ContainerMonitor: use libbpf instead of bcc #38

Closed
nam-jaehyun opened this issue Jan 6, 2021 · 3 comments · Fixed by #677
Labels
important improvement Updates in existing features

Comments

@nam-jaehyun
Collaborator

bcc requires kernel headers and it seems unstable when we test KubeArmor on several environments (with different kernel versions). Thus, we're planning to change the base of the container monitor from bcc to libbpf.

@nam-jaehyun nam-jaehyun added the improvement Updates in existing features label Jan 6, 2021
@oneiro-naut
Contributor

oneiro-naut commented Jul 8, 2021

@nam-jaehyun It seems to be a bcc issue (#195) because of which passing enableHostPolicy=true to kubearmor fails with error:

```
vagrant@kubearmor-dev:~/KubeArmor/KubeArmor$ kubectl logs -n kube-system kubearmor-dwg4h
2021-07-08 09:26:38.617147	INFO	Started to serve gRPC-based log feeds
2021-07-08 09:26:38.619524	INFO	Initializing an eBPF program
2021-07-08 09:26:47.890546	INFO	Initialized the eBPF program
cannot attach kprobe, Resource busy
2021-07-08 09:26:48.153857	ERROR	Failed to initialize the system monitor
github.com/kubearmor/KubeArmor/KubeArmor/log.Err
	/usr/src/KubeArmor/KubeArmor/log/logger.go:99
github.com/kubearmor/KubeArmor/KubeArmor/feeder.(*Feeder).Err
	/usr/src/KubeArmor/KubeArmor/feeder/feeder.go:423
github.com/kubearmor/KubeArmor/KubeArmor/core.KubeArmor
	/usr/src/KubeArmor/KubeArmor/core/kubeArmor.go:354
main.main
	/usr/src/KubeArmor/KubeArmor/main.go:60
runtime.main
	/usr/local/go/src/runtime/proc.go:204
```

The issue seems to be fixed now in bcc. Strangely, it's happening in our case.

@nam-jaehyun nam-jaehyun removed the v1.1 label Aug 3, 2021
@geyslan
Contributor

geyslan commented Aug 19, 2021

For this, we already have a codepath with libbpf: https://github.com/kubearmor/KubeArmor/tree/event-auditor/KubeArmor/eventAuditor/BPF

And as I've mentioned here #270 (comment), it can be moved to another path.

@akshatagarwl
Contributor

@nam-jaehyun Can I work on this?
