
BPF_PROBE environment variable is not consistent #1049

Closed
fntlnz opened this issue Feb 18, 2020 · 0 comments · Fixed by #1050
fntlnz commented Feb 18, 2020

Describe the bug

In #922 the legacy SYSDIG_PROBE environment variable was renamed to BPF_PROBE to continue our efforts in removing all the references from the Falco codebase.

However, as of 0.19.0 the environment variable is changed to BPF_PROBE only for the falco-probe-loader while falco itself still picks SYSDIG_PROBE.

Also our kubernetes deployment scripts are broken because they want you to use BPF_PROBE while it's not usable right now. https://github.com/falcosecurity/falco/blob/fix/probe-environment/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml#L42

How to reproduce it

Start falco 0.19.0 with the BPF_PROBE environment variable and notice it will just use the kernel module.

IMPORTANT: Also, even if we use the SYSDIG_BPF_PROBE variable, it will not be able to find the probe at the default location, because it still points to ~/.sysdig and not to ~/.falco, which is where the probe is now created by the falco-probe-loader.

This is what happens; notice the ~/.sysdig path:

SYSDIG_BPF_PROBE="" falco
Tue Feb 18 09:41:18 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Tue Feb 18 09:41:18 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Feb 18 09:41:19 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Feb 18 09:41:19 2020: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Tue Feb 18 09:41:19 2020: Runtime error: can't open BPF probe '/root/.sysdig/falco-probe-bpf.o': Errno 2. Exiting.

Expected behaviour

Falco uses the BPF_PROBE environment variable.

This is what is expected when the probe is not in the filesystem:

sudo BPF_PROBE="" ./userspace/falco/falco -r ../rules/falco_rules.yaml
Tue Feb 18 10:32:47 2020: Falco initialized with configuration file /home/fntlnz/Projects/falcosecurity/falco/falco.yaml
Tue Feb 18 10:32:47 2020: Loading rules from file ../rules/falco_rules.yaml:
Tue Feb 18 10:32:48 2020: Unable to load the driver. Exiting.
Tue Feb 18 10:32:48 2020: Runtime error: can't open BPF probe '/root/.falco/falco-probe-bpf.o': Errno 2. Exiting.

Notice how the path is ~/.falco now.

And if the probe is on the filesystem at /root/.falco/falco-probe-bpf.o Falco should just work after loading it by default.

Screenshots

Environment

  • Falco version:
  • System info: 0.19.0
  • Cloud provider or hardware configuration:
  • OS: Any
  • Kernel: Any
  • Installation method: Any

Additional context
This probably needs changes in the helm chart and a revision
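
The following is an added preflight script, not code from Falco or from this issue, that models the probe resolution the report expects so a deployment can check its BPF_PROBE / home-directory combination before starting falco. Its assumptions are those implied by the issue: a set-but-empty BPF_PROBE means "use the default object path", a non-empty value is an explicit path to the .o file, an unset variable means the kernel module is used, and the default location is ~/.falco/falco-probe-bpf.o. The function names (resolve_bpf_probe, check_bpf_probe) are this example's own.

```shell
#!/bin/sh
# Added example, not Falco's own code. Assumed semantics (from the issue):
#   BPF_PROBE unset        -> falco loads the kernel module
#   BPF_PROBE set, empty   -> falco looks for the default BPF object under ~/.falco
#   BPF_PROBE set, nonempty-> falco opens exactly that path
DEFAULT_PROBE_NAME="falco-probe-bpf.o"

# Prints the resolved driver: "module" or the path of the BPF object.
# Reads BPF_PROBE and HOME from the environment.
resolve_bpf_probe() {
    if [ -z "${BPF_PROBE+set}" ]; then
        # Variable not present at all: kernel module.
        echo "module"
    elif [ -z "$BPF_PROBE" ]; then
        # Present but empty: default location, ~/.falco rather than legacy ~/.sysdig.
        echo "$HOME/.falco/$DEFAULT_PROBE_NAME"
    else
        echo "$BPF_PROBE"
    fi
}

# Returns 0 when the resolved driver is usable, 1 otherwise, with a reason.
# A missing object mirrors the "can't open BPF probe ... Errno 2" exit in the issue.
check_bpf_probe() {
    driver=$(resolve_bpf_probe)
    if [ "$driver" = "module" ]; then
        echo "BPF_PROBE is unset: falco will use the kernel module"
        return 0
    fi
    if [ -r "$driver" ]; then
        echo "BPF probe found at $driver"
        return 0
    fi
    echo "BPF probe not found at $driver (falco would exit with Errno 2)"
    # Surface the rename inconsistency described in the issue: the legacy
    # variable being set alongside BPF_PROBE usually means a half-migrated setup.
    if [ -n "${SYSDIG_BPF_PROBE+set}" ]; then
        echo "note: SYSDIG_BPF_PROBE is also set; falco 0.19.0 honours that name, not BPF_PROBE"
    fi
    return 1
}

# Usage: source this file, then run
#   BPF_PROBE="" check_bpf_probe
# before starting falco; a non-zero exit means the probe would not load.
```

Because the check reads the same two variables falco does (BPF_PROBE and HOME), running it under the same user and environment as the daemon, for instance as a container entrypoint step, reproduces the path falco would try without starting the engine.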
