Check if required capabilities are available

[rafaelroquetto]

This patch checks if the required Linux capabilities for beyla are present, based on the present configuration (e.g. NetO11y does not require all of the listed capabilities below).

These are:

• CAP_BPF
• CAP_PERFMON
• CAP_DAC_READ_SEARCH
• CAP_SYS_RESOURCE
• CAP_CHECKPOINT_RESTORE
• CAP_SYS_PTRACE
• CAP_NET_RAW

(see here for more info)

It also introduces a new config option called enforce_sys_caps, defaulted to true. When that option is set to true, Beyla will not continue starting up if the required capabilities are not present and print the list of missing capabilities. Otherwise, startup will continue and the missing capabilities will be listed as a warning (allowing for easy backwards compatibility).

In addition to the capabilities listed above, Beyla startup will now check for the presence of CAP_SYS_ADMIN. This capability is required when mounting the bpf filesystem and for the context propagation functionality(*). When this capability isn't present, Beyla will error gracefully in the former case, whereas it will disable the context propagation probes and resume starting up on the latter.

(*) kernel_probe_write_user(), which is used to inject context data, requires this capability.

Resolves: #246

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 82.50000% with 14 lines in your changes missing coverage. Please review.

Project coverage is 81.85%. Comparing base (f88413a) to head (f173656).
Report is 2 commits behind head on main.

Files	Patch %	Lines
cmd/beyla/main.go	0.00%	4 Missing and 1 partial ⚠️
pkg/internal/ebpf/common/common.go	50.00%	2 Missing and 1 partial ⚠️
pkg/beyla/os.go	95.23%	1 Missing and 1 partial ⚠️
pkg/internal/discover/attacher_linux.go	33.33%	1 Missing and 1 partial ⚠️
pkg/internal/helpers/capabilities.go	90.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1067      +/-   ##
==========================================
- Coverage   81.90%   81.85%   -0.06%     
==========================================
  Files         139      140       +1     
  Lines       11329    11407      +78     
==========================================
+ Hits         9279     9337      +58     
- Misses       1534     1547      +13     
- Partials      516      523       +7     

Flag	Coverage Δ
integration-test	56.79% <43.75%> (-0.13%)	⬇️
k8s-integration-test	59.10% <38.75%> (-0.23%)	⬇️
oats-test	36.86% <36.25%> (-0.06%)	⬇️
unittests	52.05% <70.00%> (+0.11%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mariomac]

Thanks for the PR! The code looks good (I have few minor suggestions) but I have some questions:

• I'd say that the required capabilities for Network metrics are lower than the capabilities for Application metrics (at least when using the Traffic Control Network probes). We should allow users to specify the minimum capabilities to their specific use case.

• I observed that some environments (e.g. virtual machine with Kind) require also the CAP_SYS_ADMIN capabilities. Don't know why and how to check it programmatically. I guess it's fine if we don't demand CAP_SYS_ADMIN but Beyla fails later.

[mariomac]

LGTM! Good job.

I left some minor comments but you can just ignore them, or address them but you don't need to wait for a reapproval.

[grafsean]

Left a comment with suggested copy change.