EDR Sensor: SUSE Install fails with "Running kernel unsupported, cannot load CarbonBlack kernel module!"

Article ID: 287387

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Example error during install:
      Module not found for 5.3.18-24.43-default
      Running kernel unsupported, cannot load CarbonBlack kernel module!
  • Error in SensorDiag:
      Initializing BPF Program ...
      modprobe: FATAL: Module kheaders not found in directory /lib/modules/5.3.18-24.43-default
      chdir(/lib/modules/5.3.18-24.43-default/build): No such file or directory
      Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module)
      Unable to initialize BPF program

Environment

  • EDR Sensor: 7.0.1 Linux Sensor
  • SUSE: 15.x
     

Cause

  • The kernel development package is not installed, which leaves the sensor partially installed.

Resolution

Note: step 1 can be skipped in favor of moving straight on to installing the sensor (step 2), but you may have to come back to step 1 at some point during the workaround.
  1. Check if the kernel development package is installed and, if not, install it manually.
    • Execute the command below to see if the kernel development package is installed
      • rpm -qa | grep kernel
    • There should be a kernel-devel and kernel-default-devel package that match the kernel-default one.
    • If the kernel development package is not installed then install it manually. Note: the install of the kernel development package may fail if for example the system is unregistered and/or the repository is not configured.  These sorts of issues must be resolved before the package can be installed.
      • # fullkver=$(zypper se -s kernel-default-devel | awk '{split($0,a,"|"); print a[4]}' | grep $(uname -r | awk '{gsub("-default", "");print}') | sed -e 's/^[ \t]*//' | tail -n 1)
        
        # zypper -n --config /var/opt/carbonblack/response/zypp.conf install -f -y kernel-default-devel="$fullkver"
        
  2. Install the sensor:
    • Ignore the "Running kernel unsupported, cannot load CarbonBlack kernel module!" message.  This is due to CB-33242 which is fixed in Linux Sensor Version 7.0.2.
    • If the install script gets stuck at "Starting daemon..." then ^C (CTRL + C) out.  This is due to CB-33906 which is fixed in Linux Sensor Version 7.0.2.
  3. Check if the sensor failed due to missing kernel development package:
    • Check the cbebpfdaemon log file /tmp/cbebpf_error.log for error messages that look like this indicating the kernel header package is not installed:
      • modprobe: FATAL: Module kheaders not found in directory /lib/modules/5.3.18-24.46-default
        chdir(/lib/modules/5.3.18-24.46-default/build): No such file or directory
        Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module)
        Unable to initialize BPF program
    • If there is an error message then do one of the following to install the missing package:
      1. Install package by rebooting:
        • A reboot will cause cbkernelupdate service to run and try to install the package.
      2. Install package by running cbkernelupdate service manually:
        • Stop cbdaemon and cbebpfdaemon services
          • # service cbdaemon stop
            # service cbebpfdaemon stop
        • Start the cbkernelupdate service
          • # service cbkernelupdate start
        • Start cbdaemon service
          • # service cbdaemon start
      3. Install package manually as mentioned in the first step above (kernel-devel installation):
        • Stop cbdaemon and cbebpfdaemon services.
          • # service cbdaemon stop
            # service cbebpfdaemon stop
        • Follow step 1 from above.
        • Start cbdaemon service
          • # service cbdaemon start
    • Go back to step 3 to check that the development package is now installed
  4. Check the status of services:
    • Check cbkernelupdate service status:
      • # service cbkernelupdate status
      • It is OK for it to say "active (exited)" or "inactive (dead)" since it only tries to install the package and exits.
      • If there is a failure then it may be due to a failure to install the kernel package due to an unconfigured repository. Try installing it manually as in step 3.
    • Check cbebpfdaemon service status:
      • # service cbebpfdaemon status
      • It should be "Active: active (running)".
      • It is OK for it to say "Active: activating (start)". This is being corrected in CB-32389 which will be fixed in the 7.0.3 Linux Sensor.
      • Note: due to CB-33644/CB-32390 (fixed in the 7.0.3 Linux Sensor) it will not report a failure due to missing kernel header files.
    • Check cbdaemon service status:
      • # service cbdaemon status
      • It should now be "Active: active (running)".
  5. Check the health of the sensor on the server:
    • If the health is "50/100 Event Source Not Connected" then there is still a problem.
    • Go back through steps to make sure nothing was missed.  If nothing was missed, reach out to VMware CB Support.
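
The checks in steps 1 and 3 can be scripted so they give the same answer on every host. The following is an added example, not code from the article or the vendor: the function names, the verdict strings and the sample package list are constructed here, and it assumes rpm -qa names of the form kernel-default-devel-<version>.<arch>, where <version> begins with the running kernel release minus its "-default" suffix.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: rpm -qa names look like
# kernel-default-devel-<version>.<arch>, where <version> starts with
# `uname -r` minus its "-default" suffix.

# devel_missing KREL  (package list on stdin)
# Prints each required devel package that has no build for kernel release KREL.
devel_missing() (
    base="${1%-default}"; have_devel=0; have_default_devel=0
    while IFS= read -r line; do
        case "$line" in
            # Quoted prefix is literal; the "." keeps 24.4 from matching 24.43.
            "kernel-devel-$base".*)         have_devel=1 ;;
            "kernel-default-devel-$base".*) have_default_devel=1 ;;
        esac
    done
    [ "$have_devel" -eq 1 ] || echo kernel-devel
    [ "$have_default_devel" -eq 1 ] || echo kernel-default-devel
)

# headers_error_in_log FILE
# Succeeds when the log carries the missing-kernel-headers signature from step 3.
headers_error_in_log() {
    [ -r "$1" ] &&
        grep -qE 'Module kheaders not found|Unable to find kernel headers' "$1"
}

# triage KREL LOGFILE  (package list on stdin): prints a one-line verdict.
triage() (
    missing="$(devel_missing "$1" | tr '\n' ' ')"
    if [ -n "$missing" ]; then
        echo "missing for ${1%-default}: ${missing% }"
    elif headers_error_in_log "$2"; then
        echo "devel packages present, log still shows missing-headers error"
    else
        echo "ok"
    fi
)

# Constructed sample data (kernel release taken from the article's error text).
SAMPLE_KREL='5.3.18-24.43-default'
SAMPLE_PKGS='kernel-default-5.3.18-24.43.2.x86_64
kernel-default-devel-5.3.18-24.37.1.x86_64
kernel-devel-5.3.18-24.43.2.noarch'

printf '%s\n' "$SAMPLE_PKGS" | triage "$SAMPLE_KREL" /nonexistent
# On a live host: rpm -qa | triage "$(uname -r)" /tmp/cbebpf_error.log
```

A "missing" verdict points back to step 1. The log-based verdict only reflects what is currently in /tmp/cbebpf_error.log, so it can persist from an earlier failed start.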