falcosecurity / charts

Community managed Helm charts for running Falco with Kubernetes
Apache License 2.0

Falco not able to build driver module #195

Closed shashwat-sec closed 3 years ago

shashwat-sec commented 3 years ago

Falco not able to load driver module. Getting the below error:

```
* Setting up /usr/src links from host
* Running falco-driver-loader with: driver=module, compile=yes, download=yes
* Unloading falco module, if present
* Trying to dkms install falco module
* Running dkms build failed, couldn't find /var/lib/dkms/falco/ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7/build/make.log
* Trying to load a system falco driver, if present
* Trying to find locally a prebuilt falco module for kernel 4.14.209-160.339.amzn2.x86_64, if present
* Trying to download prebuilt module from https://dl.bintray.com/falcosecurity/driver/ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7/falco_amazonlinux2_4.14.209-160.339.amzn2.x86_64_1.ko
curl: (22) The requested URL returned error: 404 Not Found
Download failed, consider compiling your own falco module and loading it or getting in touch with the Falco community
Sun Feb 21 15:35:19 2021: Falco version 0.25.0 (driver version ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7)
Sun Feb 21 15:35:19 2021: Falco initialized with configuration file /etc/falco/falco.yaml
Sun Feb 21 15:35:19 2021: Loading rules from file /etc/falco/falco_rules.yaml:
Sun Feb 21 15:35:20 2021: Loading rules from file /etc/falco/falco_rules.local.yaml:
Sun Feb 21 15:35:21 2021: Unable to load the driver.
Sun Feb 21 15:35:21 2021: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco module is loaded.. Exiting.
```

- AWS EKS 1.18
- OS Image: Amazon Linux 2
- Kernel version: 4.14.209-160.339.amzn2.x86_64

leogr commented 3 years ago

You need to update Falco to the latest version since the prebuilt repository has been moved to https://download.falco.org/

Alternatively, if you want to stick with Falco 0.25.0, you can manually set the env var `DRIVERS_REPO` to https://download.falco.org/

N.B.: It has been changed since Falco 0.26.2, you can find more detail here :point_down: https://falco.org/blog/falco-0-26-2/

irivera007 commented 3 years ago

What worked for me was to enable ebpf; setting that to true resolved the download issue. Seems like for version .27 we need to enable that for GKE.

leogr commented 3 years ago

> What worked for me was to enable ebpf; setting that to true resolved the download issue. Seems like for version .27 we need to enable that for GKE.

Enabling ebpf is always required for GKE: https://falco.org/docs/getting-started/third-party/production/#gke

But it seems to be not related to the issue reported by @shashwat-sec

shashwat-sec commented 3 years ago

@leogr Installing kernel-devel utilities on the node worked for me.

```
yum -y install kernel-devel-$(uname -r)
```

leogr commented 3 years ago

> @leogr Installing kernel-devel utilities on the node worked for me.
>
> `yum -y install kernel-devel-$(uname -r)`

:+1: That works too, since by doing so the script is able to compile the driver, and there is no need to download the prebuilt one.
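
The two driver paths discussed in this thread (compile against kernel headers, or fetch a prebuilt module from `DRIVERS_REPO`), as an added shell example that is not part of the thread or of falco-driver-loader. The URL layout is inferred from the logged download attempt; the function names, `HOST_ROOT`, `TARGET_ID` and the `/host` mount prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not falco-driver-loader code): report which driver path is open.
# Sample values are copied from the log in the issue.

# URL layout as seen in the logged download attempt:
#   <repo>/<driver version>/falco_<target>_<kernel release>_<kernel build no.>.ko
prebuilt_url() {  # $1 repo  $2 driver version  $3 target  $4 release  $5 build no.
    printf '%s/%s/falco_%s_%s_%s.ko\n' "${1%/}" "$2" "$3" "$4" "$5"
}

# kernel-devel on Amazon Linux 2 installs headers under /usr/src/kernels/<release>.
# $2 is a root prefix: "" on the node, "/host" where the host /usr is mounted
# (assumption about the pod's mounts).
have_headers() {  # $1 release  $2 root prefix
    [ -f "$2/usr/src/kernels/$1/Makefile" ]
}

# Prints "compile" when headers are present, otherwise "download <url>".
driver_plan() {  # $1 root  $2 repo  $3 driver version  $4 target  $5 release  $6 build no.
    if have_headers "$5" "$1"; then
        echo "compile"
    else
        echo "download $(prebuilt_url "$2" "$3" "$4" "$5" "$6")"
    fi
}

# Optional online check; -f makes curl exit 22 on a 404, as in the log.
prebuilt_available() { curl -fsSLI -o /dev/null "$1"; }

# Demo for the current host. DRIVERS_REPO defaults to the retired base from the
# log, so the output reproduces the failing URL; override it as the reply suggests.
REPO="${DRIVERS_REPO:-https://dl.bintray.com/falcosecurity/driver}"
DRIVER_VERSION="ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7"
TARGET="${TARGET_ID:-amazonlinux2}"
RELEASE="$(uname -r)"
# Build number is the "#N" prefix of `uname -v` (the "_1" in the logged filename).
BUILD_NO="$(uname -v | sed 's/^#\([0-9][0-9]*\).*/\1/')"
driver_plan "${HOST_ROOT:-}" "$REPO" "$DRIVER_VERSION" "$TARGET" "$RELEASE" "$BUILD_NO"
```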
