Building eBPF module for RHEL 4.18.0-553.el8_10.x86_64 #2273
Comments
Hi! So, I can reproduce the issue but am not sure how to proceed; I don't think the old eBPF probe is meant to be loaded through bpftool, since it predates it and is loaded through manual libelf magic. Also, note that you most probably could also try to use the modern_bpf driver, which does not require building any artifact. EDIT: for future people (or future me), this is the patch that introduced the check: libbpf/libbpf@aead9af
OK, that makes sense. I'm limited to the 4.18 kernel version, which doesn't support modern eBPF. How would I load the compiled object through Falco?
Indeed, the modern BPF support depends upon kernel features, and as far as I know your Red Hat-patched kernel might support the required features (i.e. they backported them). I'd give it a try before trying anything else, since it is the default and simplest deployment method.
Hello! As Fede says, RHEL has backported kernels that have more features; they usually just freeze the major/minor/patch versions and follow upstream relatively closely. From testing we've done, RHEL 8.6+ runs the modern probe with no issues.
Describe the bug
I am getting the following bug when trying to build the eBPF module for RHEL 4.18.0-553.el8_10.x86_64:

```
raw_tracepoint/filler/terminate_filler': program 'bpf_terminate_filler' is static and not supported
```

There aren't supported modules for RHEL to my knowledge, so I am building from source. I need to compile due to deployment restrictions of it being an isolated system.
How to reproduce it
Build environment: AWS EC2 instance running kernel 4.18.0-553.el8_10.x86_64.

Run the following Ansible playbook:

```yaml
- name: Install and configure Falco eBPF module
  hosts: localhost
  become: yes
  vars:
    falco_version: "0.39.2"
    kernel_version: "{{ ansible_kernel }}"
  tasks:
    - name: Ensure the user is root
      ansible.builtin.assert:
        that:
          - ansible_user_id == 'root'
        fail_msg: "This playbook must be run as root"
        success_msg: "Running as root user"

    - name: Install build dependencies
      ansible.builtin.package:
        name:
          - clang
          - llvm
          - curl
          - gcc
          - gcc-c++
          - git
          - make
          - cmake
          - elfutils-libelf-devel
          - perl-IPC-Cmd
          - bpftool
          - "kernel-devel-{{ kernel_version }}"
        state: present

    # /sys/fs/bpf always exists as a directory, so a `creates:` guard on it would
    # skip the mount every time; test whether it is already a mountpoint instead.
    - name: Ensure BPF filesystem is mounted
      ansible.builtin.shell:
        cmd: "mountpoint -q /sys/fs/bpf || mount -t bpf bpf /sys/fs/bpf"

    - name: Create /falco_build directory
      ansible.builtin.file:
        path: /falco_build
        state: directory
        mode: '0755'

    - name: Download Falco source tarball (version {{ falco_version }})
      ansible.builtin.get_url:
        url: "https://github.com/falcosecurity/falco/archive/refs/tags/{{ falco_version }}.tar.gz"
        dest: "/falco_build/falco-{{ falco_version }}.tar.gz"

    - name: Extract Falco source
      ansible.builtin.unarchive:
        src: "/falco_build/falco-{{ falco_version }}.tar.gz"
        dest: "/falco_build"
        remote_src: yes
        extra_opts:
          - "--strip-components=1"

    - name: Ensure clean build directory
      ansible.builtin.file:
        path: "/falco_build/build"
        state: absent

    - name: Create a new build directory
      ansible.builtin.file:
        path: "/falco_build/build"
        state: directory
        mode: '0755'

    - name: Configure the build with CMake
      ansible.builtin.command:
        cmd: "cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_BPF=ON .."
      args:
        chdir: "/falco_build/build"

    - name: Compile the Falco eBPF module
      ansible.builtin.command:
        cmd: "make bpf"
      args:
        chdir: "/falco_build/build"
      register: make_output
      failed_when: "'Error' in make_output.stderr"

    - name: Verify probe.o exists after compilation
      ansible.builtin.stat:
        path: "/falco_build/build/driver/bpf/probe.o"
      register: probe_o_file

    - name: Rename probe.o to test_falco.o
      ansible.builtin.command:
        cmd: "mv /falco_build/build/driver/bpf/probe.o /falco_build/build/driver/bpf/test_falco.o"
      when: probe_o_file.stat.exists

    # This is the step that fails with "program 'bpf_terminate_filler' is static and not supported".
    - name: Load the eBPF program into the kernel
      ansible.builtin.command:
        cmd: "bpftool prog load /falco_build/build/driver/bpf/test_falco.o /sys/fs/bpf/falco"

    # `command` does not run through a shell, so the pipe needs the `shell` module.
    - name: Find program ID of loaded eBPF program
      ansible.builtin.shell:
        cmd: "bpftool prog show | grep falco"
      register: falco_prog_info

    - name: Extract program ID
      ansible.builtin.set_fact:
        falco_prog_id: "{{ falco_prog_info.stdout_lines[0].split(':')[0] }}"

    - name: Attach eBPF program to tracepoint sys_enter_execve
      ansible.builtin.command:
        cmd: "bpftool prog attach {{ falco_prog_id }} tracepoint sys_enter_execve"

    - name: Verify loaded eBPF programs
      ansible.builtin.command:
        cmd: "bpftool prog show"
      register: ebpf_status

    - name: List pinned eBPF programs
      ansible.builtin.shell:
        cmd: "bpftool prog list | grep falco"
      register: ebpf_pinned
```
Expected behaviour
Expected result is to load the eBPF module using bpftool.
Screenshots
Debugging:

```
bpftool prog load /falco_build/build/driver/bpf/test_falco.o /sys/fs/bpf/falco
```
Environment
Falco version: 0.39.2

System info (/etc/os-release):

```
NAME="Red Hat Enterprise Linux"
VERSION="8.10 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.10"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.10 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.10
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.10"
```

Kernel (uname -a):

```
4.18.0-553.el8_10.x86_64 #1 SMP Fri May 10 15:19:13 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux
```

Installation method: installed via binary running as a systemd process.
Additional context
Building for an isolated system and need to build probe and have the probe be pulled in when Falco is deployed via helm chart.
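The "is static and not supported" error above is libbpf refusing a program entry function whose ELF symbol has LOCAL (static) binding. The following POSIX shell script is an added diagnostic, not part of this issue or of the Falco project: it lists such functions in a compiled probe object from readelf output, assuming binutils readelf is available and that program sections are the ones whose names do not start with a dot.

```shell
#!/bin/sh
# Added diagnostic, not from the issue or the Falco project.
# libbpf (and therefore bpftool) rejects a BPF program whose entry function is
# `static`: in the ELF object that shows up as a FUNC symbol with LOCAL binding
# inside a program section. This lists such symbols from `readelf` output.
# Assumption: program sections are those whose names do not start with '.'
# (e.g. "raw_tracepoint/filler/terminate_filler"); helpers in .text are ignored.

# find_static_progs SECTIONS_TEXT SYMBOLS_TEXT
#   SECTIONS_TEXT: output of `readelf -SW obj.o`; SYMBOLS_TEXT: output of `readelf -sW obj.o`
#   Prints "<section> <symbol>" per offending function; prints nothing if the object is clean.
find_static_progs() {
  printf '%s\n' "$2" | awk -v secs="$1" '
    BEGIN {
      n = split(secs, lines, "\n")
      for (i = 1; i <= n; i++) {            # build section index -> name map
        if (match(lines[i], /\[ *[0-9]+\] *[^ ]+/)) {
          hdr = substr(lines[i], RSTART, RLENGTH)
          idx = hdr; sub(/^\[ */, "", idx); sub(/\].*/, "", idx)
          name = hdr; sub(/^\[ *[0-9]+\] */, "", name)
          secname[idx] = name
        }
      }
    }
    # symbol rows: Num: Value Size Type Bind Vis Ndx Name
    $4 == "FUNC" && $5 == "LOCAL" && ($7 in secname) && secname[$7] !~ /^\./ {
      print secname[$7], $8
    }'
}

# check_object PROBE.o : run the check against a real object (needs binutils readelf)
check_object() {
  find_static_progs "$(readelf -SW "$1")" "$(readelf -sW "$1")"
}

# Constructed sample readelf output mirroring the failing probe (not real output).
SAMPLE_SECTIONS='Section Headers:
  [Nr] Name              Type            Address          Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            0000000000000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        0000000000000000 000040 000100 00  AX  0   0  8
  [ 2] raw_tracepoint/filler/terminate_filler PROGBITS 0000000000000000 000140 000078 00  AX  0   0  8
  [ 3] raw_tracepoint/sys_enter PROGBITS 0000000000000000 0001b8 000050 00  AX  0   0  8'
SAMPLE_SYMBOLS='Symbol table .symtab contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000    64 FUNC    LOCAL  DEFAULT    1 helper_fn
     2: 0000000000000000   120 FUNC    LOCAL  DEFAULT    2 bpf_terminate_filler
     3: 0000000000000000    80 FUNC    GLOBAL DEFAULT    3 bpf_sys_enter'

# Run on the constructed sample: prints "raw_tracepoint/filler/terminate_filler bpf_terminate_filler"
find_static_progs "$SAMPLE_SECTIONS" "$SAMPLE_SYMBOLS"
```

Run `check_object /falco_build/build/driver/bpf/probe.o` on the real build output; an empty result means every program entry function is global and the loader's static-function check is not what is rejecting the object.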