OBI security, permissions, and capabilities
You are viewing the English version of this page because it has not yet been fully translated. Interested in helping out? See Contributing.
OBI needs access to various Linux interfaces to instrument applications, such as reading from the /proc filesystem, loading eBPF programs, and managing network interface filters. Many of these operations require elevated permissions. The simplest solution is to run OBI as root, however this might not work well in setups where full root access isn’t ideal. To address this, OBI is designed to use only the specific Linux kernel capabilities needed for its current configuration.
Linux kernel capabilities
Linux kernel capabilities are a fine-grained system for controlling access to privileged operations. They allow you to grant specific permissions to processes without giving them full superuser or root access, which helps improve security by adhering to the principle of least privilege. Capabilities split privileges typically associated with root into smaller privileged operations in the kernel.
Capabilities are assigned to processes and executable files. By using tools like setcap, administrators can assign specific capabilities to a binary, enabling it to perform only the operations it needs without running as root. For example:
sudo setcap cap_net_admin,cap_net_raw+ep myprogram This example grants the CAP_NET_ADMIN and CAP_NET_RAW capabilities to myprogram, allowing it to manage network settings without requiring full superuser privileges.
By carefully choosing and assigning capabilities you can lower the risk of privilege escalation while still letting processes do what they need to.
More information can be found in the capabilities manual page.
OBI operation modes
OBI can operate in two distinct modes: application observability and network observability. These modes are not mutually exclusive and can be used together as needed. For more details on enabling these modes, refer to the configuration documentation.
OBI reads its configuration and checks for the required capabilities, if any are missing it displays a warning, for example:
time=2025-01-27T17:21:20.197-06:00 level=WARN msg="Required system capabilities not present, OBI may malfunction" error="the following capabilities are required: CAP_DAC_READ_SEARCH, CAP_BPF, CAP_CHECKPOINT_RESTORE" OBI then attempts to continue running, but missing capabilities may lead to errors later on.
You can set OTEL_EBPF_ENFORCE_SYS_CAPS=1, which causes OBI to fail immediately if the required capabilities are not available.
List of capabilities required by OBI
OBI requires the following list of capabilities for its functionality:
| Capability | Usage in OBI |
|---|---|
CAP_BPF | Enables general BPF functionality and socket filter (BPF_PROG_TYPE_SOCK_FILTER) programs, used for capturing network flows in network observability mode. |
CAP_NET_RAW | Used to create AF_PACKET raw sockets, which is the mechanism used to attach socket filter programs used for capturing network flows in network observability mode. |
CAP_NET_ADMIN | Required to load BPF_PROG_TYPE_SCHED_CLS TC programs - these programs are used for capturing network flows and for trace context propagation, both for network and application observability. |
CAP_PERFMON | Used for trace context propagation, general application observability and network flow monitoring. Allows direct packet access by TC programs, loading eBPF probes in the kernel and pointer arithmetic used by these programs. |
CAP_DAC_READ_SEARCH | Access to /proc/self/mem to determine kernel version, used by OBI to determine the appropriate set of supported features to enable. |
CAP_CHECKPOINT_RESTORE | Access to symlinks in the /proc filesystem, used by OBI to obtain various process and system information. |
CAP_SYS_PTRACE | Access to /proc/pid/exe and executable modules, used by OBI to scan executable symbols and instrument different parts of a program. |
CAP_SYS_RESOURCE | Increase the amount of locked memory available, kernels < 5.11 only |
CAP_SYS_ADMIN | Library-level Go trace-context propagation via bpf_probe_write_user() and access to BTF data by the BPF metrics exporter |
Performance monitoring tasks
Access to CAP_PERFMON is subject to perf_events access controls governed by the kernel.perf_event_paranoid kernel setting, which can adjusted via sysctl or by modifying the file /proc/sys/kernel/perf_event_paranoid. The default setting for kernel.perf_event_paranoid is typically 2, which is documented under the perf_event_paranoid section in the kernel documentation and more comprehensively under the perf-security documentation.
Some Linux distributions define higher levels for kernel.perf_event_paranoid, for example Debian based distributions also use kernel.perf_event_paranoid=3, which disallows access to perf_event_open() without CAP_SYS_ADMIN. If you are running on a distribution with kernel.perf_event_paranoid setting higher than 2, you can either modify your configuration to lower it to 2 or use CAP_SYS_ADMIN instead of CAP_PERFMON.
Deploy on AKS/EKS
Both AKS and EKS environments come with kernels that by default set sys.perf_event_paranoid > 1, which means OBI needs CAP_SYS_ADMIN to work, refer to the section on how to monitor task performance for further information.
If you prefer to use just CAP_PERFMON, you can configure your node to set kernel.perf_event_paranoid = 1. We’ve provided a few examples of how to do this, keep in mind that your results may vary depending on your specific setup.
