falcoctl-artifact-follow.service crashes after RPM based install

[simonc6372]

Hi,
Installing falco via RPM on a brand new install ends up with falcoctl-artifact-follow.service repeatedly failing with the error

falcoctl-artifact-follow.service: Failed to set up mount namespacing: /run/systemd/unit-root/usr/share/falco: No such file or directory
(falcoctl)[5475]: falcoctl-artifact-follow.service: Failed at step NAMESPACE spawning /usr/bin/falcoctl: No such file or directory

This is based on an OpenSUSE Tumbleweed installation,

Creating the empty directory /usr/share/falco fixes the problem.

This empty directory should be included in the RPM package.

The systemd service file /usr/lib/systemd/system/falcoctl-artifact-follow.service expects to have read-write access to /usr/share/falco, however that directory is not part of the RPM based install, and is not created as a post installs script, so the service repeatedly fails.

• Install the RPM installation on a brand new openSUSE system (probably the same for any RPM based distro)
• start falco services
• monitor logs via systemctl -lf and observe

Feb 20 14:10:30 cat.snc.me.uk systemd[1]: Started Falcoctl Artifact Follow: automatic artifacts update service.
Feb 20 14:10:30 cat.snc.me.uk (falcoctl)[5441]: falcoctl-artifact-follow.service: Failed to set up mount namespacing: /run/systemd/unit-root/usr/share/falco: No such file or directory
Feb 20 14:10:30 cat.snc.me.uk (falcoctl)[5441]: falcoctl-artifact-follow.service: Failed at step NAMESPACE spawning /usr/bin/falcoctl: No such file or directory
Feb 20 14:10:30 cat.snc.me.uk systemd[1]: falcoctl-artifact-follow.service: Main process exited, code=exited, status=226/NAMESPACE
Feb 20 14:10:30 cat.snc.me.uk systemd[1]: falcoctl-artifact-follow.service: Failed with result 'exit-code'.

Expected behaviour
service to keep running.

Environment

• Falco version:

Tue Feb 20 14:13:24 2024: Falco version: 0.37.1 (x86_64)

# rpm -qa |grep falco
falco-0.37.1-1.x86_64

• System info:

{
  "machine": "x86_64",
  "nodename": "worker1.mydomain",
  "release": "6.7.4-1-default",
  "sysname": "Linux",
  "version": "#1 SMP PREEMPT_DYNAMIC Tue Feb  6 05:32:37 UTC 2024 (01735a3)"
}

• Cloud provider or hardware configuration:
  n/a

• OS:

# cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20240216"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20240216"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
# CPE 2.3 format, boo#1217921
CPE_NAME="cpe:2.3:o:opensuse:tumbleweed:20240216:*:*:*:*:*:*:*"
#CPE 2.2 format
#CPE_NAME="cpe:/o:opensuse:tumbleweed:20240216"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"

• Kernel:

> uname -a
Linux worker1.snc.me.uk 6.7.4-1-default #1 SMP PREEMPT_DYNAMIC Tue Feb  6 05:32:37 UTC 2024 (01735a3) x86_64 x86_64 x86_64 GNU/Linux

• Installation method:
  RPM based install

Additional context

[FedeDP]

Hi! Thanks for opening this issue and also for tracking down the root cause.
This is because in 0.37.0 Falco dropped bundled plugins (ie: plugins shipped within the deb/rpm/tar.gz packages), therefore we don't have /usr/share/falco created by default anymore.
cc @alacuku should we let Falcoctl create the folder for us, if it is non-existent? Or should Falco create the folder empty?

EDIT: see https://github.com/falcosecurity/falco/blob/master/scripts/systemd/falcoctl-artifact-follow.service#L17.

[FedeDP]

/assign

[simonc6372]

The directory has to be there for systemd to start the binary.
It should probably be packaged as an empty dir in the RPM package, or created by the RPM post-install script.

[FedeDP]

Opened the fixing PR! Thank you very much!
/milestone 0.38.0