Kernel version detection does not work with vDSO disabled
Describe the bug
Automatic detection of Kernel Version is not supported without vDSO.
How to reproduce
- Disable vDSO on a machine.
- Reboot the machine.
root@docker-vdso-test:~/ebpf-main# go test -v ./internal -run TestCurrentKernelVersion
=== RUN TestCurrentKernelVersion
version_test.go:53: finding vDSO memory address: no vdso address found in auxv
--- FAIL: TestCurrentKernelVersion (0.00s)
FAIL
FAIL github.com/cilium/ebpf/internal 0.004s
FAIL
Version information
main
For why support without vDSO is required, see: https://github.com/cilium/ebpf/pull/1399
Can you explain how you disable vDSO please?
I referred to this: https://stackoverflow.com/q/8280014
On Tue, 2 Apr 2024, 2:38 pm Lorenz Bauer, @.***> wrote:
Can you explain how you disable vDSO please?
There are three different ways of "disabling" vDSO in that post. One of them strips the auxv, which is what we use. I need to know which one you're using / expect to work.
In Ubuntu 16.04 vDSO can be disabled system-wide by adding the kernel parameter vdso=0 in /etc/default/grub under the parameter: GRUB_CMDLINE_LINUX_DEFAULT
I used this method.
On Tue, 2 Apr 2024, 2:51 pm Lorenz Bauer, @.***> wrote:
There are three different ways of "disabling" vDSO in that post. One of them strips the auxv, which is what we use. I need to know which one you're using / expect to work.
Seems like vdso=0 causes the kernel to omit AT_SYSINFO_EHDR on amd64. On arm64 the header is emitted unconditionally (maybe because arm64 doesn't allow turning off the vdso?).
My conclusion is that turning off the vdso is still kind of esoteric, and not something I want to spend a lot of effort supporting. I definitely don't want to bring back uname parsing. It also seems like it's possible to intercept gettimeofday using ltrace, so there is at least one possible workaround.
If you really want this to work with vDSO off I can only offer you a partial workaround. You can adjust https://github.com/cilium/ebpf/blob/a330a78da8cbdbc75d55afac577f92dc0da4bc90/prog.go#L253 to only call internal.KernelVersion on old kernels (< 5.0) by writing a feature test (see haveProgRun in prog.go for inspiration) which checks whether the kernel requires KernelVersion to be present for Kprobes.
Sorry, this situation is unlikely to change until we drop support for pre-5.0 kernels. If there are any other ideas aside from uname parsing, I'm all ears. Closing for now.
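
The auxv lookup discussed in this thread, as an added example that is not code from cilium/ebpf: it scans an auxiliary vector for AT_SYSINFO_EHDR and reports its absence, which is the condition the thread attributes to vdso=0 on amd64. The function names, the error text and the sample buffers are constructed for illustration, and a 64-bit little-endian layout is assumed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

const (
	atNull        = 0  // AT_NULL terminates the vector
	atSysinfoEhdr = 33 // AT_SYSINFO_EHDR: address of the vDSO ELF header
)
var errNoVDSO = errors.New("no AT_SYSINFO_EHDR entry in auxv")

// findVDSOBase scans an auxiliary vector laid out as (tag, value) pairs of
// little-endian uint64 (assumption: 64-bit little-endian, e.g. amd64).
func findVDSOBase(auxv []byte) (uint64, error) {
	for off := 0; off+16 <= len(auxv); off += 16 {
		tag, val := binary.LittleEndian.Uint64(auxv[off:]), binary.LittleEndian.Uint64(auxv[off+8:])
		if tag == atNull {
			break // end of vector reached without finding the entry
		}
		if tag == atSysinfoEhdr && val != 0 {
			return val, nil
		}
	}
	return 0, errNoVDSO
}

// encodeAuxv builds a constructed auxv buffer from alternating tag, value words.
func encodeAuxv(words ...uint64) (buf []byte) {
	for _, w := range words {
		buf = binary.LittleEndian.AppendUint64(buf, w)
	}
	return buf
}

// Constructed samples (tag 6 is AT_PAGESZ): a normal process, and one without the vDSO entry.
var sampleWithVDSO = encodeAuxv(atSysinfoEhdr, 0x7ffd1234a000, 6, 4096, atNull, 0)
var sampleVDSOOff = encodeAuxv(6, 4096, atNull, 0)

func main() {
	auxv, err := os.ReadFile("/proc/self/auxv") // this process's own vector
	if err != nil {
		auxv = sampleVDSOOff // not on Linux: fall back to the constructed sample
	}
	base, err := findVDSOBase(auxv)
	fmt.Printf("vDSO base=%#x err=%v\n", base, err)
}
```

Run on the affected host, this shows whether the kernel advertises a vDSO to the process before any library depending on it is loaded.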