falco: falco --modern-bpf fail (libbpf: failed to find valid kernel BTF)
Describe the bug
After managing to get the build limping along with some tape and chewing gum, as described in issue #2343, I got to a stage where I can test the resulting .deb. Sadly it fails to load like this:
Mon Jan 16 10:58:26 2023: Falco version: 0.33.1-1 (x86_64)
Mon Jan 16 10:58:26 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Mon Jan 16 10:58:26 2023: Loading rules from file /etc/falco/falco_rules.yaml
Mon Jan 16 10:58:26 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
Mon Jan 16 10:58:26 2023: Loading rules from file /etc/falco/rules.d/nidhogg.yml
Rules match ignored syscall: warning (ignored-evttype):
Loaded rules match the following events: ppoll, semop, getdents, signaldeliver, getresuid, getegid, geteuid, getuid, sendfile, getresgid, pwrite, preadv, page_fault, pwritev, munlock, sendmmsg, io_uring_enter, fstat64, mlock2, getdents64, mlock, mlockall, fsconfig, select, copy_file_range, io_uring_register, getcwd, mmap2, mprotect, send, writev, recvmmsg, lseek, poll, munmap, llseek, epoll_wait, stat64, access, fstat, lstat, stat, futex, lstat64, pluginevent, getpeername, semget, write, brk, getsockname, pread, setsockopt, recv, getgid, nanosleep, readv, getrlimit, switch, semctl, munlockall, mmap, splice, read
But these events are not returned unless running falco with -A
Mon Jan 16 10:58:26 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Mon Jan 16 10:58:26 2023: Starting health webserver with threadiness 1, listening on port 8765
Mon Jan 16 10:58:26 2023: Enabled event sources: syscall
Mon Jan 16 10:58:26 2023: Opening capture with modern BPF probe
libbpf: failed to find valid kernel BTF
libbpf: Error loading vmlinux BTF: -3
libbpf: failed to load object 'bpf_probe'
libbpf: failed to load BPF skeleton 'bpf_probe': -3
libpman: failed to load BPF object (errno: 3 | message: No such process)
Mon Jan 16 10:58:26 2023: An error occurred in an event source, forcing termination...
Error:
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
After some web searches and stracing, I suspect this is because the code fails to find the Linux kernel in /boot. The code looks for /boot/vmlinux-6.0.0-6-amd64, while the installed image is /boot/vmlinuz-6.0.0-6-amd64. Note the x->z difference signaling a compressed kernel. Any idea how to get around this?
How to reproduce it
Build the Debian package using the git repo from https://salsa.debian.org/pere/falco.git (run ‘debuild’ from the devscripts package after running ‘sudo apt build-dep .’ in the git repo).
Expected behaviour
I expected falco to load the bpf module and start running, not exit with an error message.
Environment
- Falco version: 0.33.1
- System info:
{
"machine": "x86_64",
"nodename": "testbox",
"release": "6.0.0-6-amd64",
"sysname": "Linux",
"version": "#1 SMP PREEMPT_DYNAMIC Debian 6.0.12-1 (2022-12-09)"
}
- OS: Debian Bookworm in libvirt virtual machine
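The log above ends with libbpf's "failed to find valid kernel BTF" and errno 3 (ESRCH), which is what libbpf returns when none of its vmlinux BTF search locations holds a usable BTF blob. The check below is an added diagnostic, not code from Falco or the Debian packaging: it lists the locations libbpf probes (sysfs first, then the uncompressed ELF fallbacks), reports the first one present, and greps the kernel config for CONFIG_DEBUG_INFO_BTF. The candidate list is taken from libbpf's btf__load_vmlinux_btf(); the optional root-prefix argument and the constructed config lines are assumptions made so the functions can be exercised against a temporary directory tree rather than the live host.

```shell
#!/bin/sh
# btf-check.sh (added example): diagnose why libbpf reports
# "failed to find valid kernel BTF" before loading a CO-RE probe.

# Print, in order, the paths libbpf probes for the kernel's BTF for
# release $1. $2 is an optional root prefix (assumption: used only so the
# functions can be tested against a constructed directory tree).
# Note that /boot/vmlinuz-* is never a candidate: libbpf wants either the
# raw BTF blob from sysfs or an uncompressed ELF vmlinux with a .BTF section.
btf_candidates() {
    rel="$1"; root="${2:-}"
    printf '%s\n' \
        "$root/sys/kernel/btf/vmlinux" \
        "$root/boot/vmlinux-$rel" \
        "$root/lib/modules/$rel/vmlinux-$rel" \
        "$root/lib/modules/$rel/build/vmlinux" \
        "$root/usr/lib/modules/$rel/kernel/vmlinux" \
        "$root/usr/lib/debug/boot/vmlinux-$rel" \
        "$root/usr/lib/debug/boot/vmlinux-$rel.debug" \
        "$root/usr/lib/debug/lib/modules/$rel/vmlinux"
}

# Echo the first readable candidate and return 0; return 1 if none exists,
# which is the situation behind libbpf's -ESRCH in the log.
find_vmlinux_btf() {
    found=""
    _ifs=$IFS
    IFS='
'
    for p in $(btf_candidates "$1" "$2"); do
        if [ -z "$found" ] && [ -r "$p" ]; then found=$p; fi
    done
    IFS=$_ifs
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Return 0 if the kernel config file $1 has BTF generation enabled.
# Without CONFIG_DEBUG_INFO_BTF=y the kernel does not expose
# /sys/kernel/btf/vmlinux and the modern BPF probe cannot load.
has_btf_config() {
    grep -q '^CONFIG_DEBUG_INFO_BTF=y$' "$1"
}

# Live check against the running kernel (only when invoked with --live).
diagnose() {
    rel=$(uname -r)
    cfg="/boot/config-$rel"
    if [ -r "$cfg" ]; then
        if has_btf_config "$cfg"; then
            echo "kernel config: CONFIG_DEBUG_INFO_BTF=y"
        else
            echo "kernel config: CONFIG_DEBUG_INFO_BTF not set; modern BPF probe cannot load"
        fi
    else
        echo "kernel config: $cfg not readable, skipping"
    fi
    if btf=$(find_vmlinux_btf "$rel"); then
        echo "vmlinux BTF found at: $btf"
    else
        echo "no vmlinux BTF in any libbpf search location (libbpf: failed to find valid kernel BTF, -ESRCH)"
    fi
}

case "${1:-}" in
    --live) diagnose ;;
esac
```

Run `sh btf-check.sh --live` on the affected VM; if the config line is missing, the fix is a kernel built with CONFIG_DEBUG_INFO_BTF=y (or the legacy, non-CO-RE probe), since no amount of renaming a compressed vmlinuz will give libbpf a BTF section to read.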
About this issue
- State: closed
- Created a year ago
- Comments: 24 (11 by maintainers)
[Andrea Terzolo]
The machine is a Qemu based virtual machine with a Debian Bookworm installation. <URL: https://tracker.debian.org/pkg/libbpf > shows the version installed on Bookworm at the moment is 1.1.0-1.
– Happy hacking, Petter Reinholdtsen