Falco does not properly start after upgrade #400

Closed
carestad opened this issue Aug 1, 2018 · 13 comments

@carestad

carestad commented Aug 1, 2018

Using apt, when upgrading Falco, the last few versions do not start up again after a completed upgrade. The service remains stopped.

The following packages will be upgraded:
  falco
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/2 876 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] 
Reading changelogs... Done
(Reading database ... 120936 files and directories currently installed.)
Preparing to unpack .../falco_0.11.1_amd64.deb ...

-------- Uninstall Beginning --------
Module:  falco
Version: 0.11.0
Kernel:  4.9.0-5-amd64 (x86_64)
-------------------------------------

Status: Before uninstall, this module version was ACTIVE on this kernel.

falco-probe.ko:
 - Uninstallation
   - Deleting from: /lib/modules/4.9.0-5-amd64/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.

depmod...

DKMS: uninstall completed.

-------- Uninstall Beginning --------
Module:  falco
Version: 0.11.0
Kernel:  4.9.0-7-amd64 (x86_64)
-------------------------------------

Status: Before uninstall, this module version was ACTIVE on this kernel.

falco-probe.ko:
 - Uninstallation
   - Deleting from: /lib/modules/4.9.0-7-amd64/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.

depmod...

DKMS: uninstall completed.

------------------------------
Deleting module version: 0.11.0
completely from the DKMS tree.
------------------------------
Done.
Unpacking falco (0.11.1) over (0.11.0) ...
Setting up falco (0.11.1) ...
Loading new falco-0.11.1 DKMS files...
Building for 4.9.0-5-amd64 4.9.0-7-amd64
Building initial module for 4.9.0-5-amd64
Done.

falco-probe:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.9.0-5-amd64/updates/dkms/

depmod...

DKMS: install completed.
Building initial module for 4.9.0-7-amd64
Done.

falco-probe:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.9.0-7-amd64/updates/dkms/

depmod...

DKMS: install completed.
Processing triggers for systemd (232-25+deb9u4) ...
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

I get a Slack notification when the service is stopped and started (sudo service falco start/stop), but when upgrading, I am only notified of it being stopped. When logging on the server later to check, it is indeed still stopped.

12:49 [root@server ~]# service falco status
● falco.service - LSB: Falco syscall activity monitoring agent
   Loaded: loaded (/etc/init.d/falco; generated; vendor preset: enabled)
   Active: inactive (dead) since Wed 2018-08-01 12:45:55 CEST; 4min 43s ago
     Docs: man:systemd-sysv-generator(8)

aug. 01 12:45:55 server systemd[1]: Stopping LSB: Falco syscall activity monitoring agent...
aug. 01 12:45:55 server systemd[1]: Stopped LSB: Falco syscall activity monitoring agent.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Manually running sudo service falco start starts the service back up without issues.

To be fair, I thought maybe this was handled automatically by systemd, but I only have this problem with Falco at the moment.

Servers are running Debian 9.5.

@carestad
Author

Had the same thing happen now with the 0.12.1 version of Falco.

@mstemm
Contributor

mstemm commented Nov 6, 2018

I wonder if this is the same cause as #418. The transition from 0.11.1 to 0.12 included an incompatible kernel module change, so it's possible that falco crashed after the new install because it was trying to use the already-loaded old kernel module.

I know this was a while back, but are you still experiencing this problem and if so could you check /var/log/messages to see if falco had a segfault?

@carestad
Author

carestad commented Nov 6, 2018

A bit too far for the log archives I'm afraid, as the messages.log has been rotated and I can't find anything older than early October.

I guess I will see with version 0.12.2 or 0.13.0 (whichever is first) 🙂

@egrang

egrang commented Nov 9, 2018

/usr/lib/dkms/dkms_autoinstaller start

@carestad
Author

Still happening now with the upgrade to 0.13.0. Tried running the dkms_autoinstaller command first on one server as well, but this had no effect. Falco remains stopped after kernel modules have been installed.

@mfdii
Member

mfdii commented Nov 12, 2018

Did you confirm the old kernel module is indeed removed and the new version loaded?

@carestad
Author

@mfdii The un-upgraded servers do appear to be running the 0.12.1 version, if I am not entirely mistaken. The contents of /var/lib/dkms/falco is:

drwxr-xr-x 4 root root 4096 sep.  17 12:59 0.12.1
lrwxrwxrwx 1 root root   27 sep.  17 12:59 kernel-4.9.0-7-amd64-x86_64 -> 0.12.1/4.9.0-7-amd64/x86_64
lrwxrwxrwx 1 root root   27 sep.  17 13:00 kernel-4.9.0-8-amd64-x86_64 -> 0.12.1/4.9.0-8-amd64/x86_64

While on one of the upgraded servers it is:

drwxr-xr-x 3 root root 4096 nov.  12 10:34 0.13.0
lrwxrwxrwx 1 root root   27 nov.  12 10:34 kernel-4.9.0-8-amd64-x86_64 -> 0.13.0/4.9.0-8-amd64/x86_64

I might also add that no segfaults were spotted in /var/log/messages during the upgrade.

@carestad
Author

Output from terminal when upgrading one of the servers to 0.13.0 tonight:

21:33 [root@server /tmp]# apt install falco
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  falco
1 upgraded, 0 newly installed, 0 to remove and 43 not upgraded.
Need to get 0 B/3 125 kB of archives.
After this operation, 503 kB of additional disk space will be used.
Reading changelogs... Done
(Reading database ... 115797 files and directories currently installed.)
Preparing to unpack .../falco_0.13.0_amd64.deb ...

-------- Uninstall Beginning --------
Module:  falco
Version: 0.12.1
Kernel:  4.9.0-5-amd64 (x86_64)
-------------------------------------

Status: Before uninstall, this module version was ACTIVE on this kernel.

falco-probe.ko:
 - Uninstallation
   - Deleting from: /lib/modules/4.9.0-5-amd64/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.

depmod....

DKMS: uninstall completed.

-------- Uninstall Beginning --------
Module:  falco
Version: 0.12.1
Kernel:  4.9.0-8-amd64 (x86_64)
-------------------------------------

Status: Before uninstall, this module version was ACTIVE on this kernel.

falco-probe.ko:
 - Uninstallation
   - Deleting from: /lib/modules/4.9.0-8-amd64/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.

depmod....

DKMS: uninstall completed.

------------------------------
Deleting module version: 0.12.1
completely from the DKMS tree.
------------------------------
Done.
Unpacking falco (0.13.0) over (0.12.1) ...
Setting up falco (0.13.0) ...
Installing new version of config file /etc/falco/falco_rules.yaml ...
Installing new version of config file /etc/falco/rules.available/application_rules.yaml ...
Installing new version of config file /etc/falco/falco_rules.local.yaml ...
Loading new falco-0.13.0 DKMS files...
Building for 4.9.0-8-amd64
Building initial module for 4.9.0-8-amd64
Done.

falco-probe:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.9.0-8-amd64/updates/dkms/

depmod...

DKMS: install completed.
Processing triggers for systemd (232-25+deb9u4) ...

As you can also see from the beginning there, the module version was 0.12.1 before upgrading.

/var/log/messages after/during the upgrade:

Nov 13 21:33:46 server kernel: [2672998.045889] falco_probe: deallocating consumer ffff96777ff93000
Nov 13 21:33:46 server kernel: [2672998.071596] falco_probe: no more consumers, stopping capture

Then a minute's pause until I manually start it with service falco start:

Nov 13 21:34:53 server falco: Falco initialized with configuration file /etc/falco/falco.yaml
Nov 13 21:34:53 server falco: Loading rules from file /etc/falco/falco_rules.yaml:
Nov 13 21:34:53 server falco: Loading rules from file /etc/falco/falco_rules.local.yaml:
Nov 13 21:34:53 server falco: Loading rules from file /etc/falco/rules.d/local.yaml:
Nov 13 21:34:54 server kernel: [2673065.527547] falco_probe: adding new consumer ffff9677889af100
Nov 13 21:34:54 server kernel: [2673065.527598] falco_probe: initializing ring buffer for CPU 0
Nov 13 21:34:54 server kernel: [2673065.535927] falco_probe: CPU buffer initialized, size=8388608
Nov 13 21:34:54 server kernel: [2673065.535928] falco_probe: initializing ring buffer for CPU 1
Nov 13 21:34:54 server kernel: [2673065.544242] falco_probe: CPU buffer initialized, size=8388608
Nov 13 21:34:54 server kernel: [2673065.544243] falco_probe: initializing ring buffer for CPU 2
Nov 13 21:34:54 server kernel: [2673065.552423] falco_probe: CPU buffer initialized, size=8388608
Nov 13 21:34:54 server kernel: [2673065.552425] falco_probe: initializing ring buffer for CPU 3
Nov 13 21:34:54 server kernel: [2673065.560346] falco_probe: CPU buffer initialized, size=8388608
Nov 13 21:34:54 server kernel: [2673065.560348] falco_probe: initializing ring buffer for CPU 4
Nov 13 21:34:54 server kernel: [2673065.568472] falco_probe: CPU buffer initialized, size=8388608
Nov 13 21:34:54 server kernel: [2673065.568473] falco_probe: initializing ring buffer for CPU 5
Nov 13 21:34:54 server kernel: [2673065.575993] falco_probe: CPU buffer initialized, size=8388608

@mfdii
Member

mfdii commented Nov 13, 2018 via email

@carestad
Author

I can't say there are any specific messages regarding loading/unloading the kernel module in dmesg, no:

[ti. nov. 13 21:34:50 2018] falco_probe: deallocating consumer ffff96777ff93000
[ti. nov. 13 21:34:50 2018] falco_probe: no more consumers, stopping capture
[ti. nov. 13 21:35:57 2018] falco_probe: adding new consumer ffff9677889af100
[ti. nov. 13 21:35:57 2018] falco_probe: initializing ring buffer for CPU 0
[ti. nov. 13 21:35:57 2018] falco_probe: CPU buffer initialized, size=8388608
[ti. nov. 13 21:35:57 2018] falco_probe: initializing ring buffer for CPU 1
[ti. nov. 13 21:35:57 2018] falco_probe: CPU buffer initialized, size=8388608
[ti. nov. 13 21:35:57 2018] falco_probe: initializing ring buffer for CPU 2
[ti. nov. 13 21:35:57 2018] falco_probe: CPU buffer initialized, size=8388608
[ti. nov. 13 21:35:57 2018] falco_probe: initializing ring buffer for CPU 3
[ti. nov. 13 21:35:57 2018] falco_probe: CPU buffer initialized, size=8388608
[ti. nov. 13 21:35:57 2018] falco_probe: initializing ring buffer for CPU 4
[ti. nov. 13 21:35:57 2018] falco_probe: CPU buffer initialized, size=8388608
[ti. nov. 13 21:35:57 2018] falco_probe: initializing ring buffer for CPU 5
[ti. nov. 13 21:35:57 2018] falco_probe: CPU buffer initialized, size=8388608
[ti. nov. 13 21:35:57 2018] falco_probe: initializing ring buffer for CPU 6
[ti. nov. 13 21:35:57 2018] falco_probe: CPU buffer initialized, size=8388608
[ti. nov. 13 21:35:57 2018] falco_probe: initializing ring buffer for CPU 7
[ti. nov. 13 21:35:57 2018] falco_probe: CPU buffer initialized, size=8388608
[ti. nov. 13 21:35:57 2018] falco_probe: starting capture

Looking back in dmesg to October 14 I do see a driver loading message:

[sø. okt. 14 00:05:05 2018] falco_probe: loading out-of-tree module taints kernel.
[sø. okt. 14 00:05:05 2018] falco_probe: driver loading, falco-probe 0.12.1

rmmod falco_probe && modprobe falco_probe did not work, but stopping falco, then modprobing did. So now I see:

[ti. nov. 13 21:59:29 2018] falco_probe: driver unloading
[ti. nov. 13 21:59:58 2018] falco_probe: driver loading, falco-probe 0.13.0
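
A post-upgrade check that answers the maintainer's question above (is the old module still loaded, and did the service come back?), added here as an example and not code from the Falco project or from anyone in this thread: it extracts the loaded probe version from dmesg lines of the kind quoted above, compares it with the newest version directory under /var/lib/dkms/falco, and reports whether the unit is active. The FALCO_CHECK_RUN variable is a hypothetical gate so the host-side commands only run when asked and the functions can be exercised on sample text.

```shell
#!/bin/sh
# Added example (not from the Falco project or this thread): post-upgrade
# health check for the symptom described above. Message formats and paths
# are taken from the output quoted in the thread; everything else is assumed.

# Print the version of the most recently loaded falco-probe according to the
# dmesg text on stdin, or nothing if no "driver loading" message is present.
loaded_probe_version() {
    sed -n 's/.*falco_probe: driver loading, falco-probe \([0-9][0-9.]*\).*/\1/p' | tail -n 1
}

# Print the newest module version in the DKMS tree (a directory named like
# "0.13.0" under /var/lib/dkms/falco; the kernel-* symlinks are ignored).
# The optional argument overrides the path so the function can be tested.
dkms_probe_version() {
    dir="${1:-/var/lib/dkms/falco}"
    ls -1 "$dir" 2>/dev/null | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
        | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# Compare loaded vs. installed version: prints "ok", "stale" (an old module is
# still loaded, the case suspected in this thread) or "unknown" (no data).
probe_state() {
    loaded="$1"; installed="$2"
    if [ -z "$loaded" ] || [ -z "$installed" ]; then echo unknown; return 2; fi
    if [ "$loaded" = "$installed" ]; then echo ok; return 0; fi
    echo stale; return 1
}

# Host-side run, gated by a hypothetical environment variable.
if [ "${FALCO_CHECK_RUN:-0}" = "1" ]; then
    loaded=$(dmesg | loaded_probe_version)
    installed=$(dkms_probe_version)
    state=$(probe_state "$loaded" "$installed")
    echo "loaded=${loaded:-none} installed=${installed:-none} state=$state"
    # The thread's symptom: the unit is left inactive after the package upgrade.
    systemctl is-active --quiet falco || echo "falco.service is not active"
fi
```

Run it as FALCO_CHECK_RUN=1 sh check.sh on a host after an upgrade; a "stale" verdict with an inactive unit is the state reported in this issue.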

@carestad
Author

For what it's worth, this seems to also happen when upgrading to 0.13.1.

@stale

stale bot commented Mar 19, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Mar 19, 2019
@stale stale bot closed this as completed Mar 26, 2019
@carestad
Author

carestad commented Aug 1, 2019

This is still happening though, in Debian. When apt-get upgrading to 0.17.0 now, it stopped Falco but never started it up again. It hasn't managed to start Falco back up again after updating for quite some time.

I have also noticed that sudo service falco restart usually stalls and does not complete, while sudo service falco stop && sudo service falco start works well. Any reason why? Could they be related?
