
Docs: clarify QUIC BPF operation #15845

@moderation

Description:
Prompted by the Twitter chat at https://twitter.com/mattklein123/status/1378172039870091265 I looked into the runtime flag that allows QUIC routing in the kernel via BPF - https://github.com/envoyproxy/envoy/blob/main/source/common/runtime/runtime_features.cc#L82

layered_runtime:
  layers:
    - name: static-layer
      static_layer:
        envoy.reloadable_features.prefer_quic_kernel_bpf_packet_routing: true

Installing BPF rules like this requires one of:

  1. Envoy is running as root
  2. For kernels >= 5.8, Envoy is running with sudo setcap cap_bpf+ep <envoy binary>
  3. For kernels < 5.8, Envoy is running with sudo setcap cap_net_admin,cap_sys_admin+ep <envoy binary>

From initial testing Envoy doesn't display any different output when launched in different modes. QUIC / h3 listeners work whether Envoy was launched with the elevated permissions or not.

It would be good to clarify in the docs what steps need to be taken to enable QUIC BPF kernel routing and what platforms work and don't work. It looks like this is Linux only at the moment. It might be worthwhile logging whether the BPF rule has been installed successfully - https://github.com/envoyproxy/envoy/blob/main/source/common/quic/active_quic_listener.cc#L234-L298

Relevant Links:
Handy reference on determining what Linux Capabilities your system supports - https://linux-audit.com/linux-capabilities-101/

/cc @ggreenway @alyssawilk @danzh2010 @mattklein123
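Added example, not part of the issue above and not Envoy project code: a small POSIX sh helper that picks the setcap string matching the three-way rule listed in the issue (root, cap_bpf on kernels >= 5.8, cap_net_admin plus cap_sys_admin on older kernels) from the running kernel version, and checks with getcap whether an Envoy binary already carries it. The kernel-version parsing, the function names and the idea of driving it from `uname -r` are this example's own assumptions; the capability requirements themselves are taken from the issue text.

```shell
#!/bin/sh
# Added example (not Envoy's own tooling). Decides which file capabilities an
# Envoy binary needs before the QUIC BPF packet-routing runtime flag can take
# effect, following the kernel-version rule stated in the issue above.

# kver_ge A B: succeed if kernel version A is >= B, comparing major.minor
# numerically (so 5.10 > 5.8). Patch levels and suffixes such as
# "-generic" or "-rc1" are ignored.
kver_ge() {
  a_major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
  a_minor=$(printf '%s' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
  b_major=$(printf '%s' "$2" | cut -d. -f1 | sed 's/[^0-9].*//')
  b_minor=$(printf '%s' "$2" | cut -s -d. -f2 | sed 's/[^0-9].*//')
  if [ "${a_major:-0}" -gt "${b_major:-0}" ]; then return 0; fi
  if [ "${a_major:-0}" -lt "${b_major:-0}" ]; then return 1; fi
  [ "${a_minor:-0}" -ge "${b_minor:-0}" ]
}

# required_caps_for_kernel VERSION: print the setcap argument for that kernel.
# cap_bpf exists only from 5.8 onwards; older kernels need the broader pair.
required_caps_for_kernel() {
  if kver_ge "$1" "5.8"; then
    printf 'cap_bpf+ep\n'
  else
    printf 'cap_net_admin,cap_sys_admin+ep\n'
  fi
}

# has_caps BINARY CAPS: succeed if getcap reports every capability named in
# CAPS (comma-separated, "+ep" suffix allowed) on BINARY. Matching is by
# substring so both getcap output styles ("= cap_bpf+ep" and "cap_bpf=ep")
# are accepted. Fails when getcap is missing or prints nothing.
has_caps() {
  bin=$1
  wanted=$(printf '%s' "$2" | sed 's/+.*//')
  current=$(getcap "$bin" 2>/dev/null) || return 1
  for c in $(printf '%s' "$wanted" | tr ',' ' '); do
    case "$current" in
      *"$c"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Usage: ./check_envoy_caps.sh /path/to/envoy
# Runs only when invoked with an executable path, so the file can also be
# sourced for its functions. Running as root makes the setcap step unnecessary.
if [ -n "$1" ] && [ -x "$1" ]; then
  if [ "$(id -u)" -eq 0 ]; then
    echo "running as root: no file capabilities needed for BPF setup"
  else
    caps=$(required_caps_for_kernel "$(uname -r)")
    if has_caps "$1" "$caps"; then
      echo "$1 already has $caps"
    else
      echo "missing capabilities; run: sudo setcap $caps $1"
    fi
  fi
fi
```

Because Envoy currently prints nothing either way, an independent check after launch is useful: `bpftool prog show` lists loaded programs with their type, so a program of type `sk_reuseport` appearing once a QUIC listener is up is a reasonable sign the filter was attached (this check is my suggestion, not something the issue or Envoy documents). The getcap match is deliberately loose about output format; it is not a substitute for confirming that the flag is actually honoured.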
