I am trying to run the telegraf monitoring process within a VRF. I did the following in the service configuration:
ExecStart=ip vrf exec oam /usr/bin/telegraf -config /run/telegraf/vyos-telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS
And in override config:
Delegate=true
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_BPF
I see that unprivileged BPF is not disabled within the kernel:
# sysctl kernel.unprivileged_bpf_disabled
kernel.unprivileged_bpf_disabled = 0
But there is still an error starting the service:
Aug 25 11:27:23 ip[3031]: Failed to load BPF prog: 'Operation not permitted'
Aug 25 11:27:23 systemd[1]: vyos-telegraf.service: Main process exited, code=exited, status=255/EXCEPTION
Aug 25 11:27:23 systemd[1]: vyos-telegraf.service: Failed with result 'exit-code'.
The same configuration works for me on a pure Debian 11 installation with kernel
Linux deb11 5.10.0-17-amd64 #1 SMP Debian 5.10.136-1 (2022-08-13) x86_64 GNU/Linux
but not here on VyOS 1.4 (1.4-rolling-202208150815):
Linux vyos-lns-1 5.10.136-amd64-vyos #1 SMP Thu Aug 11 17:18:31 UTC 2022 x86_64 GNU/Linux
So can you guys suggest how to find the difference? The feature of running a monitoring process within the OAM VRF is in great demand on production systems. There is a corresponding feature request: T4617 VRF specification is needed for telegraf prometheus-client listen-address <address>
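A first place to look for the difference between the two hosts is the capability sets the unit's main process really ends up with, since kernel.unprivileged_bpf_disabled=0 only lets unprivileged processes load SOCKET_FILTER and CGROUP_SKB programs; the cgroup-sock program that ip vrf exec installs still needs CAP_NET_ADMIN together with CAP_BPF or CAP_SYS_ADMIN on 5.8+ kernels. The script below is an added diagnostic, not code from the post or from VyOS, and it assumes only the capability bit numbers from <linux/capability.h> and the CapBnd/CapPrm/CapEff/CapAmb lines of /proc/<pid>/status.

```shell
#!/bin/sh
# Added diagnostic (not from the post): decode the CapEff/CapBnd masks that
# /proc/<pid>/status prints and report whether they allow loading the
# cgroup-sock BPF program that `ip vrf exec` installs. Bit numbers are the
# kernel's capability numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21
CAP_BPF=39

# has_cap HEXMASK BIT  ->  exit status 0 when BIT is set in HEXMASK
has_cap() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# vrf_exec_caps HEXMASK -> "ok" when the mask holds CAP_NET_ADMIN together
# with CAP_BPF or CAP_SYS_ADMIN (what a 5.8+ kernel demands for this program
# type regardless of kernel.unprivileged_bpf_disabled), else the missing caps.
vrf_exec_caps() {
  missing=""
  has_cap "$1" "$CAP_NET_ADMIN" || missing="$missing CAP_NET_ADMIN"
  if ! has_cap "$1" "$CAP_BPF" && ! has_cap "$1" "$CAP_SYS_ADMIN"; then
    missing="$missing CAP_BPF|CAP_SYS_ADMIN"
  fi
  if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# cap_field STATUSFILE NAME -> hex mask from a line such as
# "CapEff:  0000008000003000"
cap_field() {
  awk -v key="$2:" '$1 == key { print $2 }' "$1"
}

# Report on the calling process itself. Run it in place of ExecStart (or via
# systemd-run with the unit's Delegate= and AmbientCapabilities= settings) to
# see what `ip` actually starts with on each host.
check_self() {
  for set in CapBnd CapPrm CapEff CapAmb; do
    echo "$set: $(vrf_exec_caps "$(cap_field /proc/self/status "$set")")"
  done
}

# Constructed sample: the ambient set from the unit override in the post.
vrf_exec_caps 0000008000003000    # -> ok
```

Comparing the four lines of check_self between the Debian host and the VyOS host shows whether the unit loses a capability before ip runs, which is the case the EPERM from the BPF load points at; if the sets match, the difference is elsewhere (kernel config or the cgroup the unit may attach to).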