Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
n
Nico
09/01/2021, 11:34 AMHi everyone! I am not sure where to put this. I built Osquery from a Ubuntu/arm64 machine in order to run it on arm64 devices. When the Linux kernel version is equal to 4.9, the binary runs fine. But when the kernel is older, then I get : "FATAL : kernel too old". I gess I have to indicate the kernel version to CMake, but I don't know how. It this normal? And if it is normal, how can we make a binary run with old Linux kernel?
a
alessandrogario
09/01/2021, 11:47 AMHey Nico! Can you show us the full output of osquery, with --verbose?
n
Nico
09/01/2021, 11:53 AMHello Alessandro! Unfortunately it happens just as I run the binary. I get 'FATAL: kernel too old' and 'Segmentation fault (core dumped)'
And --verbose doesn't bring more info
a
alessandrogario
09/01/2021, 11:55 AMWhat kind of distros are you using? I think we relied on whatever was available from AWS for Graviton instances
๐ 1
n
Nico
09/01/2021, 11:59 AMFor instance, I want to run it on Ubuntu 16.04 server (on ARM64 machine). The Linux kernel is v4.4.0. It brings the error message I showed above. But when I run it on my Android 10 smartphone with v4.9.190 Linux kernel, it runs fine!
And the funny part, I build Osquery from the ARM64/Ubuntu16.04server machine. But the binary genereted does not work on this machine. It works on my Android device, but not on my ubuntu16.04 machine..
Is there specific modification to build the binary for graviton 2? What is needed to buid the code? A arm64-Linux machine? There is an option to add?
a
alessandrogario
09/01/2021, 12:09 PMProbably in the osquery-toolchain, then you would have to update all the pre-generated config files for all libraries
I don't think it makes sense for upstream to support distributions that are no longer supported and marked as end of life
The reason that the x64 version supports old (but still supported) distributions is for backward compatibility
given that osquery was never deployed on Ubuntu 16 ARM before, I think it's not a regression
๐ 1
but it should work on ARM distributions that are still supported, so this is a bug
the reference distributions are what AWS + Graviton supports though (at least for now)
The reason is that it was the only development environment most of us could get access to
n
Nico
09/01/2021, 12:17 PMOk I understand
I thought I could get through with CMake that should indicate the options to the compiler. And I added '--enable-kernel=3.3.0' in the file flags.cmake' for the compiler options. But it is useless
I will try to build the code from a different machine
s
Stefano Bonicatti
09/01/2021, 8:02 PMBy the way itโs not a matter of where the code is compiled from, but the fact that the osquery-toolchain uses kernel headers for the version 4.9 and most importantly (which is the cause of the error) targets glibc version 2.23.
n
Nico
09/02/2021, 7:08 AMHi Stefano. Thank you very much for your answer