falco icon indicating copy to clipboard operation
falco copied to clipboard

Published 20 hours ago verified publisher icon falcosecurity

falco driver 0.32 fails to compile on sles15sp2 and sles15sp3 after falco installation

Open mehulgogri opened this issue 2 years ago • 9 comments

Describe the bug Falco driver 0.32 fails to compile on sles15sp2 and sles15sp3 after falco installation

How to reproduce it

  • rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc
  • curl -s -o /etc/zypp/repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
  • zypper -n install kernel-default-devel
  • zypper -n install falco

Expected behaviour Falco installation successful and falco module build successfully

Logs

# zypper -n install falco
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Legacy_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_2_Module_x86_64'.
Refreshing service 'SUSE_CaaS_Platform_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_High_Availability_Extension_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'SUSE_Package_Hub_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  falco

The following package has no support information from its vendor:
  falco

1 new package to install.
Overall download size: 15.6 MiB. Already cached: 0 B. After the operation, additional 42.3 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving package falco-0.32.0-1.x86_64                                                                                                                                                                                                   (1/1),  15.6 MiB ( 42.3 MiB unpacked)
Retrieving: falco-0.32.0-x86_64.rpm ..........................................................................................................................................................................................................................[done (3.2 MiB/s)]

Checking for file conflicts: .............................................................................................................................................................................................................................................[done]
(1/1) Installing: falco-0.32.0-1.x86_64 ..................................................................................................................................................................................................................................[done]
Additional rpm output:

Creating symlink /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/source ->
                 /usr/src/falco-39ae7d40496793cf3d3e7890c9bbdc202263836b

DKMS: add completed.

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area....
make -j8 KERNELRELEASE=5.3.18-24.96-default -C /lib/modules/5.3.18-24.96-default/build M=/var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build....(bad exit status: 2)
Error! Bad return status for module build on kernel: 5.3.18-24.96-default (x86_64)
Consult /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/make.log for more information.

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area....
make -j8 KERNELRELEASE=5.3.18-24.96-default -C /lib/modules/5.3.18-24.96-default/build M=/var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build....(bad exit status: 2)
Error! Bad return status for module build on kernel: 5.3.18-24.96-default (x86_64)
Consult /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/make.log for more information.
warning: %post(falco-0.32.0-1.x86_64) scriptlet failed, exit status 10

Environment

  • Falco version:
Falco version: 0.32.0
Driver version: 39ae7d40496793cf3d3e7890c9bbdc202263836b
  • System info:
Fri Jun 10 08:06:58 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b)
Fri Jun 10 08:06:58 2022: Falco initialized with configuration file /etc/falco/falco.yaml
Fri Jun 10 08:06:58 2022: Loading rules from file /etc/falco/falco_rules.yaml:
Fri Jun 10 08:06:59 2022: Loading rules from file /etc/falco/falco_rules.local.yaml:
{
  "machine": "x86_64",
  "nodename": "mip-bd-vm724",
  "release": "5.3.18-24.96-default",
  "sysname": "Linux",
  "version": "#1 SMP Mon Nov 22 08:33:36 UTC 2021 (9a413cc)"
}

  • Cloud provider or hardware configuration: Hardware

  • OS:

NAME="SLES"
VERSION="15-SP2"
VERSION_ID="15.2"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP2"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp2"
  • Kernel:
Linux mip-bd-vm724 5.3.18-24.96-default #1 SMP Mon Nov 22 08:33:36 UTC 2021 (9a413cc) x86_64 x86_64 x86_64 GNU/Linux

Information for package kernel-default-devel:
---------------------------------------------
Repository     : SLE-Module-Basesystem15-SP2-Updates
Name           : kernel-default-devel
Version        : 5.3.18-24.96.1
Arch           : x86_64
Vendor         : SUSE LLC <https://www.suse.com/>
Support Level  : Level 3
Installed Size : 4.1 MiB
Installed      : Yes
Status         : up-to-date
Source package : kernel-default-5.3.18-24.96.1.nosrc
Summary        : Development files necessary for building kernel modules
Description    :
    This package contains files necessary for building kernel modules (and
    kernel module packages) against the default flavor of the kernel.


