Introduction
This document describes how to identify, resolve, and verify fault 11 in the Secure Endpoint Linux connector.
Determine BTF Support
In order for the connector to monitor filesystem and network events using eBPF, one of these must be true:
- The current kernel has
CONFIG_DEBUG_INFO_BTF
enabled, or
- There is a kernel header installed for the current kernel.
It is preferred that your kernel has CONFIG_DEBUG_INFO_BTF
enabled. To check if your current kernel has CONFIG_DEBUG_INFO_BTF
enabled, run the command:
cat /boot/config-$(uname -r) | grep CONFIG_DEBUG_INFO_BTF
If you see CONFIG_DEBUG_INFO_BTF=y
then your kernel supports BTF and the connector can monitor filesystem and network events using eBPF. Linux connector versions 1.25.0 and newer support eBPF CO-RE which allows monitoring of filesystem and network events on BTF supported kernels without requiring kernel headers to be installed.
Fault 11
If your current kernel does not support BTF and the required kernel header is missing, then fault 11 is raised by the Linux connector. Use one of these steps to resolve the fault:
- Upgrade your kernel and connector to a BTF supported version (preferred solution), or
- Install the missing kernel header
BTF Supported Distributions
These distributions have CONFIG_DEBUG_INFO_BTF
enabled by default in the latest kernel version:
- Centos/RHEL 8.2 and later
- Ubuntu 20.04 and later
- Oracle Linux 8.5 and later
- Debian 11 and later
- Alma Linux 8.3 and later
- Rocky Linux 8.3 and later
- SUSE Enterprise 15 SP4 / openSUSE Leap 15.4 and later
Upgrade to a BTF Supported Kernel
If you are on a distribution that supports BTF in a later kernel version, it is preferred that you update your kernel in order to resolve fault 11.
Before proceeding to update your kernel, first upgrade your Linux connector to version 1.25.0 or newer to ensure that your connector supports BTF.
RPM-based Distributions
This section is applicable to:
- Alma Linux
- Amazon Linux
- CentOS Linux
- Oracle Linux Red Hat Compatible Kernel (RHCK)
- Red Hat Enterprise Linux
- Rocky Linux
To upgrade to the latest kernel version:
- Check if there are updates available for the kernel:
yum check-update
If you see kernel.x86_64
in the output then there is a kernel upgrade available.
- Update the kernel package:
sudo yum update kernel
- Reboot your system:
sudo reboot
- Verify the new kernel supports BTF and that fault 11 is cleared by the connector.
Oracle Linux Unbreakable Enterprise Kernel (UEK)
To upgrade to the latest kernel version:
- Check if there are updates available for the kernel:
yum check-update
If you see kernel-uek.x86_64
in the output then there is a kernel upgrade available.
- Update the kernel package:
sudo yum update kernel-uek
- Reboot your system:
sudo reboot
- Verify the new kernel supports BTF and that fault 11 is cleared by the connector.
SUSE Linux Enterprise and openSUSE Leap
To upgrade to the latest kernel version:
- Check your current kernel version:
uname -r
- List the available
kernel-default
packages:
zypper search -s --match-exact kernel-default
The output appears as:
<status> | kernel-default | package | <version> | <arch> | <repository>
Find a version
that is greater than your current kernel version, determined in step 1.
- Install the new versions of
kernel-default
with the command:
sudo zypper install kernel-default=<new-version>
- Reboot your system:
sudo reboot
- Verify the new kernel supports BTF and that fault 11 is cleared by the connector.
Debian-based Distributions
To upgrade to the latest kernel version:
- Retrieve the latest package lists:
sudo apt update
- Install the latest packages:
sudo apt upgrade
- Reboot your system:
sudo reboot
- Verify the new kernel supports BTF and that fault 11 is cleared by the connector.
Install Missing Kernel Header
Before installing a missing kernel header, try upgrading your system to a BTF supported version. If this does not resolve fault 11, or if your distribution does not yet support BTF in the latest version, then continue to install the missing kernel header.
