Failing Falco-0.24.0 kernel probe for 5.4.50 kernel - bottlerocket os #1411

Closed
faarshad opened this issue Sep 22, 2020 · 2 comments

faarshad commented Sep 22, 2020

Bug Description
I am trying to compile the driver for falco-0.24.0 for 5.4.50 kernel and it is giving me the following error:

Setup:
Building the driver from inside of Amazon Linux 2 container image running on top of Bottlerocket OS 1.0.1(aws-k8s-1.16)
gcc/g++ version= 7.3.1-9
cmake version = 3.10.0

Errors during compilation:

/usr/local/bin/cmake -H/tmp/falco -B/tmp/falco/build --check-build-system CMakeFiles/Makefile.cmake 0
make -f CMakeFiles/Makefile2 driver
make[1]: Entering directory `/tmp/falco/build'
/usr/local/bin/cmake -H/tmp/falco -B/tmp/falco/build --check-build-system CMakeFiles/Makefile.cmake 0
/usr/local/bin/cmake -E cmake_progress_start /tmp/falco/build/CMakeFiles 0
make -f CMakeFiles/Makefile2 driver/CMakeFiles/driver.dir/all
make[2]: Entering directory `/tmp/falco/build'
make -f driver/CMakeFiles/driver.dir/build.make driver/CMakeFiles/driver.dir/depend
make[3]: Entering directory `/tmp/falco/build'
cd /tmp/falco/build && /usr/local/bin/cmake -E cmake_depends "Unix Makefiles" /tmp/falco /tmp/falco/build/sysdig-repo/sysdig-prefix/src/sysdig/driver /tmp/falco/build /tmp/falco/build/driver /tmp/falco/build/driver/CMakeFiles/driver.dir/DependInfo.cmake --color=
make[3]: Leaving directory `/tmp/falco/build'
make -f driver/CMakeFiles/driver.dir/build.make driver/CMakeFiles/driver.dir/build
make[3]: Entering directory `/tmp/falco/build'
cd /tmp/falco/build/driver/src && make
make[4]: Entering directory `/tmp/falco/build/driver/src'
make -C /lib/modules/5.4.50/build M=/tmp/falco/build/driver/src modules
make[5]: Entering directory `/usr/src/kernels/5.4.50'
  CC [M]  /tmp/falco/build/driver/src/main.o
In file included from <command-line>:0:0:
./arch/x86/include/asm/segment.h: In function 'vdso_read_cpunode':
././include/linux/compiler_types.h:210:24: error: expected '(' before '__inline'
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/alternative.h:240:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
  ^~~~~~~~~~
./arch/x86/include/asm/segment.h:266:2: note: in expansion of macro 'alternative_io'
  alternative_io ("lsl %[seg],%[p]",
  ^~~~~~~~~~~~~~
In file included from ./arch/x86/include/asm/barrier.h:5:0,
                 from ./include/linux/compiler.h:256,
                 from ./arch/x86/include/asm/current.h:5,
                 from ./include/linux/sched.h:12,
                 from ./arch/x86/include/asm/syscall.h:14,
                 from /tmp/falco/build/driver/src/main.c:19:
./arch/x86/include/asm/alternative.h:108:2: error: expected identifier or '(' before string constant
  "# ALT: oldnstr\n"      \
  ^
./arch/x86/include/asm/alternative.h:159:2: note: in expansion of macro 'OLDINSTR'
  OLDINSTR(oldinstr, 1)      \
  ^~~~~~~~
./arch/x86/include/asm/alternative.h:240:23: note: in expansion of macro 'ALTERNATIVE'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
                       ^~~~~~~~~~~
./arch/x86/include/asm/segment.h:266:2: note: in expansion of macro 'alternative_io'
  alternative_io ("lsl %[seg],%[p]",
  ^~~~~~~~~~~~~~
In file included from <command-line>:0:0:
././include/linux/compiler_types.h:210:24: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/alternative.h:240:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
  ^~~~~~~~~~
./arch/x86/include/asm/segment.h:266:2: note: in expansion of macro 'alternative_io'
  alternative_io ("lsl %[seg],%[p]",
  ^~~~~~~~~~~~~~
In file included from <command-line>:0:0:
./arch/x86/include/asm/page_64.h: In function 'clear_page':
././include/linux/compiler_types.h:210:24: error: expected '(' before '__inline'
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/alternative.h:256:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile (ALTERNATIVE_2("call %P[old]", "call %P[new1]", feature1,\
  ^~~~~~~~~~
./arch/x86/include/asm/page_64.h:49:2: note: in expansion of macro 'alternative_call_2'
  alternative_call_2(clear_page_orig,
  ^~~~~~~~~~~~~~~~~~
In file included from ./arch/x86/include/asm/barrier.h:5:0,
                 from ./include/linux/compiler.h:256,
                 from ./arch/x86/include/asm/current.h:5,
                 from ./include/linux/sched.h:12,
                 from ./arch/x86/include/asm/syscall.h:14,
                 from /tmp/falco/build/driver/src/main.c:19:
./arch/x86/include/asm/alternative.h:128:2: error: expected identifier or '(' before string constant
  "# ALT: oldinstr2\n"         \
  ^
./arch/x86/include/asm/alternative.h:168:2: note: in expansion of macro 'OLDINSTR_2'
  OLDINSTR_2(oldinstr, 1, 2)     \
  ^~~~~~~~~~
./arch/x86/include/asm/alternative.h:256:23: note: in expansion of macro 'ALTERNATIVE_2'
  asm_inline volatile (ALTERNATIVE_2("call %P[old]", "call %P[new1]", feature1,\
                       ^~~~~~~~~~~~~
./arch/x86/include/asm/page_64.h:49:2: note: in expansion of macro 'alternative_call_2'
  alternative_call_2(clear_page_orig,
  ^~~~~~~~~~~~~~~~~~
In file included from <command-line>:0:0:
././include/linux/compiler_types.h:210:24: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/alternative.h:256:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile (ALTERNATIVE_2("call %P[old]", "call %P[new1]", feature1,\
  ^~~~~~~~~~
./arch/x86/include/asm/page_64.h:49:2: note: in expansion of macro 'alternative_call_2'
  alternative_call_2(clear_page_orig,
  ^~~~~~~~~~~~~~~~~~
./arch/x86/include/asm/special_insns.h: In function 'clflushopt':
././include/linux/compiler_types.h:210:24: error: expected '(' before '__inline'
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/alternative.h:240:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
  ^~~~~~~~~~
./arch/x86/include/asm/special_insns.h:205:2: note: in expansion of macro 'alternative_io'
  alternative_io(".byte " __stringify(NOP_DS_PREFIX) "; clflush %P0",
  ^~~~~~~~~~~~~~
In file included from ./arch/x86/include/asm/barrier.h:5:0,
                 from ./include/linux/compiler.h:256,
                 from ./arch/x86/include/asm/current.h:5,
                 from ./include/linux/sched.h:12,
                 from ./arch/x86/include/asm/syscall.h:14,
                 from /tmp/falco/build/driver/src/main.c:19:
./arch/x86/include/asm/alternative.h:108:2: error: expected identifier or '(' before string constant
  "# ALT: oldnstr\n"      \
  ^
./arch/x86/include/asm/alternative.h:159:2: note: in expansion of macro 'OLDINSTR'
  OLDINSTR(oldinstr, 1)      \
  ^~~~~~~~
./arch/x86/include/asm/alternative.h:240:23: note: in expansion of macro 'ALTERNATIVE'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
                       ^~~~~~~~~~~
./arch/x86/include/asm/special_insns.h:205:2: note: in expansion of macro 'alternative_io'
  alternative_io(".byte " __stringify(NOP_DS_PREFIX) "; clflush %P0",
  ^~~~~~~~~~~~~~
In file included from <command-line>:0:0:
././include/linux/compiler_types.h:210:24: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/alternative.h:240:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
  ^~~~~~~~~~
./arch/x86/include/asm/special_insns.h:205:2: note: in expansion of macro 'alternative_io'
  alternative_io(".byte " __stringify(NOP_DS_PREFIX) "; clflush %P0",
  ^~~~~~~~~~~~~~
./arch/x86/include/asm/processor.h: In function 'prefetch':
././include/linux/compiler_types.h:210:24: error: expected '(' before '__inline'
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/alternative.h:221:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
  ^~~~~~~~~~
./arch/x86/include/asm/processor.h:795:2: note: in expansion of macro 'alternative_input'
  alternative_input(BASE_PREFETCH, "prefetchnta %P1",
  ^~~~~~~~~~~~~~~~~
In file included from ./arch/x86/include/asm/barrier.h:5:0,
                 from ./include/linux/compiler.h:256,
                 from ./arch/x86/include/asm/current.h:5,
                 from ./include/linux/sched.h:12,
                 from ./arch/x86/include/asm/syscall.h:14,
                 from /tmp/falco/build/driver/src/main.c:19:
./arch/x86/include/asm/alternative.h:108:2: error: expected identifier or '(' before string constant
  "# ALT: oldnstr\n"      \
  ^
./arch/x86/include/asm/alternative.h:159:2: note: in expansion of macro 'OLDINSTR'
  OLDINSTR(oldinstr, 1)      \
  ^~~~~~~~
./arch/x86/include/asm/alternative.h:221:23: note: in expansion of macro 'ALTERNATIVE'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
                       ^~~~~~~~~~~
./arch/x86/include/asm/processor.h:795:2: note: in expansion of macro 'alternative_input'
  alternative_input(BASE_PREFETCH, "prefetchnta %P1",
  ^~~~~~~~~~~~~~~~~
In file included from <command-line>:0:0:
././include/linux/compiler_types.h:210:24: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/alternative.h:221:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
  ^~~~~~~~~~
./arch/x86/include/asm/processor.h:795:2: note: in expansion of macro 'alternative_input'
  alternative_input(BASE_PREFETCH, "prefetchnta %P1",
  ^~~~~~~~~~~~~~~~~
./arch/x86/include/asm/processor.h: In function 'prefetchw':
././include/linux/compiler_types.h:210:24: error: expected '(' before '__inline'
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/alternative.h:221:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
  ^~~~~~~~~~
./arch/x86/include/asm/processor.h:807:2: note: in expansion of macro 'alternative_input'
  alternative_input(BASE_PREFETCH, "prefetchw %P1",
  ^~~~~~~~~~~~~~~~~
In file included from ./arch/x86/include/asm/barrier.h:5:0,
                 from ./include/linux/compiler.h:256,
                 from ./arch/x86/include/asm/current.h:5,
                 from ./include/linux/sched.h:12,
                 from ./arch/x86/include/asm/syscall.h:14,
                 from /tmp/falco/build/driver/src/main.c:19:
./arch/x86/include/asm/alternative.h:108:2: error: expected identifier or '(' before string constant
  "# ALT: oldnstr\n"      \
  ^
./arch/x86/include/asm/alternative.h:159:2: note: in expansion of macro 'OLDINSTR'
  OLDINSTR(oldinstr, 1)      \
  ^~~~~~~~
./arch/x86/include/asm/alternative.h:221:23: note: in expansion of macro 'ALTERNATIVE'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
                       ^~~~~~~~~~~
./arch/x86/include/asm/processor.h:807:2: note: in expansion of macro 'alternative_input'
  alternative_input(BASE_PREFETCH, "prefetchw %P1",
  ^~~~~~~~~~~~~~~~~
In file included from <command-line>:0:0:
././include/linux/compiler_types.h:210:24: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/alternative.h:221:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile (ALTERNATIVE(oldinstr, newinstr, feature) \
  ^~~~~~~~~~
./arch/x86/include/asm/processor.h:807:2: note: in expansion of macro 'alternative_input'
  alternative_input(BASE_PREFETCH, "prefetchw %P1",
  ^~~~~~~~~~~~~~~~~
./include/linux/thread_info.h: In function 'copy_overflow':
././include/linux/compiler_types.h:210:24: error: expected '(' before '__inline'
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/bug.h:35:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile("1:\t" ins "\n"    \
  ^~~~~~~~~~
./arch/x86/include/asm/bug.h:79:2: note: in expansion of macro '_BUG_FLAGS'
  _BUG_FLAGS(ASM_UD2, BUGFLAG_WARNING|(flags));  \
  ^~~~~~~~~~
./include/asm-generic/bug.h:93:3: note: in expansion of macro '__WARN_FLAGS'
   __WARN_FLAGS(BUGFLAG_NO_CUT_HERE | BUGFLAG_TAINT(taint));\
   ^~~~~~~~~~~~
./include/asm-generic/bug.h:124:3: note: in expansion of macro '__WARN_printf'
   __WARN_printf(TAINT_WARN, format);   \
   ^~~~~~~~~~~~~
./include/linux/thread_info.h:134:2: note: in expansion of macro 'WARN'
  WARN(1, "Buffer overflow detected (%d < %lu)!\n", size, count);
  ^~~~
...
...
In file included from <command-line>:0:0:
././include/linux/compiler_types.h:210:24: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
 #define asm_inline asm __inline
                        ^
./arch/x86/include/asm/bug.h:35:2: note: in expansion of macro 'asm_inline'
  asm_inline volatile("1:\t" ins "\n"    \
  ^~~~~~~~~~
./arch/x86/include/asm/bug.h:79:2: note: in expansion of macro '_BUG_FLAGS'
  _BUG_FLAGS(ASM_UD2, BUGFLAG_WARNING|(flags));  \
  ^~~~~~~~~~
./include/asm-generic/bug.h:98:3: note: in expansion of macro '__WARN_FLAGS'
   __WARN_FLAGS(BUGFLAG_ONCE |   \
   ^~~~~~~~~~~~
./include/net/request_sock.h:119:2: note: in expansion of macro 'WARN_ON_ONCE'
  WARN_ON_ONCE(refcount_read(&req->rsk_refcnt) != 0);
  ^~~~~~~~~~~~
make[7]: *** [/tmp/falco/build/driver/src/main.o] Error 1
make[6]: *** [/tmp/falco/build/driver/src] Error 2
make[5]: *** [sub-make] Error 2
make[5]: Leaving directory `/usr/src/kernels/5.4.50'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/tmp/falco/build/driver/src'
make[3]: *** [driver/CMakeFiles/driver] Error 2
make[3]: Leaving directory `/tmp/falco/build'
make[2]: *** [driver/CMakeFiles/driver.dir/all] Error 2
make[2]: Leaving directory `/tmp/falco/build'
make[1]: *** [driver/CMakeFiles/driver.dir/rule] Error 2
make[1]: Leaving directory `/tmp/falco/build'
make: *** [driver] Error 2

How to reproduce it
On bottlerocket-os, log in to the admin container, which is an amazon-linux-2 container, and execute the following to install the build toolchain and then build the falco probe:

#Build tool chain
yum install gcc gcc-c++ git make autoconf automake pkg-config patch ncurses-devel libtool glibc-static libstdc++-static elfutils-libelf-devel libcurl libcurl-devel wget openssl-devel which -y

cd /tmp/ && wget https://cmake.org/files/v3.10/cmake-3.10.0.tar.gz && tar zxvf cmake-3.10.0.tar.gz && cd cmake-3.10.0 && ./bootstrap --system-curl && make && make install

#Build falco:
cd /tmp && git clone https://github.com/falcosecurity/falco.git ;cd falco; git checkout 0.24.0; mkdir -p build;cd build;cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_VERBOSE_MAKEFILE=On ..

make driver

Expected behaviour
A kernel module built in build/driver/src/falco.ko

Environment

  • Falco version: 0.24.0
  • System info:
  • Cloud provider or hardware configuration: aws Bottlerocket OS 1.0.1 aws-k8s-1.16 BUILD_ID=2a181156
  • OS: Linux 5.4.50 Digwatch compiler #1 SMP Thu Sep 3 20:21:47 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  • Kernel:5.4.50
  • Installation method: from source

Additional context

This issue seems similar to #1405
Also, Missing support for asm_inline in Linux 5.4 could be the issue.

faarshad (Author) commented

I was able to build the falco probe by installing gcc-9.2.0 from source in the Amazon Linux 2 admin container of Bottlerocket. I followed the procedure listed here to install gcc-9.2.0.

The following logs show that the falco driver was built:

bash-4.2# make driver
/usr/local/bin/cmake -H/tmp/falco -B/tmp/falco/build --check-build-system CMakeFiles/Makefile.cmake 0
make -f CMakeFiles/Makefile2 driver
make[1]: Entering directory `/tmp/falco/build'
/usr/local/bin/cmake -H/tmp/falco -B/tmp/falco/build --check-build-system CMakeFiles/Makefile.cmake 0
/usr/local/bin/cmake -E cmake_progress_start /tmp/falco/build/CMakeFiles 0
make -f CMakeFiles/Makefile2 driver/CMakeFiles/driver.dir/all
make[2]: Entering directory `/tmp/falco/build'
make -f driver/CMakeFiles/driver.dir/build.make driver/CMakeFiles/driver.dir/depend
make[3]: Entering directory `/tmp/falco/build'
cd /tmp/falco/build && /usr/local/bin/cmake -E cmake_depends "Unix Makefiles" /tmp/falco /tmp/falco/build/sysdig-repo/sysdig-prefix/src/sysdig/driver /tmp/falco/build /tmp/falco/build/driver /tmp/falco/build/driver/CMakeFiles/driver.dir/DependInfo.cmake --color=
Scanning dependencies of target driver
make[3]: Leaving directory `/tmp/falco/build'
make -f driver/CMakeFiles/driver.dir/build.make driver/CMakeFiles/driver.dir/build
make[3]: Entering directory `/tmp/falco/build'
cd /tmp/falco/build/driver/src && make
make[4]: Entering directory `/tmp/falco/build/driver/src'
make -C /lib/modules/5.4.50/build M=/tmp/falco/build/driver/src modules
make[5]: Entering directory `/usr/src/kernels/5.4.50'
  CC [M]  /tmp/falco/build/driver/src/main.o
  CC [M]  /tmp/falco/build/driver/src/dynamic_params_table.o
  CC [M]  /tmp/falco/build/driver/src/fillers_table.o
  CC [M]  /tmp/falco/build/driver/src/flags_table.o
  CC [M]  /tmp/falco/build/driver/src/ppm_events.o
  CC [M]  /tmp/falco/build/driver/src/ppm_fillers.o
  CC [M]  /tmp/falco/build/driver/src/event_table.o
  CC [M]  /tmp/falco/build/driver/src/syscall_table.o
  CC [M]  /tmp/falco/build/driver/src/ppm_cputime.o
  LD [M]  /tmp/falco/build/driver/src/falco.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC [M]  /tmp/falco/build/driver/src/falco.mod.o
  LD [M]  /tmp/falco/build/driver/src/falco.ko
make[5]: Leaving directory `/usr/src/kernels/5.4.50'
make[4]: Leaving directory `/tmp/falco/build/driver/src'
cd /tmp/falco/build/driver/src && /usr/local/bin/cmake -E copy_if_different falco.ko /tmp/falco/build/driver
make[3]: Leaving directory `/tmp/falco/build'
Built target driver
make[2]: Leaving directory `/tmp/falco/build'
/usr/local/bin/cmake -E cmake_progress_start /tmp/falco/build/CMakeFiles 0
make[1]: Leaving directory `/tmp/falco/build'

Load the driver in bottlerocket-os by using sudo sheltie and insmod from the admin container:

sudo sheltie
insmod /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/falco/build/driver/src/falco.ko

It might take some time to get the module loaded into the kernel. Verify by running lsmod:

bash-5.0# lsmod | more
Module                  Size  Used by
falco                 638976  2
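
The mismatch behind the errors in this thread can be checked before running `make driver`. The script below is an added example, not part of the original issue or of Falco's tooling: it tests whether the prepared kernel tree was configured for `asm inline` and whether the local compiler accepts it. The function names are hypothetical, and the kernel tree argument is assumed to be a path such as the `/lib/modules/5.4.50/build` directory seen in the logs.

```shell
#!/bin/sh
# Added example: pre-flight check for the asm_inline build failure.
# Function names and argument layout are assumptions of this sketch.

# True if the kernel tree $1 was configured with CONFIG_CC_HAS_ASM_INLINE.
# When it is set, compiler_types.h expands asm_inline to `asm __inline`,
# which is the expansion the older gcc rejects in the log above.
kernel_expects_asm_inline() {
    kdir=$1
    for f in "$kdir/include/generated/autoconf.h" "$kdir/.config"; do
        [ -r "$f" ] || continue
        if grep -Eq '^(#define CONFIG_CC_HAS_ASM_INLINE 1|CONFIG_CC_HAS_ASM_INLINE=y)$' "$f"; then
            return 0
        fi
    done
    return 1
}

# True if compiler $1 accepts the `asm inline` qualifier. This is the same
# kind of probe Kconfig runs when the kernel itself is configured.
cc_supports_asm_inline() {
    echo 'void foo(void) { asm inline (""); }' |
        "$1" -x c - -c -o /dev/null >/dev/null 2>&1
}

# Verdict for building an out-of-tree module (such as the Falco driver)
# against kernel tree $1 with compiler $2: returns 0 if compatible,
# 1 if the kernel expects `asm inline` and the compiler rejects it.
check_driver_toolchain() {
    kdir=$1
    cc=$2
    if ! kernel_expects_asm_inline "$kdir"; then
        echo "ok: kernel tree does not set CONFIG_CC_HAS_ASM_INLINE"
        return 0
    fi
    if cc_supports_asm_inline "$cc"; then
        echo "ok: $cc accepts 'asm inline'"
        return 0
    fi
    echo "mismatch: kernel tree expects 'asm inline' but $cc rejects it"
    return 1
}

# Usage: sh check.sh /lib/modules/$(uname -r)/build gcc
if [ "$#" -ge 1 ]; then
    check_driver_toolchain "$1" "${2:-gcc}"
fi
```

A non-zero exit means the module must be built with a compiler that supports `asm inline`, which matches the outcome reported above after switching to gcc-9.2.0.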

@faarshad faarshad changed the title Failing Falco-0.24.0 kernel probe for 5.4.50 kernel Failing Falco-0.24.0 kernel probe for 5.4.50 kernel - bottlerocket os Sep 22, 2020
axot commented May 25, 2021

I think this issue keeps happening; is there a plan to fix this?
