From 345452836bfb302991d4ebb7fc0042374c8ac48a Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 2 May 2016 22:44:41 -0700 Subject: [PATCH 1/2] Changes related to use of kernel module. While building falco from source, I found a couple of problems related to use of kernel modules: 1. The falco build needs driver_config.h from the sysdig repo, but it isn't created by default. [ 50%] Building C object userspace/libscap/CMakeFiles/scap.dir/scap.c.o /mnt/sf_stemm/work/src/sysdig/userspace/libscap/scap.c:34:40: fatal error: ../../driver/driver_config.h: No such file or directory compilation terminated.c Fixed by adding ${SYSDIG_DIR}/driver to CMakeLists.txt. I did notice that after doing this the object files were in the sysdig/driver directory, but I don't think this is related to the Makefiles/CMakeFiles in the sysdig/driver directory? 2. Falco needs the sysdig kernel module, but it may not be loaded if no other sysdig is installed. Added notes to the README that discuss loading the kernel module by hand if no binary sysdig is installed. --- CMakeLists.txt | 1 + README.md | 11 ++++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index e373966f..31cf9ca2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -155,6 +155,7 @@ ExternalProject_Add(lpeg install(FILES falco.yaml DESTINATION "${DIR_ETC}") +add_subdirectory(${SYSDIG_DIR}/driver ${PROJECT_BINARY_DIR}/driver) add_subdirectory(${SYSDIG_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/userspace/libscap) add_subdirectory(${SYSDIG_DIR}/userspace/libsinsp ${PROJECT_BINARY_DIR}/userspace/libsinsp) diff --git a/README.md b/README.md index 1d8761d5..2b4a451e 100644 --- a/README.md +++ b/README.md 
@@ -69,11 +69,11 @@ Instructions for Centos and Ubuntu. -## Building Falco +## Building and running Falco locally from source Building Falco requires having `cmake` and `g++` installed. -### Building +### Building Falco Clone this repo in a directory that also contains the sysdig source repo. The result should be something like: ``` @@ -98,8 +98,13 @@ $ make as a result, you should have a falco executable in `build/userspace/falco/falco`. +### (Optional) Install sysdig kernel driver -### Running locally-built Falco +If you have a binary version of sysdig installed, the sysdig kernel module is already loaded and can be used by falco. Otherwise, you should load the kernel module from the sysdig source directory. Assuming you are in the `build` dir, you can install the kernel module via: + +`$ insmod driver/sysdig-probe.ko` + +### Running Falco Assuming you are in the `build` dir, you can run Falco as: From dfa6da47a313f56c2d31a25e2a51d7593fe774a9 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 3 May 2016 15:45:28 -0700 Subject: [PATCH 2/2] Update README to always use local kernel module. Instead of suggesting using a kernel module from an installed version of sysdig, always recommend unloading any existing module and using the locally built one. --- README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2b4a451e..28295727 100644 --- a/README.md +++ b/README.md 
@@ -98,9 +98,15 @@ $ make as a result, you should have a falco executable in `build/userspace/falco/falco`. -### (Optional) Install sysdig kernel driver +### Load latest sysdig kernel module -If you have a binary version of sysdig installed, the sysdig kernel module is already loaded and can be used by falco. Otherwise, you should load the kernel module from the sysdig source directory. Assuming you are in the `build` dir, you can install the kernel module via: +If you have a binary version of sysdig installed, an older sysdig kernel module may already be loaded. To ensure you are using the latest version, you should unload any existing sysdig kernel module and load the locally built version. + +Unload any existing kernel module via: + +`$ rmmod sysdig_probe` + +To load the locally built version, assuming you are in the `build` dir, use: `$ insmod driver/sysdig-probe.ko`
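Review bot: On the CMakeLists.txt hunk, the open question in the commit message ("the object files were in the sysdig/driver directory") should be settled before merging the new `add_subdirectory(${SYSDIG_DIR}/driver ${PROJECT_BINARY_DIR}/driver)` line: if the driver's build writes objects into the source tree rather than into `${PROJECT_BINARY_DIR}/driver`, out-of-tree builds will dirty the sysdig checkout and the README's `insmod driver/sysdig-probe.ko` (relative to the `build` dir) may not find the module. Also note that pulling the driver subdirectory into the default build makes the kernel headers for the running kernel a build-time requirement; that dependency belongs in the "Building Falco requires ..." sentence of the README.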
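Review bot: In the first README hunk, `$ insmod driver/sysdig-probe.ko` is shown with an unprivileged `$` prompt, but loading a kernel module requires root (CAP_SYS_MODULE); suggest `$ sudo insmod driver/sysdig-probe.ko` so readers are not surprised by "Operation not permitted". It would also help to state that this installs a locally compiled, unsigned module into the running kernel, so on systems with Secure Boot or module signature enforcement the command will be refused and the reader needs to know that is expected rather than a build failure.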
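Review bot: In the second patch's README hunk, `$ rmmod sysdig_probe` fails with an error on a machine where no sysdig module is loaded, which is exactly the case for readers building from source without a binary sysdig; either say that the error is harmless in that situation or suggest checking first, for example `lsmod | grep sysdig_probe`. Same root-privilege point as above applies to both `rmmod` and `insmod`. Two further things worth a sentence: the module name `sysdig_probe` (underscore) and the file `sysdig-probe.ko` (hyphen) refer to the same module because the kernel normalises hyphens to underscores, which a reader may otherwise take for a typo; and replacing a packaged sysdig's module with a locally built one will also affect the installed sysdig binary, and `rmmod` will refuse if that sysdig is currently running, so the text should tell the reader to stop it first.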