Closed HarishKM7 closed 1 year ago
Having the same issue. I was able to go into the admin container in BottleRocket, pull the source, and build through cmake, and then pull the precompiled probe.o from an S3 bucket (which you can check out here if so desired), but then I got the following error:
`Error: invalid filler name: sys_epoll_create_e`
And it crashloops. I see a similar issue from a while ago on an AL2 build that was fixed by this PR, so hopeful that this can be resolved as well.
Hi! Sorry for the long delay!
@maynardflies I think you built libs master and you want to run it against Falco 0.33 libs?
We added `sys_epoll_create` support in the meantime, but Falco isn't built with the libs that support it.
So, you should build the driver at the `3.0.1+driver` tag, that is the one used by Falco 0.33.
@HarishKM7 weird!
Given your output, it seems like dep file `.exec-cmd.o.d` is not present:
```
exec-cmd.c:210:1: fatal error: opening dependency file /host/usr/src/kernels/5.10.135/tools/objtool/.exec-cmd.o.d: Permission denied
}
bash-5.1# ls -al /usr/src/kernels/5.10.135/tools/objtool/ | grep exec
-rw-r--r--. 1 root root 5284 Nov 9 05:14 .exec-cmd.o.cmd
-rw-r--r--. 1 root root 156576 Nov 9 05:14 exec-cmd.o
```
But I never saw this issue before. I will play around with it to see if we need any fix!
Note: we do not support pre-built drivers for Bottlerocket, since it is not yet supported by kernel-crawler and driverkit.
PS: we will gladly accept any PR in that direction though :)
/assign
Did you read https://github.com/bottlerocket-os/bottlerocket/issues/862? It seems like it answers many questions!
And this comment too: https://github.com/bottlerocket-os/bottlerocket/issues/2275#issuecomment-1186315503
I started the work to add support for bottlerocket to our infra: https://github.com/falcosecurity/kernel-crawler/pull/79. Basically, we need 3 pieces glued together:
I will keep you updated about any news!
Sorry about the delay on this answer. Yes, I have read this thread many times :) The results don't match it anymore, presumably because many versions of both BR and Falco have been released since Mar 2020-Jan 2021 and that functionality has broken.
On Tue, Dec 6, 2022 at 8:37 AM Federico Di Pierro @.***> wrote:
Did you read bottlerocket-os/bottlerocket#862 https://github.com/bottlerocket-os/bottlerocket/issues/862? It seems like it answers many questions!
Not sure I saw this one
On Tue, Dec 6, 2022 at 8:43 AM Federico Di Pierro @.***> wrote:
And this comment too: bottlerocket-os/bottlerocket#2275 (comment) https://github.com/bottlerocket-os/bottlerocket/issues/2275#issuecomment-1186315503
The aforementioned comment (https://github.com/bottlerocket-os/bottlerocket/issues/2275#issuecomment-1186315503) is coming from a July thread, so not that far away (possibly with Falco 0.33)!
Yes and I can confirm with that setup, the build does work (albeit with some compilation warnings in falco-driver-loader) and the pods come up clean in the helm chart approach. Obviously we want to try and bake this straight into the machine image to avoid privileged pods as much as possible but this is a good step forward
Given latest kernel-crawler output: https://github.com/falcosecurity/kernel-crawler/pull/79#issuecomment-1348155276, I was able to correctly build kmod and eBPF probe using patched driverkit: https://github.com/falcosecurity/driverkit/pull/239.
I also updated Falco driver-loader script to correctly manage bottlerocket: https://github.com/falcosecurity/falco/pull/2318.
Everything is still WIP because I've yet to test everything on a real bottlerocket instance.
Next kernel-crawler run will discover bottlerocket kernels; next, once driverkit PR is merged, we will need to tag a new driverkit release, bump driverkit in test-infra and add test-infra config for bottlerocket jobs ;)
We now have bottlerocket entries in kernel-crawler generated json: https://falcosecurity.github.io/kernel-crawler/?arch=x86_64&target=BottleRocket.
OK, everything is now in place! :rocket: Drivers will start being built next Monday, but your falco-driver-loader script won't be able to retrieve them because some changes were needed to it. You will need Falco 0.34, which is expected to be released around the end of January ;)
awesome news! We will absolutely check it out as soon as 0.34 drops :) Thanks for the great work!
Falco 0.34 is out, and should work out of the box on Bottlerocket! :rocket: If you are able to test, we might want to close this one ;)
(You can see currently provided driver here: https://download.falco.org/driver/site/index.html?lib=4.0.0%2Bdriver&target=bottlerocket&arch=all&kind=all)
@HarishKM7 any news? :) Thank you!
Thanks for the fix everyone. Unfortunately, I won't be able to test it at least for the next few weeks. I'll try to test & reply as soon as I can. 🙂
Falco Helm chart version 3.1.2 installed successfully on Amazon EKS 1.24 with Bottlerocket 1.12 worker nodes & these Helm value overrides:
```yaml
driver:
  kind: ebpf
falcosidekick:
  enabled: true
  webui:
    enabled: true
    ingress:
      enabled: true
      hosts:
        - host: ...
          paths:
            - path: /
```
Bug Description
The `falco-driver-loader` init container of the `falco` pod tries to compile an eBPF probe & fails.
Steps to Reproduce
Check logs of the `falco-driver-loader` init container of the `falco` pod.
Expected Behaviour
Actual Behaviour
The `falco-driver-loader` init container of the `falco` pod fails with these logs:
Relevant info from a BottleRocket EKS worker node:
Environment
Falco Helm Chart Version: 2.2.0
Falco App Version: 0.33.0
Amazon EKS Kubernetes Version: 1.23
BottleRocket AMI Version: 1.10.1-5d27ae74