Description
Description
Falco uses a docker container to bind mount kernel module paths from the host and then builds a kernel module.
This build runs inside a debian 10 container, with access to kernel modules dirs.
Impact
Flatcar doesn't work with an upstream project, needs downstream changes to workflows.
Environment and steps to reproduce
- Action:
docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name build falcosecurity/falco:latest
- Error: on beta this fails with:
scripts/basic/fixdep: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by scripts/basic/fixdep)
Expected behavior
Expected build to work.
Additional information
The supported way to build kernel modules on Flatcar is through the developer container, but that is a custom solution that doesn't integrate with other projects. The docker container used by falco is a fragile approach, and we're hitting two issues with it. The build system tries to be compatible with old kernels so builds with gcc-5 first, but has a fallback to gcc-8. This is not quite the same gcc that current Flatcar kernels are built with (gcc-9) but could work. The second issue is that it depends on the kernel build directory being prepared for kernel module builds, ours is partially compatible (since it worked before, but i believe this is more of an accident than intentional). Beta channel binaries are built with glibc-2.33 which is newer than what the container provides so they can't be executed.
We also have a flaw in that arm64 images contain kernel module binaries from the build system (amd64). We could improve the situation:
- build statically linked kernel module build system binaries into images
- provide enough kernel build system files so that
make modules_prepareworks (but this requires ongoing maintenance) - find another way to improve falco build support (bind mount /lib64?)
Activity