KinD cluster BPF probe '/root/.falco/falco-bpf.o': Errno 2. Exiting. Error #1766

Closed
robotica72 opened this issue Oct 31, 2021 · 1 comment

@robotica72

Describe the bug

Falco pods fail to start on a new KinD cluster using the BPF or kernel. This issue is in regard to using the BPF on KinD running on Ubuntu 20.04.

Pod Logs:

  • Setting up /usr/src links from host
  • Running falco-driver-loader for: falco version=0.30.0, driver version=3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4
  • Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
  • Mounting debugfs
  • Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4/falco_ubuntu-generic_5.4.0-88-generic_99.o
    curl: (22) The requested URL returned error: 404
    Unable to find a prebuilt falco eBPF probe
  • Trying to compile the eBPF probe (falco_ubuntu-generic_5.4.0-88-generic_99.o)
    make[1]: *** /lib/modules/5.4.0-88-generic/build: No such file or directory. Stop.
    make: *** [Makefile:20: all] Error 2
    mv: cannot stat '/usr/src/falco-3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4/bpf/probe.o': No such file or directory
    Unable to load the falco eBPF probe
    Sun Oct 31 01:58:45 2021: Falco version 0.30.0 (driver version 3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4)
    Sun Oct 31 01:58:45 2021: Falco initialized with configuration file /etc/falco/falco.yaml
    Sun Oct 31 01:58:45 2021: Loading rules from file /etc/falco/falco_rules.yaml:
    Sun Oct 31 01:58:46 2021: Loading rules from file /etc/falco/falco_rules.local.yaml:
    Sun Oct 31 01:58:46 2021: Loading rules from file /etc/falco/rules.d/rules-nginx-write.yaml:
    Sun Oct 31 01:58:46 2021: Unable to load the driver.
    Sun Oct 31 01:58:46 2021: Runtime error: can't open BPF probe '/root/.falco/falco-bpf.o': Errno 2. Exiting.

How to reproduce it

Install a KinD cluster using K8s 1.21 on a base Ubuntu 20.04. Use Helm to deploy Falco with BPF enabled, using 0.30.0.
The KinD cluster has the extra mounts:

  • hostPath: /dev
    containerPath: /dev
  • hostPath: /var/run/docker.sock
    containerPath: /var/run/docker.sock

Expected behaviour

Pods should run without crashing.

Environment

Ubuntu 20.04, kernel headers installed, KinD cluster running K8s 1.21

Hoping someone has an idea to resolve the issue?

@robotica72

I'll close this - same issue I had in the past. To make this work I needed to add the extra mount for /usr/src to the KinD containers to the Host, and it works fine after that.
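The `make` error in the pod log and the `/usr/src` fix above are connected: on Ubuntu, `/lib/modules/<release>/build` is a symlink into `/usr/src`, so it dangles wherever `/usr/src` is not mounted. The script below is an added example, not part of the issue thread or the Falco project; it checks that link under a given root and prints a KinD config with the extra mount. The function names, the `--check` flag, the single control-plane node, and `containerPath: /usr/src` are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the Falco project).
# headers_status ROOT KREL -> prints a status word and returns
#   0 ok, 1 no build entry, 2 build symlink dangles.
# ROOT is the filesystem root to inspect ("" for /), KREL a kernel release.
headers_status() {
    root=$1
    krel=$2
    link="$root/lib/modules/$krel/build"
    if [ ! -L "$link" ] && [ ! -d "$link" ]; then
        echo "no-build-link"; return 1
    fi
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        case $target in
            /*) resolved="$root$target" ;;               # absolute: re-root it
            *)  resolved="$(dirname "$link")/$target" ;; # relative to the link
        esac
    else
        resolved=$link                                   # plain directory
    fi
    if [ -d "$resolved" ]; then
        echo "ok"; return 0
    fi
    echo "dangling:$target"; return 2
}

# KinD cluster config: the two mounts listed in the issue plus /usr/src.
kind_config() {
    cat <<'EOF'
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraMounts:
  - hostPath: /dev
    containerPath: /dev
  - hostPath: /var/run/docker.sock
    containerPath: /var/run/docker.sock
  - hostPath: /usr/src            # mount added in the closing comment
    containerPath: /usr/src       # assumed: same path inside the node
EOF
}

# Run with --check on the host or inside a KinD node to test the live root.
if [ "${1:-}" = "--check" ]; then
    headers_status "" "$(uname -r)"
fi
```

A `dangling:` result inside a node while the host reports `ok` points at the missing `/usr/src` mount rather than at missing kernel headers.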
