metropolis/node/core: mount /sys/fs/bpf Required for BPF maps. Currently only used by specific customer workloads which run inside the host network namespace. Change-Id: Ib948c76ff5eecbc4f8b76d6b48e0eb5ce2e1b1ae Reviewed-on: https://review.monogon.dev/c/monogon/+/3249 Reviewed-by: Serge Bazanski <serge@monogon.tech> Reviewed-by: Lorenz Brun <lorenz@monogon.tech> Tested-by: Jenkins CI

commit: 201b527e632caec8480500bc1cca5d8ab0f5896b [log] [tgz]
author: Leopold Schabel <leo@monogon.tech> Wed Jul 24 16:31:42 2024 +0000
committer: Leopold Schabel <leo@monogon.tech> Thu Jul 25 12:02:52 2024 +0000
tree: b57aa1b85cfa8ab5878809bf286b713f360da831
parent: f65898347121ef898f7efcaacfd7f2063045132a [diff]
diff --git a/metropolis/node/core/mounts.go b/metropolis/node/core/mounts.go
index 02173c5..db8529c 100644
--- a/metropolis/node/core/mounts.go
+++ b/metropolis/node/core/mounts.go

@@ -38,6 +38,9 @@
 		{"/sys/kernel/tracing", "tracefs", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
 		{"/sys/firmware/efi/efivars", "efivarfs", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
 		{"/sys/fs/pstore", "pstore", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
+		// Nothing in Metropolis currently requires BPF maps,
+		// but some privileged customer applications do.
+		{"/sys/fs/bpf", "bpf", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
 		{"/proc", "proc", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
 		{"/dev", "devtmpfs", unix.MS_NOEXEC | unix.MS_NOSUID},
 		{"/dev/pts", "devpts", unix.MS_NOEXEC | unix.MS_NOSUID},
commit	201b527e632caec8480500bc1cca5d8ab0f5896b	[log] [tgz]
author	Leopold Schabel <leo@monogon.tech>	Wed Jul 24 16:31:42 2024 +0000
committer	Leopold Schabel <leo@monogon.tech>	Thu Jul 25 12:02:52 2024 +0000
tree	b57aa1b85cfa8ab5878809bf286b713f360da831
parent	f65898347121ef898f7efcaacfd7f2063045132a [diff]