falco: Falco failing to start with kernel module not loaded
Describe the bug Falco failing to start
[root /]# /usr/bin/falco-driver-loader --compile
* Running falco-driver-loader for: falco version=0.33.0, driver version=3.0.1+driver, arch=x86_64, kernel release=4.18.0-372.26.1.el8_6.x86_64, kernel version=1
* Running falco-driver-loader with: driver=module, compile=yes, download=no
================ Cleaning phase ================
* 1. Check if kernel module 'falco' is still loaded:
- Kernel module 'falco' is still loaded.
- Trying to unload it with 'rmmod falco'...
- OK! Unloading 'falco' module succeeded.
* 2. Check all versions of kernel module 'falco' in dkms:
- There are some versions of 'falco' module in dkms.
* 3. Removing all the following versions from dkms:
3.0.1+driver
- Removing 3.0.1+driver...
Deleting module falco-3.0.1+driver completely from the DKMS tree.
- OK! Removing '3.0.1+driver' succeeded.
[SUCCESS] Cleaning phase correctly terminated.
================ Cleaning phase ================
* Looking for a falco module locally (kernel 4.18.0-372.26.1.el8_6.x86_64)
* Filename 'falco_rhel_4.18.0-372.26.1.el8_6.x86_64_1.ko' is composed of:
- driver name: falco
- target identifier: rhel
- kernel release: 4.18.0-372.26.1.el8_6.x86_64
- kernel version: 1
* Trying to dkms install falco module with GCC /usr/bin/gcc
Sign command: /lib/modules/4.18.0-372.26.1.el8_6.x86_64/build/scripts/sign-file
Binary /lib/modules/4.18.0-372.26.1.el8_6.x86_64/build/scripts/sign-file not found, modules won't be signed
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
Creating symlink /var/lib/dkms/falco/3.0.1+driver/source -> /usr/src/falco-3.0.1+driver
* Running dkms build failed, couldn't find /var/lib/dkms/falco/3.0.1+driver/build/make.log (with GCC /usr/bin/gcc)
* Trying to load a system falco module, if present
* Success: falco module found and loaded with modprobe
[root /]# /usr/bin/falco -v --cri /run/containerd/containerd.sock
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Error: unable to open '/sys/module/falco/parameters/g_buffer_bytes_dim': Errno 2. Please ensure the kernel module is already loaded.
2022-11-03T10:11:20+0000 INFO --- logging initialized ---
2022-11-03T10:11:21+0000 SUBDEBUG Installed: falco-0.33.0-1.x86_64
2022-11-03T10:11:23+0000 INFO Creating symlink /var/lib/dkms/falco/3.0.1+driver/source -> /usr/src/falco-3.0.1+driver
Module build for the currently running kernel was skipped since the
kernel source for this kernel does not seem to be installed.
Created symlink /etc/systemd/system/multi-user.target.wants/falco.service → /usr/lib/systemd/system/falco.service.
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
How to reproduce it
Expected behaviour Falco should come up
Screenshots
Environment
- Falco version: 0.33.0
- System info:
{"machine":"x86_64","nodename":"###","release":"4.18.0-372.26.1.el8_6.x86_64","sysname":"Linux","version":"#1 SMP Sat Aug 27 02:44:20 EDT 2022"}
- Cloud provider or hardware configuration:
- OS:
- Kernel:
4.18.0-372.26.1.el8_6.x86_64 #1 SMP Sat Aug 27 02:44:20 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
- Installation method: Kube installing from RPM
Additional context
About this issue
- State: closed
- Created 2 years ago
- Comments: 36 (17 by maintainers)
Aha it’s all good, turned out to all be user error in the end anyway!
Just managed to exec into the pod early enough and it looks like falco is running early for some reason, so I’ll investigate that
Thank you! I’ll give that a go and report back 😄
It tries to build the 3.0.1 driver, but it cannot because you are missing the kernel src/headers for your currently running kernel:
Then, it falls back to loading a system falco module, if found (and of course, it finds the old 2.0.0 one!).
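A diagnostic check for the failure explained in the last two comments, as an added example that is not part of the original thread or of falco-driver-loader: it reports a missing kernel build tree, a loaded module whose version differs from the expected driver, and the absent g_buffer_bytes_dim parameter from the error above. The ROOT prefix argument, the function names and the 2.0.0+driver version string in the sample tree are assumptions made for illustration, as is the module exposing a sysfs version file.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of falco-driver-loader.
# diagnose_falco_driver ROOT KERNEL_RELEASE EXPECTED_DRIVER_VERSION
# ROOT is a hypothetical prefix ("" = real host) so the checks can run on a constructed tree.
# Prints one finding per line; returns 0 only when nothing is wrong.
diagnose_falco_driver() {
    root=$1; krel=$2; want=$3; rc=0
    mod="$root/sys/module/falco"
    # dkms skips the build when the kernel build tree (kernel-devel/headers) is absent.
    if [ ! -e "$root/lib/modules/$krel/build/Makefile" ]; then
        echo "HEADERS_MISSING $krel"; rc=1
    fi
    if [ ! -d "$mod" ]; then
        echo "MODULE_NOT_LOADED"; return 1
    fi
    # sysfs has a 'version' file only if the module declares MODULE_VERSION (assumed here).
    if [ -r "$mod/version" ]; then
        have=$(cat "$mod/version")
        if [ "$have" != "$want" ]; then
            echo "VERSION_MISMATCH loaded=$have expected=$want"; rc=1
        fi
    fi
    # The parameter named in the Falco error message on this page.
    if [ ! -e "$mod/parameters/g_buffer_bytes_dim" ]; then
        echo "PARAM_MISSING g_buffer_bytes_dim"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Constructed sample tree reproducing the state described in the thread:
# no kernel build tree, and an older module (version string is made up) loaded.
make_stale_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/module/falco/parameters" "$d/lib/modules/4.18.0-372.26.1.el8_6.x86_64"
    echo "2.0.0+driver" > "$d/sys/module/falco/version"
    echo "$d"
}

# Run against the real host only when asked: sh check.sh --host 3.0.1+driver
if [ "${1:-}" = "--host" ]; then
    diagnose_falco_driver "" "$(uname -r)" "${2:?expected driver version}"
fi
```

A VERSION_MISMATCH or PARAM_MISSING finding together with HEADERS_MISSING matches the sequence in the log above: the build was skipped and modprobe loaded whatever module was already installed.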