falco: "BPF doesn't have JIT enabled" reported incorrectly when using docker

Describe the bug

Even if JIT is enabled for BPF, both falcosecurity/falco and falcosecurity/falco-driver-loader report the following message when run with -e FALCO_BPF_PROBE="":

******************************************************************
** BPF doesn't have JIT enabled, performance might be degraded. **
** Please ensure to run on a kernel with CONFIG_BPF_JIT on.     **
******************************************************************

How to reproduce it

On a system with a kernel >= 4.15 with CONFIG_BPF_JIT on and docker installed, run:

docker run --rm -i -t \
    --privileged \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    -v /etc:/host/etc:ro \
    -e FALCO_BPF_PROBE="" \
    falcosecurity/falco:0.23.0

Expected behaviour

No “BPF doesn’t have JIT enabled, performance might be degraded” banner.

Environment

  • Falco version: 0.23.0
  • Kernel: Linux ubuntu-xenial 4.15.0-101-generic #102~16.04.1-Ubuntu SMP Mon May 11 11:38:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  • Installation method: docker

Additional context

Because the view of /proc inside the container is different, this check does not work as expected when it runs inside a container. Note that prefixing the path with ${HOST} will not solve the issue anyway.
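The following is an added example, not Falco's own code, showing how a JIT check can avoid the misreport described above. The reason the check fails is that entries under /proc/sys/net are resolved against the network namespace of the process doing the lookup, and bpf_jit_enable is registered only for the initial network namespace; inside a container with its own network namespace the open() fails with ENOENT, and a check that treats any read failure as "disabled" prints the banner. Bind-mounting the host's /proc at /host/proc does not change which namespace the lookup uses, so the example instead distinguishes "not visible here" from "disabled" and, when it is not visible, temporarily joins the network namespace of the host's pid 1 and reads the sysctl there. It assumes the host's /proc is mounted at /host/proc as in the docker command above, that the process has CAP_SYS_ADMIN (falco runs with --privileged), and the function and enum names are this example's own.

```c
/* Added example (not Falco's code): namespace-aware bpf_jit_enable check. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000 /* Linux flag value, in case sched.h did not provide it */
#endif

enum bpf_jit_state { BPF_JIT_UNKNOWN = -1, BPF_JIT_DISABLED = 0, BPF_JIT_ENABLED = 1 };

/* Kernel values for bpf_jit_enable: 0 = off, 1 = on, 2 = on with JIT debug dump. */
enum bpf_jit_state bpf_jit_parse(const char *buf)
{
    char *end;
    long v;

    if (buf == NULL)
        return BPF_JIT_UNKNOWN;
    errno = 0;
    v = strtol(buf, &end, 10);
    if (end == buf || errno != 0)
        return BPF_JIT_UNKNOWN;
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;                      /* only trailing whitespace is acceptable */
    if (*end != '\0')
        return BPF_JIT_UNKNOWN;
    if (v == 0)
        return BPF_JIT_DISABLED;
    if (v == 1 || v == 2)
        return BPF_JIT_ENABLED;
    return BPF_JIT_UNKNOWN;
}

/* Read the sysctl below proc_root (normally "/proc"). A missing file is reported
 * as UNKNOWN with *err_out = ENOENT, never as DISABLED: that is the misreport. */
enum bpf_jit_state bpf_jit_read(const char *proc_root, int *err_out)
{
    char path[PATH_MAX], buf[32];
    ssize_t n;
    int fd;

    snprintf(path, sizeof path, "%s/sys/net/core/bpf_jit_enable", proc_root);
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        if (err_out) *err_out = errno;
        return BPF_JIT_UNKNOWN;
    }
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) {
        if (err_out) *err_out = errno;
        return BPF_JIT_UNKNOWN;
    }
    buf[n] = '\0';
    if (err_out) *err_out = 0;
    return bpf_jit_parse(buf);
}

/* Join the network namespace of `pid` (e.g. the host's init, seen as /host/proc/1
 * when the host /proc is bind-mounted at /host/proc), read the sysctl, then return
 * to our own namespace. After setns() even the container's own /proc/sys/net shows
 * the host value, because the lookup follows the caller's current network namespace.
 * Requires CAP_SYS_ADMIN. */
enum bpf_jit_state bpf_jit_read_in_netns_of(const char *proc_root, pid_t pid, int *err_out)
{
    char ns_path[PATH_MAX];
    enum bpf_jit_state st = BPF_JIT_UNKNOWN;
    int target, self;

    snprintf(ns_path, sizeof ns_path, "%s/%ld/ns/net", proc_root, (long)pid);
    target = open(ns_path, O_RDONLY);
    if (target < 0) {
        if (err_out) *err_out = errno;
        return BPF_JIT_UNKNOWN;
    }
    self = open("/proc/self/ns/net", O_RDONLY);
    if (self < 0) {
        if (err_out) *err_out = errno;
        close(target);
        return BPF_JIT_UNKNOWN;
    }
    if (syscall(SYS_setns, target, CLONE_NEWNET) == 0) {
        st = bpf_jit_read("/proc", err_out);
        syscall(SYS_setns, self, CLONE_NEWNET);   /* restore our own namespace */
    } else if (err_out) {
        *err_out = errno;
    }
    close(self);
    close(target);
    return st;
}

int main(void)
{
    int err = 0;
    enum bpf_jit_state st = bpf_jit_read("/proc", &err);

    if (st == BPF_JIT_UNKNOWN && err == ENOENT) {
        /* Not visible from this network namespace: ask the host's namespace via pid 1. */
        const char *root = access("/host/proc/1/ns/net", R_OK) == 0 ? "/host/proc" : "/proc";
        st = bpf_jit_read_in_netns_of(root, 1, &err);
    }
    if (st == BPF_JIT_ENABLED)
        puts("BPF JIT enabled");
    else if (st == BPF_JIT_DISABLED)
        puts("BPF JIT disabled (bpf_jit_enable=0): performance might be degraded");
    else
        printf("BPF JIT state unknown (%s); not assuming it is disabled\n", strerror(err));
    return 0;
}
```

Run inside the container from the docker command above, the first read fails with ENOENT, the fallback reads the host's value through pid 1's namespace, and the banner would only be printed for an actual 0. If the sysctl is absent even from the host namespace, the state stays unknown rather than being reported as disabled.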

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 34 (20 by maintainers)

Most upvoted comments

As far as I know it’s a VERY corner case: I didn’t find any distro that allows disabling the JIT… the only way to test my assumptions was to recompile the kernel. I totally agree that it isn’t essential.

Uhm, so if this is the situation I would probably simply close the issue, keeping in mind that we have a solution for that case. WDYT @leogr?

The only problem, in my opinion, is the misleading error that shows up.

Please note that this log is no longer present; this is quite an old issue.

All the other tools, that I can think of and that I found, only check the value in /proc/sys/net/core/bpf_jit_enable

Thank you for the research!

first of all, thank you for the investigation! Just some random thoughts:

  • As far as I know the bpf jit is now a sort of default, so I expect it to be enabled except in some real corner cases. At the time the issue was opened it was probably a notable issue, but 3 years have passed… WDYT? Of course, if we need to add just a few lines in the code this is not an issue, but if we need to add many lines I would think carefully about it
  • I like the proposed solution, but just out of curiosity how does bpftool detect the jit enabled?

/remove-lifecycle rotten

IIRC, we suppressed the banner. https://github.com/falcosecurity/falco/pull/1811 attempted to re-introduce it, but I had some concern 👇 https://github.com/falcosecurity/falco/pull/1811#pullrequestreview-837474605

cc @LucaGuerra @FedeDP