unable to find a prebuilt driver

[YAYAXZM]

Describe the bug

When I used helm to deploy in the k8s cluster, I found this error and the falco-driver-loader container kept restarting.

kubectl logs falco-7bgdd -nfalco -c falco-driver-loader

• Setting up /usr/src links from host
  2024-04-18 08:12:36 INFO Running falcoctl driver config
  ├ name: falco
  ├ version: 7.0.0+driver
  ├ type: ebpf
  ├ host-root: /host
  └ repos: https://download.falco.org/driver
  2024-04-18 08:12:36 INFO Running falcoctl driver install
  ├ driver version: 7.0.0+driver
  ├ driver type: ebpf
  ├ driver name: falco
  ├ compile: true
  ├ download: true
  ├ arch: x86_64
  ├ kernel release:
  └ kernel version: Digwatch compiler #1 SMP Thu May 18 10:37:10 CST 2023
  2024-04-18 08:12:36 INFO Found distro target: tencentos
  2024-04-18 08:12:36 INFO Removing eBPF probe symlink
  └ path: /root/.falco/falco-bpf.o
  2024-04-18 08:12:36 INFO Trying to download a driver.
  └ url: https://download.falco.org/driver/7.0.0%2Bdriver/x86_64/falco_tencentos__1.o
  2024-04-18 08:13:06 WARN Error GETting url.
  └ err: Get "https://download.falco.org/driver/7.0.0%2Bdriver/x86_64/falco_tencentos__1.o": dial tcp 52.76.90.69:443: i/o timeout
  2024-04-18 08:13:06 WARN unable to find a prebuilt driver
  2024-04-18 08:13:06 INFO Mounting debugfs for bpf driver.
  2024-04-18 08:13:19 INFO Copying built driver to its destination.
  ├ src: /usr/src/falco-7.0.0+driver/bpf/probe.o
  └ dst: /root/.falco/7.0.0+driver/x86_64/falco_tencentos__1.o
  2024-04-18 08:13:19 INFO Driver built.
  └ path: /root/.falco/7.0.0+driver/x86_64/falco_tencentos__1.o
  2024-04-18 08:13:19 INFO Symlinking eBPF probe
  ├ src: /root/.falco/7.0.0+driver/x86_64/falco_tencentos__1.o
  └ dest: /root/.falco/falco-bpf.o
  2024-04-18 08:13:19 INFO eBPF probe symlinked

[FedeDP]

Hi!
Yes we don't support tencentos prebuilt drivers. What is super weird here is that falcoctl is not able to fetch the kernel release you are running on. I don't know how is tencentos built, but we are just calling unix.Uname(&u) : https://github.com/falcosecurity/falcoctl/blob/main/pkg/driver/kernel/kernel_linux.go#L37C13-L37C27 and it should work just fine.
Can you share an uname -a from the node?

[YAYAXZM]

Hi! Yes we don't support tencentos prebuilt drivers. What is super weird here is that falcoctl is not able to fetch the kernel release you are running on. I don't know how is tencentos built, but we are just calling unix.Uname(&u) : https://github.com/falcosecurity/falcoctl/blob/main/pkg/driver/kernel/kernel_linux.go#L37C13-L37C27 and it should work just fine. Can you share an uname -a from the node?

Linux VM-129-234-tencentos 5.4.119-19.0009.28 #1 SMP Thu May 18 10:37:10 CST 2023 x86_64 x86_64 x86_64 GNU/Linux

[FedeDP]

Thanks!
So it seems like FromString is not correctly parsing the 5.4.119-19.0009.28 (and that is somewhat expected because it does not match our kernelVersionPattern regex.
I will open a PR against driverkit to update the regex to accept these kind of kernelreleases.
In the meantime, care to try using modern-ebpf driver? (see https://github.com/falcosecurity/charts/tree/master/charts/falco#deploying-falco-in-kubernetes modern eBPF probe section)

[YAYAXZM]

Thanks!

HI, I tried the new method you mentioned, but encountered new problems. My installation environment may be offline and I cannot access the external network. Can I download the index.yaml file and mount it in the directory?

{"level":"ERROR","msg":"unable to fetch index "falcosecurity" with URL "https://falcosecurity.github.io/falcoctl/index.yaml\": unable to fetch index: cannot fetch index: Get "https://falcosecurity.github.io/falcoctl/index.yaml\": proxyconnect tcp: net/http: TLS handshake timeout","timestamp":"2024-04-23 09:24:37"}

[FedeDP]

Can I download the index.yaml file and mount it in the directory?

No, that's an internal index used internally by falcoctl.
Invoking @alacuku to answer your question (ie: how to run falco chart without involving any external artifact installation)