-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BPF issue on amazon linux 2 since we upgraded from 0.29.1 to 0.30 (not working on all kernel 4.1X and 5.X and using clang 7 or clang 11) #130
Comments
Hi! Thanks for opening this bug report. Note that
is the kernel verifier that is rejecting eBPF probe bytecode! Moreover, i recently pushed some fixes to support down to clang 5: #109. All of this just to say (scream): "that's weird!" :D |
The error seems to be the same, just to be sure with you, here is how I build the bpf module.
then I am applying the patch by replacing the file located at:
and then I make bpf from /falco-repo/build Looks right to you (according to my understanding of the MakeFiles it seems correct). |
Yes, it looks right! Thanks!
Are you sure it is still about
? I'd expect |
Ah sorry it is sys_send_x, here is the entire message:
|
Nice! So the good thing is we found the guilty function. Bad thing is that now i will have to provide "pseudo random" patches to try to fix it :) |
A couple of PRs:
Let me know if any of these works (ie: if they pass the verifier; they disable a feature indeed, but this is needed to better locate the issue!) EDIT: please apply any patch that i send you starting with a clean libs (ie: from master)! Thanks! |
disable
Same output for disable |
Mmh did you reverted to master before applying the patches?
This error is weird though, but let's first focus on the kernel verifier (this error can be caused by the use of new bpf probe against an old falco version, i guess. 'Old' here means a falco version that originally had another libs version). |
I did revert from master the file filler_helpers.h. But for the libs we are using commit version 1ed3e2a as mentioned in the cmake command ahead. About potential old bpf probe version asked by falco this is possible, we are using falco 0.30 release (not master) but libs currently we fetch+build from commit 1ed3e2a, to bypass probe version check, in our dockerfile we do override the PROBE_VERSION variable from /falco-repo/cmake/modules/falcosecurity-libs.cmake in order to match the version that falco 0.30 is wanting (in this case this is commit 3aa7a83) |
Once the kernel verifier issue is fixed, we will try to understand the error you are getting about the invalid filler. Edit: btw thanks for your time! |
I guess that if you use an older version of libs the
message will disappear :) |
Hey @JoupainMD Could you provide us the Dockerfile (or the docker image) you have used as init container? I think this is the only way for us to exactly reproduce your issue so we can then debug it. Currently, I haven't been able to reproduce it. Thanks in advance! 🙏 |
Hello, the Dockerfile The entrypoint.sh patch_falco I use to change it with the latest patch you provide. |
Hi @JoupainMD good news: i was able to reproduce your issue! |
I opened a PR; can you test? @JoupainMD Thanks! (obviously it did fix the issue for me!) |
Hello @FedeDP I tested it on our environment but unfortunately I am still getting the same error here is the exact version of ami we use : ami-02e17a76e494a9e99 |
This is an error coming from libsinsp, ie: it has nothing to do with kernel eBPF verifier (that is now satisfied!). |
Ok that's clear I'll try that asap I'll keep you posted 🙏 |
Working on 5.4.149-73.259.amzn2.x86_64 as well. |
Top! Thanks for your time! |
I noticed some warnings on 5.4.149-73.259.amzn2.x86_64 (I am not sure it was present or not before your patch). see here. |
I think you can safely ignore them. Are you building with clang11 or clang7? Btw if you could double check that they were present before my patch too, it would be great :) (i am 100% sure they were though, but a double check is worth the time!) |
Yep you are right, already here in 0.29.1, we didn't notice (only on 5.X kernels it looks like). |
…ted as <NA> (falcosecurity#130) Port falcosecurity#734 Also port falcosecurity@b52ca996 to avoid conflict at sync time
Describe the bug
We are encountering issue with the BPF module since we upgrade from falco 0.29.1 to 0.30.
We are building the bpf probe using our own docker image (as an init container), we have been using the default clang llvm version for long (11) and we had to switch to clang7 since 0.29 if my memory is correct.
But now, it does not seems to work with both clang version
We are getting some stacktrace like this
How to reproduce it
Using EKS v1.18 with amazon linux 2 and clang 7 or clang 11 (latest from amazon repo)
Environment
OS: amazon linux 2 (kernel : 4.14.219-161.340.amzn2.x86_64 but we also use 5.X kernel and the issue is the same)
Using EKS (AWS kubernetes) 1.18
Clang + LLVM : 7 and 11 (from amazon package repo)
Additional context
We also tried to use the latest version of this repository, especially following this issue
The text was updated successfully, but these errors were encountered: