diff --git a/alpine/base/ebpf/Dockerfile b/alpine/base/ebpf/Dockerfile
index fb9f5485e..4eddcf4de 100644
--- a/alpine/base/ebpf/Dockerfile
+++ b/alpine/base/ebpf/Dockerfile
@@ -6,7 +6,7 @@ COPY cdefs.h /usr/include/sys/
 ADD kernel-headers.tar /
 ADD kernel-dev.tar /
 ADD kernel-modules.tar /
-ADD 100-musl-compat.patch decl.patch intl.patch bcc-gnuism.patch ./
+ADD 100-musl-compat.patch decl.patch intl.patch bcc-gnuism.patch bcc-stack-protector.patch ./
 RUN cat elfutils-$ELFUTILS_VERSION.tar.bz2 | tar xjf -
 RUN cd elfutils-$ELFUTILS_VERSION && \
 patch -p1 < ../100-musl-compat.patch && \
@@ -15,9 +15,11 @@ RUN cd elfutils-$ELFUTILS_VERSION && \
 automake && \
 ./configure --prefix=/usr CFLAGS=-Wno-strict-aliasing && \
 make -C libelf && make -C libelf install
-RUN cd bcc && patch -p0 < ../bcc-gnuism.patch
+RUN cd bcc && patch -p0 < ../bcc-gnuism.patch && patch -p0 < ../bcc-stack-protector.patch
 RUN mkdir -p bcc/build && cd bcc/build && \
 cmake .. -DCMAKE_INSTALL_PREFIX=/usr -DLUAJIT_INCLUDE_DIR=/usr/include/luajit-2.1 && \
 make && \
 make install
 RUN mkdir -p /usr/local/share/lua/5.1/ && cd ljsyscall && cp -a *.lua syscall /usr/local/share/lua/5.1/
+
+ENV LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/lib64
diff --git a/alpine/base/ebpf/Makefile b/alpine/base/ebpf/Makefile
index ea07c0043..b575503ac 100644
--- a/alpine/base/ebpf/Makefile
+++ b/alpine/base/ebpf/Makefile
@@ -2,7 +2,7 @@ KERNEL_FILES=-C ../../kernel/x86_64 kernel-headers.tar kernel-dev.tar kernel-mod
 default: ebpf.tag
-ebpf.tag: Dockerfile 100-musl-compat.patch bcc-gnuism.patch decl.patch intl.patch temp_failure.patch cdefs.h error.h
+ebpf.tag: Dockerfile 100-musl-compat.patch bcc-gnuism.patch bcc-stack-protector.patch decl.patch intl.patch temp_failure.patch cdefs.h error.h
 BUILD=$$( tar cf - $^ $(KERNEL_FILES) | docker build -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && \
 echo $$BUILD > $@
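Review bot: The added `ENV LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/lib64` at the end of the second Dockerfile hunk expands to `:/usr/lib64` when the variable is not already set in the image, and no earlier `ENV` for it is visible in these hunks. That leaves an empty first element in the library search path, which glibc's loader reads as the current working directory; musl skips empty elements, so on this Alpine base it is probably inert, but the value is inherited by every process in a container that the docs say to start with `--privileged`. Setting the path outright, `ENV LD_LIBRARY_PATH=/usr/lib64`, removes the ambiguity and does not depend on which loader ends up reading it.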
diff --git a/alpine/base/ebpf/bcc-stack-protector.patch b/alpine/base/ebpf/bcc-stack-protector.patch
new file mode 100644
index 000000000..c33c91d49
--- /dev/null
+++ b/alpine/base/ebpf/bcc-stack-protector.patch
@@ -0,0 +1,10 @@
+--- src/cc/frontends/clang/kbuild_helper.cc
++++ src/cc/frontends/clang/kbuild_helper.cc
+@@ -89,6 +89,7 @@ int KBuildHelper::get_flags(const char *uname_machine, vector *cflags) {
+ cflags->push_back("-D__HAVE_BUILTIN_BSWAP64__");
+ cflags->push_back("-Wno-unused-value");
+ cflags->push_back("-Wno-pointer-sign");
++ cflags->push_back("-fno-stack-protector");
+
+ return 0;
+ }
diff --git a/docs/ebpf.md b/docs/ebpf.md
index 7d8ec8ab0..ed5a893a7 100644
--- a/docs/ebpf.md
+++ b/docs/ebpf.md
@@ -11,7 +11,12 @@ benchmarks etc. You probably want to run with
-`docker run -it -v /sys/kernel/debug:/sys/kernel/debug --privileged mobylinux/ebpf:tag sh` for
+`docker run -it -v /sys/kernel/debug:/sys/kernel/debug --privileged --pid=host mobylinux/ebpf:tag sh` for
 interactive use as some things use debugfs. You need at least `CAP_SYS_ADMIN` to do anything. There are examples in `bcc/examples` that should generally just work, I have tried several of the Lua ones.
+
+Some of the `iovisor/bcc` samples try to access the kernel symbols. For them to work correctly you should also execute:
+```sh
+echo 0 > /proc/sys/kernel/kptr_restrict
+```
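Review bot: `bcc-stack-protector.patch` appends `-fno-stack-protector` to the flag list built in `KBuildHelper::get_flags` with no explanation, and a flag that turns off a hardening feature is exactly what a later audit will stop on. Judging by the path (`frontends/clang/kbuild_helper.cc`), this list is presumably the set of options handed to the embedded clang when it compiles BPF programs, not the flags for bcc's own host binaries, but nothing in the patch says so. I would put a short free-text header above the `---` line of the patch file stating the scope and the reason, for example `Disable the stack protector only for BPF programs compiled by the bcc clang frontend; host binaries are unaffected.`, adjusted to whatever the actual build failure was. `get_flags` begins outside the inner hunk, so the rest of the flag list is not visible here.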