falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0
7.16k stars 884 forks

Falco stops working after kernel version upgrade from 5.13.0-39-generic to 5.15.0-46-generic #2254

Closed eminaktas closed 1 year ago

eminaktas commented 1 year ago

Describe the bug

Falco stops working after kernel upgrade.

How to reproduce it

Falco was running in a virtual machine with the 5.13.0-39-generic kernel version. Afterwards, we upgraded the kernel version to 5.15.0-46-generic. Then the pods started failing.

Expected behaviour

We expected Falco to be able to load the kernel driver from /lib/modules. However, it couldn't, and it tries to download it from this site: https://download.falco.org/driver/3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4/falco_ubuntu-generic_5.15.0-46-generic_49.ko

Environment

The versions are taken from a working Falco which was still running on the 5.13.0-30-generic kernel.

Additional context

FedeDP commented 1 year ago

Hi! If you upgraded the running kernel, the Falco driver needs to be upgraded as well (i.e. rebuilt). For the moment, we are not able to provide prebuilt drivers for Linux 5.10+, but things will change once https://github.com/falcosecurity/test-infra/pull/868 is merged. Moreover, as you can see, your kernel is actually discovered by kernel-crawler: https://falcosecurity.github.io/kernel-crawler/?arch=x86_64&target=Ubuntu (search for 5.15.0-46). Btw, this is more of an issue with Falco than with driverkit; I will transfer it.

jasondellaluce commented 1 year ago

On top of what @FedeDP said, I'd also add that pre-built drivers are made available on a best-effort basis, and we support the driver versions of the last 3 releases. This means that starting from Falco 0.33 (available in a few days), you'll have to build your kernel module manually. I suggest trying to update to Falco 0.33.0 once it's out, if that's an option for you. Updates about the upcoming release can be found here, in our official communication channels, and during our community calls.

Dentrax commented 1 year ago

For 5.13.0-39-generic, upgrading the kernel headers to the current version fixed the issue (thanks to @terylt):

```shell
# install the headers for the running kernel
sudo apt install "linux-headers-$(uname -r)"
# ensure the correct headers are placed there
ls /usr/src/
```

It doesn't need a reboot. But I think this is not the right way to do it. It would be better to download the pre-compiled driver from download.falco.org.

I think people have opened similar issues:

Maybe we should move this issue to the troubleshooting guide (if there is one already) for awareness. Wdyt?
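
A pre-flight check for the situation discussed in this thread, added here as an example; it is not code from the issue's participants or from Falco's own scripts. It assumes an installed module is a file named `falco*.ko*` under `/lib/modules/<release>`, and that the trailing number in the driver URL quoted above is the `#NN` build number from `uname -v`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: can Falco's kernel module be loaded or rebuilt for a kernel release?

# File name of the prebuilt driver, following the URL pattern quoted in the issue:
#   falco_<target>_<kernel release>_<build number>.ko
# Assumption: the trailing number is the "#NN" prefix of `uname -v`.
# $1 = target (e.g. ubuntu-generic), $2 = uname -r, $3 = uname -v
driver_filename() {
    build=$(printf '%s\n' "$3" | sed -n 's/^#\([0-9][0-9]*\).*/\1/p')
    [ -n "$build" ] || return 1
    printf 'falco_%s_%s_%s.ko\n' "$1" "$2" "$build"
}

# Prints one of: module-present, headers-present, headers-missing.
# $1 = filesystem root ("" on a live host), $2 = kernel release (uname -r)
driver_status() {
    moddir="$1/lib/modules/$2"
    # Assumption: an installed module is a regular file named falco*.ko*
    # somewhere under the release's module directory.
    if [ -d "$moddir" ] &&
       find "$moddir" -name 'falco*.ko*' -type f 2>/dev/null | grep -q .; then
        echo module-present
    elif [ -d "$moddir/build/" ]; then
        # "build" normally links to /usr/src/linux-headers-<release>; after a
        # kernel upgrade without headers it is absent or a dangling symlink.
        echo headers-present
    else
        echo headers-missing
    fi
}

# Report for the running kernel.
release=$(uname -r)
case $(driver_status "" "$release") in
    module-present)  echo "falco module found for $release" ;;
    headers-present) echo "no falco module for $release; headers installed, driver can be rebuilt" ;;
    headers-missing) echo "no falco module for $release; install linux-headers-$release first" ;;
esac
# The target is hard-coded to the one in the issue's URL (Ubuntu generic kernels).
if name=$(driver_filename ubuntu-generic "$release" "$(uname -v)"); then
    echo "prebuilt driver name: $name"
fi
```

Running it from a node health check after each kernel upgrade shows the missing-headers case before the Falco pods start failing.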

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 1 year ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

FedeDP commented 1 year ago

/remove-lifecycle rotten

Hi! We do now support building drivers for kernels > 5.10 ;) Is this still an issue?

See: https://download.falco.org/driver/site/index.html?lib=4.0.0%2Bdriver&target=ubuntu-generic&arch=all&kind=all

poiana commented 1 year ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana commented 1 year ago

@poiana: Closing this issue.
