From ff5b4959f503ee1ce166477d7dad96c9d268c084 Mon Sep 17 00:00:00 2001 From: Mahe Tardy Date: Wed, 6 Mar 2024 11:07:29 +0100 Subject: [PATCH] docs: add FAQ entry about kernel config and tetra probe Signed-off-by: Mahe Tardy --- docs/content/en/docs/faq/_index.md | 110 ++++++++++++++++++----------- 1 file changed, 68 insertions(+), 42 deletions(-) diff --git a/docs/content/en/docs/faq/_index.md b/docs/content/en/docs/faq/_index.md index 99e78be5c5a..2fb49164817 100644 --- a/docs/content/en/docs/faq/_index.md +++ b/docs/content/en/docs/faq/_index.md @@ -14,54 +14,80 @@ for up to date information. Not all Tetragon features work with older kernel versions. BPF evolves rapidly and we recommend you use the most recent stable kernel possible to get the most out of Tetragon's features. -Note that Tetragon also needs [BTF support]({{< ref "/docs/faq/_index.md#tetragon-failed-to-start-complaining-about-a-missing-btf-file">}}) +Note that Tetragon needs [BTF support]({{< ref "/docs/faq/_index.md#tetragon-failed-to-start-complaining-about-a-missing-btf-file">}}) which might take some work on older kernels. -
See the recommended Linux kernel configuration options -

+### What are the Linux kernel configuration options needed to run Tetragon? +This is the list of needed configuration options, note that this might evolve +quickly with new Tetragon features: + +``` +# CORE BPF +CONFIG_BPF +CONFIG_BPF_JIT +CONFIG_BPF_JIT_DEFAULT_ON +CONFIG_BPF_EVENTS +CONFIG_BPF_SYSCALL +CONFIG_HAVE_BPF_JIT +CONFIG_HAVE_EBPF_JIT +CONFIG_FTRACE_SYSCALLS + +# BTF +CONFIG_DEBUG_INFO_BTF +CONFIG_DEBUG_INFO_BTF_MODULES + +# Enforcement +CONFIG_BPF_KPROBE_OVERRIDE + +# CGROUP and Process tracking +CONFIG_CGROUPS=y Control Group support +CONFIG_MEMCG=y Memory Control group +CONFIG_BLK_CGROUP=y Generic block IO controller +CONFIG_CGROUP_SCHED=y +CONFIG_CGROUP_PIDS=y Process Control group +CONFIG_CGROUP_FREEZER=y Freeze and unfreeze tasks controller +CONFIG_CPUSETS=y Manage CPUSETs +CONFIG_PROC_PID_CPUSET=y +CONFIG_CGROUP_DEVICE=Y Devices Control group +CONFIG_CGROUP_CPUACCT=y CPU accouting controller +CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_BPF=y Attach eBPF programs to a cgroup +CGROUP_FAVOR_DYNMODS=y (optional) >= 6.0 + Reduces the latencies of dynamic cgroup modifications at the + cost of making hot path operations such as forks and exits + more expensive. + Platforms with frequent cgroup migrations could enable this + option as a potential alleviation for pod and containers + association issues. 
+``` + +At runtime, to probe if your kernel has sufficient features turned on, you can +run `tetra` with root privileges with the `probe` command: + +```shell +sudo tetra probe ``` - # CORE BPF - CONFIG_BPF - CONFIG_BPF_JIT - CONFIG_BPF_JIT_DEFAULT_ON - CONFIG_BPF_EVENTS - CONFIG_BPF_SYSCALL - CONFIG_HAVE_BPF_JIT - CONFIG_HAVE_EBPF_JIT - CONFIG_FTRACE_SYSCALLS - - # BTF - CONFIG_DEBUG_INFO_BTF - CONFIG_DEBUG_INFO_BTF_MODULES - - # Enforcement - CONFIG_BPF_KPROBE_OVERRIDE - - # CGROUP and Process tracking - CONFIG_CGROUPS=y Control Group support - CONFIG_MEMCG=y Memory Control group - CONFIG_BLK_CGROUP=y Generic block IO controller - CONFIG_CGROUP_SCHED=y - CONFIG_CGROUP_PIDS=y Process Control group - CONFIG_CGROUP_FREEZER=y Freeze and unfreeze tasks controller - CONFIG_CPUSETS=y Manage CPUSETs - CONFIG_PROC_PID_CPUSET=y - CONFIG_CGROUP_DEVICE=Y Devices Control group - CONFIG_CGROUP_CPUACCT=y CPU accouting controller - CONFIG_CGROUP_PERF=y - CONFIG_CGROUP_BPF=y Attach eBPF programs to a cgroup - CGROUP_FAVOR_DYNMODS=y (optional) >= 6.0 - Reduces the latencies of dynamic cgroup modifications at the - cost of making hot path operations such as forks and exits - more expensive. - Platforms with frequent cgroup migrations could enable this - option as a potential alleviation for pod and containers - association issues. + +You can also run this command directly from the tetragon container image on a +Kubernetes cluster node. For example: + +```shell +kubectl run bpf-probe --image=quay.io/cilium/tetragon-ci:latest --privileged --restart=Never -it --rm --command -- tetra probe ``` -

-
+The output should be similar to this (with boolean values depending on your +actual configuration): + +``` +override_return: true +buildid: true +kprobe_multi: false +fmodret: true +fmodret_syscall: true +signal: true +large: true +``` ### Tetragon failed to start complaining about a missing BTF file
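Review bot: The `kubectl run` example in the new `tetra probe` section starts a `--privileged` pod from `quay.io/cilium/tetragon-ci:latest`, which is a floating `latest` tag on what the repository name suggests is a CI build, so the FAQ tells readers to run unpinned code with full privileges on a cluster node. Point the example at a release image pinned to a version tag or digest instead. In the options block, `CGROUP_FAVOR_DYNMODS=y` is missing the `CONFIG_` prefix, `CONFIG_CGROUP_DEVICE=Y` should use a lowercase `y` like the other entries, and "accouting" should read "accounting"; all three were carried over unchanged from the removed lines and can be fixed while the block is being moved. The core BPF, BTF and enforcement entries have no `=y` while the cgroup entries do, so the list would be easier to compare against a kernel config if the format were uniform. The sample probe output shows `kprobe_multi: false` without saying whether a `false` value prevents Tetragon from running or only disables a feature; a sentence on how to read the result would make the new section actionable.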