[Rocky Linux 9.4] can't build eBPF probe
Describe the bug
eBPF probe can't be built with Rocky Linux 9.4
I cannot reproduce the issue with Rocky Linux 8.9
falcoctl driver config --type ebpf
2024-10-04 18:46:04 INFO Running falcoctl driver config
├ name: falco
├ version: 7.3.0+driver
├ type: ebpf
├ host-root: /
└ repos: https://download.falco.org/driver
2024-10-04 18:46:04 INFO Committing driver config to specialized configuration file under directory: /etc/falco/config.d
2024-10-04 18:46:04 INFO Storing falcoctl driver config
falcoctl driver install
2024-10-04 18:46:08 INFO Running falcoctl driver install
├ driver version: 7.3.0+driver
├ driver type: ebpf
├ driver name: falco
├ compile: true
├ download: true
├ target: rocky
├ arch: x86_64
├ kernel release: 5.14.0-427.37.1.el9_4.x86_64
└ kernel version: #1 SMP PREEMPT_DYNAMIC Wed Sep 25 11:51:41 UTC 2024
2024-10-04 18:46:08 INFO Removing eBPF probe symlink path: /root/.falco/falco-bpf.o
2024-10-04 18:46:08 INFO Trying to download a driver.
└ url: https://download.falco.org/driver/7.3.0%2Bdriver/x86_64/falco_rocky_5.14.0-427.37.1.el9_4.x86_64_1.o
2024-10-04 18:46:09 WARN Non-200 response from url. code: 404
2024-10-04 18:46:09 WARN unable to find a prebuilt driver
2024-10-04 18:46:09 INFO Trying to compile the requested driver
2024-10-04 18:46:09 INFO Trying automatic kernel headers download.
2024-10-04 18:46:17 INFO Setting KERNELDIR env var. path: /tmp/kernel
2024-10-04 18:46:17 INFO Trying to build eBPF probe.
+ cd /usr/src/falco-7.3.0+driver
+ echo '* Building eBPF probe'
* Building eBPF probe
+ '[' '!' -d /sys/kernel/debug/tracing ']'
+ cd bpf
+ make
make -C /tmp/kernel M=$PWD
make[1]: Entering directory '/tmp/kernel'
/bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied
/bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied
[configure-bpf] Including /usr/src/falco-7.3.0+driver/bpf//configure/RSS_STAT_ARRAY/Makefile.inc
[configure-bpf] Build output for HAS_RSS_STAT_ARRAY:
[configure-bpf] make: Entering directory '/usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY' make -C /tmp/kernel M=$PWD make[1]: Entering directory '/tmp/kernel' /bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied /bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied clang -I./arch/x86/include -I./arch/x86/include/generated -I./include -I./arch/x86/include/uapi -I./arch/x86/include/generated/uapi -I./include/uapi -I./include/generated/uapi -include ./include/linux/compiler-version.h -include ./include/linux/kconfig.h \ -D__KERNEL__ -fmacro-prefix-map=./= \ \ -D__KERNEL__ \ -D__BPF_TRACING__ \ -Wno-gnu-variable-sized-type-not-at-end \ -Wno-address-of-packed-member \ -fno-jump-tables \ -fno-stack-protector \ -Wno-tautological-compare \ -Wno-unknown-attributes \ -O2 -g -emit-llvm -c /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/test.c -o /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/test.ll In file included from /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/test.c:22: In file included from ./include/linux/mm_types.h:5: In file included from ./include/linux/mm_types_task.h:14: In file included from ./include/linux/cpumask.h:12: In file included from ./include/linux/bitmap.h:11: In file included from ./include/linux/string.h:254: ./include/linux/fortify-string.h:154:17: warning: passing 'unsigned char *' to parameter of type 'const char *' converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign] 154 | size_t p_len = __compiletime_strlen(p); |
^~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/fortify-string.h:27:29: note: expanded from macro '__compiletime_strlen' 27 | __ret = __builtin_strlen(__p); \ | ^~~ 1 warning generated. llc -march=bpf -filetype=obj -o /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/test.o /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/test.ll /bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied /bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied MODPOST /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/Module.symvers /bin/sh: line 1: scripts/mod/modpost: Permission denied make[2]: *** [scripts/Makefile.modpost:134: /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/Module.symvers] Error 126 make[1]: *** [Makefile:1850: modules] Error 2 make[1]: Leaving directory '/tmp/kernel' make: *** [Makefile:26: all] Error 2 make: Leaving directory '/usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY'
clang -I./arch/x86/include -I./arch/x86/include/generated -I./include -I./arch/x86/include/uapi -I./arch/x86/include/generated/uapi -I./include/uapi -I./include/generated/uapi -include ./include/linux/compiler-version.h -include ./include/linux/kconfig.h \
-D__KERNEL__ -fmacro-prefix-map=./= \
\
\
-D__KERNEL__ \
-D__BPF_TRACING__ \
-Wno-gnu-variable-sized-type-not-at-end \
-Wno-address-of-packed-member \
-fno-jump-tables \
-fno-stack-protector \
-Wno-tautological-compare \
-Wno-unknown-attributes \
-O2 -g -emit-llvm -c /usr/src/falco-7.3.0+driver/bpf/probe.c -o /usr/src/falco-7.3.0+driver/bpf/probe.ll
In file included from /usr/src/falco-7.3.0+driver/bpf/probe.c:17:
In file included from ./include/linux/sched.h:14:
In file included from ./include/linux/pid.h:5:
In file included from ./include/linux/rculist.h:11:
In file included from ./include/linux/rcupdate.h:27:
In file included from ./include/linux/preempt.h:79:
In file included from ./arch/x86/include/asm/preempt.h:9:
In file included from ./include/linux/thread_info.h:60:
In file included from ./arch/x86/include/asm/thread_info.h:53:
In file included from ./arch/x86/include/asm/cpufeature.h:5:
In file included from ./arch/x86/include/asm/processor.h:23:
In file included from ./arch/x86/include/asm/msr.h:11:
In file included from ./arch/x86/include/asm/cpumask.h:5:
In file included from ./include/linux/cpumask.h:12:
In file included from ./include/linux/bitmap.h:11:
In file included from ./include/linux/string.h:254:
./include/linux/fortify-string.h:154:17: warning: passing 'unsigned char *' to parameter of type 'const char *' converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign]
154 | size_t p_len = __compiletime_strlen(p);
| ^~~~~~~~~~~~~~~~~~~~~~~
./include/linux/fortify-string.h:27:29: note: expanded from macro '__compiletime_strlen'
27 | __ret = __builtin_strlen(__p); \
| ^~~
In file included from /usr/src/falco-7.3.0+driver/bpf/probe.c:27:
/usr/src/falco-7.3.0+driver/bpf/fillers.h:873:56: error: member reference base type 'struct percpu_counter[4]' is not a structure or union
873 | bpf_probe_read_kernel(&val, sizeof(val), &mm->rss_stat.count[member]);
| ~~~~~~~~~~~~^~~~~~
/usr/src/falco-7.3.0+driver/bpf/fillers.h:2285:48: warning: passing 'volatile long *' to parameter of type 'long *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
2285 | res = bpf_accumulate_argv_or_env(data, argv, &args_len);
| ^~~~~~~~~
/usr/src/falco-7.3.0+driver/bpf/fillers.h:1895:61: note: passing argument to parameter 'args_len' here
1895 | long *args_len) {
| ^
2 warnings and 1 error generated.
make[2]: *** [/usr/src/falco-7.3.0+driver/bpf/Makefile:74: /usr/src/falco-7.3.0+driver/bpf/probe.o] Error 1
make[1]: *** [Makefile:1936: /usr/src/falco-7.3.0+driver/bpf] Error 2
make[1]: Leaving directory '/tmp/kernel'
make: *** [Makefile:23: all] Error 2
2024-10-04 18:46:21 ERROR failed: failed to build all requested drivers
How to reproduce it
dnf -y --quiet install kernel-headers-$(uname -r)
dnf -y --quiet install kernel-devel-$(uname -r)
dnf -y --quiet install clang llvm
dnf -y --quiet install falco-0.39.0
falcoctl driver config --type ebpf
falcoctl driver install
Expected behaviour
eBPF probe should be installed successfully
- Falco version:
falco --version
Fri Oct 4 18:49:51 2024: Falco version: 0.39.0 (x86_64)
Fri Oct 4 18:49:51 2024: Falco initialized with configuration files:
Fri Oct 4 18:49:51 2024: /etc/falco/config.d/engine-kind-falcoctl.yaml | schema validation: ok
Fri Oct 4 18:49:51 2024: /etc/falco/falco.yaml | schema validation: ok
Fri Oct 4 18:49:51 2024: System info: Linux version 5.14.0-427.37.1.el9_4.x86_64 ([email protected]) (gcc (GCC) 11.4.1 20231218 (Red Hat 11.4.1-3), GNU ld version 2.35.2-43.el9) #1 SMP PREEMPT_DYNAMIC Wed Sep 25 11:51:41 UTC 2024
Falco version: 0.39.0
Libs version: 0.18.1
Plugin API: 3.7.0
Engine: 0.43.0
Driver:
API version: 8.0.0
Schema version: 2.0.0
Default driver: 7.3.0+driver
- System info:
falco --support | jq .system_info
Fri Oct 4 18:50:36 2024: Falco version: 0.39.0 (x86_64)
Fri Oct 4 18:50:36 2024: Falco initialized with configuration files:
Fri Oct 4 18:50:36 2024: /etc/falco/config.d/engine-kind-falcoctl.yaml | schema validation: ok
Fri Oct 4 18:50:36 2024: /etc/falco/falco.yaml | schema validation: ok
Fri Oct 4 18:50:36 2024: System info: Linux version 5.14.0-427.37.1.el9_4.x86_64 ([email protected]) (gcc (GCC) 11.4.1 20231218 (Red Hat 11.4.1-3), GNU ld version 2.35.2-43.el9) #1 SMP PREEMPT_DYNAMIC Wed Sep 25 11:51:41 UTC 2024
Fri Oct 4 18:50:36 2024: Loading rules from:
Fri Oct 4 18:50:36 2024: /etc/falco/falco_rules.yaml | schema validation: ok
Fri Oct 4 18:50:36 2024: /etc/falco/falco_rules.local.yaml | schema validation: none
{
"machine": "x86_64",
"nodename": "winner-03",
"release": "5.14.0-427.37.1.el9_4.x86_64",
"sysname": "Linux",
"version": "#1 SMP PREEMPT_DYNAMIC Wed Sep 25 11:51:41 UTC 2024"
}
- Installation method: RPM
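Added example (not part of the original report and not Falco's own code): a triage script for the build output quoted above. In that log the HAS_RSS_STAT_ARRAY probe ends in Error 126 after "Permission denied" on scripts/mod/modpost, with no compiler error, so the script separates probes whose test program failed to compile from probes whose kernel-tree tooling could not be run. The function names and the abridged sample log are constructed for illustration.

```python
import re

# Constructed sample: abridged from the build output quoted in the report above.
SAMPLE_LOG = (
    "[configure-bpf] Build output for HAS_RSS_STAT_ARRAY:\n"
    "[configure-bpf] make: Entering directory '/usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY' "
    "/bin/sh: line 1: ./scripts/pahole-flags.sh: Permission denied "
    "1 warning generated. "
    "/bin/sh: line 1: scripts/mod/modpost: Permission denied "
    "make[2]: *** [scripts/Makefile.modpost:134: /usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY/Module.symvers] Error 126 "
    "make[1]: Leaving directory '/tmp/kernel' "
    "make: Leaving directory '/usr/src/falco-7.3.0+driver/bpf/configure/RSS_STAT_ARRAY'\n"
    "/usr/src/falco-7.3.0+driver/bpf/fillers.h:873:56: error: member reference base type "
    "'struct percpu_counter[4]' is not a structure or union\n"
)

# One probe runs from its "Build output for HAS_<NAME>:" marker to the
# top-level make leaving that probe's configure/<NAME> directory.
PROBE = re.compile(
    r"Build output for HAS_(\w+):(.*?)make: Leaving directory '[^']*/configure/\1'",
    re.DOTALL,
)
CLANG_ERROR = re.compile(r"(\S+):(\d+):\d+: error: ([^\n]*)")


def classify_probe(output):
    """Say why one configure-bpf feature probe ended the way it did."""
    if re.search(r": (fatal )?error: ", output):
        return "compiler-error"          # the test program itself did not compile
    if "Permission denied" in output or "Error 126" in output:
        return "tooling-not-executable"  # a kernel-tree helper could not be run
    if re.search(r"\*\*\* .*Error \d+", output):
        return "other-failure"
    return "built"


def triage(log):
    """Return per-probe verdicts and the clang errors from the main build."""
    probes = {m.group(1): classify_probe(m.group(2)) for m in PROBE.finditer(log)}
    rest = PROBE.sub("", log)  # drop probe output, keep the main probe.c build
    errors = [(p, int(line), msg) for p, line, msg in CLANG_ERROR.findall(rest)]
    return {"probes": probes, "compile_errors": errors}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `tooling-not-executable` verdict means the probe run says nothing about the kernel feature itself, so the execute permissions and mount options of the KERNELDIR (here /tmp/kernel) are worth checking before reading the later compile error.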
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community.
/close
@poiana: Closing this issue.
/remove-lifecycle rotten
/reopen
@groundsada: You can't reopen an issue/PR unless you authored it or you are a collaborator.
@Sartigan can you please reopen? I'm still facing this
/reopen
@Sartigan: Reopened this issue.
@groundsada We ended up using the modern eBPF since this was the only way. I have reopened this issue for you.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community.
/close
@poiana: Closing this issue.