Unable to enable QUIC eBPF routing. #841
Comments
What OS and docker engine you're running on? It works with just Fails with just
@thresheek, I'm using
Hi @lazerl0rd, yes,
Hi @lazerl0rd, have you been able to sort out your podman setup?
Hey, @thresheek. I couldn't get it working even when running the container privileged. Unfortunately, the server has had a disk error and I haven't got round to resolving that and am unable to test further at the moment.
I did a quick test with docker. The following works for me:
Describe the bug
Attempting to utilise quic_bpf results in the following error:
I've attempted to set an unlimited RLIMIT_MEMLOCK, assign the relevant capabilities as defined at https://docs.nginx.com/nginx-service-mesh/reference/permissions (CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_RESOURCE, and CAP_SYS_ADMIN), use the host network, pass the --privileged, unconfine Seccomp (--security-opt seccomp=unconfined), run NGINX as root (within the container), and all the above together but still receive the same error.
Running on the host seems to work fine, however.
To reproduce
Steps to reproduce the behavior:
podman run -d --name nginx -p 80:80/tcp -p 443:443/tcp -p 443:443/udp -v /srv/nginx:/etc/nginx -v /etc/letsencrypt:/etc/letsencrypt --restart unless-stopped --cap-add NET_ADMIN,NET_RAW,SYS_RESOURCE,BPF,PERFMON --net <REDACTED> --ulimit memlock=-1:-1 library/nginx:mainline
(potentially including the flags mentioned above).
Expected behavior
Following a provision of the relevant capabilities and spare RLIMIT_MEMLOCK resources, QUIC eBPF routing should work fine.
Your environment
podman version 4.6.2
nginx:mainline
Additional context
n/a
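A diagnostic for the container setup described in this issue, added here as an example (it is not from the issue thread or the nginx project): it decodes a process's effective capability mask and soft RLIMIT_MEMLOCK from /proc, so that what the container runtime actually granted can be confirmed from inside the container. The function names and script name are hypothetical, and the capability list is the set named in the issue text and podman command, not a statement of what quic_bpf requires.

```sh
#!/bin/sh
# Added diagnostic (not from the issue): run inside the container.
# Capability bit numbers are from linux/capability.h; the list is the set
# of capabilities named in the issue text and podman command.
CAPS="NET_ADMIN:12 NET_RAW:13 SYS_ADMIN:21 SYS_RESOURCE:24 PERFMON:38 BPF:39"

# has_cap HEXMASK BIT: succeeds if BIT is set in the hex capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK: prints the listed capabilities absent from the mask.
missing_caps() {
    out=""
    for entry in $CAPS; do
        name=${entry%%:*}
        bit=${entry##*:}
        has_cap "$1" "$bit" || out="$out $name"
    done
    echo "${out# }"
}

# cap_eff [STATUS_FILE]: effective capability mask (CapEff) of a process.
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}"
}

# memlock_limit [LIMITS_FILE]: soft RLIMIT_MEMLOCK ("unlimited" or bytes).
memlock_limit() {
    awk '/^Max locked memory/ { print $4 }' "${1:-/proc/self/limits}"
}

# report [PID]: summary for PID (default: this shell). Assumption: inside
# the nginx image the master process is PID 1.
report() {
    pid=${1:-self}
    mask=$(cap_eff "/proc/$pid/status")
    echo "CapEff=$mask missing: $(missing_caps "$mask")"
    echo "RLIMIT_MEMLOCK (soft): $(memlock_limit "/proc/$pid/limits")"
}

# Usage: sh capcheck.sh report [PID]
if [ "${1:-}" = "report" ]; then
    report "${2:-self}"
fi
```

An empty "missing" list together with an "unlimited" memlock value means the listed capabilities and the limit did reach the process, which points the investigation at other layers of the container setup.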