[Falco driver loader] falco-driver-loader on OpenShift 4.12 fails with "Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel"

[tosmi]

Describe the bug

Tried to install falco with the 3.8.0 helm chart on an OpenShift 4.12 cluster. Falco-driver-loader init container fails with

Makefile:1005: *** "Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel".  Stop.

Using a custom falco-driver-loader image with libelf-dev included fixes the problem and falco seems to work with the eBPF driver.

We documented our steps to get falco running here.

This is the initial values file we used for the helm chart:

driver:
  kind: ebpf

falco:
  json_output: true
  json_include_output_property: true
  log_syslog: false
  log_level: info

falcosidekick:
  enabled: true
  webui:
    enabled: true

After taking the steps mention here we used the following helm chart:

driver:
  kind: ebpf
  loader:
    initContainer:
      image:
        registry: quay.io
        repository: tosmi/falco-driver-loader
        tag: 0.36.1-libelf-dev

falco:
  json_output: true
  json_include_output_property: true
  log_syslog: false
  log_level: info

falcosidekick:
  enabled: true
  webui:
    enabled: true

quay.io/tosmi/falco-driver-loader:0.36.1-libelf-dev only includes libelf-dev. See the Dockerfile used to build the updated image.

How to reproduce it

Install falco with helm chart version 3.8.0 on OpenShift 4.12 and the values file above.

Expected behaviour

falco-driver-loader should compile the ebpf module.

Environment

• Falco version: Falco version: 0.36.1 (x86_64)

• System info: Tue Oct 24 06:02:40 2023: Falco version: 0.36.1 (x86_64) Tue Oct 24 06:02:40 2023: Falco initialized with configuration file: /etc/falco/falco.yaml Tue Oct 24 06:02:40 2023: Loading rules from file /etc/falco/falco_rules.yaml { "machine": "x86_64", "nodename": "falco-slx5k", "release": "4.18.0-372.73.1.el8_6.x86_64", "sysname": "Linux", "version": "#1 SMP Fri Sep 8 13:16:27 EDT 2023" }

• Cloud provider or hardware configuration: OpenShift 4.12 running on AWS

• OS: ID="rhcos" ID_LIKE="rhel fedora" VERSION="412.86.202309200923-0" VERSION_ID="4.12" PLATFORM_ID="platform:el8" PRETTY_NAME="Red Hat Enterprise Linux CoreOS 412.86.202309200923-0 (Ootpa)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:redhat:enterprise_linux:8::coreos" HOME_URL="https://www.redhat.com/" DOCUMENTATION_URL="https://docs.openshift.com/container-platform/4.12/" BUG_REPORT_URL="https://access.redhat.com/labs/rhir/" REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform" REDHAT_BUGZILLA_PRODUCT_VERSION="4.12" REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform" REDHAT_SUPPORT_PRODUCT_VERSION="4.12" OPENSHIFT_VERSION="4.12" RHEL_VERSION="8.6" OSTREE_VERSION="412.86.202309200923-0"

• Kernel: Linux ip-10-0-182-18 4.18.0-372.73.1.el8_6.x86_64 #1 SMP Fri Sep 8 13:16:27 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux

• Installation method: helm chart 3.8.0

[Andreagit97]

Ei @tosmi thank you for all the research! Have you tried to use the falco-driver-loader-legacy image? In falco 0.36 we changed the default falco-driver-loader image and the older image, meant for compatibility with older kernels (4.x and below), is currently retained as falcosecurity/falco-driver-loader-legacy. You can read more info in the official release blog post https://falco.org/blog/falco-0-36-0/. I'm saying that because looking at the dockerfile, libelf-dev seems already included https://github.com/falcosecurity/falco/blob/9eb611609a2876a5f5a5378e0613f0ff767f0d42/docker/driver-loader-legacy/Dockerfile#L34

[tosmi]

thanks for the quick update. i will re-test with the legacy image, sorry for this, but i'm new to the world of falco :-) i will also test the deployment of falco with openshift 4.13 because this is based on rhel 9 and comes with an updated kernel. will post my findings here. seems i should have read the release blog post before staring my adventure :-)

[Andreagit97]

don't worry! you are welcome!

[tosmi]

closing this, falco-driver-loader-legacy fixes the issue on OpenShift 4.12. See the release notes, especially the second point about kernel versions for more info. OpenShift 4.12 uses a 4.x (RHEL 8) kernel.