Running telegraf within VRF

I am trying to run the service-monitoring telegraf process within a VRF. I did the following in the service configuration:

    ExecStart=ip vrf exec oam /usr/bin/telegraf -config /run/telegraf/vyos-telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS
And in the override config:
    Delegate=true  
    #CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN
    AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_BPF

I see that unprivileged BPF is not disabled in the kernel:

    # sysctl kernel.unprivileged_bpf_disabled
    kernel.unprivileged_bpf_disabled = 0

But there is still an error starting the service:

    Aug 25 11:27:23 ip[3031]: Failed to load BPF prog: 'Operation not permitted'
    Aug 25 11:27:23 systemd[1]: vyos-telegraf.service: Main process exited, code=exited, status=255/EXCEPTION
    Aug 25 11:27:23 systemd[1]: vyos-telegraf.service: Failed with result 'exit-code'.

The same configuration works for me on a pure Debian 11 installation with kernel

    Linux deb11 5.10.0-17-amd64 #1 SMP Debian 5.10.136-1 (2022-08-13) x86_64 GNU/Linux

but not here on VyOS 1.4 (1.4-rolling-202208150815):

    Linux vyos-lns-1 5.10.136-amd64-vyos #1 SMP Thu Aug 11 17:18:31 UTC 2022 x86_64 GNU/Linux

So can you guys suggest how to find the difference? The ability to run the monitoring process within the OAM VRF is in great demand on production systems. There is a corresponding feature request: T4617 VRF specification is needed for telegraf prometheus-client listen-address <address>
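Finding the difference between the two hosts comes down to collecting the same facts on both under the same credentials. The script below is an added diagnostic written for this thread; it is not part of the original post, of VyOS or of telegraf, and the file name vrf-bpf-triage.sh and the function names are the example's own. It assumes a Linux host with bash, awk and procfs. It decodes the effective capability mask the way the kernel's bpf_prog_load() checks it for the BPF_PROG_TYPE_CGROUP_SOCK program that `ip vrf exec` loads (on kernels 5.8 and later: CAP_NET_ADMIN or CAP_SYS_ADMIN, plus CAP_BPF or CAP_SYS_ADMIN, independent of kernel.unprivileged_bpf_disabled), and prints the sysctl, the kernel config symbols and the cgroup2 mount state that the two kernels may differ in.

```shell
#!/usr/bin/env bash
# vrf-bpf-triage.sh (added example, not from the thread, VyOS or telegraf)
# Collects the facts that decide whether `ip vrf exec` can load its cgroup
# BPF program: effective capabilities of the calling process, the
# unprivileged-BPF sysctl, kernel config symbols and a cgroup2 mount.
# Assumes Linux procfs, awk and bash.

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21
CAP_BPF=39

# cap_in_mask HEXMASK BIT: succeed if BIT is set in a CapEff-style hex mask.
cap_in_mask() {
  local mask="$1" bit="$2"
  [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK: print what `ip vrf exec` still needs, or nothing.
# iproute2 loads a BPF_PROG_TYPE_CGROUP_SOCK program; on 5.8+ kernels
# bpf_prog_load() returns EPERM unless the caller has CAP_NET_ADMIN (or
# CAP_SYS_ADMIN) and is bpf_capable (CAP_BPF or CAP_SYS_ADMIN). The
# kernel.unprivileged_bpf_disabled sysctl does not relax either check.
missing_caps() {
  local mask="$1" missing=""
  if ! cap_in_mask "$mask" "$CAP_NET_ADMIN" && ! cap_in_mask "$mask" "$CAP_SYS_ADMIN"; then
    missing="$missing CAP_NET_ADMIN|CAP_SYS_ADMIN"
  fi
  if ! cap_in_mask "$mask" "$CAP_BPF" && ! cap_in_mask "$mask" "$CAP_SYS_ADMIN"; then
    missing="$missing CAP_BPF|CAP_SYS_ADMIN"
  fi
  printf '%s' "${missing# }"
}

# effective_caps_of PID: the CapEff field of /proc/PID/status.
effective_caps_of() {
  awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# kconfig_value SYMBOL: value of CONFIG_SYMBOL in the running kernel's
# config, "unset" if the symbol is absent, "unknown" if no config is found.
kconfig_value() {
  local sym="$1" cfg="/boot/config-$(uname -r)"
  if [ -r /proc/config.gz ]; then
    zcat /proc/config.gz
  elif [ -r "$cfg" ]; then
    cat "$cfg"
  else
    echo "CONFIG_$sym=unknown"   # synthetic line so awk reports "unknown"
  fi | awk -F= -v s="CONFIG_$sym" '$1 == s { print $2; found = 1 } END { if (!found) print "unset" }'
}

# report PID: print everything worth diffing between the two hosts.
report() {
  local pid="$1" mask miss sym
  mask=$(effective_caps_of "$pid")
  miss=$(missing_caps "$mask")
  echo "CapEff of pid $pid: $mask"
  if [ -n "$miss" ]; then
    echo "missing for ip vrf exec: $miss"
  else
    echo "capabilities are sufficient for ip vrf exec"
  fi
  echo "kernel.unprivileged_bpf_disabled = $(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null || echo unknown)"
  for sym in BPF_SYSCALL CGROUP_BPF NET_VRF; do
    echo "CONFIG_$sym=$(kconfig_value "$sym")"
  done
  # /proc/self/mounts: "<fsname> <mountpoint> <fstype> ..."; ip vrf exec
  # attaches its program to a cgroup under the cgroup2 mount.
  if grep -q ' cgroup2 ' /proc/self/mounts; then
    echo "cgroup2 is mounted"
  else
    echo "no cgroup2 mount: ip vrf exec has nothing to attach its program to"
  fi
}

# No argument: only define the functions (so the file can be sourced).
# "self": report on this shell. Anything else is taken as a PID.
case "${1:-}" in
  "")   ;;
  self) report "$$" ;;
  *)    report "$1" ;;
esac
```

Run it on both hosts under the unit's own credentials, for example `systemd-run --wait --pipe -p User=telegraf -p AmbientCapabilities="CAP_NET_RAW CAP_NET_ADMIN CAP_BPF" /usr/local/sbin/vrf-bpf-triage.sh self` (substitute the unit's actual User= and install path), and diff the two outputs. Two caveats: AmbientCapabilities= only has an effect when the unit runs as a non-root User=; for a root service the bounding set is what matters, and the CapEff line will show that directly. And kernel.unprivileged_bpf_disabled=0 only lets a process without CAP_BPF load SOCKET_FILTER and CGROUP_SKB programs, so its value does not by itself explain why the CGROUP_SOCK program used by `ip vrf exec` is accepted on one kernel and rejected on another.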

Will be implemented in the next rolling ISO, starting 2022-08-26.


Great news, Christian.
Thank you.
What did I do wrong that got the BPF operations blocked?
