Kernel config read failed, error:Config not found

[vincentmli]

Describe the bug

the most recent ecapture build from master branch breaks with error

# ./bin/ecapture 
2022/07/02 12:37:53 Kernel config read failed, error:Config not found,  item:CONFIG_BPF.

To Reproduce
Steps to reproduce the behavior:

1. git clone the ecapture master branch
2. make
3. ./bin/ecapture

Expected behavior

should work

Screenshots

Linux Server/Android (please complete the following information):

• OS: centos 8 with custom kernel build
• Arch: x86
• Kernel Version: 5.18.0-rc3+

Additional context
ecapture works before on this same machine with same kernel build

[cfc4n]

Can old version works? like v0.1.10 .

I think that CONFIG_BPF config was disabled. you can check it with cat /boot/config

cfc4n@vm-server:~$ cat /boot/config-`uname -r`|grep CONFIG_BPF
CONFIG_BPF=y
CONFIG_BPF_LSM=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
# CONFIG_BPF_PRELOAD is not set
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=m
CONFIG_BPF_JIT=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_KPROBE_OVERRIDE=

[vincentmli]

0.1.10 works, here is my kernel config, I suspect commit c425dea41a0d introduced a bug

egrep 'BPF|BTF' /usr/src/bpf-next/.config

CONFIG_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
# BPF subsystem
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
# CONFIG_BPF_LSM is not set
# end of BPF subsystem
CONFIG_CGROUP_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
# CONFIG_BPFILTER is not set
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
# CONFIG_BPF_STREAM_PARSER is not set
# CONFIG_LWTUNNEL_BPF is not set
CONFIG_DEBUG_INFO_BTF=y
CONFIG_PAHOLE_HAS_SPLIT_BTF=y
CONFIG_DEBUG_INFO_BTF_MODULES=y
# CONFIG_MODULE_ALLOW_BTF_MISMATCH is not set
CONFIG_BPF_EVENTS=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
# CONFIG_TEST_BPF is not set

[cfc4n]

maybe.
kernel config filepath is one of https://github.com/ehids/ecapture/blob/e083d55e2ef52b1232ad92e4684907118fa1da9e/pkg/util/ebpf/bpf_linux.go#L31-L35

but , why is this ?

[vincentmli]

my kernel is custom build, I don't have /boot/config* for my running kernel, I do have /sys/kernel/btf/vmlinux

 configPaths = []string{ 
 	"/proc/config.gz", 
 	"/boot/config", 
 	"/boot/config-%s", 
 } 

ls -l /boot/conf* old kernel config from centos distro

-rw-r--r--. 1 root root 187648 May  8  2020 /boot/config-4.18.0-193.el8.x86_64
-rw-r--r--. 1 root root 192095 Jun  1  2021 /boot/config-4.18.0-305.3.1.el8.x86_64

my custom running kernel [root@centos-dev ecapture]# uname -a

Linux centos-dev.localdomain 5.18.0-rc3+ #90 SMP PREEMPT_DYNAMIC Mon May 23 12:55:31 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

[vincentmli]

@cfc4n to resolve my problem, I found the fix with diff below, my custom kernel has config located here /lib/modules/$(uname -r)/build/.config, in general linux distribution should have either /proc/config.gz or /boot/config-%s, so I guess my custom kernel build is kind of special, I can send a PR if that is ok for you.

diff --git a/pkg/util/ebpf/bpf_linux.go b/pkg/util/ebpf/bpf_linux.go
index a8dad21..396cb9b 100644
--- a/pkg/util/ebpf/bpf_linux.go
+++ b/pkg/util/ebpf/bpf_linux.go
@@ -32,6 +32,8 @@ var (
                "/proc/config.gz",
                "/boot/config",
                "/boot/config-%s",
+               "/boot/config-%s",
+               "/lib/modules/%s/build/.config",
        }
 )

[cfc4n]

wait...

/lib/modules/%s/build/.config is a standard path? do you have official documentation in linux handle? or a link?

