Runtime error: error opening device /host/dev/falco0.

[jzeng4]

Describe the bug
Used the official docker images: https://hub.docker.com/r/falcosecurity/falco
Run this images with "privileged" and got the errors:

2022-05-31T21:43:16+0000: Unable to load the driver.
2022-05-31T21:43:16+0000: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco module is loaded.. Exiting.

How to reproduce it

Locally:

• docker pull falcosecurity/falco
• docker run -it --privileged --cap-add sys_admin falcosecurity/falco

And also the same error happened on GKE.

Expected behaviour
It should succeed to run since the privileged mode is provided.

Screenshots

Environment

• Falco version:

falco version=0.31.1, driver version=b7eb0dd65226a8dc254d228c8d950d07bf3521d2

• System info:

• Cloud provider or hardware configuration:
  virtualbox on mac
• OS:

NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

• Kernel:

Linux ubuntu 5.4.0-113-generic #127~18.04.1-Ubuntu SMP Wed May 18 15:40:23 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

• Installation method:

container images:

falcosecurity/falco latest 9481e3be1be1 2 months ago 754MB
Additional context

[jzeng4]

https://falco.org/docs/getting-started/running/

This gives the answer. But I wonder if we can run falco on non-docker environment.

[jasondellaluce]

@jzeng4, would you expand on what were your findings in the documentation? Were you able to solve your issue?

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[poiana]

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

[poiana]

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Jaideep1997]

docker run -it --privileged --cap-add sys_admin falcosecurity/falco
it gives me this error :

• Running dkms build failed, couldn't find /var/lib/dkms/falco/4.0.0+driver/build/make.log (with GCC /usr/bin/gcc)
  install: /usr/lib/gcc/x86_64-linux-gnu/5/
• Trying to dkms install falco module with GCC /usr/bin/gcc-5
  DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
• Running dkms build failed, couldn't find /var/lib/dkms/falco/4.0.0+driver/build/make.log (with GCC /usr/bin/gcc-5)
  install: /usr/lib/gcc/x86_64-linux-gnu/6/
• Trying to dkms install falco module with GCC /usr/bin/gcc-6
  DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
• Running dkms build failed, couldn't find /var/lib/dkms/falco/4.0.0+driver/build/make.log (with GCC /usr/bin/gcc-6)
  install: /usr/lib/gcc/x86_64-linux-gnu/8/
• Trying to dkms install falco module with GCC /usr/bin/gcc-8
  DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
• Running dkms build failed, couldn't find /var/lib/dkms/falco/4.0.0+driver/build/make.log (with GCC /usr/bin/gcc-8)
• Trying to load a system falco module, if present
  Consider compiling your own falco driver and loading it or getting in touch with the Falco community
  2023-04-04T07:37:02+0000: Falco version: 0.34.1 (x86_64)
  2023-04-04T07:37:02+0000: Falco initialized with configuration file: /etc/falco/falco.yaml
  2023-04-04T07:37:02+0000: Loading rules from file /etc/falco/falco_rules.yaml
  2023-04-04T07:37:02+0000: Loading rules from file /etc/falco/falco_rules.local.yaml
  2023-04-04T07:37:02+0000: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
  2023-04-04T07:37:02+0000: Starting health webserver with threadiness 8, listening on port 8765
  2023-04-04T07:37:02+0000: Enabled event sources: syscall
  2023-04-04T07:37:02+0000: Opening capture with Kernel module
  2023-04-04T07:37:02+0000: Trying to inject the Kernel module and opening the capture again...
  2023-04-04T07:37:02+0000: Unable to load the driver
  2023-04-04T07:37:02+0000: An error occurred in an event source, forcing termination...
  Events detected: 0
  Rule counts by severity:
  Triggered rules by rule name:
  Error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco module is loaded: No such file or directory

please help me to solve this

[asher-lab]

Hi All,

Below is my scenario in this case:

Root Cause : Installing falco in a KinD node is not possible

Error Encountered:
Error error opening device /host/dev/falco0. Make sure you have root credentials and that the falco module is loaded: No such file or directory

Background of the issue: I'm trying to install Falco in containerized environment. Using the steps here for debian installation I tried to install it https://falco.org/docs/install-operate/installation/. However, I encountered some issues when starting the falco service due to issue ensuring that the linux-header module is installed inside the node I am currently in. It returns the following errors:

Unable to load the driver
Sat Sep 30 00:49:20 2023: An error occurred in an event source, forcing termination...
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Error: error opening device /dev/falco0. Make sure you have root credentials and that the falco module is loaded: No such file or directory

Additionally, here are the errors encountered when I did performing the command to install the linux-headers

 apt install -y dkms make linux-headers-$(uname -r)
Reading state information... Done
E: Unable to locate package linux-headers-5.15.0-1047-azure
E: Couldn't find any package by glob 'linux-headers-5.15.0-1047-azure'

Impact on the system: Can't run Falco inside the worker node bootstrap using KinD (Kubernetes In Docker)

Solutions and Next steps: : Install Falco on a node that is independent (doesn't have an abstration just like in KinD where it doesn't really have its own Kernel)

 apt install -y dkms make linux-headers-$(uname **-r)
update-alternatives: using /usr/bin/g++ to provide /usr/bin/c++ (c++) in auto mode
Setting up build-essential (12.8ubuntu1.1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.9) ... completed
root@cks:~/kind#

Workaround: N/A as we performed an action step to install falco node via kubeadm and not using KinD.