falco: SSL server failed to start

What happened:

I enabled SSL support in Falco configuration file but then the server failed to start. Its logs:

** CONFIG_BPF_JIT enabled and/or use --net=host if      **
** running inside a container.                          **
**********************************************************
* BPF probe located, it's now possible to start sysdig
Thu Sep 26 06:37:19 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Thu Sep 26 06:37:19 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Thu Sep 26 06:37:20 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Thu Sep 26 06:37:20 2019: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Thu Sep 26 06:37:20 2019: Starting internal webserver, listening on port 443 (SSL)
Thu Sep 26 06:37:20 2019: Runtime error: Could not create embedded webserver: null context when constructing CivetServer. Possible problem binding to port.. Exiting.

What you expected to happen:

Falco server can start successfully with SSL support.

How to reproduce it (as minimally and precisely as possible):

  1. Following official docs: https://falco.org/docs/installation/ to install Falco in daemonset .
  2. modify falco-config/falco.yaml and open the SSL flag:
webserver:
  enabled: true
  listen_port: 443 
  k8s_audit_endpoint: /k8s-audit
  ssl_enabled: true
  ssl_certificate: /etc/falco/falco.pem

The SSL certificate is generated following the comment:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem $ cat certificate.pem key.pem > falco.pem $ sudo cp falco.pem /etc/falco/falco.pem

After that the daemonset can’t start successfully, but it can start after I set “ssl_enabled: false”.

And the falco.pem is passed to POD via ConfigMap “falco-config”

Anything else we need to know?:

Environment:

  • Falco version (use falco --version): image “falcosecurity/falco:latest”
  • System info <!-- Falco has a built-in support command you can use “falco --support | jq .system_info” -->
  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release): 18.04.1 LTS (Bionic Beaver)
  • Kernel (e.g. uname -a): 4.15.0-51-generic
  • Install tools (e.g. in kubernetes, rpm, deb, from source): Kubernetes
  • Others:

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 31 (19 by maintainers)

Most upvoted comments

Is it possible to get an update on this? It looks like the issue is still present in falcosecurity/falco:0.18.0. This issue prevents operators from running falco in an SSL everywhere type of environment.

Here is what I’m seeing:

2019-12-06T01:32:56+0000: Runtime error: Could not create embedded webserver: null context when constructing CivetServer. Possible problem binding to port.. Exiting.
+2
mac-abdon on Dec 6, 2019

Following up on what @fntlnz suggested, I have tried the following workaround in the Falco daemonset to fix this issue.

    lifecycle:
      postStart:
        exec:
          command:
          - /bin/sh
          - -c
          - ln -s /host/usr/lib64/libcrypto.so.10  /lib/libcrypto.so && ln -s
            /host/usr/lib64/libssl.so.10   /lib/libssl.so

I have only tested this out in the following image: docker.io/falcosecurity/falco:0.18.0. Hope it helps someone.

+1
kevin90n on Aug 15, 2020

The bug still exists for me after I changed the port to 8765

$ kubectl get svc
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
falco-service   ClusterIP   10.68.60.248   <none>        8765/TCP   8m39s

$ kubectl logs -f falco-daemonset-m79qf
* Setting up /usr/src links from host
* Mounting debugfs
Found kernel config at /host/boot/config-4.15.0-65-generic
* Trying to compile BPF probe falco-probe-bpf (falco-probe-bpf-0.18.0-x86_64-4.15.0-65-generic-0f4107e0067519c431f6d4e50493a152.o)
**********************************************************
** BPF doesn't have JIT enabled, performance might be   **
** degraded. Please ensure to run on a kernel with      **
** CONFIG_BPF_JIT enabled and/or use --net=host if      **
** running inside a container.                          **
**********************************************************
* BPF probe located, it's now possible to start sysdig
Tue Dec 31 03:55:44 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Tue Dec 31 03:55:44 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Dec 31 03:55:44 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Dec 31 03:55:44 2019: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Tue Dec 31 03:55:44 2019: Starting internal webserver, listening on port 8765 (SSL)
Tue Dec 31 03:55:44 2019: Runtime error: Could not create embedded webserver: null context when constructing CivetServer. Possible problem binding to port.. Exiting.

$ sudo netstat -lnp | grep 8765
<nothing output>

I’m sure no other process is binding to 8765.

+1
WeiZhang555 on Dec 31, 2019

Working on this branch: https://github.com/falcosecurity/falco/compare/860-fix-civet-ssl

+1
fntlnz on Oct 1, 2019
Read more comments on GitHub
← falco: Runtime error: Socket handler (k8s_pod_handler_state): read more than 30MB of data
falco: [UMBRELLA] Missing syscalls →