[vincentmli]

"/lib/modules/%s/build/.config",

I could not find official documentation yet, according to my understanding, when I build custom kernel from kernel source, the /lib/modules/%s/build is a symbolic link to the kernel source tree build directory, for example, I always run most recent bpf-next kernel tree and cloned to /usr/src/bpf-next directory, after I make modues_install and reboot into my custom kernel build, I can see the symbolic link:

ls -l /lib/modules/uname -r/build

lrwxrwxrwx 1 root root 17 May  6 00:49 /lib/modules/5.18.0-rc3+/build -> /usr/src/bpf-next

this is for my centos 8 with custom kernel build

I also checked ubuntu 22.04 machine that is upgraded from ubuntu 20.04, so the kernel is upgraded from the distro, I don't have custom kernel build on this machine, but it has the same symbolic link

ls -l /lib/modules/uname -r/build

lrwxrwxrwx 1 root root 40 Jun  9 14:36 /lib/modules/5.15.0-39-generic/build -> /usr/src/linux-headers-5.15.0-39-generic

it seems to be safe to assume /lib/modules/`uname -r`/build/.config could exist for running kernel

[vincentmli]

I think I speak too early, the fix i mentioned only fix ecapture running in the host VM machine, if I put the ecapture in container like netshoot pod, it failed to run with same error. so the fix is not good, ecapture 0.1.10 works in container fine. maybe we need to think about if the configPaths is needed? does andriod require configPaths?

[cfc4n]

please wait, I'm release new version. something need to debug..

[vincentmli]

fyi, i recompiled the kernel with /proc/config.gz support, ecapture still failed with same error, both failed in host and in container

[root@cilium-dev var]# uname -a
Linux cilium-dev 5.18.0+ #3 SMP PREEMPT_DYNAMIC Sun Jul 3 20:57:54 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

[root@cilium-dev var]# ls -l /proc/config.gz 
-r--r--r-- 1 root root 34436 Jul  3 21:09 /proc/config.gz

[vincentmli]

fyi, i recompiled the kernel with /proc/config.gz support, ecapture still failed with same error, both failed in host and in container

[root@cilium-dev var]# uname -a
Linux cilium-dev 5.18.0+ #3 SMP PREEMPT_DYNAMIC Sun Jul 3 20:57:54 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

[root@cilium-dev var]# ls -l /proc/config.gz 
-r--r--r-- 1 root root 34436 Jul  3 21:09 /proc/config.gz

there is problem with the code, line 47 append kernel version number to /proc/config.gz or /boot/config-%s, but /proc/config.gz does not have kernel version number, so even if user has /proc/config.gz supported in kernel config, /proc/config.gz will not be found, this is the first problem I found

 31         configPaths = []string{
 32                 "/proc/config.gz",
 33                 "/boot/config",
 34                 "/boot/config-%s",
 35         }
 36 )
 37 
 38 func GetSystemConfig() (map[string]string, error) {
 39         var KernelConfig = make(map[string]string)
 40 
 41         i, e := getOSUnamer()
 42         if e != nil {
 43                 return KernelConfig, e
 44         }
 45 
 46         for _, system_config_path := range configPaths {
 47                 bootConf := fmt.Sprintf(system_config_path, i.Release)
 48                 KernelConfig, e = getLinuxConfig(bootConf)
 49                 if e != nil {
 50                         continue
 51                 }
 52 
 53                 if len(KernelConfig) > 0 {
 54                         break
 55                 }
 56         }

the second problem i found when I hacked the code to bypass line 47 bootConf := fmt.Sprintf(system_config_path, i.Release) for /proc/config.gz, the line 48 getLinuxConfig(bootConf) still failed to parse /proc/config.gz for some reason and KernelConfig is empty

[cfc4n]

yes ,the code here is flawed. I'll send a PR later. That is my fault, thannnnkkkksssss.

[vincentmli]

@cfc4n I am sorry to tell you that I tested again with your fix #123, it did not fix the problem on my VM with custom kernel build with /proc/config.gz support :(.

[root@centos-dev ecapture]# ls -l /proc/config.gz 
-r--r--r-- 1 root root 34270 Jul  4 02:21 /proc/config.gz

./bin/ecapture 
2022/07/05 10:07:11 Kernel config read failed, error:KernelConfig not found.

also I am concerned even if we fixed /proc/config.gz for ecapture running in host, it may not work for ecapture in k8s container environment, /proc/config.gz is not supported in Ubuntu or Centos distribution, and in container environment, the container may has no access to /boot/config* neither, just a head up

now my workaround is to replace log.Fatalf with log.Printf in main.go when error:KernelConfig not found :)

[cfc4n]

eh.... That is scene I didn't expect while use on k8s container.

I'll try a new idea.

[vincentmli]

maybe add a new flag switch or something like that for andriod environment, restore the previous behavior that worked in container environment?

[cfc4n]

I don't think so.
New detection methods are necessary for container.