
ERROR: Error: Initialization issues during scap_init #3323

Open
OneideLuizSchneider opened this issue Sep 12, 2024 · 5 comments


OneideLuizSchneider commented Sep 12, 2024

Describe the bug

After the pod restarted 8 times, it worked.
ERROR: Error: Initialization issues during scap_init

Just install it; details are below.

Expected behaviour
It should not need to restart to be able to work.

Screenshots
[Screenshot attached: 2024-09-12 20:11:59]

Environment

  • Falco version:
    Falco version: 0.38.2 (x86_64)
  • System info:
    Linux version 5.10.223-212.873.amzn2.x86_64 (mockbuild@ip-10-0-60-177) (gcc10-gcc (GCC) 10.5.0 20230707 (Red Hat 10.5.0-1), GNU ld version 2.35.2-9.amzn2.0.1) Digwatch compiler #1 SMP Wed Aug 7 16:53:32 UTC 2024
  • Cloud provider or hardware configuration:
  • OS:
    AWS Linux 2
  • Kernel:
    5.10
  • Installation method:
    EKS 1.29

helm upgrade --install falco falcosecurity/falco \
    -f values.yml \
    --create-namespace \
    --namespace falco

values.yaml:

tty: true

driver:
  enabled: true
  kind: modern_ebpf

falco:

  rules_files:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco-incubating_rules.yaml
    - /etc/falco/falco-sandbox_rules.yaml
    - /etc/falco/rules.d
  rules:
    - disable:
        tag: T1552.005
    - disable:
        tag: T1565

  json_output: true

extra:
  env:
    - name: FALCO_HOSTNAME
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName

falcoctl:

  artifact:
    install:
      enabled: true
    follow:
      enabled: true
  config:
    artifact:
      allowedTypes:
        - rulesfile
      install:
        resolveDeps: false
        refs: [falco-rules:latest, falco-incubating-rules:latest, falco-sandbox-rules:latest]
      follow:
        refs: [falco-rules:latest, falco-incubating-rules:latest, falco-sandbox-rules:latest]

falcosidekick:
  enabled: false

Additional context

I saw many other folks reporting this here, but it's not clear why this happened and how to fix it if there is a fix.

FedeDP (Contributor) commented Sep 25, 2024

Hi! Thanks for reporting this issue; I don't have an answer, this seems really weird; since at every restart Falco is using the same driver (i.e. the modern eBPF one in this case), perhaps it is a timing issue with something else on the system?
cc @Andreagit97, who perhaps has more ideas, as I don't really know what to look for in this specific case.

/milestone 0.40.0

poiana added this to the 0.40.0 milestone Sep 25, 2024
OneideLuizSchneider (Author) commented Oct 1, 2024

@FedeDP FYI, I removed the incubating_rules and sandbox_rules, and I had the same issue.

 - /etc/falco/falco-incubating_rules.yaml
 - /etc/falco/falco-sandbox_rules.yaml

Andreagit97 (Member) commented

IMO we should enable a more verbose log: "Error: Initialization issues during scap_init" is too generic to understand what is going on.

kirylbelavus commented Oct 17, 2024

I encountered the same issue in a similar environment, and switching to eBPF mode instead of modern_eBPF was the only solution that helped. I tried enabling debug logs, but they didn't provide any insight. Additionally, it's worth noting that in an EKS cluster with 4 nodes, only 1 node failed to start Falco in modern_eBPF mode (although the kernel version is the same on all nodes).

roobre commented Oct 19, 2024

Seeing a very similar behavior here:

2024-10-19T09:58:46.595592088Z Sat Oct 19 09:58:46 2024: The --cri option is deprecated and will be removed in Falco 0.40.0. Use -o container_engines.cri.sockets]=<socket_path> instead.
2024-10-19T09:58:46.598439995Z Sat Oct 19 09:58:46 2024: Falco version: 0.39.1 (x86_64)
2024-10-19T09:58:46.598439995Z Sat Oct 19 09:58:46 2024: Falco initialized with configuration files:
2024-10-19T09:58:46.598451935Z Sat Oct 19 09:58:46 2024:    /etc/falco/config.d/engine-kind-falcoctl.yaml | schema validation: ok
2024-10-19T09:58:46.598451935Z Sat Oct 19 09:58:46 2024:    /etc/falco/falco.yaml | schema validation: ok
2024-10-19T09:58:46.598496263Z Sat Oct 19 09:58:46 2024: System info: Linux version 6.6.57-1-lts (linux-lts@archlinux) (gcc (GCC) 14.2.1 20240910, GNU ld (GNU Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Thu, 17 Oct 2024 13:57:25 +0000
2024-10-19T09:58:46.598824145Z Sat Oct 19 09:58:46 2024: Loading rules from:
2024-10-19T09:58:46.630720133Z Sat Oct 19 09:58:46 2024:    /etc/falco/falco_rules.yaml | schema validation: ok
2024-10-19T09:58:46.651177935Z Sat Oct 19 09:58:46 2024:    /etc/falco/rules.d/rules-override.yaml | schema validation: ok
2024-10-19T09:58:46.651177935Z Sat Oct 19 09:58:46 2024: /etc/falco/rules.d/rules-override.yaml: Ok, with warnings
2024-10-19T09:58:46.651177935Z 1 Warnings:
2024-10-19T09:58:46.651177935Z In rules content: (/etc/falco/falco_rules.yaml:0:0)
2024-10-19T09:58:46.651177935Z     list 'read_sensitive_file_images': (/etc/falco/falco_rules.yaml:382:2)
2024-10-19T09:58:46.651177935Z ------
2024-10-19T09:58:46.651177935Z - list: read_sensitive_file_images
2024-10-19T09:58:46.651177935Z   ^
2024-10-19T09:58:46.651177935Z ------
2024-10-19T09:58:46.651177935Z LOAD_UNUSED_LIST (Unused list): List not referred to by any other rule/macro
2024-10-19T09:58:46.651239866Z Sat Oct 19 09:58:46 2024: Hostname value has been overridden via environment variable to: moniserver
2024-10-19T09:58:46.651761569Z Sat Oct 19 09:58:46 2024: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
2024-10-19T09:58:46.651776556Z Sat Oct 19 09:58:46 2024: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
2024-10-19T09:58:46.652049599Z Sat Oct 19 09:58:46 2024: Loaded event sources: syscall
2024-10-19T09:58:46.652049599Z Sat Oct 19 09:58:46 2024: Enabled event sources: syscall
2024-10-19T09:58:46.652049599Z Sat Oct 19 09:58:46 2024: Opening 'syscall' source with modern BPF probe.
2024-10-19T09:58:46.652049599Z Sat Oct 19 09:58:46 2024: One ring buffer every '2' CPUs.
2024-10-19T09:58:47.613393945Z Sat Oct 19 09:58:47 2024: An error occurred in an event source, forcing termination...
2024-10-19T09:58:47.766747214Z Error: Initialization issues during scap_init
2024-10-19T09:58:47.767029775Z Events detected: 0
2024-10-19T09:58:47.767029775Z Rule counts by severity:
2024-10-19T09:58:47.767029775Z Triggered rules by rule name:
2024-10-19T09:58:53.682056483Z Stream closed EOF for falco/falco-nz8g7 (falco)

This is a very vanilla helm installation with the following values:

  customRules:
    rules-override.yaml: |-
      - macro: user_known_contact_k8s_api_server_activities
        condition: |-
          container.image.repository = registry.k8s.io/node-problem-detector/node-problem-detector
          or
          proc.name startswith node-problem-de
          or
          container.image.repository = ghcr.io/roobre/ktemplate
          or
          container.image.repository = ghcr.io/k8up-io/k8up
          or
          container.name startswith k8up
        override:
          condition: replace
      - macro: user_known_stand_streams_redirect_activities
        condition: |-
          container.image.repository = ghcr.io/fluxcd/kustomize-controller
          or
          (container.name startswith crocochrome and proc.name = chromium)
        override:
          condition: replace
      - macro: known_drop_and_execute_activities
        condition: |-
          (container.image.repository = ghcr.io/flaresolverr/flaresolverr and proc.name = chromedriver)
        override:
          condition: replace
      - macro: user_read_sensitive_file_containers
        condition: |-
          container.id = host
        override:
          condition: replace
      - list: user_known_packet_socket_binaries
        items:
          - speaker # metallb
          - bfdd # also metallb
        override:
          items: append
  resources:
    requests:
      cpu: 50m
      memory: 128Mi
    limits:
      cpu: null
      memory: 512Mi

  falcosidekick:
    enabled: true
    replicaCount: 1
    resources:
      requests:
        cpu: 10m
        memory: 64Mi
      limits:
        memory: 64Mi
    config:
      existingSecret: creds

Using the default image shipped in the chart

dependencies:
  - name: falco
    repository: https://falcosecurity.github.io/charts
    version: 4.11.1

Linux moniserver 6.6.57-1-lts #1 SMP PREEMPT_DYNAMIC Thu, 17 Oct 2024 13:57:25 +0000 x86_64 GNU/Linux

Also attaching /proc/config.gz in case it helps
config.gz
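As an added triage aid (this is example code, not code from the Falco project or from anyone in this thread): a Python script that parses Falco startup log lines of the shape posted above, extracts the Falco version, kernel release and driver in use, flags the scap_init failure, and checks the kernel against the 5.8 minimum that Falco documents for the modern eBPF probe. The sample log is constructed from the excerpt above; the message texts assumed for the legacy eBPF probe and the kernel module are assumptions, not taken from this page. It also shows that both kernels reported in this thread (5.10 and 6.6) clear the version bar, so the version alone does not explain a failure that hits only one node out of four.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed sample, shaped after the log excerpt posted in this issue.
SAMPLE_LOG = """\
2024-10-19T09:58:46.598439995Z Sat Oct 19 09:58:46 2024: Falco version: 0.39.1 (x86_64)
2024-10-19T09:58:46.598496263Z Sat Oct 19 09:58:46 2024: System info: Linux version 6.6.57-1-lts (linux-lts@archlinux) #1 SMP PREEMPT_DYNAMIC Thu, 17 Oct 2024 13:57:25 +0000
2024-10-19T09:58:46.652049599Z Sat Oct 19 09:58:46 2024: Opening 'syscall' source with modern BPF probe.
2024-10-19T09:58:46.652049599Z Sat Oct 19 09:58:46 2024: One ring buffer every '2' CPUs.
2024-10-19T09:58:47.613393945Z Sat Oct 19 09:58:47 2024: An error occurred in an event source, forcing termination...
2024-10-19T09:58:47.766747214Z Error: Initialization issues during scap_init
2024-10-19T09:58:47.767029775Z Events detected: 0
"""

# Falco documents the modern eBPF probe as needing kernel 5.8 or newer (plus BTF).
MODERN_EBPF_MIN_KERNEL: Tuple[int, int] = (5, 8)

# Strip the container-runtime timestamp (kubectl logs --timestamps) and Falco's own
# "Sat Oct 19 09:58:46 2024: " prefix. Both are optional because the final
# "Error: ..." line carries only the first one.
_PREFIX = re.compile(
    r"^(?:\S+Z\s+)?"
    r"(?:[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}: )?"
)
_VERSION = re.compile(r"^Falco version: (\S+)")
_KERNEL = re.compile(r"^System info: Linux version (\S+)")


@dataclass
class FalcoStartup:
    """What a single Falco start attempt tells us, extracted from its log."""
    version: Optional[str] = None
    kernel: Optional[str] = None
    driver: Optional[str] = None      # value as it would appear in driver.kind
    init_failed: bool = False         # True when scap_init reported a failure
    errors: List[str] = field(default_factory=list)


def _driver_kind(msg: str) -> Optional[str]:
    """Map the 'Opening ... source with ...' message to a driver.kind value."""
    if "modern BPF probe" in msg:           # message text shown in this issue
        return "modern_ebpf"
    if "BPF probe" in msg:                  # assumed text for the legacy probe
        return "ebpf"
    if "kernel module" in msg.lower():      # assumed text for the kmod driver
        return "kmod"
    return None


def parse_falco_log(lines: Iterable[str]) -> FalcoStartup:
    """Scan Falco startup log lines and summarise version, kernel, driver and errors."""
    result = FalcoStartup()
    for raw in lines:
        msg = _PREFIX.sub("", raw.rstrip("\n"), count=1)
        m = _VERSION.match(msg)
        if m:
            result.version = m.group(1)
            continue
        m = _KERNEL.match(msg)
        if m:
            result.kernel = m.group(1)
            continue
        if msg.startswith("Opening '") and " source with " in msg:
            result.driver = _driver_kind(msg)
        elif msg.startswith("Error:") or msg.startswith("An error occurred in an event source"):
            result.errors.append(msg)
            if "scap_init" in msg:
                result.init_failed = True
    return result


def kernel_version_tuple(release: str) -> Tuple[int, ...]:
    """'5.10.223-212.873.amzn2.x86_64' -> (5, 10, 223)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def kernel_meets_minimum(release: str, minimum: Tuple[int, int] = MODERN_EBPF_MIN_KERNEL) -> bool:
    """True when the kernel's major.minor is at or above the documented minimum."""
    return kernel_version_tuple(release)[:2] >= tuple(minimum)


def triage(log_text: str) -> str:
    """One-line verdict for a start attempt, for use when investigating a restart loop."""
    s = parse_falco_log(log_text.splitlines())
    if not s.init_failed:
        return f"ok: Falco {s.version} started with driver {s.driver} on kernel {s.kernel}"
    kernel_ok = kernel_meets_minimum(s.kernel) if s.kernel else False
    minimum = ".".join(map(str, MODERN_EBPF_MIN_KERNEL))
    return (f"scap_init failed: Falco {s.version}, driver {s.driver}, kernel {s.kernel} "
            f"(version >= {minimum}: {kernel_ok}); errors: {' | '.join(s.errors)}")


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

To use it on a cluster, feed the output of kubectl logs --timestamps for each Falco pod (and each previous container instance) to triage(); comparing the verdicts per node is the quickest way to confirm whether the failure is tied to specific nodes, as reported above, before switching driver.kind.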
