Falco doesn’t work in any driver mode on Oracle Linux

[kirylbelavus]

Describe the bug
I’m trying to deploy Falco into a K8S cluster hosted in a private data center. The K8S nodes are running Linux kernel version 5.4 (based on Oracle Linux), which is compatible with both kmod and eBPF Falco drivers. The container runtime on the nodes is Docker. I tried running Falco in both privileged and least-privileged modes, but the result is the same - Falco can’t find a compatible driver and can’t build one.

The kernel headers are present on the nodes, and the /sys/kernel/debug directory has the correct permissions.
Do you support Oracle Linux? Could you help deploy Falco on K8S nodes running Oracle Linux?

Logs for eBPF driver:

* Setting up /usr/src links from host
2024-10-23 12:45:04 INFO  Running falcoctl driver config
                      ├ name: falco
                      ├ version: 7.3.0+driver
                      ├ type: ebpf
                      ├ host-root: /host
                      └ repos: https://download.falco.org/driver
2024-10-23 12:45:04 INFO  Storing falcoctl driver config
2024-10-23 12:45:04 INFO  Running falcoctl driver install
                      ├ driver version: 7.3.0+driver
                      ├ driver type: ebpf
                      ├ driver name: falco
                      ├ compile: true
                      ├ download: true
                      ├ target: ol
                      ├ arch: x86_64
                      ├ kernel release: 5.4.17-2136.336.5.1.el7uek.x86_64
                      └ kernel version: #3 SMP Sat Oct 5 11:30:26 PDT 2024
2024-10-23 12:45:04 INFO  Removing eBPF probe symlink
                      └ path: /root/.falco/falco-bpf.o
2024-10-23 12:45:04 INFO  Trying to download a driver.
                      └ url: https://download.falco.org/driver/7.3.0%2Bdriver/x86_64/falco_ol_5.4.17-2136.336.5.1.el7uek.x86_64_3.o
2024-10-23 12:45:04 WARN  Non-200 response from url. code: 404
2024-10-23 12:45:04 WARN  unable to find a prebuilt driver
2024-10-23 12:45:04 INFO  Trying to compile the requested driver
2024-10-23 12:45:04 INFO  Trying automatic kernel headers download.
2024-10-23 12:45:08 WARN  Failed to download headers. err: exit status 127
2024-10-23 12:45:08 INFO  Trying to build eBPF probe.
+ cd /usr/src/falco-7.3.0+driver
+ echo '* Building eBPF probe'
* Building eBPF probe
+ '[' '!' -d /sys/kernel/debug/tracing ']'
+ echo '* Mounting debugfs'
* Mounting debugfs
+ mount -t debugfs nodev /sys/kernel/debug
mount: /sys/kernel/debug: permission denied.
       dmesg(1) may have more information after failed mount system call.
+ :
+ cd bpf
+ make
make -C /lib/modules/5.4.17-2136.336.5.1.el7uek.x86_64/build M=$PWD
make[1]: *** /lib/modules/5.4.17-2136.336.5.1.el7uek.x86_64/build: No such file or directory.  Stop.
make: *** [Makefile:23: all] Error 2
2024-10-23 12:45:09 ERROR failed: failed to build all requested drivers

Logs for kmod driver :

* Setting up /usr/src links from host
2024-10-23 12:42:58 ERROR no supported driver found for distro: ol, kernelrelease 5.4.17-2136.336.5.1.el7uek.x86_64, kernelversion #3 SMP Sat Oct 5 11:30:26 PDT 2024, arch x86_64
2024-10-23 12:42:58 ERROR no supported driver found for distro: ol, kernelrelease 5.4.17-2136.336.5.1.el7uek.x86_64, kernelversion #3 SMP Sat Oct 5 11:30:26 PDT 2024, arch x86_64

Thank you in advance!

How to reproduce it
Deploy cluster where K8S nodes running Oracle Linux and try to deploy Falco in compatible mode into it.

Deploy it using 4.10.0 Helm chart.

Expected behaviour
Falco is deployed and running fine on compatible kernel version.

Screenshots
not required, logs are attached above

Environment

• Falco version: 0.39.1

• System info: { "machine": "x86_64", "nodename": "falco", "release": "5.4.17-2136.336.5.1.el7uek.x86_64", "sysname": "Linux", "version": "#3 SMP Sat Oct 5 11:30:26 PDT 2024" }

• Cloud provider or hardware configuration: VMware
• OS: Oracle Linux

• Kernel: 5.4.17-2136.336.5.1.el7uek.x86_64

• Installation method: Helm chart https://github.com/falcosecurity/charts/tree/master/charts/falco

Additional context