Tracee fails to load in kernels >= 6.6 #3768

Closed
NDStrahilevitz opened this issue Dec 18, 2023 · 2 comments · Fixed by #3769

@NDStrahilevitz
Collaborator

Description

Run tracee image from docker registry and get the following result:

failed to resolve CO-RE relocation <byte_off> [446] struct inode.i_ctime (0:3 @ offset 24)
processed 2373 insns (limit 1000000) max_states_per_insn 1 total_states 164 peak_states 164 mark_read 146
-- END PROG LOAD LOG --
{"level":"warn","ts":1702915044.6681516,"msg":"libbpf: prog 'tracepoint__sched__sched_process_exec': failed to load: -22"}
{"level":"warn","ts":1702915044.682566,"msg":"libbpf: failed to load object ''"}
{"level":"fatal","ts":1702915044.6954486,"msg":"Tracee runner failed","error":"cmd.Runner.Run: error initializing Tracee: ebpf.(*Tracee).Init: ebpf.(*Tracee).initBPF: failed to load BPF object: invalid argument"}

Output of tracee version:

Tracee version: "v0.19.0"

Output of uname -a:

Linux ip-10-0-6-198 6.6.3-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Nov 28 19:11:52 UTC 2023 x86_64 GNU/Linux

Additional details

@NDStrahilevitz
Collaborator Author

Seems like in kernel 6.6 the i_ctime field was changed to __i_ctime: https://elixir.bootlin.com/linux/latest/source/include/linux/fs.h#L676. So this probably affects all kernels with version >= 6.6.
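
A pre-flight check for the rename described in the comment above, as an added example that is not part of the original thread or of Tracee's code: it parses C-format BTF text (the kind `bpftool btf dump file /sys/kernel/btf/vmlinux format c` emits) and reports which of `i_ctime` / `__i_ctime` a kernel's `struct inode` declares. The sample dumps and the names `struct_members` and `resolve_field` are constructed for illustration.

```python
import re

# Constructed excerpts in bpftool's C dump style (not real kernel dumps).
PRE_6_6 = """\
struct inode {
    umode_t i_mode;
    struct timespec64 i_ctime;
};
"""
# 6.6 layout per the issue; ext4_inode is a decoy a plain grep would match.
KERNEL_6_6 = """\
struct ext4_inode {
    __le32 i_ctime;
};
struct inode {
    umode_t i_mode;
    union {
        const unsigned int i_nlink;
        unsigned int __i_nlink;
    };
    struct timespec64 __i_ctime;
};
"""
# Last identifier before ';', tolerating arrays and bitfields.
MEMBER = re.compile(r"(\w+)(?:\s*\[[^\]]*\])*(?:\s*:\s*\d+)?\s*;\s*$")

def struct_members(btf_c, name):
    """Member names reachable directly in `struct name`, or None if absent."""
    stack = None
    for line in map(str.strip, btf_c.splitlines()):
        if stack is None:
            stack = [set()] if line == f"struct {name} {{" else None
        elif line.endswith("{"):
            stack.append(set())          # nested struct/union opens
        elif line.startswith("}"):
            inner = stack.pop()
            if not stack:
                return inner             # end of the struct we wanted
            m = MEMBER.search(line)
            # "};" is anonymous (members join the parent); "} x;" is member x.
            stack[-1] |= {m.group(1)} if m else inner
        elif (m := MEMBER.search(line)):
            stack[-1].add(m.group(1))
    return None

def resolve_field(btf_c, struct, candidates):
    """First candidate field name present in the struct, else None."""
    members = struct_members(btf_c, struct) or set()
    return next((c for c in candidates if c in members), None)
```

A `None` result for `["i_ctime"]` alone predicts the `failed to resolve CO-RE relocation` error shown in the issue description.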

@NDStrahilevitz changed the title from "Tracee fails to load in fedora39" to "Tracee fails to load in kernels >= 6.6" on Dec 18, 2023
@NDStrahilevitz added this to the v0.20.0 milestone on Dec 18, 2023
@NDStrahilevitz
Collaborator Author

I believe we should backport this to v0.19.0 @josedonizetti @itaysk
