[Rocky Linux 9.4] can't build eBPF probe #3366

Open
Sartigan opened this issue Oct 4, 2024 · 1 comment

Sartigan commented Oct 4, 2024

Describe the bug

eBPF probe can't be built with Rocky Linux 9.4

I cannot reproduce the issue with Rocky Linux 8.9

falcoctl driver config --type ebpf
2024-10-04 18:46:04 INFO  Running falcoctl driver config
                      ├ name: falco
                      ├ version: 7.3.0+driver
                      ├ type: ebpf
                      ├ host-root: /
                      └ repos: https://download.falco.org/driver
2024-10-04 18:46:04 INFO  Committing driver config to specialized configuration file under directory: /etc/falco/config.d
2024-10-04 18:46:04 INFO  Storing falcoctl driver config

falcoctl driver install
2024-10-04 18:46:08 INFO  Running falcoctl driver install
                      ├ driver version: 7.3.0+driver
                      ├ driver type: ebpf
                      ├ driver name: falco
                      ├ compile: true
                      ├ download: true
                      ├ target: rocky
                      ├ arch: x86_64
                      ├ kernel release: 5.14.0-427.37.1.el9_4.x86_64
                      └ kernel version: #1 SMP PREEMPT_DYNAMIC Wed Sep 25 11:51:41 UTC 2024
2024-10-04 18:46:08 INFO  Removing eBPF probe symlink path: /root/.falco/falco-bpf.o
2024-10-04 18:46:08 INFO  Trying to download a driver.
                      └ url: https://download.falco.org/driver/7.3.0%2Bdriver/x86_64/falco_rocky_5.14.0-427.37.1.el9_4.x86_64_1.o
2024-10-04 18:46:09 WARN  Non-200 response from url. code: 404
2024-10-04 18:46:09 WARN  unable to find a prebuilt driver
2024-10-04 18:46:09 INFO  Trying to compile the requested driver
2024-10-04 18:46:09 INFO  Trying automatic kernel headers download.
2024-10-04 18:46:17 INFO  Setting KERNELDIR env var. path: /tmp/kernel
2024-10-04 18:46:17 INFO  Trying to build eBPF probe.
+ cd /usr/src/falco-7.3.0+driver
+ echo '* Building eBPF probe'
* Building eBPF probe
+ '[' '!' -d /sys/kernel/debug/tracing ']'
+ cd bpf
+ make
make -C /tmp/kernel M=$PWD
make[1]: Entering directory '/tmp/kernel'
/bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied
/bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied
[configure-bpf] Including /usr/src/falco-7.3.0+driver/bpf//configure/RSS_STAT_ARRAY/Makefile.inc
[configure-bpf] Build output for HAS_RSS_STAT_ARRAY:
[configure-bpf] make: Entering directory '/usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY'
make -C /tmp/kernel M=$PWD
make[1]: Entering directory '/tmp/kernel'
/bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied
/bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied
clang -I./arch/x86/include -I./arch/x86/include/generated  -I./include -I./arch/x86/include/uapi -I./arch/x86/include/generated/uapi -I./include/uapi -I./include/generated/uapi -include ./include/linux/compiler-version.h -include ./include/linux/kconfig.h \
        -D__KERNEL__ -fmacro-prefix-map=./= \
         \
        -D__KERNEL__ \
        -D__BPF_TRACING__ \
        -Wno-gnu-variable-sized-type-not-at-end \
        -Wno-address-of-packed-member \
        -fno-jump-tables \
        -fno-stack-protector \
        -Wno-tautological-compare \
        -Wno-unknown-attributes \
        -O2 -g -emit-llvm -c /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/test.c -o /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/test.ll
In file included from /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/test.c:22:
In file included from ./include/linux/mm_types.h:5:
In file included from ./include/linux/mm_types_task.h:14:
In file included from ./include/linux/cpumask.h:12:
In file included from ./include/linux/bitmap.h:11:
In file included from ./include/linux/string.h:254:
./include/linux/fortify-string.h:154:17: warning: passing 'unsigned char *' to parameter of type 'const char *' converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign]
  154 |         size_t p_len = __compiletime_strlen(p);
      |                        ^~~~~~~~~~~~~~~~~~~~~~~
./include/linux/fortify-string.h:27:29: note: expanded from macro '__compiletime_strlen'
   27 |                         __ret = __builtin_strlen(__p);          \
      |                                                  ^~~
1 warning generated.
llc -march=bpf -filetype=obj -o /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/test.o /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/test.ll
/bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied
/bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied
  MODPOST /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/Module.symvers
/bin/sh: line 1: scripts/mod/modpost: Permission denied
make[2]: *** [scripts/Makefile.modpost:134: /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/Module.symvers] Error 126
make[1]: *** [Makefile:1850: modules] Error 2
make[1]: Leaving directory '/tmp/kernel'
make: *** [Makefile:26: all] Error 2
make: Leaving directory '/usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY'
clang -I./arch/x86/include -I./arch/x86/include/generated  -I./include -I./arch/x86/include/uapi -I./arch/x86/include/generated/uapi -I./include/uapi -I./include/generated/uapi -include ./include/linux/compiler-version.h -include ./include/linux/kconfig.h \
        -D__KERNEL__ -fmacro-prefix-map=./= \
         \
         \
        -D__KERNEL__ \
        -D__BPF_TRACING__ \
        -Wno-gnu-variable-sized-type-not-at-end \
        -Wno-address-of-packed-member \
        -fno-jump-tables \
        -fno-stack-protector \
        -Wno-tautological-compare \
        -Wno-unknown-attributes \
        -O2 -g -emit-llvm -c /usr/src/falco-7.3.0+driver/bpf/probe.c -o /usr/src/falco-7.3.0+driver/bpf/probe.ll
In file included from /usr/src/falco-7.3.0+driver/bpf/probe.c:17:
In file included from ./include/linux/sched.h:14:
In file included from ./include/linux/pid.h:5:
In file included from ./include/linux/rculist.h:11:
In file included from ./include/linux/rcupdate.h:27:
In file included from ./include/linux/preempt.h:79:
In file included from ./arch/x86/include/asm/preempt.h:9:
In file included from ./include/linux/thread_info.h:60:
In file included from ./arch/x86/include/asm/thread_info.h:53:
In file included from ./arch/x86/include/asm/cpufeature.h:5:
In file included from ./arch/x86/include/asm/processor.h:23:
In file included from ./arch/x86/include/asm/msr.h:11:
In file included from ./arch/x86/include/asm/cpumask.h:5:
In file included from ./include/linux/cpumask.h:12:
In file included from ./include/linux/bitmap.h:11:
In file included from ./include/linux/string.h:254:
./include/linux/fortify-string.h:154:17: warning: passing 'unsigned char *' to parameter of type 'const char *' converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign]
  154 |         size_t p_len = __compiletime_strlen(p);
      |                        ^~~~~~~~~~~~~~~~~~~~~~~
./include/linux/fortify-string.h:27:29: note: expanded from macro '__compiletime_strlen'
   27 |                         __ret = __builtin_strlen(__p);          \
      |                                                  ^~~
In file included from /usr/src/falco-7.3.0+driver/bpf/probe.c:27:
/usr/src/falco-7.3.0+driver/bpf/fillers.h:873:56: error: member reference base type 'struct percpu_counter[4]' is not a structure or union
  873 |         bpf_probe_read_kernel(&val, sizeof(val), &mm->rss_stat.count[member]);
      |                                                   ~~~~~~~~~~~~^~~~~~
/usr/src/falco-7.3.0+driver/bpf/fillers.h:2285:48: warning: passing 'volatile long *' to parameter of type 'long *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
 2285 |                 res = bpf_accumulate_argv_or_env(data, argv, &args_len);
      |                                                              ^~~~~~~~~
/usr/src/falco-7.3.0+driver/bpf/fillers.h:1895:61: note: passing argument to parameter 'args_len' here
 1895 |                                                       long *args_len) {
      |                                                             ^
2 warnings and 1 error generated.
make[2]: *** [/usr/src/falco-7.3.0+driver/bpf/Makefile:74: /usr/src/falco-7.3.0+driver/bpf/probe.o] Error 1
make[1]: *** [Makefile:1936: /usr/src/falco-7.3.0+driver/bpf] Error 2
make[1]: Leaving directory '/tmp/kernel'
make: *** [Makefile:23: all] Error 2
2024-10-04 18:46:21 ERROR failed: failed to build all requested drivers

