From: Remi Gacogne Date: Wed, 7 Jul 2021 10:04:24 +0000 (+0200) Subject: dnsdist: Document how raising LimitMEMLOCK might be needed for eBPF X-Git-Tag: dnsdist-1.7.0-alpha1~98^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6327980dd58eb0c4ff9ef41090a282aa69f2bc2d;p=thirdparty%2Fpdns.git dnsdist: Document how raising LimitMEMLOCK might be needed for eBPF --- diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in index 4fdbbb4115..3e521f22a8 100644 --- a/pdns/dnsdistdist/dnsdist.service.in +++ b/pdns/dnsdistdist/dnsdist.service.in @@ -18,8 +18,10 @@ TimeoutStopSec=5 StartLimitInterval=0 # Tuning -LimitNOFILE=16384 TasksMax=8192 +LimitNOFILE=16384 +# Note: increasing the amount of lockable memory is required to use eBPF support +# LimitMEMLOCK=infinity # Sandboxing # Note: adding CAP_SYS_ADMIN (or CAP_BPF for Linux >= 5.8) is required to use eBPF support, diff --git a/pdns/dnsdistdist/docs/advanced/ebpf.rst b/pdns/dnsdistdist/docs/advanced/ebpf.rst index 446a52b82d..488480406e 100644 --- a/pdns/dnsdistdist/docs/advanced/ebpf.rst +++ b/pdns/dnsdistdist/docs/advanced/ebpf.rst @@ -67,4 +67,4 @@ Since 1.6.0, the default BPF filter set via :func:`setDefaultBPFFilter` will aut That feature might require an increase of the memory limit associated to a socket, via the sysctl setting ``net.core.optmem_max``. When attaching an eBPF program to a socket, the size of the program is checked against this limit, and the default value might not be enough. -Large map sizes might also require an increase of ``RLIMIT_MEMLOCK``. +Large map sizes might also require an increase of ``RLIMIT_MEMLOCK``, which can be done by adding ``LimitMEMLOCK=infinity`` in the systemd unit file.
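Review bot: In the dnsdist.service.in hunk, the new comment says raising lockable memory "is required" to use eBPF support, while the commit subject and the ebpf.rst change both say it "might" be needed; the wording should agree, for example "might be required, depending on map sizes". The commented example also goes straight to `LimitMEMLOCK=infinity`, which removes the cap for the service entirely. systemd accepts a byte value for this setting, so the comment could mention that a finite limit sized to the configured BPF maps is enough, and operators who uncomment the line would not drop the limit by default. The swap of `LimitNOFILE` and `TasksMax` is unrelated to the subject and should either be dropped or mentioned in the commit message.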
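Review bot: In the ebpf.rst hunk, the added clause gives `LimitMEMLOCK=infinity` as the way to raise `RLIMIT_MEMLOCK` without saying that it only applies when dnsdist is started from the systemd unit, or that the shipped unit carries this line commented out. Suggest pointing readers at the commented `LimitMEMLOCK` line in dnsdist.service.in and wording `infinity` as one possible value, since the sentence is about "large map sizes" and a limit sized to those maps would satisfy it as well.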