field TraceChdir: program trace_chdir: map events: map create: invalid argument (without BTF k/v)

[goldetime]

Hello!
I'm trying to detect GHSA-xr7r-f8xq-vfvv (Kubernetes run-time eBPF detection) using this instruction

The build, publish, and deployment went well, but pods can start with an error:

[ebpf-detector] 2024/02/05 02:13:25 logger.go:49: "msg"="Failed loading chdir bpf objects" "error"="field TraceChdir: program trace_chdir: map events: map create: invalid argument (without BTF k/v)"

All 4 pods show me the same error:

NAME                  READY   STATUS             RESTARTS   AGE
ebpf-detector-6d8hc   0/1     CrashLoopBackOff   5          3m32s
ebpf-detector-7q8qh   0/1     CrashLoopBackOff   5          3m32s
ebpf-detector-dqxlh   0/1     CrashLoopBackOff   5          3m32s
ebpf-detector-gmw55   0/1     CrashLoopBackOff   5          3m32s

Provider: Tanzu vSphere with 7.0
Kubernetes version: 1.21
Please let me know if I can present an additional information

Could you tell me how I can make this work?

[nozik]

Hi @goldetime, can you share more details about the Kubernetes nodes in the cluster? Which Linux distro, version, etc.? Thanks.

[goldetime]

Hello @nozik,

os-release of Worker node

$ cat /etc/os-release
NAME="VMware Photon OS"
VERSION="3.0"
ID=photon
VERSION_ID=3.0
PRETTY_NAME="VMware Photon OS/Linux"
ANSI_COLOR="1;34"
HOME_URL="https://vmware.github.io/photon/"
BUG_REPORT_URL="https://github.com/vmware/photon/issues"

Kubernetes Node Info

$ k get nodes -o wide
NAME                                                    STATUS   ROLES                  AGE    VERSION            INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                 KERNEL-VERSION       CONTAINER-RUNTIME
tkg-cluster-control-plane-c6tdf                         Ready    control-plane,master   518d   v1.21.2+vmware.1   10.92.54.29   <none>        VMware Photon OS/Linux   4.19.191-4.ph3-esx   containerd://1.4.6
tkg-cluster-control-plane-cs9wt                         Ready    control-plane,master   518d   v1.21.2+vmware.1   10.92.54.17   <none>        VMware Photon OS/Linux   4.19.191-4.ph3-esx   containerd://1.4.6
tkg-cluster-control-plane-t865z                         Ready    control-plane,master   518d   v1.21.2+vmware.1   10.92.54.31   <none>        VMware Photon OS/Linux   4.19.191-4.ph3-esx   containerd://1.4.6
tkg-cluster-workers-phxl9-579d4d5894-4xdwn              Ready    <none>                 47d    v1.21.2+vmware.1   10.92.54.26   <none>        VMware Photon OS/Linux   4.19.191-4.ph3-esx   containerd://1.4.6
tkg-cluster-workers-phxl9-579d4d5894-ftx4d              Ready    <none>                 518d   v1.21.2+vmware.1   10.92.54.19   <none>        VMware Photon OS/Linux   4.19.191-4.ph3-esx   containerd://1.4.6
tkg-cluster-workers-phxl9-579d4d5894-pljsb              Ready    <none>                 518d   v1.21.2+vmware.1   10.92.54.30   <none>        VMware Photon OS/Linux   4.19.191-4.ph3-esx   containerd://1.4.6

Please let me know if any additional information required..

Thanks.

[nozik]

Thanks @goldetime - eBPF isn't supported by PhotonOS 3.0, it was added in version 4.0 (see https://blogs.vmware.com/vsphere/2022/01/photon-os-4-0-rev-2-is-now-available.html - eBPF support for Linux Kernel under Other Enhancements). It should be possible to manually add it to the existing nodes, but I assume that's not a desirable approach.