charts: Unable to run on Docker for Mac on Apple M1

Describe the bug

I am unable to run Falco on Docker for Mac; this is an Apple M1 device.

How to reproduce it

% helm upgrade --install falco falcosecurity/falco --set ebpf.enabled=false --set webserver.enabled=false --set programOutput.enabled=true --set programOutput.program="jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/xxx"
# or
% helm upgrade --install falco falcosecurity/falco --set ebpf.enabled=true --set webserver.enabled=false --set programOutput.enabled=true --set programOutput.program="jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/xxx"

Outcome: With eBPF:

* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.29.1, driver version=17f5df52a7d9ed6bb12d3b1768460def8439936d
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Mounting debugfs
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/17f5df52a7d9ed6bb12d3b1768460def8439936d/falco__5.10.25-linuxkit_1.o
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco eBPF probe
* Trying to compile the eBPF probe (falco__5.10.25-linuxkit_1.o)
make[1]: *** /lib/modules/5.10.25-linuxkit/build: No such file or directory. Stop.
make: *** [Makefile:18: all] Error 2
/bin/mv: cannot stat '/usr/src/falco-17f5df52a7d9ed6bb12d3b1768460def8439936d/bpf/probe.o': No such file or directory
Unable to load the falco eBPF probe
Tue Jul 20 08:53:43 2021: Falco version 0.29.1 (driver version 17f5df52a7d9ed6bb12d3b1768460def8439936d)
Tue Jul 20 08:53:43 2021: Falco initialized with configuration file /etc/falco/falco.yaml
Tue Jul 20 08:53:43 2021: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Jul 20 08:53:44 2021: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Jul 20 08:53:45 2021: Unable to load the driver.
Tue Jul 20 08:53:45 2021: Runtime error: can't open BPF probe '/root/.falco/falco-bpf.o': Errno 2. Exiting.

or without:

qemu-x86_64: /qemu/linux-user/mmap.c:302: mmap_find_vma: Assertion `h2g_valid(ptr)' failed.
* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.29.1, driver version=17f5df52a7d9ed6bb12d3b1768460def8439936d
* Running falco-driver-loader with: driver=module, compile=yes, download=yes
* Unloading falco module, if present
* Trying to load a system falco module, if present
* Looking for a falco module locally (kernel 5.10.25-linuxkit)
* Trying to download a prebuilt falco module from https://download.falco.org/driver/17f5df52a7d9ed6bb12d3b1768460def8439936d/falco__5.10.25-linuxkit_1.ko
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco module
* Trying to dkms install falco module with GCC /usr/bin/gcc
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/17f5df52a7d9ed6bb12d3b1768460def8439936d/build/make.log (with GCC /usr/bin/gcc)
* Trying to dkms install falco module with GCC /usr/bin/gcc-8
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/17f5df52a7d9ed6bb12d3b1768460def8439936d/build/make.log (with GCC /usr/bin/gcc-8)
* Trying to dkms install falco module with GCC /usr/bin/gcc-6
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/17f5df52a7d9ed6bb12d3b1768460def8439936d/build/make.log (with GCC /usr/bin/gcc-6)
* Trying to dkms install falco module with GCC /usr/bin/gcc-5
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/17f5df52a7d9ed6bb12d3b1768460def8439936d/build/make.log (with GCC /usr/bin/gcc-5)
Consider compiling your own falco driver and loading it or getting in touch with the Falco community
Tue Jul 20 08:52:50 2021: Falco version 0.29.1 (driver version 17f5df52a7d9ed6bb12d3b1768460def8439936d)
Tue Jul 20 08:52:50 2021: Falco initialized with configuration file /etc/falco/falco.yaml
Tue Jul 20 08:52:50 2021: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Jul 20 08:52:51 2021: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Jul 20 08:52:52 2021: Unable to load the driver.
Tue Jul 20 08:52:52 2021: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco module is loaded.. Exiting.

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 1
  • Comments: 34 (24 by maintainers)

Most upvoted comments

@alacuku @hazcod

Docker for Desktop’s kernels are built via the linuxkit tooling. The artifacts, including the source code and development headers, are stored in a Docker image at https://hub.docker.com/r/docker/for-desktop-kernel/tags.

A means of retrieval would be (for the current kernel, 5.15.49):

C=$(docker create docker/for-desktop-kernel:5.15.49-13422a825f833d125942948cf8a8688cef721ead true)
docker cp $C:/ out

With the headers being stored in the file out/kernel-headers.tar.

I think Docker could do a better job of documenting where to find these artifacts for improved integration with tooling that requires the kernel headers.

A member of my team has successfully built and installed Falco on Docker for Mac on Apple M1 using the kernel headers in the docker image.
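The retrieval steps from the comment above on the docker/for-desktop-kernel image, written as one script. This is an added example, not code from the issue or from the Falco project. Before copying, it checks that the image tag matches the kernel reported by `docker info`, so the driver is not built against headers for a different kernel. The function names and the `headers/` directory are assumptions, and the full tag (version plus hash) has to be taken from the Docker Hub tag list.

```shell
#!/bin/sh
# Added example: fetch Docker Desktop kernel headers for a driver build.
# The image name and kernel-headers.tar come from the comment above;
# function names and the headers/ layout are assumptions.

IMAGE_REPO="docker/for-desktop-kernel"

# "5.15.49-linuxkit" or "5.15.49-<hash>" -> "5.15.49"
kernel_version_of() {
    printf '%s\n' "${1%%-*}"
}

# Succeeds only when the image tag was built for the given kernel release.
tag_matches_kernel() {
    [ "$(kernel_version_of "$1")" = "$(kernel_version_of "$2")" ]
}

# fetch_headers <image-tag> <dest-dir>
# Returns 2 on a tag/kernel mismatch, 1 on any other failure.
fetch_headers() {
    tag=$1
    dest=$2
    running=$(docker info --format '{{.KernelVersion}}') || return 1
    if ! tag_matches_kernel "$tag" "$running"; then
        echo "tag $tag does not match running kernel $running" >&2
        return 2
    fi
    # docker cp only lays files out as <dest>/kernel-headers.tar
    # when <dest> does not exist yet, so refuse to reuse a directory.
    if [ -e "$dest" ]; then
        echo "$dest already exists" >&2
        return 1
    fi
    cid=$(docker create "$IMAGE_REPO:$tag" true) || return 1
    docker cp "$cid:/" "$dest"
    rc=$?
    docker rm "$cid" >/dev/null   # always remove the helper container
    [ "$rc" -eq 0 ] || return 1
    mkdir -p "$dest/headers" &&
        tar -xf "$dest/kernel-headers.tar" -C "$dest/headers"
}

# Runs only when a tag is passed on the command line.
if [ "$#" -ge 1 ]; then
    fetch_headers "$1" "${2:-out}"
fi
```

Invoke it with the tag as the first argument and, optionally, a destination directory that does not exist yet (the default is `out`).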

I bumped into this issue with driver.kind=ebpf, but upon changing to driver.kind=modern-bpf, it fixed my issue while running with Docker Desktop on Mac (Intel).

helm install falco -n falco --set driver.kind=modern-bpf --set tty=true falcosecurity/falco

We do not build kernel modules or probes for Docker for Mac. If anyone wants to contribute to kernel-crawler in order to get the kernel header, it would be much appreciated!

Anyway, the modern probe should work out of the box!

@alacuku @hazcod

Docker for Desktop’s kernels are built via the linuxkit tooling. The artifacts, including the source code and development headers, are stored in a Docker image at https://hub.docker.com/r/docker/for-desktop-kernel/tags.

A means of retrieval would be (for the current kernel, 5.15.49):

C=$(docker create docker/for-desktop-kernel:5.15.49-13422a825f833d125942948cf8a8688cef721ead true)
docker cp $C:/ out

With the headers being stored in the file out/kernel-headers.tar.

I think Docker could do a better job of documenting where to find these artifacts for improved integration with tooling that requires the kernel headers.

This is very interesting! Thank you!

cc @falcosecurity/driverkit-maintainers cc @maxgio92