Missing kernel headers for Falco eBPF probe

Hello everyone,

I am trying to install (build) the Falco eBPF probe from Falcosecurity OSS on CoreOS :

  • kernel version 5.18.16-200.fc36.x86_64
  • Falco version 0.32.2

The issue I encounter during the eBPF probe build is :

make[1]: *** /lib/modules/5.18.16-200.fc36.x86_64/build: No such file or directory.  Stop.
make: *** [Makefile:20: all] Error 2

Indeed, this path does not exist on CoreOS stable version’s hosts.

So the first thing I tried is to build again a CoreOS image using the CoreOS Assembler. The objective was adding kernel-devel and kernel-headers by editing the src/config/manifest.yaml file after the init phase like this :

variables:
  stream: stable
  prod: false

releasever: 36

repos:
  - fedora
  - fedora-updates

packages:
  - kernel-devel
  - kernel-headers

include: manifests/fedora-coreos.yaml

And launching the build phase, but it ends with the following error during the fetch phase :

error: Could not depsolve transaction; 1 problem detected:
 Problem: package kernel-devel-5.18.16-200.fc36.x86_64 requires perl-interpreter, but none of the providers can be installed
  - conflicting requests
  - package perl-interpreter-4:5.34.1-486.fc36.x86_64 is filtered out by exclude filtering
error: failed to execute cmd-fetch: exit status 1

So the second thing that I tried was to debug the OS by adding those packages using rpm-ostree directly from a CoreOS virtual machine with the same stable version after boot :

sudo rpm-ostree install kernel-devel
sudo rpm-ostree install kernel-headers
sudo systemctl reboot

But even after the reboot, I ended with no build dir in kernel’s lib modules :

$ sudo ls -al /lib/modules/5.18.16-200.fc36.x86_64/build
lrwxrwxrwx. 3 root root 40 Aug 22 21:01 /lib/modules/5.18.16-200.fc36.x86_64/build -> /usr/src/kernels/5.18.16-200.fc36.x86_64

$ sudo ls -al /usr/src/kernels/5.18.16-200.fc36.x86_64
ls: cannot access '/usr/src/kernels/5.18.16-200.fc36.x86_64': No such file or directory

How can I obtain the proper /lib/modules/5.18.16-200.fc36.x86_64/build directory to build the eBPF probe ? Have you encountered the same kind of issues ?

Thanks for reading all !

We have an extra layer of guarantee in there to make sure perl doesn’t get pulled in since we don’t want it in FCOS. If you’re building your own you can remove it:

Hello Dusty Mabe, thank you for your response !

Indeed, I forgot about the exclusions, thanks !
So according to your response, I tried to debug by removing all the exclusions from fedora-coreos.yaml and adding kernel-devel and kernel-headers in manifest.yaml but ended with another exclusion error :

Resolving dependencies... done
error: Could not depsolve transaction; 1 problem detected:
 Problem: conflicting requests
  - package kernel-devel-5.17.5-300.fc36.x86_64 requires gcc, but none of the providers can be installed
  - package kernel-devel-5.19.6-200.fc36.x86_64 requires gcc, but none of the providers can be installed
  - package gcc-12.0.1-0.16.fc36.x86_64 requires libgomp = 12.0.1-0.16.fc36, but none of the providers can be installed
  - package gcc-12.2.1-1.fc36.x86_64 requires libgomp = 12.2.1-1.fc36, but none of the providers can be installed
  - package gcc-11.2.1-1.fc35.x86_64 is filtered out by exclude filtering
  - package gcc-11.2.1-7.fc35.x86_64 is filtered out by exclude filtering
  - package gcc-11.2.1-7.fc36.x86_64 is filtered out by exclude filtering
  - package gcc-11.2.1-9.fc35.x86_64 is filtered out by exclude filtering
  - package gcc-11.3.1-2.fc35.x86_64 is filtered out by exclude filtering
  - package gcc-12.0.1-0.12.fc36.x86_64 is filtered out by exclude filtering
  - package gcc-12.0.1-0.16.fc36.x86_64 is filtered out by exclude filtering
  - package gcc-12.1.1-1.fc36.x86_64 is filtered out by exclude filtering
  - package gcc-12.2.1-1.fc36.x86_64 is filtered out by exclude filtering
  - package libgomp-12.0.1-0.16.fc36.x86_64 is filtered out by exclude filtering
  - package libgomp-12.2.1-1.fc36.x86_64 is filtered out by exclude filtering
  - package libgomp-12.0.1-0.16.fc36.i686 is filtered out by exclude filtering
  - package libgomp-12.2.1-1.fc36.i686 is filtered out by exclude filtering
error: failed to execute cmd-fetch: exit status 1

But I cannot find any exclusion concerning libgomp and libgcc. Is there another filter that I am not aware of ?

Works for me with:

diff --git a/manifest.yaml b/manifest.yaml
index ca74f3d4..7c3f79de 100644
--- a/manifest.yaml
+++ b/manifest.yaml
@@ -13,3 +13,7 @@ repos:
   - fedora-updates
 
 include: manifests/fedora-coreos.yaml
+
+packages:
+  - kernel-devel
+  - kernel-headers
diff --git a/manifests/fedora-coreos.yaml b/manifests/fedora-coreos.yaml
index 0315d2c5..5cdf65b9 100644
--- a/manifests/fedora-coreos.yaml
+++ b/manifests/fedora-coreos.yaml
@@ -153,21 +153,3 @@ remove-files:
 # Things we don't expect to ship on the host.  We currently
 # have recommends: false so these could only come in via
 # hard requirement, in which case the build will fail.
-exclude-packages:
-  - python
-  - python2
-  - python2-libs
-  - python3
-  - python3-libs
-  - perl
-  - perl-interpreter
-  - nodejs
-  - dnf
-  - grubby
-  - cowsay  # Just in case
-  # Let's make sure initscripts doesn't get pulled back in
-  # https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
-  - initscripts
-  # For (datacenter/cloud oriented) servers, we want to see the details by default.
-  # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
-  - plymouth

Maybe you need to cosa fetch before you cosa build?

Yes I tried starting from scratch, using the cosa container.
The error occurs during the fetch command :

cosa init --branch stable "https://github.com/coreos/fedora-coreos-config"
# > modify manifest.yaml + manifests/fedora-coreos.yaml
cosa fetch
---> the former error

manifest.yaml

variables:
  stream: stable
  prod: false

releasever: 36

repos:
  - fedora
  - fedora-updates

packages:
  - kernel-devel
  - kernel-headers

and removing the excluded packages in manifests/fedora-coreos.yaml like in your previous message.
Maybe I am missing something that ignores my modifications in fedora-coreos.yaml file ?

EDIT

Ok so it just worked with the stream testing-devel like you said.
I was initiating my config with the stream stable, then I was modifying the config before fetch but it seems this is the error’s cause.
Can you confirm that using the stream testing-devel is the only way to compile the image with the kernel-devel and kernel-headers packages ?

Anyway, thank you very much for your time Dusty Mabe !

It’s slightly complicated. In short we maintain a separate pool of packages that represent what we have included in FCOS. Since all the deps for kernel-devel and kernel-headers aren’t in that repo cosa is trying to pull them from the fedora repos (which you added in the manifest file), but the specific versions of deps that are required aren’t in the latest repos (i.e. probably older versions are needed or something).

TL;DR, yes, use testing-devel if you can.

I would strongly recommend building the module in a toolbox with the matching kernel versions from the node instead of building your own version of Fedora CoreOS.

Hello @siosm,

Very good point here, so I worked on it the last few days.

First of all, running toolbox create on a Fedora CoreOS 36 (stable) version and compiling the kernel module from the fc36 container fails in the same conditions as in my previous messages.
Because /lib/modules/5.18.16-200.fc36.x86_64/build is a broken link in fc36, the problem remains the same without modifying the image.
Any idea why this link is broken ?

BUT I wonder what happens if I create a fc36 container on a Fedora 36 distribution, bind the /lib/modules dir on this container and finally compile the falco probe ?
Does anyone already tried this ? Can I compile a binary for a targeted kernel from another one using toobox ?
I will try it but I’m interested from your experience about this case.

Just install the kernel packages that you need (the ones that match the kernel your system is running) in the toolbox container. It’s heavyweight, but should work.

As for the broken symlink. You’re missing the kernel-devel package that matches your running kernel.

Hello @dustymabe, sorry for the late answer but I was busy last week.

I installed kernel-devel and kernel-headers inside the toolbox container running on fc36 but even if the installation succeeded, the /lib/modules/<kernel> directory has not been created :

⬢[fedora@toolbox ~]$ sudo dnf list installed | grep 'kernel-devel\|kernel-headers'
kernel-devel.x86_64                      5.19.9-200.fc36            @updates        
kernel-headers.x86_64                    5.19.4-200.fc36            @updates        
⬢[fedora@toolbox ~]$ sudo ls -al /lib/modules
total 0
drwxr-xr-x. 1 root root  6 Jan 20  2022 .
dr-xr-xr-x. 1 root root 99 Sep 19 07:26 ..

Is it possible to use toolbox and add easily a volume mount to /lib/modules between the host and the container, without debugging the podman command line executed by toolbox and re-create it myself ?