falco: Falco pod failure for GKE 5.10.133+ kernel

Describe the bug

Helm chart installation fails for container optimized OS for GKE kernel 5.10.133+

How to reproduce it

helm install falco-gke falcosecurity/falco --set driver.kind=ebpf
NAME: falco-gke
LAST DEPLOYED: Fri Dec 16 04:20:38 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Falco agents are spinning up on each node in your cluster. After a few
seconds, they are going to start monitoring your containers looking for
security issues.

Pod deployment is still unstable after doing a shell to one of the pods below is the error I am seeing. After hitting the driver url https://download.falco.org/driver/3.0.1%2Bdriver/x86_64/falco_cos_5.10.133%2B_1.o I see the file is missing.

* Filename 'falco_cos_5.10.133+_1.o' is composed of:
 - driver name: falco
 - target identifier: cos
 - kernel release: 5.10.133+
 - kernel version: 1
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/3.0.1%2Bdriver/x86_64/falco_cos_5.10.133%2B_1.o
curl: (7) Failed to connect to download.falco.org port 443: Connection timed out
Unable to find a prebuilt falco eBPF probe
* COS detected (build 16623.227.33), using COS kernel headers
* Found kernel config at /proc/config.gz
* Downloading https://storage.googleapis.com/cos-tools/16623.227.33/kernel-headers.tgz
* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.33.0, driver version=3.0.1+driver, arch=x86_64, kernel release=5.10.133+, kernel version=1
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Mounting debugfs
mount: /sys/kernel/debug: cannot mount nodev read-only.
* Filename 'falco_cos_5.10.133+_1.o' is composed of:
 - driver name: falco
 - target identifier: cos
 - kernel release: 5.10.133+
 - kernel version: 1

Screenshots Screenshot 2022-12-16 at 4 40 20 AM

Environment

falco version=0.33.0, driver version=3.0.1+driver, arch=x86_64, kernel release=5.10.133+, kernel version=1

Additional context

Tried the driverkit repo build as well but still failing with below error:

go run main.go docker -c gke-driver.yaml 
INFO using config file                             file=gke-driver.yaml
ERRO error validating build options                error="target must be a valid target ([fedora vanilla amazonlinux2 debian centos rocky ubuntu almalinux amazonlinux photon redhat arch opensuse minikube amazonlinux2022 flatcar])"

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

@leogr I can actually close it unless @eljefedelrodeodeljefe wants it to still keep it open.

+1
ronniee007 on May 24, 2023

Hey @ronniee007

Is this still an issue?

+1
leogr on May 8, 2023
Read more comments on GitHub
← falco: Falco failing to start with kernel module not loaded
falco: Falco Provides Unclear Error Message When Kevt in Condition and Source Type is Syscall →