404 on precompiled moduel

[joshkurz]

I know there are other issues related to this issue. This one helped me the most. #846

I was able to downgrade too 0.17.1 to get it working on the amz2 ami that EKS was running. I just updated the ami to a newer version and this error came back.

Curious if I should just compile the module myself and tell falco where to pull it from. Not 100% if that is an option. Just need a solution that doesn't break with each ami change.

* Setting up /usr/src links from host
* Unloading falco-probe, if present
* Running dkms install for falco
Error! echo
Your kernel headers for kernel 4.14.154-128.181.amzn2.x86_64 cannot be found at
/lib/modules/4.14.154-128.181.amzn2.x86_64/build or /lib/modules/4.14.154-128.181.amzn2.x86_64/source.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/0.17.1/build/make.log
* Trying to load a system falco-probe, if present
* Trying to find precompiled falco-probe for 4.14.154-128.181.amzn2.x86_64
Found kernel config at /host/boot/config-4.14.154-128.181.amzn2.x86_64
* Trying to download precompiled module from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-0.17.1-x86_64-4.14.154-128.181.amzn2.x86_64-2a1b4e38248e08669f1ed37604b3ad74.ko
curl: (22) The requested URL returned error: 404 Not Found
Download failed, consider compiling your own falco-probe and loading it or getting in touch with the sysdig community
Wed Feb 26 22:08:32 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Wed Feb 26 22:08:32 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Wed Feb 26 22:08:32 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Wed Feb 26 22:08:32 2020: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Wed Feb 26 22:08:32 2020: Unable to load the driver. Exiting.
Wed Feb 26 22:08:32 2020: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco-probe module is loaded.. Exiting.

[thecodejunkie]

Also just ran into this

[fntlnz]

Hi @joshkurz thanks for bringing this up! We are aware of this.

We are not publishing the precompiled modules anymore since 0.18.0 because that part of the infrastructure was still on Sysdig infrastructure, while Falco is a CNCF project now.

We have plans to bring this back in a community-owned way using the same mechanisms we are putting in place for artifacts, see #1059

Read more about our plans with driverkit here

[joshkurz]

So is there a suggested workaround?

[jicowan]

@fntlnz I am also running into this issue. Should we download the Kernel Module via HTTPs instead?

[jicowan]

@joshkurz I got it to work by installing falco through the AL2 package manager.

[fntlnz]

The suggestion, for now, is to compile the kernel modules yourself or continue using 0.18.0 until we have finalzied the new plan.
You can find the list of Falco versions for which we have the precompiled module here. https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/index.html

[natalysheinin]

@fntlnz what is the suggestion/work-around for eBPF probes / GKE COS?

[saiharshitachava]

@fntlnz Do we have precomplied modules for SLES 12 at all?

[leodido]

@joshkurz The kernel module not found in the issue corpus is now available at https://dl.bintray.com/falcosecurity/driver/a259b4bf49c3330d9ad6c3eed9eb1a31954259a6/:falco_amazonlinux2_4.14.154-128.181.amzn2.x86_64_1.ko

Using the latest falcosecurity/falco:master, which contains the updated falco-driver-loader, it should download it from the drivers build grid (located here).

[leodido]

@saiharshitachava no we don't build drivers for SLES 12.

Feel free to submit a PR implementing a builder for it, in https://github.com/falcosecurity/driverkit for that.

[leodido]

@natalysheinin we don't provide yet prebuilt drivers for GKE COS but it's in the plan (falcosecurity/driverkit#60, also a good task for a contribution!)

[joshkurz]

@leodido thank you for the response. I see that the module is present at the link you sent, however, when I try to startup falco from master, it still tries to download the wrong DRIVER_VERSION, which causes it to 404.

* Setting up /usr/src links from host
* Unloading falco module, if present
* Running dkms build failed, couldn't find /var/lib/dkms/falco/47374b2b73734d509f3c99890c80be5242021c3d/build/make.log
* Trying to load a system falco driver, if present
* Trying to find a prebuilt falco module for kernel 4.14.171-136.231.amzn2.x86_64
* Trying to download prebuilt module from https://dl.bintray.com/falcosecurity/driver/47374b2b73734d509f3c99890c80be5242021c3d/falco_amazonlinux2_4.14.171-136.231.amzn2.x86_64_1.ko

I am running :master so not sure what other values I need to change to be able to use the DRIVER_VERSION a259b4bf49c3330d9ad6c3eed9eb1a31954259a6, which is where these are published.