Tracee for Yocto

[sswarnas1]

Hi, i am trying to build tracee in Yocto to track the resources container is using in my project. I see it is failing in oe_make phase. I dont see makefile in this git, THis is the recipe file i am using...

DESCRIPTION = "tracee"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c466d4ab8a68655eb1edf0bf8c1a8fb8"

SRC_URI[md5sum] = "43ac9fbaf8cadfab7665a93054271a4a"
SRC_URI = "https://github.com/aquasecurity/tracee.git"

S = "${WORKDIR}/git"

do_compile() {
oe_runmake
}

do_install() {
install -d ${D}${bindir}
install -m 0755 tracee ${D}${bindir}
}
It says no Makefile found. Can you suggest what i am missing here ..

Thanks,
Swarna

[yanivagman]

Hi @sswarnas1,

I'm not sure why it says no makefile found, as Tracee does have a makefile:
https://github.com/aquasecurity/tracee/blob/master/Makefile

I never used Yocto before, but maybe your'e missing the "SRCREV" like in this example?
https://github.com/DynamicDevices/meta-example/blob/master/recipes-example/bbexample/bbexample_1.0.bb

[sswarnas1]

Thanks Yaniv.

I have corrected my recipe, and tracee compiles now, and see the below error.
ERROR: oe_runmake failed
| main.go:9:2: cannot find package "github.com/aquasecurity/tracee/tracee" in any of:
| /mnt/home/ssubir227/crun/arrisxi6_2006/build-arrisxi6/tmp/sysroots/x86_64-linux/usr/lib/go/src/github.com/aquasecurity/tracee/tracee (from $GOROOT)
| /mnt/home/ssubir227/go/src/github.com/aquasecurity/tracee/tracee (from $GOPATH)
| main.go:10:2: cannot find package "github.com/syndtr/gocapability/capability" in any of:
| /mnt/home/ssubir227/crun/arrisxi6_2006/build-arrisxi6/tmp/sysroots/x86_64-linux/usr/lib/go/src/github.com/syndtr/gocapability/capability (from $GOROOT)
| /mnt/home/ssubir227/go/src/github.com/syndtr/gocapability/capability (from $GOPATH)
| main.go:11:2: cannot find package "github.com/urfave/cli/v2" in any of:
| /mnt/home/ssubir227/crun/arrisxi6_2006/build-arrisxi6/tmp/sysroots/x86_64-linux/usr/lib/go/src/github.com/urfave/cli/v2 (from $GOROOT)
| /mnt/home/ssubir227/go/src/github.com/urfave/cli/v2 (from $GOPATH)
| make: *** [dist/tracee] Error 1
| WARNING: exit code 1 from a shell command.

i see in main.go, we are importing
" github.com/aquasecurity/tracee/tracee"
"github.com/syndtr/gocapability/capability"
"github.com/urfave/cli/v2"
)

when i give this URL directly in browser also, github.com/aquasecurity/tracee/tracee i am getting page not found. My build is failing with package not found error. Can you please suggest what can be the issue here.

Thanks,
Swarna

[yanivagman]

Regarding: "when i give this URL directly in browser also, github.com/aquasecurity/tracee/tracee i am getting page not found" -

the url "github.com/aquasecurity/tracee" is this repository, while "github.com/aquasecurity/tracee/tracee" is tracee directory in this repository, which is not accessible through this url, but "github.com/aquasecurity/tracee/tree/master/tracee"

I think the issue you have is related to how the go environment is configured, ($GOPATH and $GOROOT), and you should probably check how to correctly do that for compiling a project written in go with yocto. Sorry that I can't help here, as I didn't use yocto before and I don't know how to do that. I reccomend you try to find other go projects compiled with yocto recipes as an example.

[itaysk]

@sswarnas1 can you first confirm that you are able to build Tracee without Yocto, by cloning the Tracee repo, and running make build in it?

[itaysk]

the errors you included hints that you are using Golang 1.7. Tracee is using Go modules which requires a more recent version. Can you please try to upgrade go? Currently we are using 1.13

[nats5886]

Thanks @itaysk.
With 1.13, those errors are resolved. Now, I see some other issues in bcc files.
Is there any dependecy like partocular version to be used?

go: downloading github.com/urfave/cli/v2 v2.1.1
go: downloading github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
go: downloading github.com/iovisor/gobpf v0.0.0-20200529092446-49b58e11a4b5
go: extracting github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
go: extracting github.com/urfave/cli/v2 v2.1.1
go: extracting github.com/iovisor/gobpf v0.0.0-20200529092446-49b58e11a4b5
go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d
go: extracting github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d
go: downloading github.com/russross/blackfriday/v2 v2.0.1
go: extracting github.com/russross/blackfriday/v2 v2.0.1
go: downloading github.com/shurcooL/sanitized_anchor_name v1.0.0
go: extracting github.com/shurcooL/sanitized_anchor_name v1.0.0
go: finding github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
go: finding github.com/iovisor/gobpf v0.0.0-20200529092446-49b58e11a4b5
go: finding github.com/urfave/cli/v2 v2.1.1
go: finding github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d
go: finding github.com/russross/blackfriday/v2 v2.0.1
go: finding github.com/shurcooL/sanitized_anchor_name v1.0.0
github.com/shurcooL/sanitized_anchor_name
github.com/iovisor/gobpf/pkg/cpuonline
github.com/syndtr/gocapability/capability
github.com/russross/blackfriday/v2
github.com/iovisor/gobpf/bcc
github.com/iovisor/gobpf/bcc
/home/nsubbira/go/pkg/mod/github.com/iovisor/[email protected]/bcc/module.go:32:28: fatal error: bcc/bcc_common.h: No such file or directory
#include <bcc/bcc_common.h>
^
compilation terminated.
github.com/cpuguy83/go-md2man/v2/md2man
github.com/urfave/cli/v2
Makefile:15: recipe for target 'dist/tracee' failed
make: *** [dist/tracee] Error 2
nsubbira@fies1uas90:/export/git/nsubbira/tracing/tracee$ go version
go version go1.13 linux/amd64

[itaysk]

you need to install BCC as indicated in the readme
Here are the instructions to install BCC: https://github.com/iovisor/bcc/blob/master/INSTALL.md
I know they had issues specifically with Ubuntu, so if that won't work out for you, you can try to build bcc from source instead of using the packaged version.