AKS
Create AKS configuration file
{ "sysctls": { "kernel.sys_paranoid": "1" } } Create or update your AKS cluster
az aks create --name myAKSCluster --resource-group myResourceGroup --linux-os-config ./linuxosconfig.json For more information, see “Customize node configuration for Azure Kubernetes Service (AKS) node pools”
EKS (using EKS Anywhere Configuration)
Create EKS Anywhere configuration file
apiVersion: anywhere.eks.amazonaws.com/v1alpha1 kind: VSphereMachineConfig metadata: name: machine-config spec: hostOSConfiguration: kernel: sysctlSettings: kernel.sys_paranoid: '1' Deploy or update your EKS Anywhere cluster
eksctl create cluster --config-file hostosconfig.yaml EKS (modifying node group settings)
Update the node group
apiVersion: eks.eks.amazonaws.com/v1beta1 kind: ClusterConfig ... nodeGroups: - ... os: Bottlerocket eksconfig: ... sysctls: kernel.sys_paranoid: "1" Use the AWS Management Console, AWS CLI, or eksctl to apply the updated configuration to your EKS cluster.
For more information refer to the EKS host OS configuration documentation.
Example scenarios
The following example scenarios showcases how to run OBI as a non-root user:
Network metrics via a socket filter
Required capabilities:
CAP_BPFCAP_NET_RAW
Set the required capabilities and start OBI:
sudo setcap cap_bpf,cap_net_raw+ep ./bin/obi OTEL_EBPF_NETWORK_METRICS=1 OTEL_EBPF_NETWORK_PRINT_FLOWS=1 bin/obi Network metrics via traffic control
Required capabilities:
CAP_BPFCAP_NET_ADMINCAP_PERFMON
Set the required capabilities and start OBI:
sudo setcap cap_bpf,cap_net_admin,cap_perfmon+ep ./bin/obi OTEL_EBPF_NETWORK_METRICS=1 OTEL_EBPF_NETWORK_PRINT_FLOWS=1 OTEL_EBPF_NETWORK_SOURCE=tc bin/obi Application observability
Required capabilities:
CAP_BPFCAP_DAC_READ_SEARCHCAP_CHECKPOINT_RESTORECAP_PERFMONCAP_NET_RAWCAP_SYS_PTRACE
Set the required capabilities and start OBI:
sudo setcap cap_bpf,cap_dac_read_search,cap_perfmon,cap_net_raw,cap_sys_ptrace+ep ./bin/obi OTEL_EBPF_OPEN_PORT=8080 OTEL_EBPF_TRACE_PRINTER=text bin/obi Application observability with trace context propagation
Required capabilities:
CAP_BPFCAP_DAC_READ_SEARCHCAP_CHECKPOINT_RESTORECAP_PERFMONCAP_NET_RAWCAP_SYS_PTRACECAP_NET_ADMIN
Set the required capabilities and start OBI:
sudo setcap cap_bpf,cap_dac_read_search,cap_perfmon,cap_net_raw,cap_sys_ptrace,cap_net_admin+ep ./bin/obi OTEL_EBPF_CONTEXT_PROPAGATION=all OTEL_EBPF_OPEN_PORT=8080 OTEL_EBPF_TRACE_PRINTER=text bin/obi Internal eBPF tracer capability requirement reference
OBI uses tracers, a set of eBPF programs that implement the underlying functionality. A tracer may load and use different kinds of eBPF programs, each requiring their own set of capabilities.
The list below maps each internal tracer to their required capabilities, intended to serve as a reference for developers, contributors, and those interested in the internals of OBI:
(Network observability) Socket flow fetcher:
CAP_BPF: forBPF_PROG_TYPE_SOCK_FILTERCAP_NET_RAW: to createAF_PACKETsocket and attaching socket filters to a network interface
(Network observability) Flow fetcher (tc):
CAP_BPFCAP_NET_ADMIN: for loadingPROG_TYPE_SCHED_CLSeBPF TC programs, used for inspecting network trafficCAP_PERFMON: for direct access to packet memory viastruct __sk_buff::dataand to allow pointer arithmetic in eBPF programs
(Application observability) Watcher:
CAP_BPFCAP_CHECKPOINT_RESTORECAP_DAC_READ_SEARCH: for access to/proc/self/memto determine kernel versionCAP_PERFMON: for loadingBPF_PROG_TYPE_KPROBEeBPF programs that require pointer arithmetic
(Application observability) Support for languages other than Go:
CAP_BPFCAP_DAC_READ_SEARCHCAP_CHECKPOINT_RESTORECAP_PERFMONCAP_NET_RAW: to createAF_PACKETsocket used to attachobi_socket__http_filterto network interfacesCAP_SYS_PTRACE: for access to/proc/pid/exeand other nodes in/proc
(Application and network observability) network monitoring in TC mode and context propagation:
CAP_BPFCAP_DAC_READ_SEARCHCAP_PERFMONCAP_NET_ADMIN: allows loadingBPF_PROG_TYPE_SCHED_CLS,BPF_PROG_TYPE_SOCK_OPSandBPF_PROG_TYPE_SK_MSG, all used by trace context propagation and network monitoring
(Application observability) GO tracer:
CAP_BPFCAP_DAC_READ_SEARCHCAP_CHECKPOINT_RESTORECAP_PERFMONCAP_NET_RAW: to createAF_PACKETsocket used to attachobi_socket__http_filterto network interfacesCAP_SYS_PTRACE: for access to/proc/pid/exeand other nodes in/procCAP_SYS_ADMIN: for probe based (bpf_probe_write_user()) library level context propagation
フィードバック
このページは役に立ちましたか?
Thank you. Your feedback is appreciated!
Please let us know how we can improve this page. Your feedback is appreciated!