search

falcosecurity / test-infra

Falco workflow & testing infrastructure
https://prow.falco.org
Apache License 2.0
31 stars 109 forks source link

Fail to download falco-probe module for falco v_0.22.1 #119

Closed rahul-kr4604 closed 4 years ago

rahul-kr4604 commented 4 years ago

As I install the Falco using DaemonSet (DS) on OCP cluster (platform RHCOS), DS creates the pods at each node, but state of Pods are CrashLoopBackOff. When I check the logs for pod I got the below logs:

Your kernel headers for kernel 3.10.0-1127.el7.x86_64 cannot be found at /lib/modules/3.10.0-1127.el7.x86_64/build or /lib/modules/3.10.0-1127.el7.x86_64/source.

Falco version: 0.22.1 Driver version: a259b4bf49c3330d9ad6c3eed9eb1a31954259a6

uname -r

4.18.0-147.5.1.el8_1.x86_64

As module is not present at specified URL in the above log.

I referred the installation steps given at: https://falco.org/docs/installation/

leodido commented 4 years ago

The drivers build grid has been moved to https://dl.bintray.com/falcosecurity/driver

Anyway, there is something I am not getting: why the probe the old script is looking for 3.10.0-1127.el7.x86_64 while you report uname -r is 4.18.0-147.5.1.el8_1.x86_64

Which is the kernel you are on?

rahul-kr4604 commented 4 years ago

I am using kernel 4.18.0-147.5.1.el8_1.x86_64.

When I installed this on minikube, it installed smoothly.

fntlnz commented 4 years ago

Pre-compiled modules are a best-effort service that the Falco maintainers provide to the OSS community.

As @leodido mentioned, for technical reasons, the build of pre-compiled modules was stopped between 0.18.0 and 0.22.1 - we are planning on getting that feature back with the next release.

Last but not least, we had a survey to ask our community what operating systems to prioritize a while back and RHCOS wasn't mentioned. CoreOS was but with only 4 votes.

What is a good workaround?

Both the kernel you mentioned (I'm confused on what is the right one, maybe you didn't share the right folder in your container) can build the Falco driver.

You can follow the instructions here to build it from source.

What you can do to help us achieve this?

Having a driverkit builder for the operating system you are wanting would be a great way for you to be involved in the Falco project. You can start a thread in our mailing list and directly mention me for pointers, in the meanwhile look here.

fntlnz commented 4 years ago

I moved this issue to test-infra, the main Falco project is not responsible for the driver build procedure.

rahul-kr4604 commented 4 years ago

Thanks for your reply!!

As @leodido mentioned, for technical reasons, the build of pre-compiled modules was stopped between 0.18.0 and 0.22.1 - we are planning on getting that feature back with the next release.

If I install Falco version below v0.18.0, will it be able to get the pre-compiled module during installation.

I'm confused on what is the right one, maybe you didn't share the right folder in your container

As kernel version mentioned in "uname -r" is the kernel version of master node in the cluster. The log attached in above comment, is about the pod created on the worker node in the cluster, which has kernel version 3.10.0-1127.el7.x86_64, so the configuration was correct.

You can follow the instructions here to build it from source.

I will try to install Falco from source code.

What you can do to help us achieve this?

Having a driverkit builder for the operating system you are wanting would be a great way for you to be involved in the Falco project. You can start a thread in our mailing list and directly mention me for pointers, in the meanwhile look here.

I have joined the CNCF Falco group.

NissesSenap commented 4 years ago

Any updates on this?

rahul-kr4604 commented 4 years ago

I have built the kernel module from source, it is working fine. So closing this issue.