[Feature] compile driver for Digitalocean k8s and provide it to download.falco.org #114

Closed
rzemykers opened this issue Apr 3, 2023 · 22 comments

Comments

@rzemykers

rzemykers commented Apr 3, 2023

Motivation

At this moment I can't install falco in k8s on Digitalocean because there is no driver for the kernel version on download.falco.org

Feature

Please provide the module falco_debian_5.18.0-0.deb11.4-amd64_1 on download.falco.org

Alternatives

There are no alternatives, because in k8s as a service you can't install linux-headers

Additional context

```
* Filename 'falco_debian_5.18.0-0.deb11.4-amd64_1.ko' is composed of:
 - driver name: falco
 - target identifier: debian
 - kernel release: 5.18.0-0.deb11.4-amd64
 - kernel version: 1
* Trying to download a prebuilt falco module from https://download.falco.org/driver/4.0.0%2Bdriver/x86_64/falco_debian_5.18.0-0.deb11.4-amd64_1.ko
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco module
```
@rzemykers rzemykers changed the title [Feature] compile driver for Digitalocean and provide it to download.falco.org [Feature] compile driver for Digitalocean k8s and provide it to download.falco.org Apr 3, 2023
@Andreagit97
Member

Hey @rzemykers, have you tried to use the modern bpf probe as a driver? This should work out of the box. Supposing you are using the helm chart as the installation method, you can use the following config: https://github.com/falcosecurity/charts/blob/master/falco/README.md#daemonset

```yaml
driver:
  enabled: true
  kind: modern-bpf
```

@rzemykers
Author

yay! it works! @Andreagit97 thank you!
Maybe modern-bpf should be the default driver?

@Andreagit97
Member

The only issue with having it as a default driver is that it requires some recent bpf features like (ring-buffer, BTF, ...) that are available only on recent kernels (usually 5.8 is enough). In your case, you have a 5.18.0-0.deb11.4-amd64_1 so no issue at all, in other cases we could face some issues :/
BTW in the near future, we can think of making it the default driver and falling back to something else if the kernel is not recent enough :)

@FedeDP
Collaborator

FedeDP commented Apr 3, 2023

Btw this is interesting because kernel crawler does indeed crawl debian kernels: https://falcosecurity.github.io/kernel-crawler/?arch=x86_64&target=Debian

We might miss some mirrors perhaps.
I'd move this issue to the kernel crawler repo if you agree, for further investigation!

@rzemykers
Author

rzemykers commented Apr 3, 2023

@FedeDP In my private k8s cluster I also had a problem with kind: module, but I solved it by installing linux headers

```
* Filename 'falco_debian_5.10.0-21-amd64_1.ko' is composed of:
 - driver name: falco
 - target identifier: debian
 - kernel release: 5.10.0-21-amd64
 - kernel version: 1
* Trying to download a prebuilt falco module from https://download.falco.org/driver/4.0.0%2Bdriver/x86_64/falco_debian_5.10.0-21-amd64_1.ko
curl: (22) The requested URL returned error: 404

root@node5:~# uname -a
Linux node5 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
```

@rzemykers
Author

> I'd move this issue to the kernel crawler repo if you agree, for further investigation!

Yes, I agree.

@FedeDP FedeDP transferred this issue from falcosecurity/libs Apr 3, 2023
@FedeDP
Collaborator

FedeDP commented Apr 3, 2023

Moved :)

@FedeDP
Collaborator

FedeDP commented Apr 4, 2023

@EXONER4TED , this might interest you!

@EXONER4TED
Contributor

Looking into this... maybe this is interesting. Here's me crawling Debian and grep'ing for that kernelrelease pasted above:

    {
      "kernelversion": 1,
      "kernelrelease": "5.18.16-1~bpo11+1-amd64",
      "target": "debian",
      "headers": [
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-headers-5.18.0-0.deb11.4-rt-amd64_5.18.16-1~bpo11+1_amd64.deb",
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-headers-5.18.0-0.deb11.4-common-rt_5.18.16-1~bpo11+1_all.deb",
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-headers-5.18.0-0.deb11.4-common_5.18.16-1~bpo11+1_all.deb",
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-kbuild-5.18_5.18.16-1~bpo11+1_amd64.deb",
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-headers-5.18.0-0.deb11.4-cloud-amd64_5.18.16-1~bpo11+1_amd64.deb",
        "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/linux-headers-5.18.0-0.deb11.4-amd64_5.18.16-1~bpo11+1_amd64.deb"
      ]
    },

I can get 5.18.16-1~bpo11+1-amd64 and not 5.18.0-0.deb11.4-amd64 - BUT the mirrors nearly all have 5.18.0-0.deb11.4 as part of the linux-headers package...

Also, looking at 5.10.0-21-amd64, I can't find that in the crawler, but CAN find that in mirror urls of a different kernel release...

    {
      "kernelversion": 1,
      "kernelrelease": "5.10.162-1-amd64",
      "target": "debian",
      "headers": [
        "http://security.debian.org/pool/updates/main/l/linux/linux-headers-5.10.0-21-cloud-amd64_5.10.162-1_amd64.deb",
        "http://security.debian.org/pool/updates/main/l/linux/linux-headers-5.10.0-21-common-rt_5.10.162-1_all.deb",
        "http://security.debian.org/pool/updates/main/l/linux/linux-headers-5.10.0-21-rt-amd64_5.10.162-1_amd64.deb",
        "http://security.debian.org/pool/updates/main/l/linux/linux-kbuild-5.10_5.10.162-1_amd64.deb",
        "http://security.debian.org/pool/updates/main/l/linux/linux-headers-5.10.0-21-common_5.10.162-1_all.deb",
        "http://security.debian.org/pool/updates/main/l/linux/linux-headers-5.10.0-21-amd64_5.10.162-1_amd64.deb"
      ]
    },

So either the crawler has a bug where it's misreporting or grouping these kernel headers... OR, debian just treats these a bit differently.

@rzemykers - I'm curious, can you try this download of a kernel module for your 5.10.0-21-amd64 node? 5.10.162-1-amd64

I would expect this to not work, but am curious if it loads correctly...
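
The mismatch described in this comment can be worked through from the crawler output itself. The following is an added example, not code from kernel-crawler or falco-driver-loader: it assumes the Debian header package filename layout `linux-headers-<uname -r>_<package version>_<arch>.deb` visible in the URLs above, and the function names are hypothetical. It indexes the crawler entries by the `uname -r` string embedded in the header package name, then builds the driver filename using the composition printed in the loader log (driver name, target, kernel release, kernel version).

```python
import re

# Constructed sample: the two crawler entries quoted in this thread, header lists abridged.
DEB = "http://mirrors.edge.kernel.org/debian/pool/main/l/linux/"
SEC = "http://security.debian.org/pool/updates/main/l/linux/"
ENTRIES = [
    {"kernelversion": 1, "kernelrelease": "5.18.16-1~bpo11+1-amd64", "target": "debian",
     "headers": [
         DEB + "linux-headers-5.18.0-0.deb11.4-common_5.18.16-1~bpo11+1_all.deb",
         DEB + "linux-kbuild-5.18_5.18.16-1~bpo11+1_amd64.deb",
         DEB + "linux-headers-5.18.0-0.deb11.4-amd64_5.18.16-1~bpo11+1_amd64.deb",
     ]},
    {"kernelversion": 1, "kernelrelease": "5.10.162-1-amd64", "target": "debian",
     "headers": [
         SEC + "linux-headers-5.10.0-21-common_5.10.162-1_all.deb",
         SEC + "linux-kbuild-5.10_5.10.162-1_amd64.deb",
         SEC + "linux-headers-5.10.0-21-amd64_5.10.162-1_amd64.deb",
     ]},
]

# Assumed layout: linux-headers-<uname -r>_<package version>_<arch>.deb
HEADER_PKG = re.compile(
    r"^linux-headers-(?P<release>[^_]+)_(?P<pkgver>[^_]+)_(?P<arch>[^_.]+)\.deb$")

def index_by_uname_release(entries):
    """Map the `uname -r` string in each header package name to its crawler entry."""
    index = {}
    for entry in entries:
        for url in entry["headers"]:
            m = HEADER_PKG.match(url.rsplit("/", 1)[-1])
            # "-common" packages are arch "all" and linux-kbuild does not match:
            # neither names a kernel that a node could be running.
            if m and m["arch"] != "all":
                index[m["release"]] = entry
    return index

def driver_filename(entry, name="falco"):
    """Compose <driver name>_<target>_<kernel release>_<kernel version>.ko."""
    return f'{name}_{entry["target"]}_{entry["kernelrelease"]}_{entry["kernelversion"]}.ko'

def resolve(uname_r, entries=ENTRIES):
    """Return the driver filename the crawler data implies for a node's `uname -r`."""
    entry = index_by_uname_release(entries).get(uname_r)
    return driver_filename(entry) if entry else None

if __name__ == "__main__":
    for r in ("5.18.0-0.deb11.4-amd64", "5.10.0-21-amd64", "5.18.16-1~bpo11+1-amd64"):
        print(r, "->", resolve(r))
```

The last lookup returns `None`: the crawler's `kernelrelease` value is not a string any node reports from `uname -r`, which is why a filename built from `uname -r` alone gets a 404.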

@FedeDP
Collaborator

FedeDP commented Apr 5, 2023

Yep; I tried to play a bit with this; at first I thought we were just missing some mirrors; but then I quickly realized I cannot find 5.18.0-0.deb11.4-amd64 anywhere; I was thinking we might miss fetching from backports mirrors (and indeed we are), but adding it didn't make any change.

@FedeDP
Collaborator

FedeDP commented Apr 13, 2023

A user asked to add a driverkit config for a similar kernel, that we are not able to find: falcosecurity/test-infra#1097

@FedeDP
Collaborator

FedeDP commented Apr 13, 2023

@rzemykers I think you might be hit by falcosecurity/falco#2374.
Can you share uname -a output?

@rao-hassan-1

```
root@cde-qd2mj:/sys/kernel# uname -a
Linux cde-qd2mj 5.10.0-0.deb10.17-amd64 #1 SMP Debian 5.10.136-1~deb10u3 (2022-09-06) x86_64 GNU/Linux
```

@FedeDP
Collaborator

FedeDP commented Apr 13, 2023

Yep, confirm! You are being affected by the aforementioned bug.

@FedeDP
Collaborator

FedeDP commented Apr 13, 2023

Oh I still want to wait for @rzemykers too :)

@rzemykers
Author

@FedeDP
on digitalocean:

```
Linux frontend-7tbpx 5.18.0-0.deb11.4-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.16-1~bpo11+1 (2022-08-12) x86_64 GNU/Linux
```

on k8s in homelab:

```
Linux nginx-hostname-77469bc69d-qsx87 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
```

uname -a was executed in pods

@FedeDP
Collaborator

FedeDP commented Apr 13, 2023

I think you are being hit by the same bug: falcosecurity/falco#2374.
On falcosecurity/falco#2377 I shared a test image; can you try with that? (falcosecurity/falco#2377 (comment))
It fixed the issue for @rao-hassan-1 !

EDIT: @rzemykers please let us know if that image works fine :) I can add that we ship the 5.18.16-1~bpo11+1 driver: https://download.falco.org/driver/site/index.html?lib=4.0.0%2Bdriver&target=debian&arch=x86_64&kind=kmod&search=falco_debian_5.18.16-1%7Ebpo11%2B1-amd64_1.ko

@FedeDP
Collaborator

FedeDP commented Apr 18, 2023

@rzemykers any news?

@FedeDP
Collaborator

FedeDP commented Apr 26, 2023

@rzemykers any news? Sorry for bothering you, but since we are approaching the Falco 0.35 release, I want more data before eventually shipping my patch :)

@poiana
Contributor

poiana commented Jul 25, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@FedeDP
Collaborator

FedeDP commented Aug 3, 2023

We have had multiple users stating that my patch fixed the issue! Moreover, it has now been shipped for more than a month.
We can safely close this one.
/close

@poiana
Contributor

poiana commented Aug 3, 2023

@FedeDP: Closing this issue.

In response to this:

> We have had multiple users stating that my patch fixed the issue! Moreover, it has now been shipped for more than a month.
> We can safely close this one.
> /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@poiana poiana closed this as completed Aug 3, 2023