kernels not supported (similar to #1390)

[balpreet-telnyx]

Hi! I am having this similar issue on newer Ubuntu GCP kernels and CentOS 8 kernels - 5.4.0-1025-gcp, 4.18.0-193.6.3.el8 and the drivers are not available here

I am installing Falco in a container, so ideally, I'd like Falco to build the kernel module on the fly so my automation does not break(i confirmed that I have kernel-headers installed).

Another question - whats the purpose of falco-driver-loader. Can this be used to build newer drivers and if yes, how?

Also used the driverkit project but not working as expected -

go run main.go docker --output-module /tmp/falco-1.ko --kernelversion=25 --kernelrelease=5.4.0-1025-gcp --driverversion=dev --target=ubuntu-generic
INFO driver building, it will take a few seconds   processor=docker
FATA exiting                                       error="specific kernel headers not found"
exit status 1

This worked though -

go run main.go docker --output-module /tmp/falco.ko --kernelversion=81 --kernelrelease=4.15.0-72-generic --driverversion=dev --target=ubuntu-generic
INFO driver building, it will take a few seconds   processor=docker
INFO kernel module available                       path=/tmp/falco.ko 

[balpreet-telnyx]

/kind bug

[leodido]

Hello @balpreet-telnyx please use the issue template when submitting new issues: it helps us in triaging the issues. It'd very appreciated, thanks!

Anyways, driverkit does not support GCP kernels because it doesn't have a builder for them, and it doesn't know where to look for their kernel headers.

We welcome contributions to support such kernels, as usual 😃

Rather, the falcosecurity/falco-driver-loader image can be used to download (will not work in this case, since there are no prebuilt drivers for GPC kernels) or to build the driver on the fly for the current host kernel.

In the docs you can surely find guidance.

Otherwise, you could directly use the falco-driver-loader script (installed under /usr/bin when using packages, or just download it and use it), but you need to ensure your system already contains all the deps in this case (while the docker image above contains the toolchain).

[balpreet-telnyx]

@leodido Yea I can confirm driverkit does not support GCP kernels.

Another thing which I tested today is, installing Falco natively (using apt) builds the respective GCP module but Falco dockerized does not build module even if kernel-headers are installed.

[rolfberkenbosch]

We can confirm that we also have the same problems with CoreOS with the latest kernel. Because of this issue, the latest working version of RedHat Openshift is 4.5. Openshift 4.6 is using the new kernel wich gives this problem. Is there any progression in debugging/fixing this issue ?

[fntlnz]

@rolfberkenbosch - Thanks for bringing that up! Please open your own issue and fill the template you get when opening so that a maintainer/contributo can have a chance to understand.

I'm closing this since OP completely ignored our bug reporting template.

The prebuilt drivers service is a best-effort service that the project maintainers provide to the community, the best way to help to get it working good for everyone is to fill bug reports that help maintainers

[rolfberkenbosch]

Look for the solution on #1505