falco: Debian pre-built modules failing

Describe the bug

Hello,

After the release of v0.35.0 addressing this other bug affecting Debian #2374, we realized the pre-built modules are failing when loading them under Debian, raising this error during the Kubernetes init process (falco-driver-loader):

* Found a prebuilt falco module at /root/.falco/5.0.1+driver/x86_64/falco_debian_4.19.282-1-amd64_1.ko, loading it
insmod: ERROR: could not insert module /root/.falco/5.0.1+driver/x86_64/falco_debian_4.19.282-1-amd64_1.ko: Invalid module format

This message can be observed in the OS dmesg:

falco: disagrees about version of symbol module_layout

How to reproduce it

Deploy https://github.com/falcosecurity/charts/tree/master/falco helm chart in a Kubernetes cluster using nodes with Debian (10 or 11)

Expected behaviour

The module should load ok

Environment

  • Falco version: v0.35.0
  • Cloud provider or hardware configuration: VMs with Vanilla K8s running in vmware
  • OS: PRETTY_NAME="Debian GNU/Linux 10 (buster)" NAME="Debian GNU/Linux" VERSION_ID="10" VERSION="10 (buster)" VERSION_CODENAME=buster ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/"
  • Kernel: Linux kube1 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64 GNU/Linux
  • Installation method: Falco helm chart for K8s

Additional context

Issue #2374 is related, as https://github.com/falcosecurity/falco/issues/2374#issuecomment-1409850595 is having the same problem after the fix

Thanks in advance, best regards

About this issue

  • State: closed
  • Created a year ago
  • Comments: 18 (14 by maintainers)

Most upvoted comments

Yay then my patch is ok! Thank you very much for the quick response! We will fix the upstream artifacts (download.falco.org) asap, during next week!

Whoa, thank you @FedeDP, I'm going to try to answer all your questions

Care to try using ebpf instead?

With eBPF, falco-driver-loader ends ok:

* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/5.0.1%2Bdriver/x86_64/falco_debian_4.19.282-1-amd64_1.o
* Skipping compilation, eBPF probe is already present in /root/.falco/5.0.1+driver/x86_64/falco_debian_4.19.282-1-amd64_1.o
* eBPF probe located in /root/.falco/5.0.1+driver/x86_64/falco_debian_4.19.282-1-amd64_1.o
* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o

But then, falco container fails with this error:

Thu Jun  8 16:57:44 2023: Enabled event sources: syscall
Thu Jun  8 16:57:44 2023: Opening 'syscall' source with BPF probe. BPF probe path: /root/.falco/falco-bpf.o
Thu Jun  8 16:57:44 2023: An error occurred in an event source, forcing termination...
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Error: BPF probe is compiled for 4.19.0-24-rt-amd64, but running version is 4.19.0-24-amd64

They differ! I can share the kmod with you, can you test if you can inject it?

I can confirm that if I inject that module into the falco-driver-loader, it works:

* Found a prebuilt falco module at /root/.falco/5.0.1+driver/x86_64/falco_debian_4.19.282-1-amd64_1.ko, loading it
* Success: falco module found and inserted

Falco container is reporting healthy status after the init, so I guess this is good

Also, can you share your /etc/os-release file?

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Please let me know if I forgot something, thank you for your quick support
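
The Falco error quoted in this thread names two kernel releases that differ only by the `rt` flavour, while the artifact file name is the same. The following is an added example, not code from Falco or falco-driver-loader: a shell pre-flight check that compares the release a driver was built for with the running one before it is loaded. It assumes Debian-style release strings (`<version>-<abi>[-<flavour>]-<arch>`), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of Falco). Assumes Debian-style kernel releases:
# <version>-<abi>[-<flavour>]-<arch>, e.g. 4.19.0-24-rt-amd64.

# Release a .ko was built for: the first field of its vermagic string.
module_release() {
    vm=$(modinfo -F vermagic "$1") || return 2
    printf '%s\n' "${vm%% *}"
}

# Split a release into "base flavour arch"; flavour is "-" when absent.
split_release() {
    rel=$1
    arch=${rel##*-}                               # amd64
    rest=${rel%-*}                                # 4.19.0-24-rt or 4.19.0-24
    base=$(printf '%s' "$rest" | cut -d- -f1-2)   # 4.19.0-24
    flavour=${rest#"$base"}                       # -rt or empty
    flavour=${flavour#-}
    printf '%s %s %s\n' "$base" "${flavour:--}" "$arch"
}

# compare_release BUILT RUNNING
# Prints: match | flavour-mismatch | version-mismatch
compare_release() {
    if [ "$1" = "$2" ]; then
        echo match
        return 0
    fi
    # Fields after set: base1 flavour1 arch1 base2 flavour2 arch2
    set -- $(split_release "$1") $(split_release "$2")
    if [ "$1" = "$4" ] && [ "$3" = "$6" ]; then
        echo flavour-mismatch    # same version, ABI and arch; e.g. rt vs non-rt
    else
        echo version-mismatch
    fi
}

# preflight MODULE.ko: succeeds only if the module targets the running kernel.
preflight() {
    built=$(module_release "$1") || return 2
    running=$(uname -r)
    verdict=$(compare_release "$built" "$running")
    echo "$1: built for $built, running $running: $verdict"
    [ "$verdict" = match ]
}

# The two releases from the Falco error message in this thread:
compare_release 4.19.0-24-rt-amd64 4.19.0-24-amd64
```

`preflight` applies to `.ko` files only, since it reads the release from `modinfo`; a matching release string is a necessary check, not proof that every symbol version agrees.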