falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

kernels not supported (similar to #1390) #1432

Closed balpreet-telnyx closed 3 years ago

balpreet-telnyx commented 4 years ago

Hi! I am having this similar issue on newer Ubuntu GCP kernels and CentOS 8 kernels - 5.4.0-1025-gcp, 4.18.0-193.6.3.el8 and the drivers are not available here

I am installing Falco in a container, so ideally, I'd like Falco to build the kernel module on the fly so my automation does not break (I confirmed that I have kernel-headers installed).

Another question - what's the purpose of falco-driver-loader? Can this be used to build newer drivers and, if yes, how?

Also used the driverkit project but not working as expected -

go run main.go docker --output-module /tmp/falco-1.ko --kernelversion=25 --kernelrelease=5.4.0-1025-gcp --driverversion=dev --target=ubuntu-generic
INFO driver building, it will take a few seconds   processor=docker
FATA exiting                                       error="specific kernel headers not found"
exit status 1

This worked though -

go run main.go docker --output-module /tmp/falco.ko --kernelversion=81 --kernelrelease=4.15.0-72-generic --driverversion=dev --target=ubuntu-generic
INFO driver building, it will take a few seconds   processor=docker
INFO kernel module available                       path=/tmp/falco.ko

balpreet-telnyx commented 4 years ago

/kind bug

leodido commented 4 years ago

Hello @balpreet-telnyx, please use the issue template when submitting new issues: it helps us in triaging the issues. It'd be very appreciated, thanks!

Anyways, driverkit does not support GCP kernels because it doesn't have a builder for them, and it doesn't know where to look for their kernel headers.

We welcome contributions to support such kernels, as usual 😃

Rather, the falcosecurity/falco-driver-loader image can be used to download (will not work in this case, since there are no prebuilt drivers for GCP kernels) or to build the driver on the fly for the current host kernel.

In the docs you can surely find guidance.

Otherwise, you could directly use the falco-driver-loader script (installed under /usr/bin when using packages, or just download it and use it), but you need to ensure your system already contains all the deps in this case (while the docker image above contains the toolchain).

balpreet-telnyx commented 4 years ago

@leodido Yea I can confirm driverkit does not support GCP kernels.

Another thing which I tested today is that installing Falco natively (using apt) builds the respective GCP module, but Falco dockerized does not build the module even if kernel-headers are installed.

rolfberkenbosch commented 3 years ago

We can confirm that we also have the same problems with CoreOS with the latest kernel. Because of this issue, the latest working version of RedHat Openshift is 4.5. Openshift 4.6 is using the new kernel which gives this problem. Is there any progression in debugging/fixing this issue?

fntlnz commented 3 years ago

@rolfberkenbosch - Thanks for bringing that up! Please open your own issue and fill the template you get when opening so that a maintainer/contributor can have a chance to understand.

I'm closing this since OP completely ignored our bug reporting template.

The prebuilt drivers service is a best-effort service that the project maintainers provide to the community. The best way to help get it working well for everyone is to fill bug reports that help maintainers.

rolfberkenbosch commented 3 years ago

Look for the solution on https://github.com/falcosecurity/falco/issues/1505