falcosecurity/kernel-crawler

[Feature] compile driver for Digitalocean k8s and provide it to download.falco.org

rzemykers opened this issue · 22 comments

Motivation

At this moment I can't install falco in k8s in Digitalocean because there is no driver for kernel version in download.falco.org

Feature

Please provide the module falco_debian_5.18.0-0.deb11.4-amd64_1 on download.falco.org.

Alternatives

There are no alternatives, because in k8s as a service you can't install linux-headers.

Additional context

```
* Filename 'falco_debian_5.18.0-0.deb11.4-amd64_1.ko' is composed of:
 - driver name: falco
 - target identifier: debian
 - kernel release: 5.18.0-0.deb11.4-amd64
 - kernel version: 1
* Trying to download a prebuilt falco module from https://download.falco.org/driver/4.0.0%2Bdriver/x86_64/falco_debian_5.18.0-0.deb11.4-amd64_1.ko
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco module
```

Ei @rzemykers have you tried to use the modern bpf probe as a driver? This should work out of the box. Supposing you are using the helm chart as installation method you can use the following config https://github.com/falcosecurity/charts/blob/master/falco/README.md#daemonset

```yaml
driver:
  enabled: true
  kind: modern-bpf
```

yay! it works! @Andreagit97 thank you!
Maybe modern-bpf should be default driver?

The only issue with having it as a default driver is that it requires some recent bpf features like (ring-buffer, BTF, ...) that are available only on recent kernels (usually 5.8 is enough). In your case, you have a 5.18.0-0.deb11.4-amd64_1 so no issue at all, in other cases we could face some issues :/
BTW in the near future, we can think of putting it as a default driver and fall back to something else if the kernel is not recent enough :)
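
The fallback described in the comment above, sketched as an added example that is not part of the thread or of Falco's code: it picks `modern-bpf` only when the kernel is at least 5.8 (the threshold quoted above) and BTF is exposed at the standard sysfs path, and otherwise falls back to `module`. The function name and the choice of `module` as the fallback kind are assumptions.

```shell
#!/bin/sh
# Added example: choose_driver_kind is a hypothetical helper, not Falco code.
# Prints the helm `driver.kind` value to use for a given kernel release.
choose_driver_kind() {  # $1 = uname -r, $2 = BTF blob path (optional)
    rel=$1
    btf=${2:-/sys/kernel/btf/vmlinux}   # standard sysfs location of kernel BTF
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}
    # Unparseable release string: take the conservative fallback.
    for n in "$major" "$minor"; do
        case $n in ''|*[!0-9]*) echo module; return 0 ;; esac
    done
    # 5.8 is the "usually enough" threshold quoted above (BPF ring buffer, BTF).
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }; then
        # A new enough kernel can still be built without BTF, so check for it.
        if [ -r "$btf" ]; then
            echo modern-bpf
            return 0
        fi
    fi
    echo module   # assumption: fall back to the kernel module kind
}

# Decision for the host this script runs on.
choose_driver_kind "$(uname -r)"
```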

Btw this is interesting because kernel crawler does indeed crawl debian kernels: https://falcosecurity.github.io/kernel-crawler/?arch=x86_64&target=Debian

We might miss some mirrors perhaps.
I'd move this issue to the kernel crawler repo if you agree, for further investigation!

@FedeDP In my private k8s cluster I also had a problem with kind: module, but I solved it by installing linux headers

```
* Filename 'falco_debian_5.10.0-21-amd64_1.ko' is composed of:
 - driver name: falco
 - target identifier: debian
 - kernel release: 5.10.0-21-amd64
 - kernel version: 1
* Trying to download a prebuilt falco module from https://download.falco.org/driver/4.0.0%2Bdriver/x86_64/falco_debian_5.10.0-21-amd64_1.ko
curl: (22) The requested URL returned error: 404

root@node5:~# uname -a
Linux node5 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
```

> I'd move this issue to the kernel crawler repo if you agree, for further investigation!

Yes, i agree.

Moved :)

@EXONER4TED , this might interest you!

Looking into this... maybe this is interesting. Here's me crawling Debian and grep'ing for that kernelrelease pasted above:

    {
      "kernelversion": 1,
      "kernelrelease": "5.18.16-1~bpo11+1-amd64",
      "target": "debian",
      "headers": [
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-headers-5.18.0-0.deb11.4-rt-amd64_5.18.16-1~bpo11+1_amd64.deb",
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-headers-5.18.0-0.deb11.4-common-rt_5.18.16-1~bpo11+1_all.deb",
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-headers-5.18.0-0.deb11.4-common_5.18.16-1~bpo11+1_all.deb",
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-kbuild-5.18_5.18.16-1~bpo11+1_amd64.deb",
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-headers-5.18.0-0.deb11.4-cloud-amd64_5.18.16-1~bpo11+1_amd64.deb",
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-headers-5.18.0-0.deb11.4-amd64_5.18.16-1~bpo11+1_amd64.deb"
      ]
    },

I can get 5.18.16-1~bpo11+1-amd64 and not 5.18.0-0.deb11.4-amd64 - BUT the mirrors nearly all have 5.18.0-0.deb11.4 as part of the linux-headers package...

Also, looking at 5.10.0-21-amd64, I can't find that in the crawler, but CAN find that in mirror urls of a different kernel release...

    {
      "kernelversion": 1,
      "kernelrelease": "5.10.162-1-amd64",
      "target": "debian",
      "headers": [
        "http://security.debian.org/pool/updates/main/l/linux/linux-headers-5.10.0-21-cloud-amd64_5.10.162-1_amd64.deb",
        "http://security.debian.org/pool/updates/main/l/linux/linux-headers-5.10.0-21-common-rt_5.10.162-1_all.deb",
        "http://security.debian.org/pool/updates/main/l/linux/linux-headers-5.10.0-21-rt-amd64_5.10.162-1_amd64.deb",
        "http://security.debian.org/pool/updates/main/l/linux/linux-kbuild-5.10_5.10.162-1_amd64.deb",
        "http://security.debian.org/pool/updates/main/l/linux/linux-headers-5.10.0-21-common_5.10.162-1_all.deb",
        "http://security.debian.org/pool/updates/main/l/linux/linux-headers-5.10.0-21-amd64_5.10.162-1_amd64.deb"
      ]
    },

So either the crawler has a bug where it's misreporting or grouping these kernel headers... OR, debian just treats these a bit differently.

@rzemykers - I'm curious, can you try this download of a kernel module for your 5.10.0-21-amd64 node? 5.10.162-1-amd64

I would expect this to not work, but am curious if it loads correctly...

Yep; i tried to play a bit with this; at first i thought we were just missing some mirrors; but then i quickly realized i cannot find 5.18.0-0.deb11.4-amd64 anywhere; i was thinking we might miss fetching from backports mirrors (and indeed we are), but adding it didn't make any change.

A user asked to add a driverkit config for a similar kernel, that we are not able to find: falcosecurity/test-infra#1097

@rzemykers i think you might be hit by falcosecurity/falco#2374.
Can you share uname -a output?

```
root@cde-qd2mj:/sys/kernel# uname -a
Linux cde-qd2mj 5.10.0-0.deb10.17-amd64 #1 SMP Debian 5.10.136-1~deb10u3 (2022-09-06) x86_64 GNU/Linux
```

Yep, confirm! You are being affected by the aforementioned bug.

Oh i still want to wait for @rzemykers too :)

@FedeDP
on digitalocean:

```
Linux frontend-7tbpx 5.18.0-0.deb11.4-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.16-1~bpo11+1 (2022-08-12) x86_64 GNU/Linux
```

on k8s in homelab:

```
Linux nginx-hostname-77469bc69d-qsx87 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
```

uname -a was executed at pods

I think you are being hit by the same bug: falcosecurity/falco#2374.
On falcosecurity/falco#2377 i shared a test image; can you try with that? (falcosecurity/falco#2377 (comment))
It fixed the issue for @rao-hassan-1 !

EDIT: @rzemykers please let us know if that image works fine :) I can add that we ship the 5.18.16-1~bpo11+1 driver: https://download.falco.org/driver/site/index.html?lib=4.0.0%2Bdriver&target=debian&arch=x86_64&kind=kmod&search=falco_debian_5.18.16-1%7Ebpo11%2B1-amd64_1.ko
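
An added example, not part of the thread and not the patch from falcosecurity/falco#2377: it rebuilds the driver filename and URL from the `uname` values posted above, showing why the name derived from `uname -r` returns a 404 while the one derived from the Debian package version in `uname -v` matches the shipped driver. The helper names are hypothetical, and taking the text after the last `-` of `uname -r` as the flavor is an assumption that covers only the plain `amd64` kernels in this thread.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; values come from the thread.
BASE_URL='https://download.falco.org/driver'
DRIVER_VERSION='4.0.0+driver'

# Percent-encode the two characters the thread's URLs encode.
urlencode_min() { printf '%s' "$1" | sed -e 's/+/%2B/g' -e 's/~/%7E/g'; }

# "#1 SMP ... Debian 5.18.16-1~bpo11+1 (2022-08-12)" -> "1"
kernel_version_number() { printf '%s\n' "$1" | sed -n 's/^#\([0-9][0-9]*\).*/\1/p'; }

# "... Debian 5.18.16-1~bpo11+1 (2022-08-12)" -> "5.18.16-1~bpo11+1"
debian_pkg_version() { printf '%s\n' "$1" | sed -n 's/.*Debian \([0-9][^ ]*\).*/\1/p'; }

# Kernel release as the crawler JSON in this thread keys it: <package version>-<flavor>.
# Assumption: flavor is the text after the last '-' of uname -r (plain amd64 only).
debian_crawler_release() {  # $1 = uname -r, $2 = uname -v
    pkg=$(debian_pkg_version "$2")
    [ -n "$pkg" ] || return 1   # no Debian package version in uname -v
    printf '%s-%s' "$pkg" "${1##*-}"
}

driver_filename() { printf 'falco_%s_%s_%s.ko' "$1" "$2" "$3"; }  # target release kver

driver_url() {  # $1 = arch, $2 = filename
    printf '%s/%s/%s/%s' "$BASE_URL" "$(urlencode_min "$DRIVER_VERSION")" "$1" "$(urlencode_min "$2")"
}

# uname values posted for the DigitalOcean node; use $(uname -r) / $(uname -v) on a live host.
UNAME_R='5.18.0-0.deb11.4-amd64'
UNAME_V='#1 SMP PREEMPT_DYNAMIC Debian 5.18.16-1~bpo11+1 (2022-08-12)'

kver=$(kernel_version_number "$UNAME_V")
echo "uname -r name: $(driver_url x86_64 "$(driver_filename debian "$UNAME_R" "$kver")")"
if rel=$(debian_crawler_release "$UNAME_R" "$UNAME_V"); then
    echo "uname -v name: $(driver_url x86_64 "$(driver_filename debian "$rel" "$kver")")"
else
    echo "no Debian package version in uname -v" >&2
fi
```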

@rzemykers any news?

@rzemykers any news? Sorry for bothering you, but since we are approaching Falco 0.35 release, i want more data before eventually shipping my patch :)

FedeDP commented

We have had multiple users stating that my patch fixed the issue! Moreover, it has now been shipped for more than a month.
We can safely close this one.
/close
