SysinternalsEBPF

Is RHEL7 supported?

Open aka0 opened this issue 4 years ago • 7 comments

While a RHEL7 rpm is posted, has anyone installed it successfully? RHEL7 bundles glibc 2.17, therefore the dependency check will fail.

$ rpm -Uvh sysinternalsebpf-1.0.0-1.x86_64.rpm 
error: Failed dependencies:
libc.so.6(GLIBC_2.22)(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
libc.so.6(GLIBC_2.26)(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
libjson-glib-1.0.so.0()(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.7 (Maipo)

$ rpm -qa|grep glibc
glibc-2.17-292.el7.x86_64
glibc-common-2.17-292.el7.x86_64
glibc-devel-2.17-292.el7.x86_64
glibc-headers-2.17-292.el7.x86_64

If it's not supported, then perhaps the reference to RHEL7 (and CentOS7) should be removed.

aka0 Oct 15 '21 16:10
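
An added example, not part of the issue thread or the project's code: a pre-install check that turns the rpm output in the post above into a single verdict by comparing the highest `GLIBC_x.y` symbol version required with the installed glibc package version. The function names are hypothetical, the sample input is the text quoted in the post, and GNU `grep -o` and `sort -V` are assumed.

```shell
#!/bin/sh
# Added example: names below are hypothetical. Needs GNU grep -o and sort -V.
# Constructed sample input, copied from the rpm output quoted in the issue.
RPM_ERRORS='error: Failed dependencies:
libc.so.6(GLIBC_2.22)(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
libc.so.6(GLIBC_2.26)(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
libjson-glib-1.0.so.0()(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64'
GLIBC_PKG='glibc-2.17-292.el7.x86_64'

# Highest GLIBC_x.y symbol version named in rpm dependency text.
# Also accepts the output of `rpm -qp --requires <package>.rpm`.
max_glibc_required() {
  printf '%s\n' "$1" | grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' |
    sort -u -V | tail -n 1
}

# Upstream version of the glibc package itself; glibc-common, glibc-devel
# and similar lines from `rpm -qa | grep glibc` are skipped.
glibc_pkg_version() {
  printf '%s\n' "$1" | sed -n 's/^glibc-\([0-9][0-9.]*\)-.*/\1/p' | head -n 1
}

# True when version $1 >= $2. Version sort, so 2.17 > 2.9 (a string
# comparison gets that wrong).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Sonames other than libc that rpm reports as unmet.
other_missing_libs() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(lib[^(]*\)(.*is needed by.*/\1/p' |
    grep -v '^libc\.so\.' | sort -u
}

# One-line verdict for a failed install.
classify() {
  need=$(max_glibc_required "$1"); have=$(glibc_pkg_version "$2")
  if [ -z "$have" ]; then echo "glibc-version-unknown"
  elif [ -n "$need" ] && ! version_ge "$have" "$need"; then
    echo "glibc-too-old need=$need have=$have"
  elif [ -n "$(other_missing_libs "$1")" ]; then echo "missing-libs"
  else echo "ok"; fi
}

classify "$RPM_ERRORS" "$GLIBC_PKG"
```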

I'm also having this issue installing from the rpm package on CentOS 7.

jordaneyres Oct 16 '21 13:10

@aka0 I was able to make from source on CentOS 7. However, if you're looking to use this with Sysmon for Linux, I'm hitting issues getting Sysmon for Linux to compile. eBPF was backported to the 3.10 kernel, but apparently it's not the full deal. Will be opening an issue over at the Sysmon for Linux repo if of interest.

jordaneyres Oct 17 '21 13:10

> I was able to make from source on CentOS 7.

I'll give it a try.

> Will be opening an issue over at the Sysmon for Linux repo if of interest.

Please do. Thanks.

aka0 Oct 18 '21 17:10

#  rpm -Uvh sysinternalsebpf-1.0.0-1.x86_64.rpm
error: Failed dependencies:
        libc.so.6(GLIBC_2.22)(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
        libc.so.6(GLIBC_2.26)(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
        libjson-glib-1.0.so.0()(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
# rpm -qa|grep glibc
glibc-devel-2.17-323.0.1.el7_9.x86_64
glibc-common-2.17-323.0.1.el7_9.x86_64
glibc-utils-2.17-323.0.1.el7_9.x86_64
glibc-2.17-323.0.1.el7_9.x86_64
glibc-headers-2.17-323.0.1.el7_9.x86_64
glibc-2.17-323.0.1.el7_9.i686
#  cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)

Also can't build from source.

fluidum Oct 22 '21 18:10

We logged a Premier Support call with Microsoft, and this is the reply:

> Support for Red Hat 7 is limited currently and the inclusion in the INSTALL.md was mainly for future versions. They plan on updating the doc to reflect this. Please note that Red Hat 8 support is also experimental at this point.

robingarner-scu Oct 28 '21 23:10

RHEL 7 and 8 support are on the list. RHEL 8 will be easier and quicker as the problems are minor. RHEL 7 might be tricky depending on how much eBPF is available in their backport.

kesheldr Nov 03 '21 15:11

I've pushed a fix that should resolve the issue on RHEL8. You will have to run getOffsets (https://github.com/Sysinternals/SysinternalsEBPF/tree/main/getOffsets) to get this to work.

MarioHewardt Jan 20 '23 02:01