Skip to content

Instantly share code, notes, and snippets.

@MarioHewardt
Last active November 4, 2024 17:13
Show Gist options
  • Save MarioHewardt/5759641727aae880b29c8f715ba4d30f to your computer and use it in GitHub Desktop.
Save MarioHewardt/5759641727aae880b29c8f715ba4d30f to your computer and use it in GitHub Desktop.
Enable EBPF on WSL2
By default, EBPF programs will not run on WSL2 due to required kernel modules missing. The following example error is an
indication of this problem:
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.19.84-microso
ft-standard/modules.dep.bin'
modprobe: FATAL: Module kheaders not found in directory /lib/modules/4.19.84-microsoft-standard
chdir(/lib/modules/4.19.84-microsoft-standard/build): No such file or directory
To fix this you need to rebuild the WSL2 kernel with the missing kernel modules. The below instructions are for Ubuntu 18.04 WSL2.
1. git clone https://github.com/microsoft/WSL2-Linux-Kernel.git
2. cd WSL2-Linux-Kernel
3. sudo apt install flex bison build-essential libelf-dev libncurses-dev libssl-dev
4. cp Microsoft/config-wsl .config
5. Add the kernel flags specified in https://github.com/iovisor/bcc/blob/master/INSTALL.md#kernel-configuration to .config
6. export KERNELRELEASE=4.19.84-microsoft-standard
NOTE: Make sure the version corresponds to the version of WSL2. Run: uname -a
7. make KERNELRELEASE=$KERNELRELEASE -j 4
8. make KERNELRELEASE=$KERNELRELEASE modules -j 4
9. sudo make KERNELRELEASE=$KERNELRELEASE modules_install
10. (confirm you can see files under /lib/modules/$(uname -r))
11. sudo mount -t debugfs debugfs /sys/kernel/debug (for any apps that uses it since its not mounted by default)
@benjaminbuzek
Copy link

Thank you for the nice and well structured guide, worked without any issues for me. 😃

@cheneytianx
Copy link

cheneytianx commented Aug 16, 2022

Hi, @MetaT1an @satanshiro,

Have you tried using the following command

export KERNELRELEASE=$(uname -r)

to replace the original one in https://gist.github.com/MarioHewardt/5759641727aae880b29c8f715ba4d30f#file-enable_ebpf_on_wsl2-L15

For me, I can see the new content in /lib/modules/$(uname -r) after rebuilding the kernel.

The kernel KERNELRELEASE should have -WSL2 as the suffix.

@aminmiri
Copy link

@baoqger here is a hello-world i used, and it worked.


#!/usr/bin/python3
from bcc import BPF
from time import sleep

program = """
BPF_HASH(clones);

int hello_world(void *ctx) {
    u64 uid;
    u64 counter = 0;
    u64 *p;

    uid = bpf_get_current_uid_gid() & 0xFFFFFFFF;
    p = clones.lookup(&uid);
    if (p != 0){
        counter = *p;
    }

    counter++;
    clones.update(&uid, &counter);

    return 0;
}
"""

b = BPF(text=program)
clone = b.get_syscall_fnname("clone")
b.attach_kprobe(event=clone, fn_name="hello_world")
b.trace_print()

sleep(1000)

while True:
    sleep(2)
    s = ""
    if len(b["clones"].items()):
        for k,v in b["clones"].items():
            s += "ID {}: {}\t".format(k.value, v.value)
        print(s)
    else:
        print("No entries yet")

Here is a simpler one:

#!/usr/bin/python3  
from bcc import BPF

program = r"""
int hello(void *ctx) {
    bpf_trace_printk("Hello World!");
    return 0;
}
"""

b = BPF(text=program)
syscall = b.get_syscall_fnname("execve")
b.attach_kprobe(event=syscall, fn_name="hello")

b.trace_print()

then open a second terminal and run any linux command (ls, echo...etc) and you should see in the trace output Hello World

@Joly0
Copy link

Joly0 commented Oct 15, 2023

Can anyone give one hello-world demo to verify that bpf program can run on WSL2? In this way, we can troubleshoot that the issue is in bpf program aspect or wsl2 aspect?

Hi @baoqger, I have a mistake:

FAILED: load BTF from vmlinux: Unknown error -2make: *** [Makefile:1179: vmlinux] Error 255

Has that ever happened to you?

Hey, have you ever found a solution to this? I am having the same issue

@gambitaw
Copy link

Can anyone give one hello-world demo to verify that bpf program can run on WSL2? In this way, we can troubleshoot that the issue is in bpf program aspect or wsl2 aspect?

Hi @baoqger, I have a mistake:

FAILED: load BTF from vmlinux: Unknown error -2make: *** [Makefile:1179: vmlinux] Error 255

Has that ever happened to you?

Hey, habe you ever found a solution to this? I am having the same issue

Same :(

@NexViolentus
Copy link

I have been trying to unfuck this for several days. This is a tough son of a bitch to solve. I have followed several guides and still FAILED: load BTF from vmlinux: Unknown error -22make: *** [Makefile:1179: vmlinux] Error 255

@deadash
Copy link

deadash commented Jan 26, 2024

I successfully launched eBPF following the guide at https://learn.microsoft.com/en-us/community/content/wsl-user-msft-kernel-v6. However, I used Debian which required the installation of the following packages:

sudo apt install git python3 bc dwarves rsync

Additionally, to run the example Python code provided above, I had to install:

sudo apt install bpfcc-tools python3-bpfcc

Running it initially failed, but I managed to fix it by mounting debugfs with the command:

sudo mount -t debugfs debugfs /sys/kernel/debug

Finally, after opening a new Debian terminal, it printed the following:

b'           <...>-275     [004] d...1    91.948441: bpf_trace_printk: Hello World!'
b'            bash-276     [007] d...1    91.950385: bpf_trace_printk: Hello World!'
b'           <...>-277     [007] d...1    94.875099: bpf_trace_printk: Hello World!'

@Slach
Copy link

Slach commented Jan 26, 2024

@deadash thank you!

@NexViolentus
Copy link

It finally worked even after I tried several guides and got errors every time. I typed usbip and the menu appeared. I got my device to forward to the VM but I cant connect it to WSL1. I can only get WSL1 to work on the VM so im thinking about trying this with rasberrypi instead

@WCY-dt
Copy link

WCY-dt commented Mar 27, 2024

Hi, @MetaT1an @satanshiro,

Have you tried using the following command

export KERNELRELEASE=$(uname -r)

to replace the original one in https://gist.github.com/MarioHewardt/5759641727aae880b29c8f715ba4d30f#file-enable_ebpf_on_wsl2-L15

For me, I can see the new content in /lib/modules/$(uname -r) after rebuilding the kernel.

The kernel KERNELRELEASE should have -WSL2 as the suffix.

Thank you! It works!

@massoudasadi
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment