
eBPF tracking is sometimes disabled

Open noboruma opened this issue 3 years ago • 2 comments

Describe the bug

When starting probe, we sometimes get this message:

<probe> WARN: 2022/01/25 15:03:36.666483 Error setting up the eBPF tracker, falling back to proc scanning: cannot write "p:ptcp_v4_connect tcp_v4_connect\n" to kprobe_events: write /sys/kernel/debug/tracing/kprobe_events: file exists

To Reproduce

Steps to reproduce the behavior:

  1. Start the agent
  2. Kill it abruptly with a SIGTERM
  3. Start the agent again

Expected behavior

eBPF tracking should be starting

Components/Services affected

  • [ ] UI/Frontend
  • [ ] API/Backend
  • [x] Agent
  • [ ] Deployment/YAMLs
  • [ ] CI/CD Integration
  • [ ] Other (specify)

noboruma avatar Feb 11 '22 02:02 noboruma

The "file exists" error happens because we try to add the same entry twice to /sys/kernel/debug/tracing/kprobe_events. The reason why the entry was not cleaned up properly needs to be further investigated. My assumption is that we might be calling the Close function correctly here, but it somehow never gets called (because of signals).

noboruma avatar Feb 11 '22 02:02 noboruma

Fix for enabling eBPF tracker even if the entry is already present: c90f416

noboruma avatar Feb 11 '22 02:02 noboruma
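Added example, not part of this thread and not the change in c90f416: one way to tolerate the leftover entry is to read kprobe_events, delete an event with the same name if one is listed, and only then register it. The function names are hypothetical, the sample line in main is constructed, and the program is a dry run that prints the writes instead of performing them.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// probeRegistered reports whether an event called name is listed in the text
// read from kprobe_events. Lines read back look like
// "p:kprobes/ptcp_v4_connect tcp_v4_connect": type, group/event, then symbol.
func probeRegistered(events, name string) bool {
	for _, line := range strings.Split(events, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		ev := fields[0][strings.IndexByte(fields[0], ':')+1:] // drop "p:" / "r:"
		ev = ev[strings.LastIndexByte(ev, '/')+1:]            // drop "group/"
		if ev == name {
			return true
		}
	}
	return false
}

// registrationWrites returns the lines to append to kprobe_events so that name
// ends up registered once: "-:EVENT" removes a leftover entry before adding.
func registrationWrites(events, name, symbol string) []string {
	var out []string
	if probeRegistered(events, name) {
		out = append(out, "-:"+name+"\n")
	}
	return append(out, fmt.Sprintf("p:%s %s\n", name, symbol))
}

func main() {
	// Constructed sample of what a killed agent leaves behind; used when the
	// real file is unreadable (it needs root and a mounted debugfs).
	events := "p:kprobes/ptcp_v4_connect tcp_v4_connect\n"
	if b, err := os.ReadFile("/sys/kernel/debug/tracing/kprobe_events"); err == nil {
		events = string(b)
	}
	for _, w := range registrationWrites(events, "ptcp_v4_connect", "tcp_v4_connect") {
		fmt.Printf("append %q\n", w) // dry run: prints the writes, performs none
	}
}
```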

Closing this, reopen if required.

ibreakthecloud avatar Sep 29 '22 10:09 ibreakthecloud