How to reproduce it

dnf -y --quiet install kernel-headers-$(uname -r)
dnf -y --quiet install kernel-devel-$(uname -r)
dnf -y --quiet install clang llvm
dnf -y --quiet install falco-0.39.0
falcoctl driver config --type ebpf
falcoctl driver install

Expected behaviour

eBPF probe should be installed successfully

  • Falco version:
falco --version
Fri Oct  4 18:49:51 2024: Falco version: 0.39.0 (x86_64)
Fri Oct  4 18:49:51 2024: Falco initialized with configuration files:
Fri Oct  4 18:49:51 2024:    /etc/falco/config.d/engine-kind-falcoctl.yaml | schema validation: ok
Fri Oct  4 18:49:51 2024:    /etc/falco/falco.yaml | schema validation: ok
Fri Oct  4 18:49:51 2024: System info: Linux version 5.14.0-427.37.1.el9_4.x86_64 ([email protected]) (gcc (GCC) 11.4.1 20231218 (Red Hat 11.4.1-3), GNU ld version 2.35.2-43.el9) #1 SMP PREEMPT_DYNAMIC Wed Sep 25 11:51:41 UTC 2024
Falco version: 0.39.0
Libs version:  0.18.1
Plugin API:    3.7.0
Engine:        0.43.0
Driver:
  API version:    8.0.0
  Schema version: 2.0.0
  Default driver: 7.3.0+driver
  • System info:
falco --support | jq .system_info
Fri Oct  4 18:50:36 2024: Falco version: 0.39.0 (x86_64)
Fri Oct  4 18:50:36 2024: Falco initialized with configuration files:
Fri Oct  4 18:50:36 2024:    /etc/falco/config.d/engine-kind-falcoctl.yaml | schema validation: ok
Fri Oct  4 18:50:36 2024:    /etc/falco/falco.yaml | schema validation: ok
Fri Oct  4 18:50:36 2024: System info: Linux version 5.14.0-427.37.1.el9_4.x86_64 ([email protected]) (gcc (GCC) 11.4.1 20231218 (Red Hat 11.4.1-3), GNU ld version 2.35.2-43.el9) #1 SMP PREEMPT_DYNAMIC Wed Sep 25 11:51:41 UTC 2024
Fri Oct  4 18:50:36 2024: Loading rules from:
Fri Oct  4 18:50:36 2024:    /etc/falco/falco_rules.yaml | schema validation: ok
Fri Oct  4 18:50:36 2024:    /etc/falco/falco_rules.local.yaml | schema validation: none
{
  "machine": "x86_64",
  "nodename": "winner-03",
  "release": "5.14.0-427.37.1.el9_4.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP PREEMPT_DYNAMIC Wed Sep 25 11:51:41 UTC 2024"
}
  • Installation method: RPM

poiana commented Jan 2, 2025

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale
