deepfence / ThreatMapper

Open Source Cloud Native Application Protection Platform (CNAPP)
https://deepfence.io
Apache License 2.0

eBPF tracking is sometimes disabled #269

Closed noboruma closed 2 years ago

noboruma commented 2 years ago

Describe the bug

When starting probe, we sometimes get this message:

<probe> WARN: 2022/01/25 15:03:36.666483 Error setting up the eBPF tracker, falling back to proc scanning: cannot write "p:ptcp_v4_connect tcp_v4_connect\n" to kprobe_events: write /sys/kernel/debug/tracing/kprobe_events: file exists

To Reproduce

Steps to reproduce the behavior:

  1. Start the agent
  2. Kill it abruptly with a SIGTERM
  3. Start the agent again

Expected behavior

eBPF tracking should be starting

Components/Services affected

noboruma commented 2 years ago

The "file exists" error happens because we try to add the same entry twice to /sys/kernel/debug/tracing/kprobe_events. The reason why the entry was not cleaned up properly needs to be further investigated. My assumption is that we might be calling the Close function correctly here, but it somehow never gets called (because of signals).

noboruma commented 2 years ago

Fix for enabling eBPF tracker even if the entry is already present: c90f416
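
One way to handle the leftover entry discussed in this thread, as an added example (not ThreatMapper's code and not the contents of commit c90f416): derive the writes from the current contents of kprobe_events, clearing a stale event of the same name before registering it again. The function names are hypothetical, and the caller is assumed to pass a handle opened on kprobe_events with O_WRONLY|O_APPEND.

```go
package main

import (
	"io"
	"os"
	"strings"
)

// eventKey normalises a kprobe definition to "group/event". An event written
// without a group is read back from the kernel under the "kprobes" group.
func eventKey(def string) string {
	fields := strings.Fields(def)
	if len(fields) == 0 || !strings.Contains(fields[0], ":") {
		return ""
	}
	name := fields[0][strings.Index(fields[0], ":")+1:]
	if !strings.Contains(name, "/") {
		name = "kprobes/" + name
	}
	return name
}

// plan returns the lines to write, in order: the removal of a leftover entry
// for the same event (if existing, the file's contents, has one), then def.
func plan(existing, def string) []string {
	key := eventKey(def)
	for _, line := range strings.Split(existing, "\n") {
		if key != "" && eventKey(line) == key {
			return []string{"-:" + key, def}
		}
	}
	return []string{def}
}

// register issues one write per command. Open kprobe_events in append mode:
// O_TRUNC clears every probe. Removing a still-enabled event is refused.
func register(w io.Writer, existing, def string) error {
	for _, cmd := range plan(existing, def) {
		if _, err := io.WriteString(w, cmd+"\n"); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed sample: kprobe_events as left behind by an unclean exit.
	left := "p:kprobes/ptcp_v4_connect tcp_v4_connect\n"
	_ = register(os.Stdout, left, "p:ptcp_v4_connect tcp_v4_connect")
}
```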

ibreakthecloud commented 2 years ago

Closing this, reopen if required.