
build header files into kernel #454

Closed
bcressey opened this issue Oct 24, 2019 · 5 comments

@bcressey
Contributor

In 5.2 an option was added to build headers into the kernel.

See here for background:
https://lwn.net/Articles/783578/

We should look at backporting it to our 4.19 kernel and enabling it to see if it helps with the out-of-tree module and BPF use cases.

@sam-aws sam-aws self-assigned this Oct 24, 2019
@sam-aws
Contributor

sam-aws commented Oct 24, 2019

The backport isn't too painful, and voila:

[ec2-user@ip-192-168-44-27 ~]$ ls -lsh /proc/kheaders.tar.xz
0 -r--r--r-- 1 root root 3.2M Oct 24 20:56 /proc/kheaders.tar.xz

Although wherever we access this from will need something to decompress it :)
I suppose our alternate method here is to build and install the kernel headers ourselves, but we'll want to compress that anyway rather than increase the size of the root image even more.
A user could include headers in THAR-DATA as well but that feels needlessly painful.
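The decompression step mentioned above, as an added example that is not part of this issue or of the Thar/Bottlerocket project: a POSIX sh helper that locates /proc/kheaders.tar.xz (loading the kheaders module first when CONFIG_IKHEADERS=m), unpacks it into a directory, and checks that include/generated/autoconf.h came along. The function names, the /usr/src/kernels/<release> destination and the presence of an xz binary are assumptions.

```shell
#!/bin/sh
# Added example, not Thar/Bottlerocket code. Unpacks the in-kernel headers
# (CONFIG_IKHEADERS, upstream 5.2 or the 4.19 backport discussed here) so
# a container building a BPF program or module can consume them.
set -eu

# Locate the archive. With CONFIG_IKHEADERS=m it only appears in /proc
# after the kheaders module is loaded; with =y it is always there.
find_kheaders() {
    if [ ! -r /proc/kheaders.tar.xz ]; then
        modprobe kheaders 2>/dev/null || return 1
    fi
    [ -r /proc/kheaders.tar.xz ] || return 1
    printf '%s\n' /proc/kheaders.tar.xz
}

# Extract archive $1 into directory $2. tar picks the xz decoder from the
# file contents, so an xz binary must be installed where this runs (the
# "something to decompress it" from the comment above). Returns 1 when
# include/generated/autoconf.h is absent, since that file is what a build
# reads the running kernel's CONFIG_* values from.
extract_kheaders() {
    archive="$1"
    dest="$2"
    mkdir -p "$dest"
    tar -xf "$archive" -C "$dest"
    [ -f "$dest/include/generated/autoconf.h" ]
}

# Assumed destination layout: /usr/src/kernels/<release>, matching what
# kernel-devel packages use, so tooling that probes that path finds it.
main() {
    archive=$(find_kheaders) || {
        echo "no /proc/kheaders.tar.xz: kernel lacks CONFIG_IKHEADERS" >&2
        return 1
    }
    dest="/usr/src/kernels/$(uname -r)"
    extract_kheaders "$archive" "$dest" || {
        echo "archive unpacked but autoconf.h missing under $dest" >&2
        return 1
    }
    echo "headers for $(uname -r) unpacked to $dest"
}

# Only act when invoked with --run, so the functions can also be sourced.
case "${1:-}" in
    --run) main ;;
esac
```

The archive carries the include trees but not the kernel Makefiles, so this serves header-only consumers such as BPF builds with -I flags; a full out-of-tree module build still needs a kernel-devel tree, as the later comments note.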

@bcressey
Contributor Author

I'd prefer to leave usage up to the container that's building the module, but we should confirm that it actually works.

falco is the one of immediate interest as a PoC:
https://github.com/falcosecurity/falco/tree/dev/docker/kernel/linuxkit

@bcressey
Contributor Author

Should also look at the eBPF form of sysdig:
https://github.com/draios/sysdig/wiki/eBPF#requirements

@sam-aws
Contributor

sam-aws commented Oct 31, 2019

Both the module and eBPF forms of sysdig should work in Thar - I haven't loaded the eBPF probe yet but we have the correct dependencies already.
The annoying part is having sysdig compile either version itself automatically. The eBPF probe can almost do this with just kheaders but sysdig still depends on having the kernel Makefiles. I don't think this is technically necessary, however.

On the other hand Falco/sysdig supports setting a URL to a pre-compiled probe to use instead, and compiling the probe manually isn't too much work. It can be done in the admin container by installing a few build tools and copying a configured kernel tree across. If we end up blocked on the header issue we could provide instructions/scripts to precompile the probe instead.

@iliana
Contributor

iliana commented Jan 23, 2020

We do now build kernel headers in the kernel, but that's not good enough for some out-of-tree modules. kernel-devel is built, but not distributed, and #680 tracks that.

@iliana iliana closed this as completed Jan 23, 2020
@zmarouf zmarouf mentioned this issue Mar 18, 2020