stackrox / collector

Runtime data collection for the StackRox Kubernetes Security Platform using eBPF
Apache License 2.0

404 while kernel object download #1835

Open cooperspencer opened 1 month ago

cooperspencer commented 1 month ago

We are using version 4.2.1 and with a newly created machine in our cluster we get the following error:

[INFO    2024/09/09 13:08:08] Attempting to download collector-ebpf-5.4.17-2136.332.5.2.el7uek.x86_64.o
[INFO    2024/09/09 13:08:08] Attempting to download kernel object from https://sensor.stackrox.svc:443/kernel-objects/2.6.0/collector-ebpf-5.4.17-2136.332.5.2.el7uek.x86_64.o.gz
[INFO    2024/09/09 13:08:09] HTTP Request failed with error code 404

But the kernel is in the kernel_versions file: https://github.com/stackrox/collector/blob/master/kernel-modules/KERNEL_VERSIONS#L6875

Stringy commented 1 month ago

Hi @cooperspencer - I'm not quite sure why we don't have a driver for that kernel, but I'll look into it.

In the meantime you may be able to switch to CORE_BPF collection (which is a kernel-agnostic driver embedded into the collector image), though I'm not certain if it will work with a 5.4 kernel. If there's a line in your collector logs like "CORE_BPF collection method is available" then it is likely to work, and collector won't need to download anything.

cooperspencer commented 1 month ago

Thanks for looking into it.

Sadly I don't have anything like this in my logs.

Stringy commented 1 month ago

I've had a look and we do have drivers for that kernel for stackrox version 4.3 and newer. It looks like we scraped it a couple of months after 4.2 went out of support, so that's why it was never built for that version.

I'd recommend updating to at least 4.4, because anything older than that is out of support (there's some more detail about our support life cycle here: https://access.redhat.com/support/policy/updates/rhacs)

cooperspencer commented 1 month ago

Thanks for the notice. Then I'll upgrade StackRox.

cooperspencer commented 1 month ago

I upgraded StackRox and still get those errors:

[INFO    2024/09/12 11:20:34] collector-ebpf-5.4.17-2136.332.5.2.el7uek.x86_64.o
[INFO    2024/09/12 11:20:34] Attempting to download collector-ebpf-5.4.17-2136.332.5.2.el7uek.x86_64.o
[INFO    2024/09/12 11:20:34] Attempting to download kernel object from https://sensor.stackrox.svc:443/kernel-objects/2.10.0/collector-ebpf-5.4.17-2136.332.5.2.el7uek.x86_64.o.gz
[INFO    2024/09/12 11:20:34] HTTP Request failed with error code 404

I upgraded to version 4.5.1

JoukoVirtanen commented 1 month ago

eBPF should not be used in 4.5. I recommend upgrading to the latest 4.5 release and ensuring that your collection method is CORE_BPF.
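
Added example (not part of the thread and not StackRox project code): a shell function that applies the log check discussed above to a collector log stream, reporting the kernel object requested, the version segment in the download URL, the HTTP status, and whether the CORE_BPF availability line appears. The function names, output keys and verdict strings are assumptions made for illustration; the sample lines are copied from the first log excerpt in the thread.

```shell
#!/usr/bin/env bash
# Added example: summarise a collector driver-download failure from its logs.
# Line formats are the ones quoted in this thread; names here are illustrative.

triage_collector_log() {
  awk '
    { sub(/\r$/, "") }                      # tolerate CRLF log exports
    /Attempting to download kernel object from/ {
      # URL shape in the thread: .../kernel-objects/<version>/<object>.gz
      n = split($NF, part, "/")
      object = part[n]
      path_version = part[n - 1]            # 2.6.0 before the upgrade, 2.10.0 after
    }
    /HTTP Request failed with error code/     { status = $NF }
    /CORE_BPF collection method is available/ { core = 1 }
    END {
      if (object != "")
        printf "object=%s path_version=%s http_status=%s\n",
               object, path_version, (status == "" ? "none" : status)
      printf "core_bpf_available=%s\n", (core ? "yes" : "no")
      if (status == "404" && core)  print "verdict=core-bpf-likely-usable"
      else if (status == "404")     print "verdict=driver-not-served"
      else                          print "verdict=no-download-failure-seen"
    }'
}

# Sample input: the first log excerpt from the thread, embedded so this runs offline.
sample_log() {
  cat <<'EOF'
[INFO    2024/09/09 13:08:08] Attempting to download collector-ebpf-5.4.17-2136.332.5.2.el7uek.x86_64.o
[INFO    2024/09/09 13:08:08] Attempting to download kernel object from https://sensor.stackrox.svc:443/kernel-objects/2.6.0/collector-ebpf-5.4.17-2136.332.5.2.el7uek.x86_64.o.gz
[INFO    2024/09/09 13:08:09] HTTP Request failed with error code 404
EOF
}

sample_log | triage_collector_log
```

To use it on a live node, pipe that node's collector container logs into `triage_collector_log` instead of `sample_log`.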