
Make bpf module kernel version independent?

Open petterreinholdtsen opened this issue 2 years ago • 12 comments

We want to run falco on a large set of machines with a lot of different kernel versions. At the moment, when building the bpf module with one kernel version, it refuses to load when using a different kernel version. It would be great if the bpf module could be adjusted to work across several kernel modules. This way we could distribute one bpf module to several or all our computers, alongside a package of the userspace binaries.

The https://github.com/cilium/tetragon project has been able to make a similar bpf module that can be built on one kernel version and used on another, thus proving that it is possible to get an event probe that can work across several kernel versions.

petterreinholdtsen avatar Aug 24 '22 08:08 petterreinholdtsen

Hi! The new modern bpf probe will allow this indeed, leveraging bpf CO-RE :) Here are a couple of links:

  • https://github.com/falcosecurity/libs/blob/master/proposals/20220329-modern-bpf-probe.md
  • https://github.com/falcosecurity/libs/tree/master/driver/modern_bpf

@Andreagit97 is working tirelessly on this!

FedeDP avatar Aug 24 '22 08:08 FedeDP

What great news! Is there any way to estimate or guesstimate a release window for this? Thanks for your hard work.

atluxity avatar Aug 24 '22 16:08 atluxity

Falco 0.33 (expected to be released end of September) should sport a technical preview of the new ebpf probe with all simpleconsumer-syscalls implemented. This means that the default Falco (ie: without "-A" flag) should work just fine with the new probe. But, there is no plan to actually add an option to enable it from Falco (like a --modern-bpf cmdline option, or whatever) for the time being.
I guess it will happen in time for Falco 0.33, but there is no guarantee.
At worst, Falco 0.34 (or 0.33.1?) will bring the new bpf again as an experimental feature preview (ie: end of january).

I am optimistic, because of: https://github.com/falcosecurity/libs/pulls?q=is%3Apr+is%3Aopen+modern_bpf -> as you can see, the libs repo is flooded by Andrea implementing new syscalls for the new eBPF probe :rofl:

FedeDP avatar Aug 24 '22 16:08 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 22 '22 21:11 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Dec 22 '22 21:12 poiana

Is there any news on the new kernel module?

-- Happy hacking Petter Reinholdtsen

petterreinholdtsen avatar Dec 22 '22 22:12 petterreinholdtsen

/remove-lifecycle rotten

Andreagit97 avatar Dec 23 '22 09:12 Andreagit97

Is there any news on the new kernel module?

Yes, the modern bpf probe will be shipped with Falco 0.34 as an experimental feature since some syscalls are still missing. It will work in all kernel versions greater than 5.8 and it will be shipped by default into Falco, so you don't have to download anything, just run Falco with --modern-bpf.

Andreagit97 avatar Dec 23 '22 09:12 Andreagit97
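A fleet pre-flight check, added here as an example (not Falco's own code), that tells whether a host meets the requirements stated above before it is started with `--modern-bpf`: a kernel of at least 5.8 and, because the probe relies on CO-RE, a kernel-exported BTF blob (assumed at `/sys/kernel/btf/vmlinux`; `BTF_PATH` is a hypothetical override for testing). The `legacy` label is a constructed return value, not a Falco option.

```shell
#!/bin/sh
# Constructed readiness check for the CO-RE "modern bpf" probe (example, not Falco code).
# Assumptions: probe needs kernel >= 5.8 (from the thread) and BTF at /sys/kernel/btf/vmlinux
# (what CO-RE relocations are resolved against on the target host).

# Succeed if the uname -r string in $1 (e.g. 5.4.0-150-generic) is >= 5.8.
kernel_supports_modern_bpf() {
    major=$(printf '%s\n' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    major=${major:-0}
    minor=${minor:-0}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }
}

# Succeed if the kernel exposes its BTF, which a CO-RE probe needs at load time.
# BTF_PATH is a hypothetical override so the check can be exercised off-host.
has_vmlinux_btf() {
    [ -r "${BTF_PATH:-/sys/kernel/btf/vmlinux}" ]
}

# Print "modern-bpf" when the host in $1 can take the CO-RE probe, else "legacy"
# (constructed label meaning: fall back to the per-kernel driver build).
choose_driver() {
    if kernel_supports_modern_bpf "$1" && has_vmlinux_btf; then
        echo "modern-bpf"
    else
        echo "legacy"
    fi
}

# Usage on a real host: start Falco only when the modern probe is usable.
main() {
    if [ "$(choose_driver "$(uname -r)")" = "modern-bpf" ]; then
        echo "host ok: launching falco --modern-bpf"
        # exec falco --modern-bpf "$@"   # assumed command line, as stated in the thread
    else
        echo "host $(uname -r) cannot run the modern bpf probe; use the per-kernel driver" >&2
        return 1
    fi
}
```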

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Mar 23 '23 09:03 poiana

/remove-lifecycle stale

FedeDP avatar Mar 23 '23 10:03 FedeDP

Falco 0.35 will be released with final modern bpf support :rocket: /cc @Andreagit97

FedeDP avatar Mar 23 '23 10:03 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jun 21 '23 13:06 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Jul 21 '23 13:07 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana avatar Aug 20 '23 13:08 poiana

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Aug 20 '23 13:08 poiana