    Source Timestamp: 2021-11-22 08:33:36 +0000
    GIT Revision: 9a413cc7eb56e5ea20e0fd96d1b3e5c89ac35b0e
    GIT Branch: SLE15-SP2
  • Installation method: Using zypper -n install falco command

Additional context Tried compiling it manually and getting below errors

# /usr/bin/falco-driver-loader --compile
* Running falco-driver-loader for: falco version=0.32.0, driver version=39ae7d40496793cf3d3e7890c9bbdc202263836b
* Running falco-driver-loader with: driver=module, compile=yes, download=no

================ Cleaning phase ================

* 1. Check if kernel module 'falco' is still loaded:
- OK! There is no 'falco' module loaded.

* 2. Check all versions of kernel module 'falco' in dkms:
- There are some versions of 'falco' module in dkms.

* 3. Removing all the following versions from dkms:
39ae7d40496793cf3d3e7890c9bbdc202263836b

- Removing 39ae7d40496793cf3d3e7890c9bbdc202263836b...

------------------------------
Deleting module version: 39ae7d40496793cf3d3e7890c9bbdc202263836b
completely from the DKMS tree.
------------------------------
Done.

- OK! Removing '39ae7d40496793cf3d3e7890c9bbdc202263836b' succeeded.


[SUCCESS] Cleaning phase correctly terminated.

================ Cleaning phase ================

* Looking for a falco module locally (kernel 5.3.18-24.96-default)
* Trying to dkms install falco module with GCC /usr/bin/gcc
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"

Creating symlink /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/source ->
                 /usr/src/falco-39ae7d40496793cf3d3e7890c9bbdc202263836b

DKMS: add completed.

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
'/tmp/falco-dkms-make'....(bad exit status: 2)
* Running dkms build failed, dumping /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/make.log (with GCC /usr/bin/gcc)
DKMS make.log for falco-39ae7d40496793cf3d3e7890c9bbdc202263836b for kernel 5.3.18-24.96-default (x86_64)
Fri Jun 10 08:12:39 PDT 2022
'/tmp/falco-dkms-make' -C /lib/modules/5.3.18-24.96-default/build M=/var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build modules
make[1]: Entering directory '/usr/src/linux-5.3.18-24.96-obj/x86_64/default'
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/main.o
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/dynamic_params_table.o
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/fillers_table.o
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/flags_table.o
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/ppm_events.o
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/ppm_fillers.o
/var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/ppm_fillers.c: In function ‘f_sys_io_uring_setup_x’:
/var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/ppm_fillers.c:4996:48: error: ‘struct io_uring_params’ has no member named ‘features’
  features = io_uring_setup_feats_to_scap(params.features);
                                                ^
make[3]: *** [/usr/src/linux-5.3.18-24.96/scripts/Makefile.build:282: /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/ppm_fillers.o] Error 1
make[2]: *** [/usr/src/linux-5.3.18-24.96/Makefile:1655: _module_/var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build] Error 2
make[1]: *** [../../../linux-5.3.18-24.96/Makefile:179: sub-make] Error 2
make[1]: Leaving directory '/usr/src/linux-5.3.18-24.96-obj/x86_64/default'
make: *** [Makefile:16: all] Error 2
* Trying to dkms install falco module with GCC /usr/bin/gcc-7
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
'/tmp/falco-dkms-make'....(bad exit status: 2)
* Running dkms build failed, dumping /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/make.log (with GCC /usr/bin/gcc-7)
DKMS make.log for falco-39ae7d40496793cf3d3e7890c9bbdc202263836b for kernel 5.3.18-24.96-default (x86_64)
Fri Jun 10 08:12:44 PDT 2022
'/tmp/falco-dkms-make' -C /lib/modules/5.3.18-24.96-default/build M=/var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build modules
make[1]: Entering directory '/usr/src/linux-5.3.18-24.96-obj/x86_64/default'
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/main.o
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/dynamic_params_table.o
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/fillers_table.o
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/flags_table.o
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/ppm_events.o
  CC [M]  /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/ppm_fillers.o
/var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/ppm_fillers.c: In function ‘f_sys_io_uring_setup_x’:
/var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/ppm_fillers.c:4996:48: error: ‘struct io_uring_params’ has no member named ‘features’
  features = io_uring_setup_feats_to_scap(params.features);
                                                ^
make[3]: *** [/usr/src/linux-5.3.18-24.96/scripts/Makefile.build:282: /var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build/ppm_fillers.o] Error 1
make[2]: *** [/usr/src/linux-5.3.18-24.96/Makefile:1655: _module_/var/lib/dkms/falco/39ae7d40496793cf3d3e7890c9bbdc202263836b/build] Error 2
make[1]: *** [../../../linux-5.3.18-24.96/Makefile:179: sub-make] Error 2
make[1]: Leaving directory '/usr/src/linux-5.3.18-24.96-obj/x86_64/default'
make: *** [Makefile:16: all] Error 2
* Trying to load a system falco module, if present
Consider compiling your own falco driver and loading it or getting in touch with the Falco community

mehulgogri avatar Jun 10 '22 15:06 mehulgogri

Hi @mehulgogri, falcosecurity/libs#379 fixed the issue. Thanks for reporting this.

