falco: falco failed to run in kind

What happened: falco failed to run in kind.

$ kubectl logs falco-1575678340-6fxr4
* Setting up /usr/src links from host
* Unloading falco-probe, if present
* Running dkms install for falco
Error! echo
Your kernel headers for kernel 4.9.184-linuxkit cannot be found at
/lib/modules/4.9.184-linuxkit/build or /lib/modules/4.9.184-linuxkit/source.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/0.17.1/build/make.log
* Trying to load a system falco-probe, if present
* Trying to find precompiled falco-probe for 4.9.184-linuxkit
Found kernel config at /proc/config.gz
* Trying to download precompiled module from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-0.17.1-x86_64-4.9.184-linuxkit-aa7fd392e72f1a4dcbe68e1d89467b54.ko
curl: (22) The requested URL returned error: 404 Not Found
Download failed, consider compiling your own falco-probe and loading it or getting in touch with the sysdig community
Sat Dec  7 00:26:13 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Sat Dec  7 00:26:13 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Sat Dec  7 00:26:14 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Sat Dec  7 00:26:14 2019: Unable to load the driver. Exiting.
Sat Dec  7 00:26:14 2019: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco-probe module is loaded.. Exiting.

What you expected to happen: falco DaemonSet is successfully running.

How to reproduce it (as minimally and precisely as possible):

$ helm install stable/falco --generate-name
# or
$ kubectl create deploy falco --image=falcosecurity/falco:0.17.1

Anything else we need to know?:

Environment:

  • Falco version (use falco --version): 0.17.1
  • System info <!-- Falco has a built-in support command you can use “falco --support | jq .system_info” -->
  • Cloud provider or hardware configuration: kind v0.6.1
  • OS (e.g: cat /etc/os-release): macOS Catalina 10.15.1
  • Kernel (e.g. uname -a):
  • Install tools (e.g. in kubernetes, rpm, deb, from source): kubernetes
  • Others:

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 19 (17 by maintainers)

Most upvoted comments

I have finally found the problem; below are the steps to make it work.

1. Install the driver on the host machine

Clone the Falco project and check out the tag corresponding to the same Falco version used within the helm chart (0.20.0 in my case), then:

mkdir build
cd build
cmake ..
sudo make install_driver

2. Mount /dev on kind-control-plane

To make the driver work, the host’s /dev must be accessible from within the container. To do that, kind requires the following:

kind-config.yaml

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraMounts:
  - hostPath: /dev
    containerPath: /dev

Then create the cluster like so:

kind create cluster --config=./kind-config.yaml

3. DONE!

You can now deploy Falco to kind’s cluster as usual. You should notice that the driver will automatically be loaded with modprobe:

* Trying to load a system falco-probe, if present
falco-probe found and loaded with modprobe
Fri Mar  6 14:54:49 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Fri Mar  6 14:54:49 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri Mar  6 14:54:51 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri Mar  6 14:54:54 2020: Starting internal webserver, listening on port 8765

@oke-py @markyjackson-taulia can you please take a look and let me know if that works for you too?
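
The failing log in the issue body and the working start-up log above differ in only a few lines. As an added example (not part of the thread or of the Falco project), the shell function below classifies a pod log by those lines; the function names are hypothetical and the sample logs are constructed by abridging the ones quoted on this page.

```shell
#!/bin/sh
# Added example: triage the driver-loading phase of a Falco pod log read on stdin.
# Match strings are copied from the log lines quoted in this issue.
classify_falco_log() {
    awk '
        /kernel headers for kernel .* cannot be found/ { headers = 1 }
        /curl: \(22\).*404 Not Found/                  { probe404 = 1 }
        /found and loaded with modprobe/               { loaded = 1 }
        /Unable to load the driver/                    { nodriver = 1 }
        /error opening device/                         { nodevice = 1 }
        /-linuxkit/                                    { linuxkit = 1 }
        END {
            if (loaded && !nodriver && !nodevice) {
                print "OK: host-installed driver loaded with modprobe"; exit 0
            }
            if (headers)  print "CAUSE: kernel headers missing, dkms cannot build the module"
            if (probe404) print "CAUSE: no precompiled probe for this kernel (HTTP 404)"
            if (nodevice) print "EFFECT: Falco could not open its device node"
            if (linuxkit) print "NOTE: linuxkit kernel, treated in the thread as a separate problem"
            if (headers || probe404 || nodriver || nodevice) exit 1
            print "UNKNOWN: no driver-loading messages recognised"; exit 2
        }'
}

# Constructed sample: abridged from the failing log in the issue body.
sample_failed_log() {
    cat <<'EOF'
* Running dkms install for falco
Your kernel headers for kernel 4.9.184-linuxkit cannot be found at
* Trying to find precompiled falco-probe for 4.9.184-linuxkit
curl: (22) The requested URL returned error: 404 Not Found
Sat Dec  7 00:26:14 2019: Unable to load the driver. Exiting.
Sat Dec  7 00:26:14 2019: Runtime error: error opening device /host/dev/falco0.
EOF
}

# Constructed sample: abridged from the working log in the comment above.
sample_ok_log() {
    cat <<'EOF'
* Trying to load a system falco-probe, if present
falco-probe found and loaded with modprobe
Fri Mar  6 14:54:54 2020: Starting internal webserver, listening on port 8765
EOF
}

sample_failed_log | classify_falco_log || true   # exit status 1: driver not loaded
sample_ok_log | classify_falco_log               # exit status 0
```

On a live cluster the same function can be fed with `kubectl logs <falco-pod> | classify_falco_log`.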

At last, it worked fine! Thank you so much. I used ubuntu-18.04 on EC2.

install go

$ sudo add-apt-repository ppa:longsleep/golang-backports
$ sudo apt update
$ sudo apt install golang-go
$ go version
go version go1.14 linux/amd64

install docker

$ sudo apt-get update
$ sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) \
  stable"
$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli containerd.io
$ sudo usermod -aG docker `whoami`
$ exit

re-login

set env-var

$ export GOPATH=~/go
$ export PATH=$PATH:$GOPATH/bin
$ export GO111MODULE="on"

install kernel module

$ docker pull falcosecurity/driverkit-builder
$ go get github.com/falcosecurity/driverkit
$ uname -v
#59-Ubuntu SMP Wed Dec 4 10:02:00 UTC 2019
$ uname -r
4.15.0-1057-aws
$ driverkit docker --output-module /tmp/falco.ko --kernelversion=59 --kernelrelease=4.15.0-1057-aws --driverversion=dev --target=ubuntu-aws
$ sudo cp /tmp/falco.ko /lib/modules/`uname -r`/falco.ko
$ sudo depmod
$ sudo modprobe falco
$ lsmod | grep -i falco

install kubectl & helm

$ curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
$ chmod +x ./kubectl
$ sudo mv ./kubectl /usr/local/bin/kubectl
$ curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | sudo bash
$ helm repo add stable https://kubernetes-charts.storage.googleapis.com/

install kind & create cluster

$ go get sigs.k8s.io/kind@v0.7.0
$ cat <<EOF | kind create cluster --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraMounts:
  - hostPath: /dev
    containerPath: /dev
EOF

install & run falco

$ helm install stable/falco --generate-name
$ kubectl get po -w
NAME                     READY   STATUS    RESTARTS   AGE
falco-1584781190-f5wdw   1/1     Running   0          30s
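
The walkthrough above depends on three things being true on the Linux host before `helm install`: a Falco module is loaded, the device node exists, and the kind config maps /dev into the node. As an added example (not from the thread or the Falco project), this script checks all three; the function names and the staged dry-run tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks to run on the Linux host before deploying Falco to kind.
# ROOT is "" for the real host, or a staged directory tree for a dry run.

# /proc/modules lists falco-probe.ko as falco_probe and driverkit's falco.ko as falco.
module_loaded() {
    awk '$1 == "falco" || $1 == "falco_probe" { ok = 1 } END { exit !ok }' "$1/proc/modules"
}

# /dev/falco0 is the node the pod opens as /host/dev/falco0 (a char device on a real host).
device_present() { [ -e "$1/dev/falco0" ]; }

# Line-based check that the kind config maps hostPath /dev to containerPath /dev.
kind_mounts_dev() {
    awk '/hostPath:[ \t]*\/dev[ \t]*$/      { h = 1 }
         /containerPath:[ \t]*\/dev[ \t]*$/ { c = 1 }
         END { exit !(h && c) }' "$1"
}

preflight() {   # usage: preflight ROOT KIND_CONFIG
    rc=0
    module_loaded "$1"   || { echo "FAIL: no falco module in $1/proc/modules"; rc=1; }
    device_present "$1"  || { echo "FAIL: $1/dev/falco0 is missing"; rc=1; }
    kind_mounts_dev "$2" || { echo "FAIL: $2 does not mount /dev into the node"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: driver loaded and /dev mounted"
    return "$rc"
}

# Constructed dry run: stage a tree that looks like the host after the steps above.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/proc" "$t/dev"
    echo "falco 634880 0 - Live 0x0000000000000000" > "$t/proc/modules"
    : > "$t/dev/falco0"
    printf '%s\n' 'kind: Cluster' 'apiVersion: kind.x-k8s.io/v1alpha4' 'nodes:' \
        '- role: control-plane' '  extraMounts:' '  - hostPath: /dev' \
        '    containerPath: /dev' > "$t/kind-config.yaml"
    st=0
    preflight "$t" "$t/kind-config.yaml" || st=$?
    rm -rf "$t"
    return "$st"
}
demo
```

Against the real host, call `preflight "" ./kind-config.yaml` after `sudo modprobe falco` and before creating the cluster.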

Hey @yashbhutwala as far as I know, Falco on Docker for Mac has a different kind of issue that’s related to linuxkit and @leodido is working on that. Feel free to open another issue in the falco repo and add more details.

Thanks @leogr for stepping up and helping with this.

I’ll call it solved 😃

/close

@oke-py here you find further details on how to install the kernel module using driverkit. Let me know!

Related to this, I think we want to get the manifests for newer kubernetes versions in the Falco repo.

Also @oke-py thanks for getting this done on the helm charts! 👇 https://github.com/helm/charts/pull/17339