unable to download precompiled module from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-0.18.0-x86_64-4.14.138%2B-3ed0774cb82bc5c7 f3b6f5190c3b82ef.ko

[Guru-Prasad96]

What happened:
Tried to install falco in GKE.
the falco pod went into CrashLoopBackOff status with the following error:

Setting up /usr/src links from host

• Unloading falco-probe, if present
• Running dkms install for falco
  Error! echo
  Your kernel headers for kernel 4.14.138+ cannot be found at
  /lib/modules/4.14.138+/build or /lib/modules/4.14.138+/source.
• Running dkms build failed, couldn't find /var/lib/dkms/falco/0.18.0/build/make.log
• Trying to load a system falco-probe, if present
• Trying to find precompiled falco-probe for 4.14.138+
  Found kernel config at /proc/config.gz
• Trying to download precompiled module from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-0.18.0-x86_64-4.14.138%2B-3ed0774cb82bc5c7
  f3b6f5190c3b82ef.ko
  curl: (22) The requested URL returned error: 404 Not Found
  Download failed, consider compiling your own falco-probe and loading it or getting in touch with the sysdig community
  Wed Jan 22 11:32:10 2020: Falco initialized with configuration file /etc/falco/falco.yaml
  Wed Jan 22 11:32:10 2020: Loading rules from file /etc/falco/falco_rules.yaml:
  Wed Jan 22 11:32:11 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
  Wed Jan 22 11:32:11 2020: Unable to load the driver. Exiting.
  Wed Jan 22 11:32:11 2020: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco-probe module is loaded.. Exiting.

What you expected to happen:
Expected pre-compiled falco probe to loaded

How to reproduce it (as minimally and precisely as possible):
To instal falco in GKE run the below command
helm install --name falco stable/falco

Anything else we need to know?:

• Falco version : 0.18.0

• OS : linux

Others:
Found a similar issue for falco version 0.17.0 (issue#846)

[dodilp]

I'm also running into this issue.

[dodilp]

Can someone from the falco-security team please help? ^^@mfdii

[mfdii]

You need to pass the option to the helm chart to enable ebpf as the kernel module is not supported on COS based GKE clusters.

ebpf.enabled=true

[omissis]

Hi, I see this happening on minikube v1.7.1 (k8s v1.17.2) using the xhyve driver on MacOS 10.14. I am installing via helm chart (1.1.1). I tried specifying the image tag, using 0.19.0 first and 0.18.0 later and both can't seem to download the precompiled module.

v0.19.0

* Setting up /usr/src links from host
* Unloading falco-probe, if present
* Running dkms install for falco
Creating symlink /var/lib/dkms/falco/0.19.0/source ->
                 /usr/src/falco-0.19.0
DKMS: add completed.
Error! echo
Your kernel headers for kernel 4.19.88 cannot be found at
/lib/modules/4.19.88/build or /lib/modules/4.19.88/source.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/0.19.0/build/make.log
* Trying to load a system falco-probe, if present
* Trying to find precompiled falco-probe for 4.19.88
Found kernel config at /proc/config.gz
* Trying to download precompiled module from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-0.19.0-x86_64-4.19.88-a8e0cc6eff426c01060d2acd65278ed4.ko
curl: (22) The requested URL returned error: 404 Not Found
Download failed, consider compiling your own falco-probe and loading it or getting in touch with the Falco community
Fri Feb  7 08:26:41 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Fri Feb  7 08:26:41 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri Feb  7 08:26:42 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri Feb  7 08:26:43 2020: Unable to load the driver. Exiting.
Fri Feb  7 08:26:43 2020: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco-probe module is loaded.. Exiting.

v0.18.0

* Setting up /usr/src links from host
* Unloading falco-probe, if present
* Running dkms install for falco
Error! echo
Your kernel headers for kernel 4.19.88 cannot be found at
/lib/modules/4.19.88/build or /lib/modules/4.19.88/source.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/0.18.0/build/make.log
* Trying to load a system falco-probe, if present
* Trying to find precompiled falco-probe for 4.19.88
Found kernel config at /proc/config.gz
* Trying to download precompiled module from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-0.18.0-x86_64-4.19.88-a8e0cc6eff426c01060d2acd65278ed4.ko
curl: (22) The requested URL returned error: 404 Not Found
Download failed, consider compiling your own falco-probe and loading it or getting in touch with the sysdig community
Fri Feb  7 08:23:20 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Fri Feb  7 08:23:20 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri Feb  7 08:23:21 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri Feb  7 08:23:22 2020: Unable to load the driver. Exiting.
Fri Feb  7 08:23:22 2020: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco-probe module is loaded.. Exiting.

I also noted that the files at https://s3.amazonaws.com/download.draios.com don't include any of the probe files.

[omissis]

Update for whoever is having the same problem in the future: it turned out that probes aren't compiled anymore starting with 0.19.0, as the organisation is migrating to a new infrastructure. Once that'll be done builds will be a thing again but until then the module needs to be built from scratch.
I experienced the same problem on 0.18.0 as my k8s' kernel version did not have a corresponding compiled version as well. To see what pre-built probes are available, have a look here: https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/index.html

[afbjorklund]

The plan is to provide a system kernel module for falco 0.19.0, with the release of minikube 1.8.0

KERNEL_VERSION=4.19.94

/lib/modules/${KERNEL_VERSION}/extra/falco-probe.ko

Workaround before that happens, is to pin the versions to the last sysdig build: 0.17.1 on 1.4.0 :

https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-0.17.1-x86_64-4.15.0-fd2ad9abe1fbd214ccda2a8c7e1b89e3.ko

https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-0.17.1-x86_64-4.15.0-fd2ad9abe1fbd214ccda2a8c7e1b89e3.ko

[terenceli]

I meet this issue too. Hope the Falco team can provide the docs for compile the kernel module for minikube VM.

[omissis]

I took the time to put together a dev environment that should help setting up a few flavours of kubernetes locally where to run falco with ease: https://github.com/omissis/falco-kubernetes, I hope that can help

[afbjorklund]

The 0.19.0 module has been added (to minikube), will upgrade to 0.20.0 before the release.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[fntlnz]

@Guru-Prasad96 - we finally have the new mechanism for pre-built kernel modules and BPF probes in place. However, from your issue here you reported linux as os, being Falco a software that runs on OSes built on the Linux kernel, we expect Debian or CentOS or Ubuntu or any distro as response to OS here.

I'm closing this because of the new context here and also because this went a bit off-topic, but feel free to open a new issue in case you need.

New home for pre-built drivers:
https://dl.bintray.com/falcosecurity/driver/