falcosecurity / test-infra

Falco workflow & testing infrastructure
https://prow.falco.org
Apache License 2.0
31 stars, 110 forks

[Missing Driver] falco_amazonlinux2_5.4.219-126.411.amzn2.x86_64_1.ko #908

Closed danielc103 closed 1 year ago

danielc103 commented 1 year ago

Describe the bug

Falco pod is failing to run (start) due to a missing driver.

https://download.falco.org/?prefix=driver/2.0.0%2Bdriver/x86_64/

Error log

falco-driver-loader * Looking for a falco module locally (kernel 5.4.219-126.411.amzn2.x86_64)
falco-driver-loader * Trying to download a prebuilt falco module from https://download.falco.org/driver/2.0.0%2Bdriver/x86_64/falco_amazonlinux2_5.4.219-126.411.amzn2.x86_64_1.ko
falco-driver-loader curl: (22) The requested URL returned error: 404
falco-driver-loader Unable to find a prebuilt falco module

How to reproduce it

Create pod(s) on new AMI with updated kernel.

Expected behaviour

Successfully download and install prebuilt module.

Environment

eks - v1.22.15

idoajfrog commented 1 year ago

+1 I'm experiencing a similar issue, falco_amazonlinux2_5.4.219-126.411.amzn2.x86_64_1.o driver is missing on aws eks.

* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.31.1, driver version=b7eb0dd65226a8dc254d228c8d950d07bf3521d2
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Mounting debugfs
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/b7eb0dd65226a8dc254d228c8d950d07bf3521d2/falco_amazonlinux2_5.4.219-126.411.amzn2.x86_64_1.o
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco eBPF probe
* Trying to compile the eBPF probe (falco_amazonlinux2_5.4.219-126.411.amzn2.x86_64_1.o)
make[1]: *** /lib/modules/5.4.219-126.411.amzn2.x86_64/build: No such file or directory.  Stop.
make: *** [Makefile:20: all] Error 2
mv: cannot stat '/usr/src/falco-b7eb0dd65226a8dc254d228c8d950d07bf3521d2/bpf/probe.o': No such file or directory
Unable to load the falco eBPF probe
2022-11-20T12:27:25+0000: Falco version 0.31.1 (driver version b7eb0dd65226a8dc254d228c8d950d07bf3521d2)
2022-11-20T12:27:25+0000: Falco initialized with configuration file /etc/falco/falco.yaml
2022-11-20T12:27:25+0000: Loading rules from file /etc/falco/rules.d/falco_rules_modified.yaml:
2022-11-20T12:27:25+0000: Loading rules from file /etc/falco/rules.d/jfrog_rules.yaml:
Rules match ignored syscall: warning (ignored-evttype):
         loaded rules match the following events: access,brk,close,cpu_hotplug,drop,epoll_wait,eventfd,fcntl,fstat,fstat64,futex,getcwd,getdents,getdents64,getegid,geteuid,getgid,getpeername,getresgid,getresuid,getrlimit,getsockname,getsockopt,getuid,infra,k8s,llseek,lseek,lstat,lstat64,mesos,mmap,mmap2,mprotect,munmap,nanosleep,notification,page_fault,poll,ppoll,pread,preadv,procinfo,pwrite,pwritev,read,readv,recv,recvmmsg,select,semctl,semget,semop,send,sendfile,sendmmsg,setrlimit,shutdown,signaldeliver,splice,stat,stat64,switch,sysdigevent,timerfd_create,write,writev;
         but these events are not returned unless running falco with -A
2022-11-20T12:27:25+0000: Unable to load the driver.
2022-11-20T12:27:25+0000: Runtime error: can't open BPF probe '/root/.falco/falco-bpf.o': Errno 2. Exiting.
Stream closed EOF for jfrog-saas-prod-apse1-falco/jfrog-saas-prod-apse1-falco-925qj (falco)

danielc103 commented 1 year ago

seems there was a PR for this that went stale?

https://github.com/falcosecurity/test-infra/pull/900

dienbio commented 1 year ago

Having the same issue. PR #900 has these drivers, but the driver does not appear here yet: https://download.falco.org/?prefix=driver/3.0.1%2Bdriver/x86_64/

maxgio92 commented 1 year ago

Hi all, thanks for opening an issue and sorry for the late response.

At the moment, the currently supported driver versions for the prebuilt drivers are:

E.g., I see that for the latest version (v3.0.1) of the driver, it is distributed for the kernel amazonlinux2 5.4.219-126.411.amzn2.x86_64_1:

Is there something else we could help with @danielc103 @idoajfrog @dienbio?

Thank you fo

danielc103 commented 1 year ago

Thank you @maxgio92

If I wanted to contribute in the future for adding new kernels, how would I go about doing that?

maxgio92 commented 1 year ago

Hey @danielc103, thank you!

You can generate configurations for new kernel releases to build drivers this way:

The configurations are then consumed by driverkit in our CI. You can find more info in the FAQ here.

You can find examples of configurations in this repository, at the paths: driverkit/config/<driver version>/<architecture>/<linux distribution>_<kernel release name>_<kernel build version>.yaml files.

maxgio92 commented 1 year ago

In the meantime @danielc103 here https://github.com/falcosecurity/test-infra/pull/924 you can find a PR to improve this documentation :-)

idoajfrog commented 1 year ago

Hi @maxgio92, Thanks for the help and sorry for the delay! It looks like even though the driver is available Falco pods can pull it, The URL that I'm getting in the logs is - https://download.falco.org/driver/b7eb0dd65226a8dc254d228c8d950d07bf3521d2/falco_amazonlinux2_5.4.219-126 I'm getting 404 from it. Is it related to the app configuration?
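
Added example, not part of the thread and not Falco project code: it parses the prebuilt-driver URLs from the loader logs quoted above into driver version, architecture and build target, maps them onto the `driverkit/config/...` path layout described by maxgio92, and lists requests whose driver version is not in a given set of built versions. The log lines are copied from the thread as sample input; the function names, the `built_versions` set and the assumption that distribution names contain no underscore are mine.

```python
import re
from urllib.parse import unquote

# Sample input: the two download attempts quoted in the thread's logs.
SAMPLE_LOG = """\
falco-driver-loader * Trying to download a prebuilt falco module from https://download.falco.org/driver/2.0.0%2Bdriver/x86_64/falco_amazonlinux2_5.4.219-126.411.amzn2.x86_64_1.ko
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/b7eb0dd65226a8dc254d228c8d950d07bf3521d2/falco_amazonlinux2_5.4.219-126.411.amzn2.x86_64_1.o
"""

URL_RE = re.compile(r"https://download\.falco\.org/driver/(\S+)")
# Assumption: the distribution name itself contains no underscore.
NAME_RE = re.compile(r"^falco_([^_]+)_(.+)_(\d+)\.(ko|o)$")


def parse_requests(log_text):
    """Return one dict per prebuilt-driver URL the loader tried to fetch."""
    requests = []
    for match in URL_RE.finditer(log_text):
        parts = unquote(match.group(1)).split("/")
        m = NAME_RE.match(parts[-1])
        if m is None or len(parts) not in (2, 3):
            continue  # truncated or unexpected URL: do not guess its fields
        distro, release, build, ext = m.groups()
        requests.append({
            "driver_version": parts[0],
            "arch": parts[1] if len(parts) == 3 else None,
            "target": f"{distro}_{release}_{build}",
            "kind": "kmod" if ext == "ko" else "ebpf",
        })
    return requests


def config_path(req):
    """driverkit config path for a request, using the layout given in the thread."""
    if req["arch"] is None:
        return None  # this URL form carries no architecture directory
    return f"driverkit/config/{req['driver_version']}/{req['arch']}/{req['target']}.yaml"


def unserved(requests, built_versions):
    """Requests whose driver version is not among those built for the kernel."""
    return [r for r in requests if r["driver_version"] not in built_versions]


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_LOG)
    for r in reqs:
        print(r["kind"], r["driver_version"], config_path(r))
    # Constructed input: the driver version named in the thread as built.
    print(unserved(reqs, {"3.0.1+driver"}))
```

The driver version in each URL comes from the Falco build running in the pod (the second log shows falco 0.31.1 requesting `b7eb0dd...`), so a kernel built for one driver version does not satisfy a request made under another.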