
[BUG] Tracee needs to build its non-CORE eBPF object!

Open B3ns44d opened this issue 3 years ago • 4 comments

Prerequisites

  • [x] I can reproduce the issue in latest released version.
  • [ ] I can reproduce the issue in development version (from source tree).
  • [x] I checked the documentation and found no answer.
  • [x] There isn't an issue describing the bug.

Bug description

This is how I'm executing tracee (cmdline):

docker run --name tracee --rm -it \
     --pid=host --cgroupns=host --privileged \
     -v /etc/os-release:/etc/os-release-host:ro \
     -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
     -v /usr/src:/usr/src:ro \
     -v /lib/modules:/lib/modules:ro \
     -v /tmp/tracee:/tmp/tracee:rw \
     mirror-forge.dev.beyond.cegedim.cloud/aquasec/tracee:full

This is the error I'm getting:

INFO: probing tracee-ebpf capabilities...
ERROR:
ERROR: Tracee needs to build its non-CORE eBPF object!
ERROR: You need to bind mount /usr/src and /lib/modules.
ERROR:
ERROR: Run docker with:
ERROR:     -v /usr/src:/usr/src:ro
ERROR:     -v /lib/modules:/lib/modules:ro
ERROR:

Steps to reproduce

Steps to reproduce the issue:

  1. docker run --name tracee --rm -it \
    --pid=host --cgroupns=host --privileged \
    -v /etc/os-release:/etc/os-release-host:ro \
    -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
    -v /usr/src:/usr/src:ro \
    -v /lib/modules:/lib/modules:ro \
    -v /tmp/tracee:/tmp/tracee:rw \
    mirror-forge.dev.beyond.cegedim.cloud/aquasec/tracee:full

Context

Relevant information about my setup:

  • Linux version: Ubuntu 20.04.3 LTS
  • Linux kernel version: Linux 5.10.16.3-microsoft-standard-WSL2 x86_64
  • Tracee version (or commit id of your tree): aquasec/tracee:full
  • LLVM version: -
  • Golang version: -

Additional Information (files, logs, etc)


B3ns44d avatar Jul 18 '22 10:07 B3ns44d

I think that, by default, eBPF tools can't run on WSL2 due to required kernel modules missing.

B3ns44d avatar Jul 18 '22 10:07 B3ns44d

➜  ~ docker run \
>     --name tracee --rm -it \
>     --pid=host --cgroupns=host --privileged \
>     -v /etc/os-release:/etc/os-release-host:ro \
>     -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
> aquasec/tracee:latest
INFO: probing tracee-ebpf capabilities...
INFO:
INFO: You should try the FULL tracee container image, it supports
INFO: building, based on your host environment, needed eBPF objects
INFO: so tracee-ebpf may work.
INFO:

B3ns44d avatar Jul 18 '22 10:07 B3ns44d

Hi @B3ns44d sorry for the late response, but what happens when you try running the full container image?

docker run \
>     --name tracee --rm -it \
>     --pid=host --cgroupns=host --privileged \
>     -v /etc/os-release:/etc/os-release-host:ro \
>     -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
> aquasec/tracee:full

grantseltzer avatar Aug 02 '22 15:08 grantseltzer

And to add a bit more context, we have a similar situation when using docker on OSX, for example: their default kernel does not support embedded BTF information, so we need to use the full docker image and compile it before runtime.

https://aquasecurity.github.io/tracee/v0.8.0/building/macosx/#obtaining-docker-kernel-headers

It might be a similar issue with WSL2: you might need WSL2 kernel headers available OR generate the BTF file for it, and for sure tracee won't work in WSL1 due to kernel emulation from Windows.

rafaeldtinoco avatar Aug 03 '22 03:08 rafaeldtinoco
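A host-side preflight check that follows the reasoning in this thread, added here as an example and not part of Tracee's own probing code: it looks for the kernel's BTF (/sys/kernel/btf/vmlinux, which the CO-RE image relies on), otherwise for kernel headers under /lib/modules/<release>/build (which the full image needs through the two bind mounts named in the error), and prints the matching docker invocation. The function names, the path arguments (there so the check can be pointed at test directories) and the use of the upstream aquasec/tracee image names are assumptions.

```shell
#!/bin/sh
# Added example, not Tracee's code. Decide whether this host can run the
# CO-RE image, needs the "full" image with headers bind-mounted, or can
# build no eBPF object at all. Path arguments default to the real host.

# The kernel exposes its own BTF here when built with CONFIG_DEBUG_INFO_BTF;
# that is what the CO-RE object in aquasec/tracee:latest relies on.
has_btf() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# The "full" image compiles a non-CO-RE object against the running kernel's
# headers, reached via /lib/modules/<release>/build (typically a symlink into
# /usr/src, hence both bind mounts in the error message).
has_kernel_headers() {
    modules_dir=${1:-/lib/modules}
    release=${2:-$(uname -r)}
    [ -d "$modules_dir/$release/build" ] && \
        [ -e "$modules_dir/$release/build/Makefile" ]
}

# Prints one of: core, full, missing
tracee_mode() {
    if has_btf "$1"; then
        echo core
    elif has_kernel_headers "$2" "$3"; then
        echo full
    else
        echo missing
    fi
}

# Prints the docker command line for the detected mode (exit 1 if none fits).
tracee_cmd() {
    mode=$(tracee_mode "$1" "$2" "$3")
    common='docker run --name tracee --rm -it --pid=host --cgroupns=host --privileged -v /etc/os-release:/etc/os-release-host:ro -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host'
    case $mode in
        core) echo "$common aquasec/tracee:latest" ;;
        full) echo "$common -v /usr/src:/usr/src:ro -v /lib/modules:/lib/modules:ro -v /tmp/tracee:/tmp/tracee:rw aquasec/tracee:full" ;;
        *)    echo "no BTF and no headers for ${3:-$(uname -r)}: install kernel headers (or a kernel with CONFIG_DEBUG_INFO_BTF) first" >&2; return 1 ;;
    esac
}
```

Source the file on the host and call `tracee_cmd` with no arguments to get the invocation for the running kernel; on the WSL2 kernel from this report it reports the headers as missing unless they have been installed under /lib/modules.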

This is not a bug, but missing requirements to run Tracee.

yanivagman avatar Oct 26 '22 20:10 yanivagman