alacuku avatar Jun 17 '22 11:06 alacuku

@mehulgogri, let us know once you're able to re-test this and see if you're ok with closing this issue. Thanks!

jasondellaluce avatar Jun 17 '22 12:06 jasondellaluce

@alacuku @jasondellaluce is the issue fixed in Falco version 0.32?

mehulgogri avatar Jun 17 '22 15:06 mehulgogri

It is still failing for me. I ran following steps

rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc
curl -s -o /etc/zypp/repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
zypper -n install kernel-default-devel
zypper -n install falco

then also tried to compile using falco-driver-reload /usr/bin/falco-driver-loader --compile

mehulgogri avatar Jun 17 '22 15:06 mehulgogri

Hi @mehulgogri! Unfortunately the bug affects Falco 0.32.0 release. In order to test the fix you can follow the docs here: https://falco.org/docs/getting-started/source/. By default the docs uses the master branch which includes the fix.

It would be great if you can test it and let us know if it works in your env. Thank you very much!

alacuku avatar Jun 17 '22 16:06 alacuku

Hi @alacuku, I tried to build falco from source but it is failing for me on SLES15SP3 operating system while installing the dependencies. Zypper repo is unable to find package with name grpc-devel during the install.

# zypper -n install grpc-devel
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Legacy_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_2_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_High_Availability_Extension_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'SUSE_Package_Hub_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Loading repository data...
Reading installed packages...
'grpc-devel' not found in package names. Trying capabilities.

mehulgogri avatar Jul 19 '22 21:07 mehulgogri

Hi @mehulgogri Falco 0.32.1 is finally out and it should fix your original issue with f_sys_io_uring_setup_x :) You can give it a try and see if the original problem is solved! Feel free to ask if you face other problems, thank you!

Andreagit97 avatar Jul 19 '22 21:07 Andreagit97

@Andreagit97 It is still failing for me

zypper install -y falco This command completed fine but falco module did not compile in the end. I am getting following logs

Additional rpm output:

Creating symlink /var/lib/dkms/falco/2.0.0+driver/source ->
                 /usr/src/falco-2.0.0+driver

DKMS: add completed.

Module build for the currently running kernel was skipped since the
kernel source for this kernel does not seem to be installed.

I tried to compile it manually

# /usr/bin/falco-driver-loader --compile
* Running falco-driver-loader for: falco version=0.32.1, driver version=2.0.0+driver
* Running falco-driver-loader with: driver=module, compile=yes, download=no

================ Cleaning phase ================

* 1. Check if kernel module 'falco' is still loaded:
- OK! There is no 'falco' module loaded.

* 2. Check all versions of kernel module 'falco' in dkms:
- There are some versions of 'falco' module in dkms.

* 3. Removing all the following versions from dkms:
2.0.0+driver

- Removing 2.0.0+driver...

------------------------------
Deleting module version: 2.0.0+driver
completely from the DKMS tree.
------------------------------
Done.

- OK! Removing '2.0.0+driver' succeeded.


[SUCCESS] Cleaning phase correctly terminated.

================ Cleaning phase ================

* Looking for a falco module locally (kernel 5.3.18-22-default)
* Trying to dkms install falco module with GCC /usr/bin/gcc
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"

Creating symlink /var/lib/dkms/falco/2.0.0+driver/source ->
                 /usr/src/falco-2.0.0+driver

DKMS: add completed.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/2.0.0+driver/build/make.log (with GCC /usr/bin/gcc)
* Trying to dkms install falco module with GCC /usr/bin/gcc-7
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/2.0.0+driver/build/make.log (with GCC /usr/bin/gcc-7)
* Trying to load a system falco module, if present
Consider compiling your own falco driver and loading it or getting in touch with the Falco community

mehulgogri avatar Jul 19 '22 22:07 mehulgogri

uhm I see... I will take a look ASAP, thank you for reporting this!

Andreagit97 avatar Jul 21 '22 12:07 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Oct 19 '22 15:10 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Nov 18 '22 21:11 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana avatar Dec 18 '22 21:12 poiana

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Dec 18 '22 21:12 poiana