[itaysk]

as an alternative, you can build within the docker image, which has all the prerequisites already. instead of make build try make build-docker

[nats5886]

Hi @itaysk,

Thanks. After installing LLVM/CLANG/BCC properly, I am able to compile tracee successfully on my system.

but, need to integrate all these tools into Yocto to make tracee working in Yocto.
i will try that and let you know.

Thanks
Natarajan

[sswarnas1]

I have also faced bcc_common.h error in ubuntu... Not able to resolve this....

…

On Thu, Oct 1, 2020, 9:42 AM nats5886 ***@***.***> wrote: Thanks @itaysk <https://github.com/itaysk>. With 1.13, those errors are resolved. Now, I see some other issues in bcc files. go: downloading github.com/urfave/cli/v2 v2.1.1 go: downloading github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 go: downloading github.com/iovisor/gobpf v0.0.0-20200529092446-49b58e11a4b5 go: extracting github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 go: extracting github.com/urfave/cli/v2 v2.1.1 go: extracting github.com/iovisor/gobpf v0.0.0-20200529092446-49b58e11a4b5 go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d go: extracting github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d go: downloading github.com/russross/blackfriday/v2 v2.0.1 go: extracting github.com/russross/blackfriday/v2 v2.0.1 go: downloading github.com/shurcooL/sanitized_anchor_name v1.0.0 go: extracting github.com/shurcooL/sanitized_anchor_name v1.0.0 go: finding github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 go: finding github.com/iovisor/gobpf v0.0.0-20200529092446-49b58e11a4b5 go: finding github.com/urfave/cli/v2 v2.1.1 go: finding github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d go: finding github.com/russross/blackfriday/v2 v2.0.1 go: finding github.com/shurcooL/sanitized_anchor_name v1.0.0 github.com/shurcooL/sanitized_anchor_name github.com/iovisor/gobpf/pkg/cpuonline github.com/syndtr/gocapability/capability github.com/russross/blackfriday/v2 github.com/iovisor/gobpf/bcc github.com/iovisor/gobpf/bcc /home/nsubbira/go/pkg/mod/ ***@***.***/bcc/module.go:32:28: fatal error: bcc/bcc_common.h: No such file or directory #include <bcc/bcc_common.h> ^ compilation terminated. github.com/cpuguy83/go-md2man/v2/md2man github.com/urfave/cli/v2 Makefile:15: recipe for target 'dist/tracee' failed make: *** [dist/tracee] Error 2 ***@***.***:/export/git/nsubbira/tracing/tracee$ go version go version go1.13 linux/amd64 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#231 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANQJWZUETKZ5VOGHN55BI33SISIN5ANCNFSM4RWLMCSQ> .

[itaysk]

Hi, please see my reply to @nats5886 above

[sswarnas1]

Thanks Itay.. my end objective is to run tracee on my device based on Broadcomin yocto, we don't have docker support on the device...

…

On Thu, Oct 1, 2020, 10:36 AM Itay Shakury ***@***.***> wrote: Hi, please see my reply to @nats5886 <https://github.com/nats5886> above — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#231 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANQJWZVLQDR7LA56I5MXYXDSISOZTANCNFSM4RWLMCSQ> .

[yanivagman]

Hi @sswarnas1 ,

Is your broadcom device based on x86?
Please note that we don't support other architectures yet (e.g. arm/arm64)

[sswarnas1]

unfortunately my device is based on arm...

…

On Thu, Oct 1, 2020 at 1:37 PM Yaniv Agman ***@***.***> wrote: Hi @sswarnas1 <https://github.com/sswarnas1> , Is your broadcom device based on x86? Please note that we don't support other architectures yet (e.g. arm/arm64) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#231 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANQJWZXBISOAUIQEPGGLVMDSIS45VANCNFSM4RWLMCSQ> .

[itaysk]

I have added an issue to track interest in ARM #234. please vote up if you need it

[nats5886]

Thanks @yanivagman for the explanation. I would like to try Tracee in an ARM based device.
Could you please let me know whether ARM support will be added soon or it is in future list of action items?

[itaysk]

Hi @nats5886 we are not working on this yet. If we see that there's community interest it will certainly help us prioritize. I see that you have already voted on the issue (#234), we will update that issue if/when we move on with this enhancement request

[itaysk]

FYI, ARM support was just merged in with #371, although it's not released yet, you can try to experiment with it.

[yanivagman]

*ARM64

[sswarnas1]

Thanks done...

…

On Fri, Oct 2, 2020 at 6:01 AM Yaniv Agman ***@***.***> wrote: The reason why Tracee will not work on arm devices is that the event ids numbers are according to the x86_64 syscalls numbers. I recently added a table that maps x86_64 syscalls to x86_32 syscalls to support 32bit applications running in compat mode. We can do something similar for arm, but some other changes are also required, like reading the arguments to different registers in pt_regs struct in the bpf code. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#231 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANQJWZWCXZIHCMMDV5BWB53SIWQGZANCNFSM4RWLMCSQ> .