Hello, I've run into an issue that I'm not sure how to fix and need some assistance.
I've set up BPF on my Proxmox host so that my LXCs can use it. So on the host, I can see the following files under /proc/sys/net/core:
Code:
total 0
dr-xr-xr-x 1 root root 0 Apr 23 07:26 .
dr-xr-xr-x 1 root root 0 Apr 23 07:26 ..
-rw-r--r-- 1 root root 0 Apr 23 07:26 bpf_jit_enable
-rw------- 1 root root 0 Apr 23 07:26 bpf_jit_harden
-rw------- 1 root root 0 Apr 23 07:26 bpf_jit_kallsyms
-rw------- 1 root root 0 Apr 23 07:26 bpf_jit_limit
-rw-r--r-- 1 root root 0 Apr 23 07:26 busy_poll
-rw-r--r-- 1 root root 0 Apr 23 07:26 busy_read
-rw-r--r-- 1 root root 0 Apr 23 07:26 default_qdisc
-rw-r--r-- 1 root root 0 Apr 23 07:26 devconf_inherit_init_net
-rw-r--r-- 1 root root 0 Apr 23 07:26 dev_weight
-rw-r--r-- 1 root root 0 Apr 23 07:26 dev_weight_rx_bias
-rw-r--r-- 1 root root 0 Apr 23 07:26 dev_weight_tx_bias
-rw-r--r-- 1 root root 0 Apr 23 07:26 fb_tunnels_only_for_init_net
-rw-r--r-- 1 root root 0 Apr 23 07:26 flow_limit_cpu_bitmap
-rw-r--r-- 1 root root 0 Apr 23 07:26 flow_limit_table_len
-rw-r--r-- 1 root root 0 Apr 23 07:26 gro_normal_batch
-rw-r--r-- 1 root root 0 Apr 23 07:26 high_order_alloc_disable
-rw-r--r-- 1 root root 0 Apr 23 07:26 max_skb_frags
-rw-r--r-- 1 root root 0 Apr 23 07:26 message_burst
-rw-r--r-- 1 root root 0 Apr 23 07:26 message_cost
-rw-r--r-- 1 root root 0 Apr 23 07:26 netdev_budget
-rw-r--r-- 1 root root 0 Apr 23 07:26 netdev_budget_usecs
-rw-r--r-- 1 root root 0 Apr 23 07:26 netdev_max_backlog
-r--r--r-- 1 root root 0 Apr 23 07:26 netdev_rss_key
-rw-r--r-- 1 root root 0 Apr 23 07:26 netdev_tstamp_prequeue
-rw-r--r-- 1 root root 0 Apr 23 07:26 netdev_unregister_timeout_secs
-rw-r--r-- 1 root root 0 Apr 23 07:26 optmem_max
-rw-r--r-- 1 root root 0 Apr 23 07:26 rmem_default
-rw-r--r-- 1 root root 0 Apr 23 07:26 rmem_max
-rw-r--r-- 1 root root 0 Apr 23 07:26 rps_default_mask
-rw-r--r-- 1 root root 0 Apr 23 07:26 rps_sock_flow_entries
-rw-r--r-- 1 root root 0 Apr 23 07:26 skb_defer_max
-rw-r--r-- 1 root root 0 Apr 23 07:26 somaxconn
-rw-r--r-- 1 root root 0 Apr 23 07:26 tstamp_allow_data
-rw-r--r-- 1 root root 0 Apr 23 07:26 txrehash
-rw-r--r-- 1 root root 0 Apr 23 07:26 warnings
-rw-r--r-- 1 root root 0 Apr 23 07:26 wmem_default
-rw-r--r-- 1 root root 0 Apr 23 07:26 wmem_max
-rw-r--r-- 1 root root 0 Apr 23 07:26 xfrm_acq_expires
-rw-r--r-- 1 root root 0 Apr 23 07:26 xfrm_aevent_etime
-rw-r--r-- 1 root root 0 Apr 23 07:26 xfrm_aevent_rseqth
-rw-r--r-- 1 root root 0 Apr 23 07:26 xfrm_larval_drop
The important ones I need in the LXC guest are the bpf_jit_*
My LXC config for my guest looks like this:
Code:
arch: amd64
cores: 2
features: nesting=1
hostname: xxxxx
memory: 4096
mp0: local-lvm:vm-108-disk-2,mp=/var/openebs/local,backup=1,size=100G
net0: name=eth0,bridge=vmbr0,gw=x.x.x.x,hwaddr=xx:xx:xx:xx:xx:xx,ip=x.x.x.x/24,tag=10,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-108-disk-0,size=20G
startup: order=2,up=30
swap: 0
lxc.cgroup2.devices.allow: a
lxc.cap.drop:
lxc.cgroup2.devices.allow: c 188:* rwm
lxc.cgroup2.devices.allow: c 189:* rwm
lxc.mount.auto: "proc:rw sys:rw"
lxc.apparmor.profile: unconfined
But the only items I have under /proc/sys/net/core on the guest are the following:
Code:
root@xxxx:/proc/sys/net/core# ls -al
total 0
dr-xr-xr-x 1 root root 0 Apr 23 07:31 .
dr-xr-xr-x 1 root root 0 Apr 23 07:31 ..
-rw-r--r-- 1 root root 0 Apr 23 07:34 rps_default_mask
-rw-r--r-- 1 root root 0 Apr 23 07:31 somaxconn
-rw-r--r-- 1 root root 0 Apr 23 07:34 txrehash
-rw-r--r-- 1 root root 0 Apr 23 07:34 xfrm_acq_expires
-rw-r--r-- 1 root root 0 Apr 23 07:34 xfrm_aevent_etime
-rw-r--r-- 1 root root 0 Apr 23 07:34 xfrm_aevent_rseqth
-rw-r--r-- 1 root root 0 Apr 23 07:34 xfrm_larval_drop
Is there something I'm missing in the LXC config that would prevent all of those kernel modules from showing up under /proc?
As a test, I also tried to specify lxc.mount.entry values to force map the proc, proc/sys, and proc/sys/net into the LXC and it didn't change the directory contents at all - it's like LXC is ignoring most of the stuff in the host's /proc/sys/net/core.
I was hoping to be able to use containers for my Kubernetes w/Cilium testbed, but without the ability to hit those BPF proc values, it won't work.
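The host-versus-guest comparison described in the post can be scripted so it is repeatable after each config change. This is an added diagnostic sketch, not part of the original post; the function names are hypothetical, and `host.txt` is assumed to be a file produced on the host with `ls /proc/sys/net/core > host.txt` and copied into the guest.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not LXC or Proxmox tooling.

# Print every name listed in HOST_LIST (one per line, e.g. the output of
# `ls /proc/sys/net/core` saved on the host) that does not exist in GUEST_DIR.
missing_sysctls() {
    host_list=$1
    guest_dir=${2:-/proc/sys/net/core}
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        [ -e "$guest_dir/$name" ] || printf '%s\n' "$name"
    done < "$host_list"
}

# Report the state of the four bpf_jit_* entries from the host listing in DIR:
# "missing", "unreadable" (present, but not readable by this user), or the value.
# Returns 0 only when all four entries are present.
bpf_jit_status() {
    dir=${1:-/proc/sys/net/core}
    absent=0
    for knob in bpf_jit_enable bpf_jit_harden bpf_jit_kallsyms bpf_jit_limit; do
        path=$dir/$knob
        if [ ! -e "$path" ]; then
            printf '%s: missing\n' "$knob"
            absent=$((absent + 1))
        elif [ ! -r "$path" ]; then
            printf '%s: unreadable\n' "$knob"
        else
            printf '%s: %s\n' "$knob" "$(cat "$path")"
        fi
    done
    [ "$absent" -eq 0 ]
}
```

Inside the guest, `missing_sysctls host.txt` lists what the container cannot see, and `bpf_jit_status` exits non-zero while any of the four BPF JIT entries is absent.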