
Unable to run on Docker for Mac on Apple M1

Open hazcod opened this issue 2 years ago • 10 comments

Describe the bug

I am unable to run Falco on Docker for Mac; this is an Apple M1 device.

How to reproduce it

% helm upgrade --install falco falcosecurity/falco --set ebpf.enabled=false --set webserver.enabled=false --set programOutput.enabled=true --set programOutput.program="jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/xxx"
# or
% helm upgrade --install falco falcosecurity/falco --set ebpf.enabled=true --set webserver.enabled=false --set programOutput.enabled=true --set programOutput.program="jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/xxx"

Outcome: With eBPF:

* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.29.1, driver version=17f5df52a7d9ed6bb12d3b1768460def8439936d
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Mounting debugfs
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/17f5df52a7d9ed6bb12d3b1768460def8439936d/falco__5.10.25-linuxkit_1.o
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco eBPF probe
* Trying to compile the eBPF probe (falco__5.10.25-linuxkit_1.o)
make[1]: *** /lib/modules/5.10.25-linuxkit/build: No such file or directory. Stop.
make: *** [Makefile:18: all] Error 2
/bin/mv: cannot stat '/usr/src/falco-17f5df52a7d9ed6bb12d3b1768460def8439936d/bpf/probe.o': No such file or directory
Unable to load the falco eBPF probe
Tue Jul 20 08:53:43 2021: Falco version 0.29.1 (driver version 17f5df52a7d9ed6bb12d3b1768460def8439936d)
Tue Jul 20 08:53:43 2021: Falco initialized with configuration file /etc/falco/falco.yaml
Tue Jul 20 08:53:43 2021: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Jul 20 08:53:44 2021: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Jul 20 08:53:45 2021: Unable to load the driver.
Tue Jul 20 08:53:45 2021: Runtime error: can't open BPF probe '/root/.falco/falco-bpf.o': Errno 2. Exiting.

or without:

qemu-x86_64: /qemu/linux-user/mmap.c:302: mmap_find_vma: Assertion `h2g_valid(ptr)' failed.
* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.29.1, driver version=17f5df52a7d9ed6bb12d3b1768460def8439936d
* Running falco-driver-loader with: driver=module, compile=yes, download=yes
* Unloading falco module, if present
* Trying to load a system falco module, if present
* Looking for a falco module locally (kernel 5.10.25-linuxkit)
* Trying to download a prebuilt falco module from https://download.falco.org/driver/17f5df52a7d9ed6bb12d3b1768460def8439936d/falco__5.10.25-linuxkit_1.ko
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco module
* Trying to dkms install falco module with GCC /usr/bin/gcc
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/17f5df52a7d9ed6bb12d3b1768460def8439936d/build/make.log (with GCC /usr/bin/gcc)
* Trying to dkms install falco module with GCC /usr/bin/gcc-8
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/17f5df52a7d9ed6bb12d3b1768460def8439936d/build/make.log (with GCC /usr/bin/gcc-8)
* Trying to dkms install falco module with GCC /usr/bin/gcc-6
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/17f5df52a7d9ed6bb12d3b1768460def8439936d/build/make.log (with GCC /usr/bin/gcc-6)
* Trying to dkms install falco module with GCC /usr/bin/gcc-5
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/17f5df52a7d9ed6bb12d3b1768460def8439936d/build/make.log (with GCC /usr/bin/gcc-5)
Consider compiling your own falco driver and loading it or getting in touch with the Falco community
Tue Jul 20 08:52:50 2021: Falco version 0.29.1 (driver version 17f5df52a7d9ed6bb12d3b1768460def8439936d)
Tue Jul 20 08:52:50 2021: Falco initialized with configuration file /etc/falco/falco.yaml
Tue Jul 20 08:52:50 2021: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Jul 20 08:52:51 2021: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Jul 20 08:52:52 2021: Unable to load the driver.
Tue Jul 20 08:52:52 2021: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco module is loaded.. Exiting.

hazcod avatar Jul 20 '21 08:07 hazcod

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Oct 18 '21 09:10 poiana

/remove-lifecycle stale

hazcod avatar Oct 18 '21 09:10 hazcod

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jan 16 '22 09:01 poiana

/remove-lifecycle stale

hazcod avatar Jan 16 '22 10:01 hazcod

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Apr 16 '22 11:04 poiana

/remove-lifecycle stale

hazcod avatar Apr 16 '22 18:04 hazcod

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jul 15 '22 21:07 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Aug 14 '22 21:08 poiana

cc @alacuku @Andreagit97 @FedeDP /remove-lifecycle rotten

leogr avatar Aug 23 '22 15:08 leogr

linuxkit is not actually supported (so not technically a bug) /kind feature

leogr avatar Aug 23 '22 15:08 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 21 '22 15:11 poiana

/remove-lifecycle stale.

hazcod avatar Nov 21 '22 15:11 hazcod

Hi @hazcod, could you please provide the necessary steps on how to reproduce this issue?

alacuku avatar Nov 22 '22 12:11 alacuku

@alacuku Well I did mention the exact commands, no?

hazcod avatar Nov 22 '22 12:11 hazcod

@hazcod, it would be nice to have more info on your environment. Docker for Mac does not say much to me since I have never used it. More info on the environment, such as the Docker for Mac version, the kernel version, and the kernel flavor could be really helpful. Thanks!

alacuku avatar Nov 22 '22 13:11 alacuku

Docker for Mac 4.14.1 (91661) on Apple Silicon results in kernel:

root@06fb0e1b31cf:/# uname -a
Linux 06fb0e1b31cf 5.15.49-linuxkit #1 SMP PREEMPT Tue Sep 13 07:51:32 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux

hazcod avatar Nov 22 '22 14:11 hazcod

Based on my findings, there is no way to install the kernel headers on Docker for Mac. It means that we cannot build the kernel module for it. Hence, no support for it from our side is possible until the developers of Docker for Mac provide the kernel headers.

alacuku avatar Nov 23 '22 12:11 alacuku
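
Added example, not part of the thread or of the Falco project: a shell triage function that reads falco-driver-loader output such as the two logs in the issue report and names the failure causes discussed so far (no prebuilt driver, no kernel headers for a local build, a linuxkit kernel). The function names and finding labels are hypothetical, and reading the `qemu-x86_64:` line as user-mode emulation of an x86_64 binary is an added interpretation; the sample logs are excerpts of the lines quoted in the report.

```shell
#!/bin/sh
# Added example: triage a falco-driver-loader log read from stdin.
# Finding names are hypothetical labels; the patterns come from the logs above.
_has() { printf '%s\n' "$log" | grep -Eq -- "$1"; }
_add() { findings="${findings}${findings:+,}$1"; }

triage_driver_log() {
    log=$(cat)
    findings=""
    # The kernel release is embedded in the driver name: falco__<release>_<n>.o|.ko
    kernel=$(printf '%s\n' "$log" |
        sed -n 's/.*falco__\(.*\)_[0-9][0-9]*\.k*o$/\1/p' | head -n 1)
    case "$kernel" in *-linuxkit) _add linuxkit-kernel ;; esac
    # A "qemu-<arch>:" prefix means the binary ran under user-mode emulation.
    _has '^qemu-[a-z0-9_]+: ' && _add emulated-binary
    _has '^Unable to find a prebuilt falco (eBPF probe|module)' && _add no-prebuilt-driver
    # A local build needs the kernel build tree under /lib/modules/<release>/build.
    _has '/lib/modules/[^ ]+/build: No such file or directory' && _add missing-kernel-headers
    _has 'dkms build failed' && _add dkms-build-failed
    _has 'Unable to load the driver' && _add driver-not-loaded
    printf 'kernel=%s findings=%s\n' "${kernel:-unknown}" "${findings:-none}"
}

# Excerpts of the two logs from the issue report (eBPF run, kernel-module run).
sample_ebpf_log() { cat <<'EOF'
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/17f5df52a7d9ed6bb12d3b1768460def8439936d/falco__5.10.25-linuxkit_1.o
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco eBPF probe
make[1]: *** /lib/modules/5.10.25-linuxkit/build: No such file or directory. Stop.
Tue Jul 20 08:53:45 2021: Unable to load the driver.
EOF
}
sample_kmod_log() { cat <<'EOF'
qemu-x86_64: /qemu/linux-user/mmap.c:302: mmap_find_vma: Assertion `h2g_valid(ptr)' failed.
* Running falco-driver-loader with: driver=module, compile=yes, download=yes
* Trying to download a prebuilt falco module from https://download.falco.org/driver/17f5df52a7d9ed6bb12d3b1768460def8439936d/falco__5.10.25-linuxkit_1.ko
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco module
* Running dkms build failed, couldn't find /var/lib/dkms/falco/17f5df52a7d9ed6bb12d3b1768460def8439936d/build/make.log (with GCC /usr/bin/gcc)
Tue Jul 20 08:52:52 2021: Unable to load the driver.
EOF
}

sample_ebpf_log | triage_driver_log
sample_kmod_log | triage_driver_log
```

To triage a real pod, pipe its log into the function, for example `kubectl logs <falco-pod> | triage_driver_log`, where the pod name is a placeholder.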

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Dec 23 '22 15:12 poiana

@alacuku @hazcod

Docker for Desktop's kernels are built via the linuxkit tooling. The artifacts, including the source code and development headers, are stored in a Docker image at https://hub.docker.com/r/docker/for-desktop-kernel/tags.

A means of retrieval would be (for the current kernel, 5.15.49):

C=$(docker create docker/for-desktop-kernel:5.15.49-13422a825f833d125942948cf8a8688cef721ead true)
docker cp $C:/ out

With the headers being stored in the file out/kernel-headers.tar.

I think Docker could do a better job of documenting where to find these artifacts for improved integration with tooling that requires the kernel headers.

oursland avatar Jan 15 '23 00:01 oursland

/remove-lifecycle rotten

FedeDP avatar Jan 16 '23 08:01 FedeDP

> @alacuku @hazcod
>
> Docker for Desktop's kernels are built via the linuxkit tooling. The artifacts, including the source code and development headers, are stored in a Docker image at https://hub.docker.com/r/docker/for-desktop-kernel/tags.
>
> A means of retrieval would be (for the current kernel, 5.15.49):
>
> C=$(docker create docker/for-desktop-kernel:5.15.49-13422a825f833d125942948cf8a8688cef721ead true)
> docker cp $C:/ out
>
> With the headers being stored in the file out/kernel-headers.tar.
>
> I think Docker could do a better job of documenting where to find these artifacts for improved integration with tooling that requires the kernel headers.

This is very interesting! Thank you!

cc @falcosecurity/driverkit-maintainers cc @maxgio92

leogr avatar Jan 18 '23 10:01 leogr

A member of my team has successfully built and installed Falco on Docker for Mac on Apple M1 using the kernel headers in the docker image.

oursland avatar Jan 18 '23 16:01 oursland

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Apr 18 '23 19:04 poiana

/remove-lifecycle stale

@oursland @alacuku Is this still an issue? :thinking:

leogr avatar Apr 27 '23 09:04 leogr

> @alacuku @hazcod
>
> Docker for Desktop's kernels are built via the linuxkit tooling. The artifacts, including the source code and development headers, are stored in a Docker image at https://hub.docker.com/r/docker/for-desktop-kernel/tags.
>
> A means of retrieval would be (for the current kernel, 5.15.49):
>
> C=$(docker create docker/for-desktop-kernel:5.15.49-13422a825f833d125942948cf8a8688cef721ead true)
> docker cp $C:/ out
>
> With the headers being stored in the file out/kernel-headers.tar.
>
> I think Docker could do a better job of documenting where to find these artifacts for improved integration with tooling that requires the kernel headers.

thanks

wenzhang-dev avatar May 16 '23 11:05 wenzhang-dev

We do not build kernel modules or probes for Docker for Mac. If anyone wants to contribute to kernel-crawler in order to get the kernel header, it would be much appreciated!

Anyway, the modern probe should work out of the box!

alacuku avatar May 16 '23 14:05 alacuku

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Aug 14 '23 19:08 poiana

> Anyway, the modern probe should work out of the box!

@alacuku @Andreagit97 can you confirm this?

If so, we can just update our documentation to reflect this. cc @vjjmiras @Issif /remove-lifecycle stale

leogr avatar Aug 21 '23 08:08 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 19 '23 09:11 poiana

I try again :)

> Anyway, the modern probe should work out of the box!

@alacuku @Andreagit97 can you confirm this? :thinking:

If so, I would like some help from @falcosecurity/falco-website-maintainers to document this :pray:

/remove-lifecycle stale

leogr avatar Nov 22 '23 16:11 leogr