Falco (0.21.0) does not run on Bottlerocket (Kernel 5.4.16)

[zmarouf]

Describe the bug

Falco fails to launch on new AWS Bottlerocket instances (used by EKS for example)
The precompiled module for Kernel 5.4.16 doesn't exist

• Trying to download precompiled module from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-0.18.0-x86_64-5.4.16-e588f41ee461ca8ac014433f99d6813b.ko
  curl: (22) The requested URL returned error: 404 Not Found

How to reproduce it

Create a an instance using the Bottlerocket AMI.
I created an EKS nodegroup with the following flags --node-ami-family BottleRocket --node-ami auto-ssm

Expected behaviour

Falco is able to run on Bottlerocket.

Screenshots

Environment

• Falco version: 0.21.0
• System info:

{
  "machine": "x86_64",
  "nodename": "falco-daemonset-6l4j4",
  "release": "5.4.16",
  "sysname": "Linux",
  "version": "#1 SMP Sat Mar 7 00:28:11 UTC 2020"
}

• Cloud provider or hardware configuration: AWS EC2 (via EKS)
• OS: (after running sheltie from the admin container)

NAME=Bottlerocket
ID=bottlerocket
PRETTY_NAME="Bottlerocket OS 0.3.1"
VARIANT_ID=aws-k8s-1.15
VERSION_ID=0.3.1
BUILD_ID=8a0c0b3

• Kernel: 5.4.16
• Installation method: Kubernetes (EKS)
  Additional context
  I'm about to try compiling the kernel module myself but it's my first time doing this – so I wanted to create an issue just in case.

[zmarouf]

FYI I tried with 0.18.0 and I know you stopped compiling probes for now so I'm trying to use https://github.com/falcosecurity/driverkit

[zmarouf]

• Asking for advice here -> Falco support bottlerocket-os/bottlerocket#862
• The approach used in Support linuxkit driverkit#22 might be of help

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.