falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

unable to find a prebuilt driver #3172

Open YAYAXZM opened 2 months ago

YAYAXZM commented 2 months ago

Describe the bug

When I used helm to deploy in the k8s cluster, I found this error and the falco-driver-loader container kept restarting.

kubectl logs falco-7bgdd -nfalco -c falco-driver-loader

FedeDP commented 2 months ago

Hi! Yes, we don't support tencentos prebuilt drivers. What is super weird here is that falcoctl is not able to fetch the kernel release you are running on. I don't know how tencentos is built, but we are just calling unix.Uname(&u): https://github.com/falcosecurity/falcoctl/blob/main/pkg/driver/kernel/kernel_linux.go#L37C13-L37C27 and it should work just fine. Can you share a uname -a from the node?

YAYAXZM commented 2 months ago

> Hi! Yes, we don't support tencentos prebuilt drivers. What is super weird here is that falcoctl is not able to fetch the kernel release you are running on. I don't know how tencentos is built, but we are just calling unix.Uname(&u): https://github.com/falcosecurity/falcoctl/blob/main/pkg/driver/kernel/kernel_linux.go#L37C13-L37C27 and it should work just fine. Can you share a uname -a from the node?

Linux VM-129-234-tencentos 5.4.119-19.0009.28 #1 SMP Thu May 18 10:37:10 CST 2023 x86_64 x86_64 x86_64 GNU/Linux

FedeDP commented 2 months ago

Thanks! So it seems like FromString is not correctly parsing the 5.4.119-19.0009.28 (and that is somewhat expected because it does not match our kernelVersionPattern regex). I will open a PR against driverkit to update the regex to accept this kind of kernel release. In the meantime, care to try using the modern-ebpf driver? (See https://github.com/falcosecurity/charts/tree/master/charts/falco#deploying-falco-in-kubernetes, modern eBPF probe section.)
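
Added example, not part of the thread and not driverkit's or falcoctl's code: a Go sketch of how a semver-style kernel release regex can reject the release reported above while a more tolerant one parses it. Both patterns and all names (`strictPattern`, `tolerantPattern`, `ParseKernelRelease`, `StrictAccepts`) are hypothetical, and the assumption that the zero-padded `0009` field is what a strict pattern trips on is mine, not confirmed by the thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// strictPattern is a constructed semver-style pattern (NOT driverkit's
// kernelVersionPattern): purely numeric fields may not carry leading zeros.
var strictPattern = regexp.MustCompile(
	`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)([-.+](0|[1-9]\d*|\d*[a-zA-Z][0-9a-zA-Z]*))*$`)

// tolerantPattern (also hypothetical) accepts any separator-delimited
// alphanumeric suffix, including zero-padded fields such as "0009".
var tolerantPattern = regexp.MustCompile(
	`^(?P<version>\d+)\.(?P<patchlevel>\d+)(?:\.(?P<sublevel>\d+))?(?P<extra>(?:[-.+~][0-9a-zA-Z_]+)*)$`)

// KernelRelease holds the fields of a `uname -r` style string.
type KernelRelease struct {
	Version, PatchLevel, SubLevel int
	Extra                         string // everything after the numeric triple
}

// StrictAccepts reports whether the constructed strict pattern matches.
func StrictAccepts(release string) bool { return strictPattern.MatchString(release) }

// ParseKernelRelease splits a release string using the tolerant pattern.
func ParseKernelRelease(release string) (KernelRelease, error) {
	m := tolerantPattern.FindStringSubmatch(release)
	if m == nil {
		return KernelRelease{}, fmt.Errorf("unparseable kernel release %q", release)
	}
	num := func(name string) int {
		n, _ := strconv.Atoi(m[tolerantPattern.SubexpIndex(name)]) // "" -> 0
		return n
	}
	return KernelRelease{num("version"), num("patchlevel"), num("sublevel"),
		m[tolerantPattern.SubexpIndex("extra")]}, nil
}

func main() {
	// Constructed sample list; the first value is the release from this thread.
	for _, r := range []string{"5.4.119-19.0009.28", "5.15.0-105-generic", "not-a-kernel"} {
		kr, err := ParseKernelRelease(r)
		fmt.Printf("%-22s strict=%-5v parsed=%+v err=%v\n", r, StrictAccepts(r), kr, err)
	}
}
```
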

YAYAXZM commented 2 months ago

Thanks!

Hi, I tried the new method you mentioned, but encountered new problems. My installation environment may be offline and I cannot access the external network. Can I download the index.yaml file and mount it in the directory?

{"level":"ERROR","msg":"unable to fetch index \"falcosecurity\" with URL \"https://falcosecurity.github.io/falcoctl/index.yaml\": unable to fetch index: cannot fetch index: Get \"https://falcosecurity.github.io/falcoctl/index.yaml\": proxyconnect tcp: net/http: TLS handshake timeout","timestamp":"2024-04-23 09:24:37"}

FedeDP commented 2 months ago

> Can I download the index.yaml file and mount it in the directory?

No, that's an internal index used internally by falcoctl. Invoking @alacuku to answer your question (i.e., how to run the falco chart without involving any external artifact installation).

YAYAXZM commented 1 month ago

Can this be solved by setting up a proxy?

Andreagit97 commented 1 month ago

Hey @YAYAXZM, have you tried this?

> In the meantime, care to try using modern-ebpf driver? (see https://github.com/falcosecurity/charts/tree/master/charts/falco#deploying-falco-in-kubernetes modern eBPF probe section)

If yes, can you report the error? This probe is bundled inside Falco, so if it works you have to download nothing.