RPM-based Distributions
This section is applicable to:
- Alma Linux
- Amazon Linux
- CentOS Linux
- Oracle Linux Red Hat Compatible Kernel (RHCK)
- Red Hat Enterprise Linux
- Rocky Linux
Verify
RPM-based distributions require that a kernel-devel
package is installed for the currently running kernel. To verify if a kernel-devel
package is installed for the current running kernel, run:
rpm -qa | grep kernel-devel-$(uname -r)
If there are no results, then the required kernel-devel
package is missing and needs to be installed.
Resolution
To install the required kernel-devel
package, run the command:
sudo dnf install -y kernel-devel-$(uname -r)
Reverify. Fault 11 is be cleared by the connector after about a minute.
Oracle Linux Unbreakable Enterprise Kernel (UEK)
Verify
Oracle Linux UEK requires that a kernel-uek-devel
package is installed for the currently running kernel. To verify if a kernel-uek-devel
package is installed for the current running kernel, run:
rpm -qa | grep kernel-uek-devel-$(uname -r)
If there are no results, then the required kernel-uek-devel
package is missing and needs to be installed.
Resolution
To install the required kernel-uek-devel
package, run the command:
sudo dnf install -y kernel-uek-devel-$(uname -r)
Reverify. Fault 11 is be cleared by the connector after about a minute.
SUSE Linux Enterprise and openSUSE Leap
Verify
SUSE and openSUSE require that the kernel-default-devel
package is installed for the currently running kernel. To verify if the kernel-default-devel
package is installed for the current running kernel, run:
zypper search -si kernel-default-devel | grep $(uname -r | sed "s/-default//")
If there are no results, then the required kernel-default-devel
package is missing and needs to be installed.
Resolution
Install kernel headers
- To determine if the correct
kernel-default-devel
package for your kernel version is available for install, run the command:
zypper search -s kernel-default-devel | grep $(uname -r | sed "s/-default//")
The output includes the syntax:
<status> | kernel-default-devel | <package_type> | <version> | <arch> | <repository>
If you see a similar output, then take note of the version
specified in the output and continue to step 2. Otherwise, skip this section and instead use the steps to update the kernel and install matching kernel headers.
- Install the
kernel-default-devel
package using this command, replacing <version>
with the available version identified in the previous step:
sudo zypper install --oldpackage kernel-default-devel=<version>
- Verify the
kernel-default-devel
package was installed. Fault 11 is cleared by the connector after about a minute.
Update Kernel and Install Matching Kernel Headers
If the required kernel-default-devel
package is not available, update your kernel to a supported version and install the matching kernel headers.
- List the available
kernel-default
and kernel-default-devel
packages with the command:
zypper search -s --match-exact kernel-default kernel-default-devel
Look for matching versions of the kernel-default
and the kernel-default-devel
packages. For example:
<status> | kernel-default | package | <new-version> | <arch> | <repository>
<status> | kernel-default-devel | package | <new-version> | <arch> | <repository>
Take note of the new-version
specified in the output.
Note: if you cannot find a newer kernel to upgrade to, you must upgrade to a newer distribution release version.
- Install the new versions of
kernel-default
and kernel-default-devel
with the command:
sudo zypper install kernel-default=<new-version> kernel-default-devel=<new-version>
- Reboot your system:
sudo reboot
- Reverify. Fault 11 is cleared by the connector.
Debian-based Distributions
Verify
Debian-based distributions require that a linux-headers
package is installed for the currently running kernel. To verify if a linux-headers
package is installed for the current running kernel, run:
apt list linux-headers-$(uname -r)
If there are no results, then the required linux-headers
package is missing and needs to be installed.
Resolution
To install the required linux-headers
package, run the command:
sudo apt install linux-headers-$(uname -r)
Reverify. Fault 11 is cleared by the connector after about a minute.