ubuntu 18.04 how to install falco #3381

Open
zer0-1s opened this issue Oct 15, 2024 · 1 comment

zer0-1s commented Oct 15, 2024

Describe the bug
I refer to the link of the following article.

https://v0-32.falco.org/docs/getting-started/installation/

Setting up g++ (4:7.4.0-1ubuntu2.3) ...
update-alternatives: using /usr/bin/g++ to provide /usr/bin/c++ (c++) in auto mode
Setting up falco (0.39.1) ...
[POST-INSTALL] Disable all possible 'falco' services:
Failed to stop falco-kmod.service: Unit falco-kmod.service not loaded.
Failed to stop falco-bpf.service: Unit falco-bpf.service not loaded.
Failed to stop falco-modern-bpf.service: Unit falco-modern-bpf.service not loaded.
Failed to stop falco-custom.service: Unit falco-custom.service not loaded.
Failed to stop falcoctl-artifact-follow.service: Unit falcoctl-artifact-follow.service not loaded.
[POST-INSTALL] Configure falcoctl 'auto' driver type:
2024-10-14 18:46:14 INFO  Running falcoctl driver config
                      ├ name: falco
                      ├ version: 7.3.0+driver
                      ├ type: kmod
                      ├ host-root: /
                      └ repos: https://download.falco.org/driver
2024-10-14 18:46:14 INFO  Committing driver config to specialized configuration
                      │   file under
                      └ directory: /etc/falco/config.d
2024-10-14 18:46:14 INFO  Storing falcoctl driver config 

[POST-INSTALL] Trigger deamon-reload:
[POST-INSTALL] Call 'falcoctl driver install for kmod:
2024-10-14 18:46:14 INFO  Running falcoctl driver install
                      ├ driver version: 7.3.0+driver
                      ├ driver type: kmod
                      ├ driver name: falco
                      ├ compile: true
                      ├ download: false
                      ├ target: ubuntu-generic
                      ├ arch: x86_64
                      ├ kernel release: 5.4.0-150-generic
                      └ kernel version: #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023
2024-10-14 18:46:14 INFO  Check if kernel module is still loaded.               
2024-10-14 18:46:14 INFO  OK! There is no module loaded. 
2024-10-14 18:46:14 INFO  Check all versions of kernel module in dkms. 
2024-10-14 18:46:14 INFO  OK! There are no module versions in dkms. 
2024-10-14 18:46:14 INFO  Trying to compile the requested driver                
2024-10-14 18:46:14 INFO  Trying automatic kernel headers download. 
2024-10-14 18:46:23 WARN  Failed to generate script.
                      └ err: kernel headers not found
2024-10-14 18:46:24 INFO  Trying to dkms install module. gcc: /usr/bin/gcc
2024-10-14 18:46:56 INFO  kernel module available.
                      └ path: /root/.falco/7.3.0+driver/x86_64/falco_ubuntu-generic_5.4.0-150-generic_167~18.04.1.ko
2024-10-14 18:46:56 INFO  Success: module found and loaded in dkms.
                      └ driver: /root/.falco/7.3.0+driver/x86_64/falco_ubuntu-generic_5.4.0-150-generic_167~18.04.1.ko
[POST-INSTALL] Enable 'falco-kmod.service':
Created symlink /etc/systemd/system/falco.service → /usr/lib/systemd/system/falco-kmod.service.
Created symlink /etc/systemd/system/multi-user.target.wants/falco-kmod.service → /usr/lib/systemd/system/falco-kmod.service.
[POST-INSTALL] Start 'falco-kmod.service':
Failed to start falco-kmod.service: Unit falco-kmod.service is not loaded properly: Exec format error.
See system logs and 'systemctl status falco-kmod.service' for details.
Setting up build-essential (12.4ubuntu1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1.4) ...
root@ubuntu:/home/falco# uname -r
5.4.0-150-generic
root@ubuntu:/home/falco# systemctl start falco-kmod.service
Failed to start falco-kmod.service: Unit falco-kmod.service is not loaded properly: Exec format error.
See system logs and 'systemctl status falco-kmod.service' for details.
root@ubuntu:/home/falco# systemctl start falco-kmod.service
Failed to start falco-kmod.service: Unit falco-kmod.service is not loaded properly: Exec format error.
See system logs and 'systemctl status falco-kmod.service' for details.
root@ubuntu:/home/falco# systemctl status falco-kmod.service
● falco-kmod.service - Falco: Container Native Runtime Security with kmod
   Loaded: error (Reason: Exec format error)
   Active: inactive (dead)
     Docs: https://falco.org/docs/

Oct 14 18:46:13 ubuntu systemd[1]: /usr/lib/systemd/system/falco-kmod.service:13: Executable path is not absolute: kill -1 $MAINPID
Oct 14 18:46:56 ubuntu systemd[1]: /usr/lib/systemd/system/falco-kmod.service:13: Executable path is not absolute: kill -1 $MAINPID

How to reproduce it

ubuntu 18.04

root@ubuntu:/home/falco# uname -r
5.4.0-150-generic

Expected behaviour

Screenshots

Successfully installed falco.

Environment

  • Falco version:
  • System info:
root@ubuntu:/home/falco# falco --support | jq .system_info
Mon Oct 14 19:19:34 2024: Falco version: 0.39.1 (x86_64)
Mon Oct 14 19:19:34 2024: Falco initialized with configuration files:
Mon Oct 14 19:19:34 2024:    /etc/falco/config.d/engine-kind-falcoctl.yaml | schema validation: ok
Mon Oct 14 19:19:34 2024:    /etc/falco/falco.yaml | schema validation: ok
Mon Oct 14 19:19:34 2024: System info: Linux version 5.4.0-150-generic (buildd@bos03-amd64-012) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023
Mon Oct 14 19:19:34 2024: Loading rules from:
Mon Oct 14 19:19:34 2024:    /etc/falco/falco_rules.yaml | schema validation: ok
Mon Oct 14 19:19:34 2024:    /etc/falco/falco_rules.local.yaml | schema validation: none
{
  "machine": "x86_64",
  "nodename": "ubuntu",
  "release": "5.4.0-150-generic",
  "sysname": "Linux",
  "version": "#167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023"
}
root@ubuntu:/home/falco# 

  • Cloud provider or hardware configuration:
  • OS:
root@ubuntu:/home/falco# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

  • Kernel:
5.4.0-150-generic

  • Installation method:

https://v0-32.falco.org/docs/getting-started/installation/

from

curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y

apt-get -y install linux-headers-$(uname -r)

apt-get install -y falco

Additional context
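
Added example, not part of the original issue and not Falco project code: the journal lines above show systemd rejecting line 13 of the unit because the executable in `kill -1 $MAINPID` is not an absolute path, so this check lists every `Exec*=` directive in a unit file with that property. The sample unit, its `ExecReload=` directive name, `example_mod` and `example-daemon` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag Exec*= directives in a systemd unit file whose command
# does not begin with an absolute path (the condition reported in the log).

find_relative_exec() {
    # $1: unit file path. Prints LINE:DIRECTIVE=COMMAND for each offending line.
    awk '
        /^[ \t]*Exec[A-Za-z]+=/ {
            line = $0
            sub(/^[ \t]*/, "", line)
            eq  = index(line, "=")
            key = substr(line, 1, eq - 1)
            cmd = substr(line, eq + 1)
            sub(/^[ \t]*/, "", cmd)
            if (cmd == "") next            # empty value only resets the list
            exe = cmd
            sub(/^[-@+!:]+/, "", exe)      # drop special executable prefixes
            if (substr(exe, 1, 1) != "/")
                printf "%d:%s=%s\n", NR, key, cmd
        }
    ' "$1"
}

write_sample_unit() {
    # Constructed sample unit (not the real falco-kmod.service). Prints its path.
    unit=$(mktemp)
    cat > "$unit" <<'EOF'
[Unit]
Description=Constructed sample unit

[Service]
Type=simple
ExecStartPre=-/sbin/modprobe example_mod
ExecStart=/usr/bin/example-daemon --foreground
ExecReload=kill -1 $MAINPID
Restart=on-failure
EOF
    printf '%s\n' "$unit"
}

sample=$(write_sample_unit)
find_relative_exec "$sample"
rm -f "$sample"
```

To inspect the affected host, call `find_relative_exec /usr/lib/systemd/system/falco-kmod.service`, the path named in the journal lines above.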

zer0-1s commented Oct 16, 2024

My idea is to test whether falco can detect container escape vulnerabilities. To quickly reproduce vulnerabilities, metarget is used. And metarget has the best support for Ubuntu 18.04.
