Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Falco pods failing for Openshift version 4.12 and 4.14 #2989

Closed
Tracked by #2873
ajinkya1986 opened this issue Dec 26, 2023 · 5 comments
Closed
Tracked by #2873

Falco pods failing for Openshift version 4.12 and 4.14 #2989

ajinkya1986 opened this issue Dec 26, 2023 · 5 comments
Assignees
@Andreagit97
Labels
kind/bug lifecycle/rotten
Milestone
TBD

Comments

@ajinkya1986
Copy link

ajinkya1986 commented Dec 26, 2023
edited
Loading

While installing falco through helm chart on Nutanix and Openshift, the falco charts are failing with the below two errors.
We used the following configuration for helm cahrts. The falco chart version used was 3.7.1

falco:
  driver:
    kind: modern_bpf
    loader:
      initContainer:
        image:
          repository: falcosecurity/falco-driver-loader-legacy

collectors:
  docker:
    enabled: false

Below are the two errors

kubectl logs pod/cloudanix-falco-nfljr
Defaulted container "falco" out of: falco, falcoctl-artifact-follow, falcoctl-artifact-install (init)
Fri Dec 15 09:33:25 2023: Falco version: 0.35.1 (x86_64)
Fri Dec 15 09:33:25 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Fri Dec 15 09:33:25 2023: Loading rules from file /etc/falco/falco_rules.yaml
Fri Dec 15 09:33:25 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Fri Dec 15 09:33:25 2023: Starting health webserver with threadiness 24, listening on port 8765
Fri Dec 15 09:33:25 2023: Loaded event sources: syscall
Fri Dec 15 09:33:25 2023: Enabled event sources: syscall
Fri Dec 15 09:33:25 2023: Opening 'syscall' source with modern BPF probe.
Fri Dec 15 09:33:25 2023: One ring buffer every '2' CPUs.
libpman: ring buffer map type is not supported (errno: 13 | message: Permission denied)
Fri Dec 15 09:33:25 2023: An error occurred in an event source, forcing termination...

kubectl logs pod/cloudanix-falco-25mb7
Defaulted container "falco" out of: falco, falcoctl-artifact-follow, falcoctl-artifact-install (init)
Fri Dec 15 12:35:41 2023: Falco version: 0.35.1 (x86_64)
Fri Dec 15 12:35:41 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Fri Dec 15 12:35:41 2023: Loading rules from file /etc/falco/falco_rules.yaml
Error: /etc/falco/falco_rules.yaml: Invalid
1 Errors:
In rules content: (/etc/falco/falco_rules.yaml:0:0)
    required_engine_version: (/etc/falco/falco_rules.yaml:26:2)
------
- required_engine_version: 26
  ^
------
LOAD_ERR_VALIDATE (Error validating rule/macro/list/exception objects): Rules require engine version 26, but engine version is 17
@Andreagit97 Andreagit97 added this to the TBD milestone Jan 3, 2024
@Andreagit97
Copy link
Member

Here there are 2 different issues:

The first one means that the modern-bpf is not supported on this kernel, you need to try the legacy ebpf or the kernel module.

libpman: ring buffer map type is not supported (errno: 13 | message: Permission denied)

The second one means that you are using a ruleset not compatible with your Falco version, try to use Falco 0.36.2. But also here probably the modern probe won't work since the kernel version is too old.

In rules content: (/etc/falco/falco_rules.yaml:0:0)
    required_engine_version: (/etc/falco/falco_rules.yaml:26:2)
------
- required_engine_version: 26
  ^
------

@Andreagit97 Andreagit97 self-assigned this Jan 3, 2024
This was referenced Jan 3, 2024
Closed
Open
@poiana
Copy link
Contributor

poiana commented Apr 2, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Copy link
Contributor

poiana commented May 2, 2024

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@poiana
Copy link
Contributor

poiana commented Jun 1, 2024

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

@poiana poiana closed this as completed Jun 1, 2024
@poiana
Copy link
Contributor

poiana commented Jun 1, 2024

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Andreagit97 Andreagit97

Labels
kind/bug lifecycle/rotten
Projects
None yet
Milestone
TBD
Development

No branches or pull requests
3 participants
@poiana @ajinkya1986 @Andreagit97