Error opening device /host/dev/falco0

[alterEgo123]

Describe the bug

Hello,
I've been using Falco for a while now as daemonset, and I sometimes get the same issue which is down below. I should also note that it is recurrent for me that I use the same script for installing falco in different K8S clusters, and this issue sometimes arises. I always found that changing the Falco version to be a solution, but I consider this to be an issue because I'm using a fixed version (currently using 0.23.0), and I need to change into newer versions for it to be fixed.

* Setting up /usr/src links from host
* Running falco-driver-loader with: driver=module, compile=yes, download=yes
* Unloading falco module, if present
* Trying to dkms install falco module
* Running dkms build failed, couldn't find /var/lib/dkms/falco/96bd9bc560f67742738eb7255aeb4d03046b8045/build/make.log
* Trying to load a system falco driver, if present
* Trying to find locally a prebuilt falco module for kernel 3.10.0-957.27.2.el7.x86_64, if present
* Trying to download prebuilt module from https://dl.bintray.com/falcosecurity/driver/96bd9bc560f67742738eb7255aeb4d03046b8045/falco_centos_3.10.0-957.27.2.el7.x86_64_1.ko
curl: (22) The requested URL returned error: 404 Not Found
Download failed, consider compiling your own falco module and loading it or getting in touch with the Falco community
Thu Sep 10 08:05:11 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Thu Sep 10 08:05:11 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Thu Sep 10 08:05:11 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Thu Sep 10 08:05:12 2020: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Thu Sep 10 08:05:12 2020: Unable to load the driver. Exiting.
Thu Sep 10 08:05:12 2020: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco module is loaded.. Exiting.

How to reproduce it

kubectl apply -f k8s-with-rbac/falco-daemonset-configmap.yaml (I specify the version 0.23.0)

Expected behaviour

Run falco as daemonset.

Environment

• Falco version: 0.20.0+d77080a

 System info: Thu Sep 10 08:22:34 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Thu Sep 10 08:22:34 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Thu Sep 10 08:22:35 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Thu Sep 10 08:22:35 2020: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
{
  "machine": "x86_64",
  "nodename": "ssl3.sarra.k8shost2",
  "release": "3.10.0-1127.13.1.el7.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP Tue Jun 23 15:46:38 UTC 2020"
}

• Cloud provider or hardware configuration:

- OS: NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

• Kernel: 3.10.0-1127.13.1.el7.x86_64 Digwatch compiler #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

• Installation method: Kubernetes

Additional context

[leodido]

Hello @alterEgo123,

the issue here is that the prebuilt Falco driver (version 96bd9bc560f67742738eb7255aeb4d03046b8045 ) for kernel 3.10.0-957.27.2.el7.x86_64 is not available (as you can verify yourself here).

As stated in the relative proposal we provide prebuilt Falco drivers in a best-effort way.

So, we usually ship the prebuilt drivers for the last 2 stable versions of Falco.

Turns out you have two options here:

• let Falco try to compile on-the-fly the kernel module (you need kernel headers and kernel-devel installed on the host machine)
• compile the driver you need and install them on the host machine (you can use https://github.com/falcosecurity/driverkit).

More docs available at:

• https://falco.org/docs/installation/#install-driver
• https://falco.org/docs/running/

[alterEgo123]

@leodido Why only keep the prebuilt drivers for the last 2 stable versions?

[balpreet-telnyx]

Hi! I am having this similar issue on newer Ubuntu GCP kernels and CentOS 8 kernels - 5.4.0-1025-gcp, 4.18.0-193.6.3.el8 and the drivers are not available here

I am installing Falco in a container, so ideally, I'd like Falco to build the kernel module on the fly so my automation does not break(i confirmed that I have kernel-headers installed).

Another question - whats the purpose of [falco-driver-loader](https://newreleases.io/project/github/falcosecurity/falco/release/0.26.1). Can this be used to build newer drivers and if yes, how?