Status: Under development
A command line tool that can be used to build the Falco kernel module and eBPF probe.
When you meet kernelversion that refers to the version you get executing uname -v:
For example, below, the version is the 59 after the hash
uname -v
#59-Ubuntu SMP Wed Dec 4 10:02:00 UTC 2019When you meet kernelrelease, that refers to the kernel release you get executing uname -r:
uname -r
4.15.0-1057-aws
driverkit kubernetes --output-module /tmp/falco.ko --kernelversion=81 --kernelrelease=4.15.0-72-generic --driverversion=dev --target=ubuntu-genericdriverkit docker --output-module /tmp/falco.ko --kernelversion=81 --kernelrelease=4.15.0-72-generic --driverversion=dev --target=ubuntu-genericCreate a file named ubuntu-aws.yaml containing the following content:
kernelrelease: 4.15.0-1057-aws
kernelversion: 59
target: ubuntu-aws
output:
module: /tmp/falco-ubuntu-aws.ko
probe: /tmp/falco-ubuntu-aws.o
driverversion: devNow run driverkit using the configuration file:
driverkit docker -c ubuntu-aws.yamlExample configuration file to build both the Kernel module and eBPF probe for Ubuntu generic.
kernelrelease: 4.15.0-72-generic
kernelversion: 81
target: ubuntu-generic
output:
module: /tmp/falco-ubuntu-generic.ko
probe: /tmp/falco-ubuntu-generic.o
driverversion: devExample configuration file to build both the Kernel module and eBPF probe for Ubuntu AWS.
kernelrelease: 4.15.0-1057-aws
kernelversion: 59
target: ubuntu-aws
output:
module: /tmp/falco-ubuntu-aws.ko
probe: /tmp/falco-ubuntu-aws.o
driverversion: devkernelrelease: 2.6.32-754.14.2.el6.x86_64
kernelversion: 1
target: centos
output:
module: /tmp/falco-centos6.ko
driverversion: devkernelrelease: 3.10.0-957.12.2.el7.x86_64
kernelversion: 1
target: centos
output:
module: /tmp/falco-centos7.ko
driverversion: devkernelrelease: 4.18.0-147.5.1.el8_1.x86_64
kernelversion: 1
target: centos
output:
module: /tmp/falco-centos8.ko
driverversion: devkernelrelease: 4.14.26-46.32.amzn1.x86_64
target: amazonlinux
output:
module: /tmp/falco_amazonlinux_4.14.26-46.32.amzn1.x86_64.ko
driverversion: be1ea2d9482d0e6e2cb14a0fd7e08cbecf517f94kernelrelease: 4.14.171-136.231.amzn2.x86_64
target: amazonlinux2
output:
module: /tmp/falco_amazonlinux2_4.14.171-136.231.amzn2.x86_64.ko
probe: /tmp/falco_amazonlinux2_4.14.171-136.231.amzn2.x86_64.o
driverversion: be1ea2d9482d0e6e2cb14a0fd7e08cbecf517f94Example configuration file to build both the Kernel module and eBPF probe for Debian.
kernelrelease: 4.19.0-6-amd64
kernelversion: 1
output:
module: /tmp/falco-debian.ko
probe: /tmp/falco-debian.o
target: debian
driverversion: devIn case of vanilla, you also need to pass the kernel config data in base64 format.
In most systems you can get kernelconfigdata by reading /proc/config.gz.
kernelrelease: 5.5.2
kernelversion: 1
target: vanilla
output:
module: /tmp/falco-vanilla.ko
probe: /tmp/falco-vanilla.o
driverversion: 0de226085cc4603c45ebb6883ca4cacae0bd25b2Now you can add the kernelconfigdata to the configuration file, to do so:
zcat /proc/config.gz| base64 -w0 | awk '{print "kernelconfigdata: " $1;}' >> /tmp/vanilla.yamlThe command above assumes that you saved the configuration file at /tmp/vanilla.yaml
Usually, building for a vanilla target requires more time.
So, we suggest to increase the driverkit timeout (defaults to 60 seconds):
driverkit docker -c /tmp/vanilla.yaml --timeout=300- Have a package that can build the Falco kernel module in k8s
- Have a package that can build the Falco kernel module in docker
- Have a package that can build the Falco eBPF probe in k8s
- Have a package that can build the Falco eBPF probe in docker
- Support the top distributions in our Survey and the Vanilla Kernel
- Ubuntu (
ubuntu-aws,ubuntu-generic) - CentOS 8
- CentOS 7
- CentOS 6
- AmazonLinux (
amazonlinux,amazonlinux2) - Debian
- Vanilla kernel (
vanilla)
- Ubuntu (
We are conducting a survey to know what is the most interesting set of Operating Systems we must support first in driverkit.
You can find the results of the survey here