /sys/fs/bpf type foo (rw,nosuid,nodev,noexec,relatime,mode=700)"
}
export -f mount
EXIT_CODE=0
mount-bpf-fs || EXIT_CODE=$?
if [[ ${EXIT_CODE} -ne 0 ]]; then
echo "❌ Test Failed: expected a zero exit code but got: $EXIT_CODE"
exit 1
fi
export -nf mount

echo "--> Should succeed if systemd unit already exists"
function mount() {
echo "foo"
}
export -f mount
SYSTEMD_UNIT=/etc/systemd/system/sys-fs-bpf.mount
mkdir -p $(dirname $SYSTEMD_UNIT)
echo "foo" > $SYSTEMD_UNIT
EXIT_CODE=0
mount-bpf-fs || EXIT_CODE=$?
if [[ ${EXIT_CODE} -ne 0 ]]; then
echo "❌ Test Failed: expected a zero exit code but got: $EXIT_CODE"
exit 1
fi
export -nf mount
rm $SYSTEMD_UNIT