install problem

[stevenlee87]

uname -r 3.10.0-1160.62.1.el7.x86_64

cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core)

yum -y install sysdig Loaded plugins: langpacks draios | 3.0 kB 00:00:00 draios/x86_64/primary_db | 36 kB 00:00:03 Resolving Dependencies --> Running transaction check ---> Package sysdig.x86_64 0:0.29.1-1 will be installed --> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================================== Package Arch Version Repository Size ================================================================================================================================================================================================================== Installing: sysdig x86_64 0.29.1-1 draios 12 M

Transaction Summary ================================================================================================================================================================================================================== Install 1 Package

Total download size: 12 M Installed size: 37 M Downloading packages: sysdig-0.29.1-x86_64.rpm | 12 MB 00:00:08 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : sysdig-0.29.1-1.x86_64 1/1 Creating symlink /var/lib/dkms/scap/e5c53d648f3c4694385bbe488e7d47eaa36c229a/source -> /usr/src/scap-e5c53d648f3c4694385bbe488e7d47eaa36c229a

Building module: cleaning build area... make -j24 KERNELRELEASE=3.10.0-1160.62.1.el7.x86_64 -C /lib/modules/3.10.0-1160.62.1.el7.x86_64/build M=/var/lib/dkms/scap/e5c53d648f3c4694385bbe488e7d47eaa36c229a/build...(bad exit status: 2) Error! Bad return status for module build on kernel: 3.10.0-1160.62.1.el7.x86_64 (x86_64) Consult /var/lib/dkms/scap/e5c53d648f3c4694385bbe488e7d47eaa36c229a/build/make.log for more information.

Building module: cleaning build area... make -j24 KERNELRELEASE=3.10.0-1160.62.1.el7.x86_64 -C /lib/modules/3.10.0-1160.62.1.el7.x86_64/build M=/var/lib/dkms/scap/e5c53d648f3c4694385bbe488e7d47eaa36c229a/build...(bad exit status: 2) Error! Bad return status for module build on kernel: 3.10.0-1160.62.1.el7.x86_64 (x86_64) Consult /var/lib/dkms/scap/e5c53d648f3c4694385bbe488e7d47eaa36c229a/build/make.log for more information. warning: %post(sysdig-0.29.1-1.x86_64) scriptlet failed, exit status 10 Non-fatal POSTIN scriptlet failure in rpm package sysdig-0.29.1-1.x86_64 Verifying : sysdig-0.29.1-1.x86_64 1/1

Installed:

▽ sysdig.x86_64 0:0.29.1-1

Complete!

sysdig Unable to load the driver error opening device /dev/scap0. Make sure you have root credentials and that the scap module is loaded.

[stevenlee87]

cat /var/lib/dkms/scap/e5c53d648f3c4694385bbe488e7d47eaa36c229a/build/make.log DKMS make.log for scap-e5c53d648f3c4694385bbe488e7d47eaa36c229a for kernel 3.10.0-1160.62.1.el7.x86_64 (x86_64) Thu Apr 21 18:18:54 CST 2022 make: Entering directory /usr/src/kernels/3.10.0-1160.62.1.el7.x86_64' arch/x86/Makefile:166: *** CONFIG_RETPOLINE=y, but not supported by the compiler. Compiler update recommended.. Stop. make: Leaving directory/usr/src/kernels/3.10.0-1160.62.1.el7.x86_64'

[ghost]

got same message error opening device /dev/scap0. Make sure you have root credentials and that the scap module is loaded. today from the sysdig container. on a debian 5.10

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[therealbobo]

Hi @stevenlee87! Looks like the kernel module didn't load up! Could you try to rerun the scap-driver-loader? 😄

[ubuitrago]

I am having the same issue on my Centos 7, RHEL 8, and even Ubuntu 22.04 VMs when running the sysdig/sysdig docker container. They all fail to pull the compiled scap driver module from the sysdig URL: download.sysdig.com/scap-drivers. Curl is returning a 404. Do we need to have an API key of sorts? I have installed the kernel headers for my respective VMs above and ran the docker container with the command provided in the Readme. One caveat is that I don't have a "/src" folder on the host VMs. Any guidance on what to do next?

[therealbobo]

Hi @ubuitrago! Sadly we don't have prebuilt drivers for RHEL distro: to access their repo an account is needed. For centos and ubuntu we have prebuilt driver... could you share the output of scap-driver-loader --download. I think I know what's the problem 😄

[ubuitrago]

@therealbobo It seems to not be an issue on CentOS 7 running an older Kernel version: [root@yuri /]# uname -r 3.10.0-1160.90.1.el7.x86_64 [root@yuri /]# [root@yuri /]# uname -r 3.10.0-1160.90.1.el7.x86_64 [root@yuri /]# scap-driver-loader --download

• Running scap-driver-loader for: driver version=4.0.1+driver, arch=x86_64, kernel release=3.10.0-1160.90.1.el7.x86_64, kernel version=1
• Running scap-driver-loader with: driver=module, compile=no, download=yes

================ Cleaning phase ================

• 1. Check if kernel module 'scap' is still loaded:

• Kernel module 'scap' is still loaded.

• Trying to unload it with 'rmmod scap'...

• OK! Unloading 'scap' module succeeded.

• 2. Check all versions of kernel module 'scap' in dkms:

• OK! There are no 'scap' module versions in dkms.

[SUCCESS] Cleaning phase correctly terminated.

