can't install falco in CentOS 7.9

[yf-0dyssey]

Describe the bug

I want to install falco in K8s using helm. I try the default and legacy driver but they all failed.

How to reproduce it

First I read the official document(https://falco.org/docs/event-sources/kernel/#requirements) .

Because kernal is 3.10.0 and default Kernel module is suit for me. I using the below command to install falco following official document (https://github.com/falcosecurity/charts/tree/master/charts/falco#daemonset). helm install falco falcosecurity/falco --create-namespace --namespace falco After helm install is Ok, I find the falco pod is failed. Below is the screenshot. I using the logs to check, it said "Error: error opening device /host/dev/falco0".

I read the offical document and find that It suggest using the legacy image if using an older kernel version.

So I tried using the command to install falco again. But after helm install finished I found that falco pod is still failed. helm install falco falcosecurity/falco --create-namespace --namespace falco --set driver.loader.initContainer.image.repository=falcosecurity/falco-driver-loader-legacy I using to logs to check and find the error info is the same. Below is the screenshot.

Pls help me find out the problem. Thanks a lot! I want to know which falco version I should use and which driver is suit for me. Because our production is using CentOS7.9 and kernal is also 3.10.0-1160.108.1.el7.x86_64. It's impossible to update kernal version.

PS:before install falco again I have helm uninstall it.

Environment

• Falco version: 0.38.2

• System info:

• OS: CentOS 7.9

• Kernel: 3.10.0-1160.el7.x86_64.

• Installation method: K8s using helm

Additional context

[yf-0dyssey]

I even tried other two driver mode（ebpf and modern ebpf），but they all failed. The falco pod can't start normally.

[yf-0dyssey]

@LucaGuerra @Andreagit97 @alacuku hi ，can anyone help me to solve this？ It confused me a very long time. Thank you all very much！

[alacuku]

Hey @yf-0dyssey, could you share the logs of the init container? It seems that we provide a precompiled module for your kernel version, check it out here: https://d20hasrqv82i0q.cloudfront.net/?prefix=driver/7.2.1%2Bdriver/x86_64/

[yf-0dyssey]

Hey @yf-0dyssey, could you share the logs of the init container? It seems that we provide a precompile module for your kernel version, check it out here: https://d20hasrqv82i0q.cloudfront.net/?prefix=driver/7.2.1%2Bdriver/x86_64/

Thank your reply. I have just try again using the epbf driver but it seems also failed. Below is the screenshot. I'll helm uninstall it and try the default driver again.

[alacuku]

I would suggest using the kernel module, and after that please provide the logs of the falco-driver-loader container.

[yf-0dyssey]

@alacuku yes . I using command(helm install falco falcosecurity/falco --create-namespace --namespace falco) and it's default driver(kernel module). It's right ? But falco pod still doesn't work. Below is the screetshot.

I also check the falco-driver-loader container log and paste as bleow. Pls check it. But it seems there is no any error info. [root@falco ~]# kubectl logs falco-hn2ts -c falco-driver-loader -n falco

• Setting up /usr/src links from host 2024-09-11 07:26:27 INFO Running falcoctl driver config ├ name: falco ├ version: 7.2.1+driver ├ type: kmod ├ host-root: /host └ repos: https://download.falco.org/driver 2024-09-11 07:26:27 INFO Committing driver config to k8s configmap └ namespace: falco 2024-09-11 07:26:27 INFO Storing falcoctl driver config 2024-09-11 07:26:27 INFO Running falcoctl driver install ├ driver version: 7.2.1+driver ├ driver type: kmod ├ driver name: falco ├ compile: true ├ download: true ├ target: centos ├ arch: x86_64 ├ kernel release: 3.10.0-1160.el7.x86_64 └ kernel version: #1 SMP Mon Oct 19 16:18:59 UTC 2020 2024-09-11 07:26:27 INFO Check if kernel module is still loaded. 2024-09-11 07:26:27 INFO OK! There is no module loaded. 2024-09-11 07:26:27 INFO Check all versions of kernel module in dkms. 2024-09-11 07:26:27 INFO OK! There are no module versions in dkms. 2024-09-11 07:26:27 INFO Trying to download a driver. └ url: https://download.falco.org/driver/7.2.1%2Bdriver/x86_64/falco_centos_3.10.0-1160.el7.x86_64_1.ko 2024-09-11 07:26:30 INFO Driver downloaded. └ path: /root/.falco/7.2.1+driver/x86_64/falco_centos_3.10.0-1160.el7.x86_64_1.ko 2024-09-11 07:26:30 INFO Success: module found and loaded in dkms. └ driver: /root/.falco/7.2.1+driver/x86_64/falco_centos_3.10.0-1160.el7.x86_64_1.ko [root@falco ~]#

