Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to deploy falco on GKE #920

Closed
Kaizhe opened this issue Nov 6, 2019 · 7 comments
Closed

Failed to deploy falco on GKE #920

Kaizhe opened this issue Nov 6, 2019 · 7 comments
Labels
kind/bug wontfix

Comments

@Kaizhe
Copy link
Contributor

Kaizhe commented Nov 6, 2019

What happened:
Failed to deploy falco on GKE

What you expected to happen:
Falco run successfully on GKE

How to reproduce it (as minimally and precisely as possible):
Bring up a GKE cluster (default one), deploy falco from market place

Anything else we need to know?:

Kaizhes-MacBook-Pro:rules kaizhehuang$ kubectl logs -f falco-security-1-fkc8b 
* Setting up /usr/src links from host
* Mounting debugfs
Found kernel config at /proc/config.gz
* COS detected (build 11647.329.0), downloading and setting up kernel headers
* Downloading https://storage.googleapis.com/cos-tools/11647.329.0/kernel-src.tar.gz
* Extracting kernel sources
* Configuring kernel
scripts/sign-file.c:25:30: fatal error: openssl/opensslv.h: No such file or directory
compilation terminated.
make[1]: *** [scripts/Makefile.host:102: scripts/sign-file] Error 1
make: *** [Makefile:574: scripts] Error 2
* Trying to compile BPF probe falco-probe-bpf (falco-probe-bpf-0.14.0-x86_64-4.14.145+-e2bdf498e5c7b4a4b60c9d2f4c53f14d.o)
In file included from /usr/src/falco-0.14.0/bpf/probe.c:23:
/usr/src/falco-0.14.0/bpf/fillers.h:2006:26: error: no member named 'loginuid' in 'struct task_struct'
                loginuid = _READ(task->loginuid);
                                 ~~~~  ^
/usr/src/falco-0.14.0/bpf/plumbing_helpers.h:18:28: note: expanded from macro '_READ'
#define _READ(P) ({ typeof(P) _val;                             \
                           ^
In file included from /usr/src/falco-0.14.0/bpf/probe.c:23:
/usr/src/falco-0.14.0/bpf/fillers.h:2006:26: error: no member named 'loginuid' in 'struct task_struct'
                loginuid = _READ(task->loginuid);
                                 ~~~~  ^
/usr/src/falco-0.14.0/bpf/plumbing_helpers.h:20:44: note: expanded from macro '_READ'
                    bpf_probe_read(&_val, sizeof(_val), &P);    \
                                                         ^
In file included from /usr/src/falco-0.14.0/bpf/probe.c:23:
/usr/src/falco-0.14.0/bpf/fillers.h:2006:12: error: assigning to 'kuid_t' from incompatible type 'void'
                loginuid = _READ(task->loginuid);
                         ^ ~~~~~~~~~~~~~~~~~~~~~
3 errors generated.
make[2]: *** [/usr/src/falco-0.14.0/bpf/Makefile:33: /usr/src/falco-0.14.0/bpf/probe.o] Error 1
make[1]: *** [Makefile:1543: _module_/usr/src/falco-0.14.0/bpf] Error 2
make: *** [Makefile:18: all] Error 2
mv: cannot stat '/usr/src/falco-0.14.0/bpf/probe.o': No such file or directory
* Trying to download precompiled BPF probe from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-bpf-0.14.0-x86_64-4.14.145%2B-e2bdf498e5c7b4a4b60c9d2f4c53f14d.o
curl: (22) The requested URL returned error: 404 Not Found
* Failure to find a BPF probe
Wed Nov  6 22:13:23 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Wed Nov  6 22:13:23 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Wed Nov  6 22:13:25 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Wed Nov  6 22:13:25 2019: Unable to load the driver. Exiting.
Wed Nov  6 22:13:25 2019: Runtime error: can't open BPF probe '/root/.sysdig/falco-probe-bpf.o': No such file or directory. Exiting.

Environment:

  • Falco version (use falco --version):
  • System info
  • Cloud provider or hardware configuration: GKE
  • OS (e.g: cat /etc/os-release): Google COS
  • Kernel (e.g. uname -a): Linux gke-k8s-research-2-default-pool-f13e4da8-cs4g 4.14.145+ Digwatch compiler #1 SMP Tue Oct 8 03:03:11 PDT 2019 x86_64 Intel(R) Xe
    on(R) CPU @ 2.30GHz GenuineIntel GNU/Linux
  • Install tools (e.g. in kubernetes, rpm, deb, from source):
  • Others:
@Kaizhe Kaizhe added the kind/bug label Nov 6, 2019
@chattarajoy
Copy link

facing the same issue. Can someone look into this?

@Kaizhe
Copy link
Contributor Author

Kaizhe commented Nov 18, 2019
edited
Loading

cc @mstemm , might be related to the kernel module ?

@stale
Copy link

stale bot commented Jan 17, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jan 17, 2020
@stale stale bot closed this as completed Jan 24, 2020
@kbojjireddy
Copy link

I'm facing the same issue

@chattarajoy
Copy link

I changed the instance types to ubuntu based instead of containerd ones and it worked

@fntlnz
Copy link
Contributor

fntlnz commented Jun 22, 2020

It should work now with COS, if anyone else is wondering.

@tdickman
Copy link

@fntlnz I'm still running into this with COS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug wontfix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Kaizhe @tdickman @fntlnz @chattarajoy @kbojjireddy