Summary
The OOM Kill integration's Docker configuration documentation instructs users to mount /lib/modules and /usr/src into the Agent container:
-v /lib/modules:/lib/modules
-v /usr/src:/usr/src
When the Linux kernel has BPF compiled in (i.e., the kernel ships with BTF support, as is often the case with kernels 5.8+), datadog-agent does not require access to /usr/src or /lib/modules.
Steps to reproduce
Run the Agent with /lib/modules and /usr/src omitted on a kernel with BPF built in:
docker run \
--name datadog-agent \
--cap-add CAP_BPF \
--cap-add CAP_PERFMON \
-v /sys/kernel/debug:/sys/kernel/debug \
-e DD_API_KEY=<DD_API_KEY> \
-e DD_HOSTNAME=test-oom-kill \
-e DD_SYSTEM_PROBE_ENABLED=true \
-e DD_SYSTEM_PROBE_CONFIG_ENABLE_OOM_KILL=true \
public.ecr.aws/datadog/agent:latest
Expected behavior
Documentation should note that /lib/modules and /usr/src mounts are only required on kernels that do not have BPF compiled in.
Actual behavior
Documentation unconditionally lists /lib/modules and /usr/src as required mounts, causing unnecessary host filesystem exposure.
Environment
- Kernel: 5.8+ with BTF/BPF built in
- Docker: version 25.0.14, build 0bab007
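As an added example (not from this issue or the datadog-agent project), a POSIX shell helper that decides at deploy time whether the two header mounts are needed. It assumes that a kernel built with BTF support publishes its type information at /sys/kernel/btf/vmlinux, and reuses the capabilities, debugfs mount, environment variables and image from the reproduction command above.

```shell
# Added example, not part of the original issue or the datadog-agent project.
# Include the /lib/modules and /usr/src host mounts only when the running
# kernel does not expose BTF, so BTF kernels get the minimal mount set.
# Assumption: a kernel built with CONFIG_DEBUG_INFO_BTF publishes its type
# info at /sys/kernel/btf/vmlinux; with it present the eBPF programs can load
# without kernel headers, so the header mounts are unnecessary exposure.

BTF_VMLINUX_DEFAULT=/sys/kernel/btf/vmlinux

# kernel_has_btf [path]: succeed if the BTF blob exists and is non-empty.
kernel_has_btf() {
    [ -s "${1:-$BTF_VMLINUX_DEFAULT}" ]
}

# header_mount_args [path]: print the -v flags only for kernels without BTF.
# Output is empty on BTF kernels, so no extra host paths reach the container.
header_mount_args() {
    if kernel_has_btf "$1"; then
        printf ''
    else
        printf '%s' '-v /lib/modules:/lib/modules -v /usr/src:/usr/src'
    fi
}

# agent_run_cmd [path]: print the docker run command with the minimal mounts.
agent_run_cmd() {
    mounts=$(header_mount_args "$1")
    printf 'docker run --name datadog-agent'
    printf ' --cap-add CAP_BPF --cap-add CAP_PERFMON'
    printf ' -v /sys/kernel/debug:/sys/kernel/debug'
    if [ -n "$mounts" ]; then
        printf ' %s' "$mounts"
    fi
    printf ' -e DD_API_KEY=<DD_API_KEY> -e DD_HOSTNAME=test-oom-kill'
    printf ' -e DD_SYSTEM_PROBE_ENABLED=true'
    printf ' -e DD_SYSTEM_PROBE_CONFIG_ENABLE_OOM_KILL=true'
    printf ' public.ecr.aws/datadog/agent:latest\n'
}

# Print the command appropriate for the host this script runs on.
agent_run_cmd
```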