Federico Di Pierro
For now, we switched to using `vault.centos.org` mirrors to keep centos7 CI running. We need to figure out either a glibc bump or something else.
A better solution is being developed in #3307.
/milestone 0.40.0
Hi! Thanks for opening this issue! Can you share the logs from the `falco` container, if any?
> Opening 'syscall' source with BPF probe. BPF probe path: /root/.falco/falco-probe-bpf.o

The weird thing is that `falco` container is using `bpf` driver, while `falco-driver-loader` is (correctly) using `modern_ebpf` driver. You...
The problem is that, as can be seen from your outputs, `kernelrelease` is being discovered empty. The fact is, falcoctl uses the standard syscall `uname` to fetch the kernelrelease (https://github.com/falcosecurity/falcoctl/blob/main/pkg/driver/kernel/kernel_linux.go#L30),...
Uh, I think I found the bug; is your kernelrelease similar to `6.1.85+`? In this case, our aforementioned helper function is not able to properly decode it, thus `kernelrelease`...
https://github.com/falcosecurity/driverkit/pull/355 fixes our kernelrelease matching regex to support COS kernels ;) I also added a test to avoid future failures. Once that is merged I will port it to falcoctl...
/milestone 0.39.0
Falcoctl PR with the driverkit update: https://github.com/falcosecurity/falcoctl/pull/632
@alacuku and I just tested on COS version `1.30.3-gke.1639000` with kernel `6.1.90+` and the new falcoctl worked fine; we were able to build the eBPF probe. Therefore this...