Before installing Cilium, please ensure that your system meets the minimum requirements below. Most modern Linux distributions already do.
When running Cilium using the container image
cilium/cilium, the host
system must meet these requirements:
When running Cilium as a native process on your host (i.e. not running the
cilium/cilium container image) these additional requirements must be met:
|Requirement||Minimum Version||In cilium container|
|Linux kernel||>= 4.9.17||no|
|Key-Value store (etcd)||>= 3.1.0||no|
|Key-Value store (consul)||>= 0.6.4||no|
Linux Distribution Compatibility Matrix¶
The following table lists Linux distributions that are known to work well with Cilium.
|CoreOS||stable (>= 1298.5.0)|
|Debian||>= 9 Stretch|
|Fedora Atomic/Core||>= 25|
|Ubuntu||>= 16.04.2, >= 16.10|
|Opensuse||Tumbleweed, >=Leap 15.0|
The above list is based on feedback by users. If you find an unlisted Linux distribution that works well, please let us know by opening a GitHub issue or by creating a pull request that updates this guide.
Cilium leverages and builds on the kernel BPF functionality as well as various subsystems which integrate with BPF. Therefore, host systems are required to run Linux kernel version 4.8.0 or later to run a Cilium agent. More recent kernels may provide additional BPF functionality that Cilium will automatically detect and use on agent start.
In order for the BPF feature to be enabled properly, the following kernel configuration options must be enabled. This is typically the case with distribution kernels. When an option can be built as a module or statically linked, either choice is valid.
CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_NET_CLS_BPF=y CONFIG_BPF_JIT=y CONFIG_NET_CLS_ACT=y CONFIG_NET_SCH_INGRESS=y CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_USER_API_HASH=y
Users running Linux 4.10 or earlier with Cilium CIDR policies may face Restrictions on unique prefix lengths for CIDR policy rules.
Cilium uses a distributed Key-Value store to manage, synchronize and distribute security identities across all cluster nodes. The following Key-Value stores are currently supported:
- etcd >= 3.1.0
- consul >= 0.6.4
See Key-Value Store for details on how to configure the
cilium-agent to use a Key-Value store.
This requirement is only needed if you run
If you are using the Cilium container image
clang+LLVM is included in the container image.
LLVM is the compiler suite that Cilium uses to generate BPF bytecode programs
to be loaded into the Linux kernel. The minimum supported version of LLVM
cilium-agent should be >=3.7.1. The version of clang installed
must be compiled with the BPF backend enabled.
See https://releases.llvm.org/ for information on how to download and install LLVM.
Beginning with clang 3.9.x, the minimum kernel version is >= 4.9.17.
iproute2 is only needed if you run
cilium-agent directly on the
host machine. iproute2 is included in the
iproute2 is a low level tool used to configure various networking related
subsystems of the Linux kernel. Cilium uses iproute2 to configure networking
tc, which is part of iproute2, to load BPF programs into the kernel.
The minimum version of iproute2 must be >= 4.8.0. Please see https://www.kernel.org/pub/linux/utils/net/iproute2/ for documentation on how to install iproute2.