From 6327980dd58eb0c4ff9ef41090a282aa69f2bc2d Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 7 Jul 2021 12:04:24 +0200
Subject: [PATCH] dnsdist: Document how raising LimitMEMLOCK might be needed for eBPF
---
 pdns/dnsdistdist/dnsdist.service.in | 4 +++-
 pdns/dnsdistdist/docs/advanced/ebpf.rst | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
index 4fdbbb4115..3e521f22a8 100644
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
@@ -18,8 +18,10 @@ TimeoutStopSec=5
 StartLimitInterval=0
 
 # Tuning
-LimitNOFILE=16384
 TasksMax=8192
+LimitNOFILE=16384
+# Note: increasing the amount of lockable memory is required to use eBPF support
+# LimitMEMLOCK=infinity
 
 # Sandboxing
 # Note: adding CAP_SYS_ADMIN (or CAP_BPF for Linux >= 5.8) is required to use eBPF support,
diff --git a/pdns/dnsdistdist/docs/advanced/ebpf.rst b/pdns/dnsdistdist/docs/advanced/ebpf.rst
index 446a52b82d..488480406e 100644
--- a/pdns/dnsdistdist/docs/advanced/ebpf.rst
+++ b/pdns/dnsdistdist/docs/advanced/ebpf.rst
@@ -67,4 +67,4 @@ Since 1.6.0, the default BPF filter set via :func:`setDefaultBPFFilter` will aut
 That feature might require an increase of the memory limit associated to a socket, via the sysctl setting ``net.core.optmem_max``.
 When attaching an eBPF program to a socket, the size of the program is checked against this limit, and the default value might not be enough.
 
-Large map sizes might also require an increase of ``RLIMIT_MEMLOCK``.
+Large map sizes might also require an increase of ``RLIMIT_MEMLOCK``, which can be done by adding ``LimitMEMLOCK=infinity`` in the systemd unit file.
-- 
2.47.2
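Review bot: The comment added under `# Tuning` in dnsdist.service.in says raising lockable memory "is required" for eBPF and offers only `LimitMEMLOCK=infinity`, which removes the locked-memory ceiling for the whole service instead of sizing it to the BPF maps. The ebpf.rst hunk in the same patch says the increase only "might" be needed for large maps, and it repeats the same `infinity` value. I would word the unit-file comment as `# Note: eBPF maps count against RLIMIT_MEMLOCK; if map creation fails, raise this limit, preferably to a bounded value sized for the maps` and keep `# LimitMEMLOCK=infinity` as the commented-out fallback. As far as I know, kernels from 5.11 on charge BPF memory to the memory cgroup instead, so the note could also say the setting matters mainly on older kernels. The Sandboxing note that follows already asks for CAP_SYS_ADMIN or CAP_BPF for eBPF and continues past the end of the hunk, so a bounded limit keeps the two relaxations from compounding.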