daemon known problems (original) (raw)
Compilation
cgo: cannot load DWARF output from $WORK/b085//cgo.o: zlib: invalid header
See these comments: #851 and #851 , and issues: #820 #768
opensnitchd does not start
Note: Since v1.6.0 you can use opensnitchd -check-requirements to know if your system is compatible.
For all the following errors:
- The daemon needs NET_ADMIN capabilities. For example, to run it in docker you need --cap-add NET_ADMIN, or you'll get some of the described errors.
Error while creating queue #0: Error binding to queue: operation not permitted.(#323)- Be sure that the daemon is not already running, check it out with: pgrep -a opensnitchd, output should be empty)
- You should only have one opensnitchd binary at /usr/bin/opensnitchd . If you have others (for example in /usr/local/bin), investigate why it's there, and rename it to opensnitchd.xx for example (that will prevent from loading).
- Having no opensnitchd process running (pgrep opensnitchd), launch it manually and see if it exits with error or not.
- If you're executing it in a container, be sure to give the daemon NET_ADMIN capabilities.
Error while enabling probe descriptor for opensnitch_exec_probe: write /sys/kernel/debug/tracing/kprobe_events: no such file or directory(the kernel does not have support for CONFIG_FTRACE, or it's not loaded)iptables: Protocol wrong type for socket(modules nf_defrag_ipv4, nf_conntrack_ipv4 not loaded)Error opening Queue handle: protocol not supported(nfnetlink module not loaded)Could not open socket to kernel: Address family not supported by protocol (IPv6)Error while creating queue #0: Error unbinding existing q handler from AF_INET protocolsee #323 and #204. Usually caused because thenfnetlink_queuemodule is not loaded. Verify if it's loaded:~ $ lsomd | grep nfnetlink_queueAnother reason could be becauseip_queuemodule is loaded. If it's loaded, unload it.Subscribing to GUI rpc error: code = ResourceExhausted desc = Received message larger than max (4210785 vs. 4194304)Usually caused by the amount of rules. If you have 10k to 20k rules, consider grouping the rules to reduce the amount of rules.
be sure that you have NFQUEUE support in the kernel (=y or =m):
$ grep -E "(NFT|NETLINK|NFQUEUE)" /boot/config-$(uname -r) CONFIG_NFT_QUEUE=y CONFIG_NETFILTER_NETLINK_QUEUE=y CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
and that the needed modules are loaded:
$ lsmod | grep -i nfqueue xt_NFQUEUE 16384 4 x_tables 53248 20 xt_conntrack,nft_compat,xt_LOG,xt_multiport,xt_tcpudp,xt_addrtype,xt_CHECKSUM,xt_recent,xt_nat,ip6t_rt,xt_set,ip6_tables,ipt_REJECT,ip_tables,xt_limit,xt_hl,xt_MASQUERADE,ip6t_REJECT,xt_NFQUEUE,xt_mark
The following modules are also needed:
nf_defrag_ipv4.ko, nf_conntrack_ipv4.ko, nfnetlink.ko
cannot open kprobe_events: open /sys/kernel/debug/tracing/kprobe_events: permission denied
If after enabling eBPF you see the following error (even as root, specially on Fedora):
you'll need to allow opensnitch in selinux or set it to permissive:
# setenforce 0
or:
~ $ sudo journalctl -ar | grep "opensnitch.*lockdown" Aug 19 06🔞28 localhost-live audit[2443]: AVC avc: denied { confidentiality } for pid=2443 comm=opensnitchd lockdown_reason=use of tracefs scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
~ $ echo "Aug 19 06🔞28 localhost-live audit[2443]: AVC avc: denied { confidentiality } for pid=2443 comm=opensnitchd lockdown_reason=use of tracefs scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0" > opensnitch_lockdown.txt
~ $ sudo su ~ # audit2allow -M opensnitchd < opensnitch_lockdown.txt ~ # semanage -i opensnitchd.pp
You can download this generic selinux policy from here: #475 (comment)
Useful links:
https://danwalsh.livejournal.com/24750.html
https://learn.netdata.cloud/docs/agent/collectors/ebpf.plugin
kprobe_events file exists
This error indicates that the network hooks are already added, you'll need to delete them manually:
$ sudo su
> /sys/kernel/debug/tracing/kprobe_events
If it complains with "resource busy" or similar, restart the daemon.
Error while loading kprobes: invalid argument
eBPF Failed to load /etc/opensnitchd/opensnitch.o: error while loading "kprobe/tcp_v4_connect" (invalid argument):
This error may indicate that your kernel doesn't have ftrace support, which is needed for eBPF to work.
CONFIG_FTRACE should be y and the directory /sys/kernel/debug/tracing/ must exist.
~ $ grep CONFIG_FTRACE /boot/config-$(uname-r) CONFIG_FTRACE=y
If the output is # CONFIG_FTRACE is not set, your kernel is not compiled with ftrace support.
Read more: #475
error enabling tracepoints
[eBPF events] error enabling tracepoint tracepoint/syscalls/sys_enter_execve: cannot read tracepoint id (...)
Your kernel lacks support for syscalls tracing. The kernel must have the following option configured:
~ $ grep FTRACE_SYSCALLS /boot/config-$(uname -r) CONFIG_FTRACE_SYSCALLS=y
If the output is # CONFIG_FTRACE_SYSCALLS is not set, you need to reconfigure it or install one that has the option enabled.
Kernel panics
Some users reported kernel panics with kernel 5.6.16 (#297) and other kernels (#41). deathtrip found that the culprit was a configuration of the Arch's linux-hardened kernel command line option.
Removing the following options from the kernel booting parameters solved the issue:
slab_nomerge, slub_debug=FZP and page_alloc.shuffle=1
No interception
There's no interception and there are these warnings in the logs:
2 │ [2023-06-24 18:06:54] WAR nftables: error applying changes: conn.Receive: netlink receive: no such file or directory
3 │ [2023-06-24 18:06:54] ERR Error while running DNS nftables rule: Error adding DNS interception rules
4 │ [2023-06-24 18:06:54] WAR nftables: error applying changes: conn.Receive: netlink receive: no such file or directory
5 │ [2023-06-24 18:06:54] ERR Error while running conntrack nftables rule: Error adding interception rule
Your kernel doesn't have support for some needed options. Execute opensnitchd -check-requirements to know what is missing (more info: #976).
On Debian with kernel 5.7.0, remove slub_debug=FZP if you have it configured and try again.
Note: This was caused by a bug in the libnetfilter_queue library.