Troubleshooting
Problem
Linux Agent 0.60.0 version might return the error, "keeper.service: Main process exited, code=exited, status=4/NOPERMISSION" while registering the endpoint when the Linux system uses kernel modules instead of eBPF probe.
Symptom
Agent registration is successful. However, the endpoint shows out an outdated version warning in the ReaQta endpoint dashboard
Keeperx.service not running and failing to start
Keeperx.service not running and failing to start
Cause
When the agent is installed on a Linux system that uses kernel modules rather than an eBPF probe, it includes an unsigned Falco kernel module. If kernel module signing is set to
recommended
, the Falco kernel module does not load. In this case, you can force the module to load in this case.Diagnosing The Problem
Check the journalctl logs by typing the command:
journalctl -xef -u keeperx
, and search for the following messages: keeperx-loader.sh[5247]: Trying kernel module driver
keeperx-loader.sh[5247]: Your current kernel configuration does not require to load properly signed modules.
keeperx-loader.sh[5247]: However, the kernel will switch into 'tainted' state when loading unsigned modules
keeperx.service: Main process exited, code=exited, status=4/NOPERMISSION
An ExecStart= process belonging to unit keeperx.service has exited.
The process' exit code is 'exited' and its exit status is 4.
keeperx.service: Failed with result 'exit-code'.
Resolving The Problem
To resolve the
status=4/NOPERMISSION
error, complete the following steps: - Edit the /etc/reaqtahive.d/keeperx.env file, and add the following line to the end of it:
KMOD_IGNORE_TAINT=1
- Print the content of the keeperx.env file and make sure the line previously added is present there, by issuing the command:
cat/etc/reaqtahive.d/keeperx.env
- Reset any agent service errors by typing the following command:
sudo systemctl reset-failed keeperx
- Restart the agent service by typing the following command:
sudo systemctl restart keeper
Note: Forcing the module to load causes the kernel to mark itself as tainted. If this solution is not viable in your environment, do not follow these steps.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSVOEH","label":"IBM Security ReaQta"},"ARM Category":[{"code":"a8m3p000000hBSZAA2","label":"Agent-\u003EInstallation-\u003ELinux"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Product Synonym
ReaQta
Was this topic helpful?
Document Information
Modified date:
16 May 2023
UID
ibm16842417