GCP install no systemd unit file #1628

Closed
rayanebel opened this issue Apr 22, 2021 · 4 comments
@rayanebel

Hi everyone,

I'm trying to install Falco 0.28 in a kubeadm cluster running on GCP VMs. I followed the install instructions in the documentation to install Falco directly on the system and not in the Kubernetes cluster. The installation works, but I can't start Falco because there is no systemd unit file, and if I'm not mistaken, according to the release notes, I should have a systemd unit file created in the deb package.

$ apt-get install -y falco

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  dkms
Suggested packages:
  menu
The following NEW packages will be installed:
  dkms falco
0 upgraded, 2 newly installed, 0 to remove and 30 not upgraded.
Need to get 0 B/5533 kB of archives.
After this operation, 15.4 MB of additional disk space will be used.
Selecting previously unselected package dkms.
(Reading database ... 142707 files and directories currently installed.)
Preparing to unpack .../dkms_2.3-3ubuntu9.7_all.deb ...
Unpacking dkms (2.3-3ubuntu9.7) ...
Selecting previously unselected package falco.
Preparing to unpack .../falco_0.28.0_amd64.deb ...
Unpacking falco (0.28.0) ...
Setting up dkms (2.3-3ubuntu9.7) ...
Setting up falco (0.28.0) ...
Loading new falco-5c0b863ddade7a45568c0ac97d037422c9efb750 DKMS files...
Building for 5.4.0-1042-gcp
Building initial module for 5.4.0-1042-gcp
Secure Boot not enabled on this system.
Done.
falco:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/5.4.0-1042-gcp/updates/dkms/
depmod....
DKMS: install completed.

$ systemctl status falco

Unit falco.service could not be found.

How to reproduce it

Environment

  • Falco version:
Falco version: 0.28.0
Driver version: 5c0b863ddade7a45568c0ac97d037422c9efb750
  • System info:
  • Cloud provider : GCP
  • OS:
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
  • Kernel:
    Linux cks-master 5.4.0-1042-gcp #45~18.04.1-Ubuntu SMP Tue Apr 13 18:51:16 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

  • Installation method:
    DEB

@leogr
Member

leogr commented Apr 22, 2021

This is probably related to #1448 (that's part of the 0.28.0 release).
@jenting any idea?

@leogr
Member

leogr commented Apr 22, 2021

Update

I have tried to reproduce the issue and I might have found the mistake. Have you run systemctl enable falco?

For me the status was available after I enabled the systemd unit, see my log 👇

$ systemctl status falco
Unit falco.service could not be found.

$ systemctl enable falco
Created symlink /etc/systemd/system/multi-user.target.wants/falco.service → /usr/lib/systemd/system/falco.service.

$ systemctl status falco
● falco.service - Falco: Container Native Runtime Security
   Loaded: loaded (/usr/lib/systemd/system/falco.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: https://falco.org/docs/

Also, as expected, Falco ran once I started the service:

$ systemctl start falco

$ systemctl status falco
● falco.service - Falco: Container Native Runtime Security
   Loaded: loaded (/usr/lib/systemd/system/falco.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2021-04-22 10:22:49 UTC; 26s ago
     Docs: https://falco.org/docs/
  Process: 10280 ExecStartPre=/sbin/modprobe falco (code=exited, status=0/SUCCESS)
 Main PID: 10292 (falco)
    Tasks: 5 (limit: 4915)
   CGroup: /system.slice/falco.service
           └─10292 /usr/bin/falco --pidfile=/var/run/falco.pid
Apr 22 10:22:49 falco-0-28-test-systemd falco[10292]: Thu Apr 22 10:22:49 2021: Falco version 0.28.0 (driver version 5c0b863ddade7a45568c0ac97d037422c9efb750)
Apr 22 10:22:49 falco-0-28-test-systemd falco[10292]: Thu Apr 22 10:22:49 2021: Falco initialized with configuration file /etc/falco/falco.yaml
Apr 22 10:22:49 falco-0-28-test-systemd falco[10292]: Thu Apr 22 10:22:49 2021: Loading rules from file /etc/falco/falco_rules.yaml:
Apr 22 10:22:49 falco-0-28-test-systemd falco[10292]: Loading rules from file /etc/falco/falco_rules.yaml:
Apr 22 10:22:50 falco-0-28-test-systemd falco[10292]: Loading rules from file /etc/falco/falco_rules.local.yaml:
Apr 22 10:22:50 falco-0-28-test-systemd falco[10292]: Thu Apr 22 10:22:50 2021: Loading rules from file /etc/falco/falco_rules.local.yaml:
Apr 22 10:22:50 falco-0-28-test-systemd falco[10292]: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Apr 22 10:22:50 falco-0-28-test-systemd falco[10292]: Thu Apr 22 10:22:50 2021: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Apr 22 10:22:50 falco-0-28-test-systemd falco[10292]: Starting internal webserver, listening on port 8765
Apr 22 10:22:50 falco-0-28-test-systemd falco[10292]: Thu Apr 22 10:22:50 2021: Starting internal webserver, listening on port 8765

@rayanebel Can you confirm that works for you too?
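
The three states in the log above (unit not found, enabled but inactive, running) can be told apart by script, so a sensor that was installed by package but never enabled or started does not go unnoticed. This is an added example, not part of the original thread or of Falco's own tooling; the verdict names and sample inputs are constructed, and it assumes `systemctl show` with the `LoadState`, `UnitFileState` and `ActiveState` properties.

```shell
# Added example, not Falco project code; verdict names are made up here.
# classify_unit: read KEY=VALUE lines on stdin, print a single verdict.
classify_unit() {
    load="" file="" active=""
    while IFS='=' read -r key value; do
        case "$key" in
            LoadState)     load=$value ;;
            UnitFileState) file=$value ;;
            ActiveState)   active=$value ;;
        esac
    done
    if [ "$load" != "loaded" ]; then
        echo "unit-not-loaded"        # "Unit falco.service could not be found."
    elif [ "$active" = "active" ] && [ "$file" = "enabled" ]; then
        echo "running"                # started now and enabled for the next boot
    elif [ "$active" = "active" ]; then
        echo "running-not-enabled"    # will not come back after a reboot
    elif [ "$file" = "enabled" ]; then
        echo "enabled-not-running"    # "enabled" plus "inactive (dead)"
    else
        echo "not-enabled"            # package installed, nothing turned on
    fi
}

# check_falco: query the live host; succeeds only for the "running" verdict.
check_falco() {
    verdict=$(systemctl show falco.service -p LoadState,UnitFileState,ActiveState | classify_unit)
    echo "falco.service: $verdict"
    [ "$verdict" = "running" ]
}

# Constructed samples (not captured output) for the states seen in the thread.
SAMPLE_NOT_FOUND='LoadState=not-found
ActiveState=inactive
UnitFileState='
SAMPLE_ENABLED_DEAD='LoadState=loaded
ActiveState=inactive
UnitFileState=enabled'
SAMPLE_RUNNING='LoadState=loaded
ActiveState=active
UnitFileState=enabled'

if [ "${1:-}" = "--live" ]; then
    check_falco
else
    for s in "$SAMPLE_NOT_FOUND" "$SAMPLE_ENABLED_DEAD" "$SAMPLE_RUNNING"; do
        printf '%s\n' "$s" | classify_unit
    done
fi
```

Run with `--live` on a host to query the real unit; without arguments it only classifies the constructed samples.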

@rayanebel
Author

Hello @leogr
I can confirm that is working for me as well :)
Thanks.

@leogr
Member

leogr commented Apr 26, 2021

Great!

So I'm closing this issue since I think that's the wanted behavior. In case you feel like we are missing something in the Falco documentation, feel free to propose any improvement to https://github.com/falcosecurity/falco-website

Thanks

@leogr leogr closed this as completed Apr 26, 2021