2

Setup details:

macOS 12.1, Docker Desktop 4.3.2
Linux nsipsecinst-0 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

From within the container:

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:    20.04
Codename:   focal

I am running the container with privileges and CAP_NET_ADMIN + CAP_SYS_ADMIN:

"CapAdd": [
    "NET_ADMIN",
    "SYS_ADMIN"
],
"CapDrop": null,
"CgroupnsMode": "private",

Now when I try to load a simple BPF program, I get the following error in the container:

bpf_prog_load() failed: [1] Operation not permitted

When I run the exact same code on a VM running kernel 5.4, it works well. I am not sure what else is needed to make this work. What do you suggest? I am not able to glean anything useful from the Docker or linuxkit documentation that might help here.

vtewari

1 Answer

0

According to https://man7.org/linux/man-pages/man8/ip-vrf.8.html, you need the CAP_SYS_ADMIN, CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities.

Also, you may need to mount cgroup inside your container.

135
  • I was already using NET_ADMIN and SYS_ADMIN. Appending them with DAC_OVERRIDE didn't work. Will be attempting with cgroup in the container and see how it goes. – vtewari Feb 15 '22 at 19:15
  • vtewari, let me know about results. – 135 Feb 16 '22 at 11:01
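As an added example (not code from the question, the answer, Docker or linuxkit), the script below does inside the container what the question's bpf_prog_load() call does, but through the raw bpf(2) syscall so no libbpf is needed, and first decodes CapEff from /proc/self/status for the capabilities the answer lists plus CAP_BPF/CAP_PERFMON (which exist from kernel 5.8, so they apply to the 5.10 linuxkit kernel above). It assumes Linux on x86_64 (bpf is syscall number 321 there) and a mounted /proc; the CapEff samples in the comments are constructed, and the wording in diagnose() is mine, not from the page.

```python
"""Check effective capabilities, then try a minimal BPF_PROG_LOAD.

Added diagnostic example; assumes Linux on x86_64 with /proc mounted.
Run it inside the container whose bpf_prog_load() call returns EPERM.
"""
import ctypes
import errno
import os
import platform
import sys

# Capability bit numbers from <linux/capability.h>. CAP_PERFMON and CAP_BPF
# were added in kernel 5.8; CAP_SYS_ADMIN still covers them on any kernel.
CAP_BITS = {
    "CAP_DAC_OVERRIDE": 1,
    "CAP_NET_ADMIN": 12,
    "CAP_SYS_ADMIN": 21,
    "CAP_PERFMON": 38,
    "CAP_BPF": 39,
}


def decode_caps(cap_hex, table=CAP_BITS):
    """Turn a CapEff hex mask (as printed in /proc/<pid>/status) into names.

    Constructed sample: "0000000000201000" -> {CAP_NET_ADMIN, CAP_SYS_ADMIN}.
    """
    mask = int(cap_hex, 16)
    return {name for name, bit in table.items() if (mask >> bit) & 1}


def cap_eff_from_status(status_text):
    """Extract the CapEff mask from the text of /proc/self/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line in status text")


# --- minimal BPF_PROG_LOAD through the raw syscall ---
SYS_BPF_X86_64 = 321            # __NR_bpf on x86_64 (assumption: that arch)
BPF_PROG_LOAD = 5               # enum bpf_cmd
BPF_PROG_TYPE_SOCKET_FILTER = 1 # enum bpf_prog_type


class BpfInsn(ctypes.Structure):
    # struct bpf_insn: code, dst_reg:4/src_reg:4 packed in one byte, off, imm
    _fields_ = [("code", ctypes.c_uint8), ("regs", ctypes.c_uint8),
                ("off", ctypes.c_int16), ("imm", ctypes.c_int32)]


class BpfAttrProgLoad(ctypes.Structure):
    # Leading fields of union bpf_attr for BPF_PROG_LOAD; the kernel
    # zero-fills whatever lies beyond the size we pass, so this is enough.
    _fields_ = [("prog_type", ctypes.c_uint32), ("insn_cnt", ctypes.c_uint32),
                ("insns", ctypes.c_uint64), ("license", ctypes.c_uint64),
                ("log_level", ctypes.c_uint32), ("log_size", ctypes.c_uint32),
                ("log_buf", ctypes.c_uint64), ("kern_version", ctypes.c_uint32),
                ("prog_flags", ctypes.c_uint32)]


def try_load_minimal_prog():
    """Load the two-instruction program 'r0 = 0; exit' as a socket filter.

    Returns (True, 0) on success, (False, errno) when the kernel refuses, and
    (None, None) where the syscall is not issued (not Linux/x86_64), so a
    caller can tell 'refused' from 'not tried'.
    """
    if not sys.platform.startswith("linux") or platform.machine() != "x86_64":
        return None, None
    insns = (BpfInsn * 2)(BpfInsn(0xb7, 0, 0, 0),   # BPF_MOV64_IMM(r0, 0)
                          BpfInsn(0x95, 0, 0, 0))   # BPF_EXIT_INSN()
    license_buf = ctypes.create_string_buffer(b"GPL")
    attr = BpfAttrProgLoad()
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER
    attr.insn_cnt = 2
    attr.insns = ctypes.addressof(insns)
    attr.license = ctypes.addressof(license_buf)
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    fd = libc.syscall(SYS_BPF_X86_64, BPF_PROG_LOAD,
                      ctypes.byref(attr), ctypes.sizeof(attr))
    if fd < 0:
        return False, ctypes.get_errno()
    os.close(fd)  # the program fd is only needed to prove the load worked
    return True, 0


def diagnose(caps, loaded, err):
    """Map (effective caps, load result) to a one-line verdict."""
    if loaded:
        return "bpf(BPF_PROG_LOAD) succeeded"
    if loaded is None:
        return "not attempted (needs Linux on x86_64)"
    if err == errno.EPERM and "CAP_SYS_ADMIN" in caps:
        return ("EPERM with CAP_SYS_ADMIN effective: not a missing capability; "
                "look at the runtime's seccomp profile, an LSM policy, or a "
                "user namespace")
    if err == errno.EPERM:
        return "EPERM without CAP_SYS_ADMIN (or CAP_BPF on 5.8+): add the capability"
    return "bpf(BPF_PROG_LOAD) failed: " + os.strerror(err)


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        caps = decode_caps(cap_eff_from_status(f.read()))
    print("effective:", sorted(caps) or "none of the BPF-relevant caps")
    loaded, err = try_load_minimal_prog()
    print(diagnose(caps, loaded, err))
```

The capability decode is the check to run first: it tells you whether the CapAdd entries in the inspect output actually reached the process, which a failing bpf_prog_load() alone does not. If CAP_SYS_ADMIN is effective and the minimal load still returns EPERM, the refusal comes from a layer other than the capability check (the verdict text names the usual candidates), which is the situation the question describes.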