Failed to install falco rpm #1800

Open
yummypeng opened this issue Sep 19, 2024 · 3 comments
yummypeng commented Sep 19, 2024

Describe the bug

Falco installation on FCOS failed using the instructions provided at https://falco.org/docs/install-operate/installation/#centos-rhel.

Reproduction steps

  1. Add falco repo: curl -s -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
  2. rpm-ostree install falco

Expected behavior

Falco installation complete.

Actual behavior

Updating metadata for 'fedora-cisco-openh264'... done
Updating metadata for 'updates'... done
Updating metadata for 'fedora'... done
Updating metadata for 'falcosecurity-rpm'... done
Updating metadata for 'updates-archive'... done
Importing rpm-md... done
rpm-md repo 'fedora-cisco-openh264'; generated: 2024-03-12T11:45:42Z solvables: 3
rpm-md repo 'updates'; generated: 2024-09-19T02:22:52Z solvables: 26877
rpm-md repo 'fedora'; generated: 2024-04-14T18:51:11Z solvables: 74881
rpm-md repo 'falcosecurity-rpm'; generated: 2024-08-19T13:23:11Z solvables: 53
rpm-md repo 'updates-archive'; generated: 2024-09-19T03:05:49Z solvables: 40749
Resolving dependencies... done
Will download: 85 packages (131.6 MB)
Downloading from 'fedora'... done
Downloading from 'updates-archive'... done
Downloading from 'falcosecurity-rpm'... done
Downloading from 'updates'... done
⠐ Importing packages   0% [░░░░░░░░░░░░░░░░░░░░] (0s)
Importing packages... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
error: Running %post for falco: bwrap(/bin/sh): Child process killed by signal 1; run `journalctl -t 'rpm-ostree(falco.post)'` for more information

And the journal log is:

Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2535]: [POST-INSTALL] Disable all possible enabled 'falco' service:
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2537]: rpm-ostree-systemctl: Ignored non-preset command: --system stop falco-kmod.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2540]: rpm-ostree-systemctl: Ignored non-preset command: --system stop falco-bpf.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2541]: rpm-ostree-systemctl: Ignored non-preset command: --system stop falco-modern-bpf.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2542]: rpm-ostree-systemctl: Ignored non-preset command: --system stop falco-custom.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2544]: rpm-ostree-systemctl: Ignored non-preset command: --system stop falcoctl-artifact-follow.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2545]: rpm-ostree-systemctl: Ignored non-preset command: --system disable falco-kmod.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2546]: rpm-ostree-systemctl: Ignored non-preset command: --system disable falco-bpf.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2547]: rpm-ostree-systemctl: Ignored non-preset command: --system disable falco-modern-bpf.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2548]: rpm-ostree-systemctl: Ignored non-preset command: --system disable falco-custom.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2549]: rpm-ostree-systemctl: Ignored non-preset command: --system disable falcoctl-artifact-follow.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2550]: rpm-ostree-systemctl: Ignored non-preset command: --system unmask falcoctl-artifact-follow.service
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2535]: [POST-INSTALL] Configure falcoctl 'auto' driver type:
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2551]: 2024-09-19 07:04:00 INFO  Running falcoctl driver config
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2551]:                       ├ name: falco
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2551]:                       ├ version: 7.2.1+driver
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2551]:                       ├ type: kmod
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2551]:                       ├ host-root: /
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2551]:                       └ repos: https://download.falco.org/driver
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2551]: 2024-09-19 07:04:00 INFO  Committing driver config to local Falco config
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2551]: 2024-09-19 07:04:00 INFO  Storing falcoctl driver config
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2565]: TERM environment variable not set.
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2535]: [POST-INSTALL] Trigger deamon-reload:
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2566]: rpm-ostree-systemctl: Ignored non-preset command: --system daemon-reload
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2535]: [POST-INSTALL] Call 'falcoctl driver install for kmod:
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]: 2024-09-19 07:04:00 INFO  Running falcoctl driver install
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]:                       ├ driver version: 7.2.1+driver
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]:                       ├ driver type: kmod
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]:                       ├ driver name: falco
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]:                       ├ compile: true
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]:                       ├ download: false
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]:                       ├ target: fedora
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]:                       ├ arch: x86_64
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]:                       ├ kernel release: 6.10.6-200.fc40.x86_64
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]:                       └ kernel version: #1 SMP PREEMPT_DYNAMIC Mon Aug 19 14:09:30 UTC 2024
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]: 2024-09-19 07:04:00 INFO  Check if kernel module is still loaded.
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]: 2024-09-19 07:04:00 INFO  OK! There is no module loaded.
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]: 2024-09-19 07:04:00 INFO  Check all versions of kernel module in dkms.
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]: 2024-09-19 07:04:00 INFO  OK! There are no module versions in dkms.
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]: 2024-09-19 07:04:00 INFO  Trying to compile the requested driver
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]: 2024-09-19 07:04:00 INFO  Trying to load a pre existent system module, if present.
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]: 2024-09-19 07:04:00 WARN  Consider compiling your own driver and loading it or getting in touch with the Falco community.
Sep 19 07:04:00 localhost.localdomain rpm-ostree(falco.post)[2567]: 2024-09-19 07:04:00 ERROR failed: user: Current requires cgo or $USER, $HOME set in environment

System details

  • QEMU
  • 40.20240825.3.0 (CoreOS)

Butane or Ignition config

No response

Additional information

I manually downloaded the RPM, unlocked the root filesystem, and successfully installed it using rpm -i falco.rpm.

It appears falcoctl may be unable to retrieve the user's $USER and $HOME variables due to a missing configuration in /etc/passwd for the rpm-ostree daemon?

@yummypeng
Author

The root cause is that the /usr/lib/passwd file lacks root user configuration.

@yummypeng
Author

Then the error updates: 😢

Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: + echo '* Building kmod with DKMS'
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: * Building kmod with DKMS
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: + echo '#!/usr/bin/env bash'
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: + echo 'make CC=/usr/bin/gcc $@'
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: + chmod +x /tmp/falco-dkms-make
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: + [[ -n '' ]]
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: + dkms install '--directive=MAKE='\''/tmp/falco-dkms-make'\''' -m falco -v 7.2.1+driver -k 6.10.7-200.fc40.x86_64
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: Sign command: /lib/modules/6.10.7-200.fc40.x86_64/build/scripts/sign-file
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: Signing key: /var/lib/dkms/mok.key
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: Public certificate (MOK): /var/lib/dkms/mok.pub
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: Certificate or key are missing, generating self signed certificate for MOK...
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: Key file /var/lib/dkms/mok.key not found and can't be generated, modules won't be signed
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: Creating symlink /var/lib/dkms/falco/7.2.1+driver/source -> /usr/src/falco-7.2.1+driver
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: mkdir: cannot create directory ‘/var/lib/dkms’: Read-only file system
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: ln: failed to create symbolic link '/var/lib/dkms/falco/7.2.1+driver/source': No such file or directory
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: ls: cannot access '/var/lib/dkms/falco/7.2.1+driver/source': No such file or directory
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: Error! The directory /var/lib/dkms/falco/7.2.1+driver/source does not appear to have module source located within it.
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: Build halted.
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: 2024-09-26 11:25:18 WARN  Running dkms build failed, couldn't find dkms log.
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]:                       └ file: /var/lib/dkms/falco/7.2.1+driver/build/make.log
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: 2024-09-26 11:25:18 INFO  Trying to load a pre existent system module, if present.
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: 2024-09-26 11:25:18 WARN  Consider compiling your own driver and loading it or getting in touch with the Falco community.
Sep 26 11:25:18 localhost.localdomain rpm-ostree(falco.post)[2035]: 2024-09-26 11:25:18 ERROR failed: failed to build all requested drivers

@jbtrystram
Contributor

From what I see, the falco RPM tries to set up things in /var/lib/dkms in an RPM post-script, which happens in a sandboxed environment in rpm-ostree. Furthermore, /var is read-only in this environment.

See https://coreos.github.io/rpm-ostree/architecture-core/#sandboxing-scripts for more explanation.
There is no way around that. Post scripts are bad practice; packagers should write systemd units to do that kind of setup. Consider reporting this upstream.

Maybe you can set up falco manually without the RPM?
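
The two failures in this thread (no usable root identity, and a state directory under /var that cannot be written inside the rpm-ostree script sandbox) can be detected before a scriptlet attempts the driver build. The following is an added example, not code from the Falco package or from rpm-ostree; the function names `scriptlet_preflight` and `post_install_action`, their parameters and the "defer" decision are assumptions for illustration, and temporary paths stand in for /var/lib/dkms and /usr/lib/passwd.

```shell
#!/bin/sh
# Added example; scriptlet_preflight and post_install_action are hypothetical names.

# Print one line per reason a driver build cannot run in this environment.
#   $1  state directory the build writes to (in the thread: /var/lib/dkms)
#   $2  passwd file expected to hold a root entry (in the thread: /usr/lib/passwd)
# Returns 0 when the build can proceed, 1 otherwise.
scriptlet_preflight() {
    state_dir=$1
    passwd_file=$2
    rc=0

    # Identity: the falcoctl error asks for $USER and $HOME, and the thread
    # traces it to a missing root entry, so accept either source.
    if ! grep -q '^root:' "$passwd_file" 2>/dev/null; then
        if [ -z "${USER:-}" ] || [ -z "${HOME:-}" ]; then
            echo "identity: no root entry in $passwd_file and USER/HOME unset"
            rc=1
        fi
    fi

    # State: mkdir -p succeeds on an existing directory even when the file
    # system is read-only, so test writability as well.
    if ! mkdir -p "$state_dir" 2>/dev/null || ! [ -w "$state_dir" ]; then
        echo "state: cannot write $state_dir"
        rc=1
    fi
    return "$rc"
}

# Decide what a scriptlet should do instead of failing the whole transaction.
post_install_action() {
    if scriptlet_preflight "$1" "$2" >/dev/null; then
        echo build-now
    else
        echo defer-to-first-boot
    fi
}

# Constructed demo: temporary paths stand in for the real ones.
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/passwd"
: > "$demo/not-a-dir"    # a regular file, so mkdir beneath it always fails
echo "writable state dir:   $(post_install_action "$demo/state" "$demo/passwd")"
echo "unwritable state dir: $(post_install_action "$demo/not-a-dir/dkms" "$demo/passwd")"
scriptlet_preflight "$demo/not-a-dir/dkms" "$demo/passwd" || true
rm -rf "$demo"
```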
