Do not build eBPF non CO-RE object during tracee-ebpf execution #1273
Conversation
I think that adding the builder image (Dockerfile) should be part of this PR (or a different PR that will be merged before this one) as we are now removing this functionality here. WDYT?
Also, this one can safely close #959
Yes, I'm currently working on that as we speak (will finish tomorrow most likely). I should have kept this as draft, sorry. But it's good for an initial screening anyway.
I still need to add the build logic (to generate a tracee container AND a builder container, capable of compiling tracee.bpf.noncore.o).
👋 @rafaeldtinoco LGTM! Except fakeCapabilities and tests for unused methods. See my comment.
From now on, it is the user's responsibility to have the non CO-RE eBPF object correctly placed in the "/tmp/tracee" directory. Tracee will load it, instead of the CO-RE eBPF object, as a last resort if there is no:

1. BTF file pointed to by the TRACEE_BTF_FILE environment variable
2. Embedded BTF available in the running kernel (/sys/kernel/btf/vmlinux)
3. BTF file embedded into the "tracee-ebpf" binary (from BTFhub)

The user might use "make" to install the non CO-RE object:

```
$ make -f Makefile.one install-bpf-nocore
```

And observe the BPF object from /tmp/tracee being used, if needed, just like:

```
$ sudo ./dist/tracee-ebpf --debug --trace 'event!=sched*'
OSInfo: ARCH: x86_64
OSInfo: VERSION: "20.04.3 LTS (Focal Fossa)"
OSInfo: ID: ubuntu
OSInfo: ID_LIKE: debian
OSInfo: PRETTY_NAME: "Ubuntu 20.04.3 LTS"
OSInfo: VERSION_ID: "20.04"
OSInfo: VERSION_CODENAME: focal
OSInfo: KERNEL_RELEASE: 5.8.0-63-generic
BTF: bpfenv = false, btfenv = false, vmlinux = false
BPF: no BTF file was found or provided, trying non CO-RE eBPF at /tmp/tracee/tracee.bpf.5_8_0-63-generic.v0_6_5-20-g3353501.o
```

If you're willing to generate the non CO-RE eBPF object using the tracee-make container, you're able to by doing:

```
$ make -f builder/Makefile.docker alpine-prepare   # use ubuntu also
$ make -f builder/Makefile.docker alpine-shell     # use ubuntu also
```

and then, inside the docker container:

```
tracee@f65bab137305[/tracee]$ make -f Makefile.one clean
tracee@f65bab137305[/tracee]$ make -f Makefile.one tracee-ebpf
tracee@f65bab137305[/tracee]$ make -f Makefile.one install-bpf-nocore
tracee@f65bab137305[/tracee]$ sudo ./dist/tracee-ebpf --debug --trace 'event!=sched*'
KConfig: warning: could not check enabled kconfig features (could not read /boot/config-5.8.0-63-generic: ...)
KConfig: warning: assuming kconfig values, might have unexpected behavior
OSInfo: KERNEL_RELEASE: 5.8.0-63-generic
OSInfo: ARCH: x86_64
OSInfo: VERSION: "21.04 (Hirsute Hippo)"
OSInfo: ID: ubuntu
OSInfo: ID_LIKE: debian
OSInfo: PRETTY_NAME: "Ubuntu 21.04"
OSInfo: VERSION_ID: "21.04"
OSInfo: VERSION_CODENAME: hirsute
BTF: bpfenv = false, btfenv = false, vmlinux = false
BPF: no BTF file was found or provided
BPF: trying non CO-RE eBPF at /tmp/tracee/tracee.bpf.5_8_0-63-generic.v0_6_5-20-g0b921b1.o
KConfig: warning: assuming kconfig values, might have unexpected behavior
TIME UID COMM PID TID RET ...
```
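The selection order in the commit message above (TRACEE_BTF_FILE, then the kernel's own BTF, then the BTFhub BTF embedded in the binary, then the non CO-RE object under /tmp/tracee), modelled as an added shell example. This is not tracee's own code: it is a stand-alone function that takes every input as an argument so it can be run against constructed paths. Two things in it are assumptions: the object filename is built by replacing the dots in the kernel release and in the version tag with underscores, as the log lines above suggest; and the ownership/world-writability check on /tmp/tracee and the object is an added hardening step (the page does not say tracee performs it), added because /tmp is world-writable and the object ends up loaded into the kernel by root.

```shell
#!/bin/sh
# Added example, not tracee's own code: a model of the BTF / eBPF object
# selection order described in the commit message above.
#
# Prints one of  btfenv:<path>  vmlinux:<path>  btfhub  nocore:<path>  none
# and returns non-zero only when nothing usable was found.
#
# Inputs are explicit arguments so the lookup can be run against constructed
# paths instead of the live host:
#   $1  value of TRACEE_BTF_FILE (may be empty)
#   $2  path to the kernel's embedded BTF (normally /sys/kernel/btf/vmlinux)
#   $3  "1" if the tracee-ebpf binary carries a BTFhub BTF for this kernel
#   $4  directory holding non CO-RE objects (normally /tmp/tracee)
#   $5  kernel release, as printed by uname -r
#   $6  tracee version tag, as printed by git describe (e.g. v0.6.5-20-g3353501)
select_bpf_source() {
    btfenv=$1 vmlinux=$2 btfhub=$3 nocore_dir=$4 krel=$5 ver=$6

    # 1. BTF file pointed to by TRACEE_BTF_FILE. Assumption: a path that is set
    #    but unreadable is treated as absent; the page does not say what tracee does.
    if [ -n "$btfenv" ] && [ -r "$btfenv" ]; then
        echo "btfenv:$btfenv"
        return 0
    fi

    # 2. BTF embedded in the running kernel
    if [ -r "$vmlinux" ]; then
        echo "vmlinux:$vmlinux"
        return 0
    fi

    # 3. BTF embedded into the tracee-ebpf binary (from BTFhub)
    if [ "$btfhub" = 1 ]; then
        echo "btfhub"
        return 0
    fi

    # 4. Last resort: the non CO-RE object the user placed in /tmp/tracee.
    #    Assumed naming, taken from the log lines above: dots in the kernel
    #    release and in the version tag are replaced by underscores, so only an
    #    object built for exactly this kernel and this tracee build is picked up.
    obj="$nocore_dir/tracee.bpf.$(printf '%s' "$krel" | tr . _).$(printf '%s' "$ver" | tr . _).o"
    if [ ! -r "$obj" ]; then
        echo "none"
        return 1
    fi

    # Added hardening check (not something the page says tracee does): /tmp is
    # world-writable and the object is loaded into the kernel by root, so refuse
    # it unless both the directory and the file are owned by the user doing the
    # loading and are not world-writable.
    for p in "$nocore_dir" "$obj"; do
        if [ -z "$(find "$p" -prune -user "$(id -un)" ! -perm -002 -print)" ]; then
            echo "refusing $p: not owned by $(id -un) or world-writable" >&2
            echo "none"
            return 1
        fi
    done

    echo "nocore:$obj"
    return 0
}

# Against the live host the lookup would be invoked like this (the version tag
# is whatever the tracee build was stamped with):
#   select_bpf_source "$TRACEE_BTF_FILE" /sys/kernel/btf/vmlinux 0 /tmp/tracee "$(uname -r)" v0.6.5-20-g3353501
```

The kernel-release part of the filename is what makes the fallback safe to use at all: a non CO-RE object carries struct offsets baked in at compile time, so an object built for a different kernel must never be picked up, and the function only looks for the name that matches the running kernel.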
Dockerfile to build tracee-core & tracee-nocore containers.
This change allows the creation of a Makefile.tracee which will be responsible for creating tracee containers.
Create a Makefile for tracee container creation. These containers will, eventually, become the default containers for distribution (once Makefile.one becomes standard building mechanism).
This upgrade is needed since we've bumped the minimum golang version from 1.16 to 1.17. I'm using the default versions that either come with alpine or ubuntu, so we just need to upgrade the "tracee-make" environment.
This change makes it possible to have 3 containers generated:

1. tracee         # uses CO-RE by default
2. tracee-btfhub  # uses CO-RE by default and has embedded BTFs
3. tracee-nocore  # does not use CO-RE eBPF object (builds it)

The "tracee" container is the "slim" version and "tracee-nocore" is the fat version of tracee (so to speak). If you want to execute "tracee-ebpf" instead of full tracee, those 3 flavors allow you to do so by exporting the TRACEE_EBPF_ONLY=1 environment variable to docker. With that, the entrypoint will be changed automatically to execute "tracee-ebpf" instead of "tracee".
@danielpacak I have fixed the test you pointed out. I have included a tiny fix for the "test-tracee-rules" build target (missing a \ at end of line).
Agree. I also think it is a little confusing that a makefile named builder/Makefile.tracee is used to build the containers as the name doesn't imply it (while builder/Makefile.tracee-make is used for a regular build).
Sorry for my late comment, but I think that README-no-CORE.md file should be part of the documentation, as it is a "breaking change" for some environments. |
@yanivagman agreed. I still have to "document" the new building schema in an "official way". Adding an issue (to include @danielpacak and his drawing as well). |
One more thing - we probably don't need to embed the bpf sources anymore, right? |
With this commit we have 2 different Makefiles:
In all of them you can opt to execute "tracee" (tracee-ebpf + tracee-rules) by default OR to export a TRACEE_EBPF_ONLY=1 variable and have them running as "tracee-ebpf" only.
Regarding the Makefile.tracee (responsible for the container images generation), here is an example of how it works: