GCP VM kernels are not being discovered by the kernel-crawler

[IanRobertson-wpe]

Describe the bug

I was looking into why my GCP VMs aren't pulling in any pre-built kernels from downloads.falco.org. It seems like the kernel crawler isn't picking up "ubuntu-generic" version for GCP.

For example, Falco is looking for a driver https://download.falco.org/driver/2.0.0%2Bdriver/falco_ubuntu-generic_5.4.0-1083-gcp_91.o. I spent some time working with test-infra and driverkit and found the following config file works to generate the driver, but I don't see anything in https://raw.githubusercontent.com/falcosecurity/kernel-crawler/main/kernels/x86_64/list.json that looks similar to this config, with "ubuntu-generic" and "-gcp".

kernelversion: 91 kernelrelease: 5.4.0-1083-gcp target: ubuntu-generic architecture: amd64 output: module: output/39ae7d40496793cf3d3e7890c9bbdc202263836b/falco_ubuntu-generic_5.4.0-1083-gcp_91.ko probe: output/39ae7d40496793cf3d3e7890c9bbdc202263836b/falco_ubuntu-generic_5.4.0-1083-gcp_91.o kernelurls: ["http://security.ubuntu.com/ubuntu/pool/main/l/linux-gcp/linux-gcp-headers-5.4.0-1083_5.4.0-1083.91_amd64.deb","http://security.ubuntu.com/ubuntu/pool/main/l/linux-gcp/linux-headers-5.4.0-1083-gcp_5.4.0-1083.91_amd64.deb","http://mirrors.edge.kernel.org/ubuntu/pool/main/l/linux-gcp/linux-gcp-headers-5.4.0-1083_5.4.0-1083.91_amd64.deb","http://mirrors.edge.kernel.org/ubuntu/pool/main/l/linux-gcp/linux-headers-5.4.0-1083-gcp_5.4.0-1083.91_amd64.deb"]

For reference, a uname -r on an example system returns 5.4.0-1083-gcp, and a uname -a returns Linux hostname 5.4.0-1083-gcp #91~18.04.1-Ubuntu SMP Mon Jul 11 10:24:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux.

How to reproduce it

1. Create a GCP Compute Engine VM using Ubuntu 5.4+ (other versions may be applicable as well).
2. Observe the kernel version reported via uname -a.
3. Observe no configs by kernel-crawler are produced with that pattern ubuntu-generic_a.b.c-d-gcp_e.

Expected behaviour

Kernel-crawler should detect this flavor and generate driver config files so that the drivers can be built and populated in the download repo.

Screenshots

N/A

Environment

• Falco version: 0.31.1
• System info: { "machine": "x86_64", "nodename": "hostname", "release": "5.4.0-1083-gcp", "sysname": "Linux", "version": "#91~18.04.1-Ubuntu SMP Mon Jul 11 10:24:10 UTC 2022" }
• Cloud provider or hardware configuration: GCP Compute Engine
• OS: Ubuntu 18.04.6 LTS
• Kernel: Linux hostname 5.4.0-1083-gcp #91~18.04.1-Ubuntu SMP Mon Jul 11 10:24:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
• Installation method: deb

Additional context

[FedeDP]

I think the issue is that at the moment, driverkit (and therefore kernel-crawler) only supports ubuntu-generic and ubuntu-aws.

On kernel-crawler and driverkit, the issue is now gone (ie: we support all ubuntu flavors) thanks to #29 and https://github.com/falcosecurity/driverkit/pull/161 . But we have still to find an agreement about what to do in test-infra; we have an open PR: https://github.com/falcosecurity/test-infra/pull/772.

So, basically, this issue should solve itself once we manage to completely fix our ubuntu support in test-infra, and a new version of driverkit is then released.

Indeed, latest crawled kernels(https://raw.githubusercontent.com/falcosecurity/kernel-crawler/6619cf9f7e3e02f2b1ab58426a5cea05a9e04fd3/kernels/x86_64/list.json) have this entry:

 {
      "kernelversion": "91",
      "kernelrelease": "5.4.0-1083-gcp",
      "target": "ubuntu",
      "headers": [
        "http://mirrors.edge.kernel.org/ubuntu/pool/main/l/linux-gcp/linux-headers-5.4.0-1083-gcp_5.4.0-1083.91_amd64.deb",
        "http://security.ubuntu.com/ubuntu/pool/main/l/linux-gcp/linux-gcp-headers-5.4.0-1083_5.4.0-1083.91_amd64.deb",
        "http://mirrors.edge.kernel.org/ubuntu/pool/main/l/linux-gcp/linux-gcp-headers-5.4.0-1083_5.4.0-1083.91_amd64.deb",
        "http://security.ubuntu.com/ubuntu/pool/main/l/linux-gcp/linux-headers-5.4.0-1083-gcp_5.4.0-1083.91_amd64.deb"
      ]
    },

(this is taken from the bot - opened PR).

[FedeDP]

I think this issue is already solved, but i will leave this open as a remainder to fix test-infra asap :)

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[poiana]

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

[poiana]

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/kernel-crawler/issues/37#issuecomment-1396694802): >Rotten issues close after 30d of inactivity. > >Reopen the issue with `/reopen`. > >Mark the issue as fresh with `/remove-lifecycle rotten`. > >Provide feedback via https://github.com/falcosecurity/community. >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.