[alacuku]

hey @yf-0dyssey, the kernel module has been correctly loaded.

Could you also share the Falco container logs?

[yf-0dyssey]

I describe the falco pod and think falco-driver-loader container works well. I also find the falcoctl-artifact-install container works well.

But I find the falco container doesn't work. So I check logs of falco container. Pls check it. [root@falco ~]# kubectl logs falco-hn2ts -c falco -n falco Wed Sep 11 07:47:58 2024: Falco version: 0.38.2 (x86_64) Wed Sep 11 07:47:58 2024: Falco initialized with configuration files: Wed Sep 11 07:47:58 2024: /etc/falco/falco.yaml Wed Sep 11 07:47:58 2024: System info: Linux version 3.10.0-1160.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Mon Oct 19 16:18:59 UTC 2020 Wed Sep 11 07:47:58 2024: Loading rules from file /etc/falco/falco_rules.yaml Wed Sep 11 07:47:58 2024: Hostname value has been overridden via environment variable to: falco Wed Sep 11 07:47:58 2024: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs) Wed Sep 11 07:47:58 2024: Starting health webserver with threadiness 2, listening on 0.0.0.0:8765 Wed Sep 11 07:47:58 2024: Loaded event sources: syscall Wed Sep 11 07:47:58 2024: Enabled event sources: syscall Wed Sep 11 07:47:58 2024: Opening 'syscall' source with Kernel module Wed Sep 11 07:47:58 2024: Trying to inject the Kernel module and opening the capture again... Wed Sep 11 07:47:58 2024: Unable to load the driver Wed Sep 11 07:47:58 2024: An error occurred in an event source, forcing termination... Events detected: 0 Rule counts by severity: Triggered rules by rule name: Error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco module is loaded: No such file or directory

[yf-0dyssey]

hey @yf-0dyssey, the kernel module has been correctly loaded.

Could you also share the Falco container logs?

Yes. I just paste the logs and upload the screenshot. Pls check them.

[alacuku]

Please uninstall falco and then install it running the following command:

helm install falco falcosecurity/falco \
    --namespace falco \
    --create-namespace \
    --set driver.kind=kmod

[yf-0dyssey]

Please uninstall falco and then install it running the following command:

helm install falco falcosecurity/falco \
    --namespace falco \
    --create-namespace \
    --set driver.kind=kmod

@alacuku Thanks you a lot ！ I really appreciate yours quick and patient instructions！ I tried using the --set driver.kind=kmod options and it works. The falco finally initialized normally.

Btw, I really want to consult you. Why it must using the --set driver.kind=kmod option explicitly. Does it use the kmod driver when using the helm install falco falcosecurity/falco --create-namespace --namespace falco command? I didn't find any description in official docs. :)

[alacuku]

Btw, I really want to consult you. Why it must using the --set driver.kind=kmod option explicitly. Does it use the kmod driver when using the helm install falco falcosecurity/falco --create-namespace --namespace falco command? I didn't find any description in official docs. :)

The default value is driver.kind=auto, meaning that the falco driver loader will pick up the best driver for your environment. In your case you are using an old kernel, that does not support the ebpf probes so it chooses to run it with the kmod. It turned out that we have a bug that is described and fixed here: https://github.com/falcosecurity/charts/pull/738. We are going to merge it by the end of the day.

[yf-0dyssey]

@alacuku OK . I understand and thanks you very much. I'll close this issue. Good Luck! :)