Describe the bug
In #922 the legacy SYSDIG_PROBE environment variable was renamed to BPF_PROBE to continue our efforts in removing all the references from the Falco codebase.
However, as of 0.19.0 the environment variable is changed to BPF_PROBE only for the falco-probe-loader while falco itself still picks SYSDIG_PROBE.
How to reproduce it
Start falco 0.19.0 with the BPF_PROBE environment variable and notice it will just use the kernel module.
IMPORTANT: Also, even if we use the SYSDIG_BPF_PROBE variable, it will not be able to find the probe at the default location because it still points to ~/.sysdig and not to ~/.falco, which is where the probe is now created by the falco-probe-loader.
This is what happens; notice the ~/.sysdig path:
SYSDIG_BPF_PROBE="" falco
Tue Feb 18 09:41:18 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Tue Feb 18 09:41:18 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Feb 18 09:41:19 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Feb 18 09:41:19 2020: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Tue Feb 18 09:41:19 2020: Runtime error: can't open BPF probe '/root/.sysdig/falco-probe-bpf.o': Errno 2. Exiting.
Expected behaviour
Falco uses the BPF_PROBE environment variable.
This is what is expected when the probe is not in the filesystem
sudo BPF_PROBE="" ./userspace/falco/falco -r ../rules/falco_rules.yaml
Tue Feb 18 10:32:47 2020: Falco initialized with configuration file /home/fntlnz/Projects/falcosecurity/falco/falco.yaml
Tue Feb 18 10:32:47 2020: Loading rules from file ../rules/falco_rules.yaml:
Tue Feb 18 10:32:48 2020: Unable to load the driver. Exiting.
Tue Feb 18 10:32:48 2020: Runtime error: can't open BPF probe '/root/.falco/falco-probe-bpf.o': Errno 2. Exiting.
Notice how the path is ~/.falco now.
And if the probe is on the filesystem at /root/.falco/falco-probe-bpf.o Falco should just work after loading it by default.
Environment
Falco version:
System info: 0.19.0
Cloud provider or hardware configuration:
OS: Any
Kernel: Any
Installation method: Any
Additional context
This probably needs changes in the helm chart and a revision
Also our Kubernetes deployment scripts are broken because they want you to use BPF_PROBE while it's not usable right now. https://github.com/falcosecurity/falco/blob/fix/probe-environment/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml#L42
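The two failure modes reported in this issue, written as a pre-flight check a deployment can run before starting falco 0.19.0. This is an added example, not code from the Falco project: the function name and verdict words are assumptions, the variable names and default paths are the ones in the commands and logs above, and the logic models only the behaviour the issue reports.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the env-var / default-path mismatch
# reported for falco 0.19.0. Function name and verdict words are hypothetical.

PROBE_FILE="falco-probe-bpf.o"

# Usage: falco_probe_preflight HOME_DIR
# Prints exactly one verdict word:
#   no-bpf         neither variable is set, kernel module is the intended driver
#   kmod-fallback  only BPF_PROBE is set; falco 0.19.0 ignores it and silently
#                  uses the kernel module instead of the eBPF probe
#   path-mismatch  SYSDIG_BPF_PROBE is empty, so falco looks in ~/.sysdig, but
#                  the probe exists only in ~/.falco (where the loader puts it)
#   probe-missing  the path falco would open does not exist anywhere expected
#   ok             falco 0.19.0 would find the probe
falco_probe_preflight() {
    local home_dir="$1"
    local legacy_default="$home_dir/.sysdig/$PROBE_FILE"   # path falco opens
    local loader_default="$home_dir/.falco/$PROBE_FILE"    # path loader writes
    local path

    # ${VAR+set} is non-empty when VAR is set, even to the empty string,
    # which is how the commands in the issue select the default location.
    if [ -z "${SYSDIG_BPF_PROBE+set}" ]; then
        if [ -n "${BPF_PROBE+set}" ]; then
            echo kmod-fallback
        else
            echo no-bpf
        fi
        return 0
    fi

    path="${SYSDIG_BPF_PROBE:-$legacy_default}"
    if [ -e "$path" ]; then
        echo ok
    elif [ -z "$SYSDIG_BPF_PROBE" ] && [ -e "$loader_default" ]; then
        echo path-mismatch
    else
        echo probe-missing
    fi
}

# Report the verdict for the current environment when run directly.
falco_probe_preflight "${HOME:-/root}"
```

A `kmod-fallback` or `path-mismatch` verdict means the host is not running the driver the deployment manifest asked for, which is worth alerting on rather than discovering from the startup log.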