================ Cleaning phase ================

• Looking for a scap module locally (kernel 3.10.0-1160.90.1.el7.x86_64)
• Filename 'scap_centos_3.10.0-1160.90.1.el7.x86_64_1.ko' is composed of:
  • driver name: scap
  • target identifier: centos
  • kernel release: 3.10.0-1160.90.1.el7.x86_64
  • kernel version: 1
• Found a prebuilt scap module at /root/.scap/4.0.1+driver/x86_64/scap_centos_3.10.0-1160.90.1.el7.x86_64_1.ko, loading it
• Success: scap module found and inserted

[therealbobo]

Hey @ubuitrago! Could you please try the latest version of sysdig (0.32.0)? I think that the problem is that sysdig was trying to download the 4.0.0 driver no longer present in the repo. The output you just showed, on the other hand, shows that sysdig is trying to download the 4.0.1 driver. Let me know! 😄

[ubuitrago]

@therealbobo This is output on a more recent kernel version. It is indeed trying to pull the 4.0.1 driver

root@yuri /]# uname -r 5.4.248-1.el7.elrepo.x86_64 [root@yuri /]# scap-driver-loader --download

• Running scap-driver-loader for: driver version=4.0.1+driver, arch=x86_64, kernel release=5.4.248-1.el7.elrepo.x86_64, kernel version=1
• Running scap-driver-loader with: driver=module, compile=no, download=yes

================ Cleaning phase ================

• 1. Check if kernel module 'scap' is still loaded:

• OK! There is no 'scap' module loaded.

• 2. Check all versions of kernel module 'scap' in dkms:

• There are some versions of 'scap' module in dkms.

• 3. Removing all the following versions from dkms: 4.0.1+driver

• Removing 4.0.1+driver...

---

Deleting module version: 4.0.1+driver completely from the DKMS tree.

Done.

• OK! Removing '4.0.1+driver' succeeded.

[SUCCESS] Cleaning phase correctly terminated.

================ Cleaning phase ================

• Looking for a scap module locally (kernel 5.4.248-1.el7.elrepo.x86_64)
• Filename 'scap_centos_5.4.248-1.el7.elrepo.x86_64_1.ko' is composed of:
  • driver name: scap
  • target identifier: centos
  • kernel release: 5.4.248-1.el7.elrepo.x86_64
  • kernel version: 1
• Trying to download a prebuilt scap module from https://download.sysdig.com/scap-drivers/4.0.1%2Bdriver/x86_64/scap_centos_5.4.248-1.el7.elrepo.x86_64_1.ko curl: (22) The requested URL returned error: 404 Unable to find a prebuilt scap module
• Trying to load a system scap module, if present Consider compiling your own scap driver and loading it or getting in touch with the Sysdig community

[root@yuri /]# sysdig --version sysdig version 0.31.5

Ok I will try with sysdig 0.32.0 next.

[ubuitrago]

@therealbobo docker.io/sysdig/sysdig:0.32.0 is trying to pull the 5.0.1 scap driver but fails to on CentOS 7.

• Setting up /usr/src links from host
• Running scap-driver-loader for: driver version=5.0.1+driver, arch=x86_64, kernel release=5.4.248-1.el7.elrepo.x86_64, kernel version=1
• Running scap-driver-loader with: driver=module, compile=yes, download=yes

================ Cleaning phase ================

• 1. Check if kernel module 'scap' is still loaded:

• OK! There is no 'scap' module loaded.

• 2. Check all versions of kernel module 'scap' in dkms:

• There are some versions of 'scap' module in dkms.

• 3. Removing all the following versions from dkms: 5.0.1+driver

• Removing 5.0.1+driver...

---

Deleting module version: 5.0.1+driver completely from the DKMS tree.

Done.

• OK! Removing '5.0.1+driver' succeeded.

[SUCCESS] Cleaning phase correctly terminated.

================ Cleaning phase ================

• Looking for a scap module locally (kernel 5.4.248-1.el7.elrepo.x86_64)
• Filename 'scap_centos_5.4.248-1.el7.elrepo.x86_64_1.ko' is composed of:
  • driver name: scap
  • target identifier: centos
  • kernel release: 5.4.248-1.el7.elrepo.x86_64
  • kernel version: 1
• Trying to download a prebuilt scap module from https://download.sysdig.com/scap-drivers/5.0.1%2Bdriver/x86_64/scap_centos_5.4.248-1.el7.elrepo.x86_64_1.ko curl: (22) The requested URL returned error: 404 Unable to find a prebuilt scap module install: /usr/lib/gcc/x86_64-redhat-linux/8/
• Trying to dkms install scap module with GCC /usr/bin/gcc DIRECTIVE: MAKE="'/tmp/scap-dkms-make'"

Creating symlink /var/lib/dkms/scap/5.0.1+driver/source -> /usr/src/scap-5.0.1+driver

DKMS: add completed.

• Running dkms build failed, couldn't find /var/lib/dkms/scap/5.0.1+driver/build/make.log (with GCC /usr/bin/gcc)
• Trying to load a system scap module, if present Consider compiling your own scap driver and loading it or getting in touch with the Sysdig community [root@yuri /]# gcc --version gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-18) Copyright (C) 2018 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

[root@yuri /]# sysdig --version sysdig version 0.32.0 [root@yuri /]# uname -r 5.4.248-1.el7.elrepo.x86_64 [root@yuri /]# ldd --version ldd (GNU libc) 2.28 Copyright (C) 2018 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Written by Roland McGrath and Ulrich Drepper. [root@yuri /]#

Could a potential solution be to copy the driver source (https://github.com/falcosecurity/libs/tree/master/driver) into the container and build within the container?

[therealbobo]

Sadly we don't build all the kernel... I'll take a look on why this has not been built. If you are ok with compiling it, you can just use scap-driver-loader --compile 😄

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.