Sup nerds.
So if you want to see me live demo this check out my live stream at 11am Pacific at twitch.tv/setns on Friday. I will post the recording here after it’s done.
So if you have been following along on Twitter you have probably seen me talking about my new server cabinet I have been working on, as well as a few tweets about running Falco on ARM.
So recently I joined Sysdig, Inc as chief OSS and I have been hacking on the kernel and our open source security tools for the past few months.
If you have ever used wireshark, or sysdig, or falco, then yeah – we are THOSE folks. Falco is written in C++ and uses either a kernel module or a BPF probe to trace system call events in the Linux kernel. It’s fairly complicated to get all the pieces installed and working well on a Linux system, let alone a Kubernetes system.
So I figured everyone could use a fun project during the apocalypse, including myself. So today I made a few branches of Linux, Falco, and Kubernetes and got everything dialed in nicely and compiling on ARMv7.
So if you are interested in Kubernetes and Linux security, if you enjoy free and open source software, and if you have a raspberry pi or another arm board laying around please follow along and try out my distro I slapped together today.
So let’s understand what we have going on here.
NOVIX
So I put together an image that should make this as easy as pi (pun intended) to set up. It’s my operating system so if you don’t like it I don’t care. Get off my lawn.
What is inside NOVIX?
Component | Version |
---|---|
Architecture | armv7 |
Kernel | Linux novix 4.19.118-1-ARCH armv7l GNU/Linux |
Operating System Base | Arch Linux |
Operating System | Novix |
Falco | 0.22.0 |
Kubernetes | 1.18 |
Kubeadm | 1.18 |
Tested on Chips | Raspberry Pi 3/4 (armv7), Raspberry Pi 1 B (armv6) |
Where do I get NOVIX?
See the latest RELEASE on GitHub
Image | Download | Arch | Size |
---|---|---|---|
Novix 1.0.1 | novix-1.0.1-armv7.img.gz | armv7 | 4.3 GB |
Novix 1.0.0 | novix-1.0.0-armv7.img.gz | armv7 | 8.5 GB |
Included in the image:
- Kernel headers
- Falco objects
- Kubernetes binaries
- Docker
- CRI
- Emacs
- grpc
- jq
Setting up NOVIX on a Raspberry Pi 3/4
I am assuming you are running Linux; if you aren’t, you should probably start. Otherwise you can duck duck go how to do this on Windows or a Mac – I am sure there are a lot of resources out there.
Download NOVIX and flash to your SD card
```sh
mkdir ~/novix && cd ~/novix
sudo fdisk -l        # Use this command to find your SD card (mine is usually /dev/sdc)
sudo fdisk /dev/sdc  # Use the device that matches your SD card from above
```
Thanks, Arch Linux ARM community.
At the fdisk prompt, delete old partitions and create a new one:
Type o. This will clear out any partitions on the drive.
Type p to list partitions. There should be no partitions left.
Type n, then p for primary, 1 for the first partition on the drive, press ENTER to accept the default first sector, then type +110M for the last sector.
Type t, then c to set the first partition to type W95 FAT32 (LBA).
Type n, then p for primary, 2 for the second partition on the drive, and then press ENTER twice to accept the default first and last sector.
Write the partition table and exit by typing w.
Now format the boot partition
```sh
sudo mkfs.vfat /dev/sdc1
mkdir boot
sudo mount /dev/sdc1 boot
```
And now the root partition
```sh
sudo mkfs.ext4 /dev/sdc2
mkdir root
sudo mount /dev/sdc2 root
```
And now let’s set up our sd card
```sh
wget https://nivenly.com/novix/novix-1.0.1-armv7.img.gz
sudo umount root   # dd writes the raw partition, so it must not be mounted while the image goes on
gunzip --stdout novix-1.0.1-armv7.img.gz | sudo dd bs=4M of=/dev/sdc2
sync
sudo mount /dev/sdc2 root
sudo mv root/boot/* boot   # the Pi firmware loads the kernel from the FAT boot partition
sudo umount boot root
```
If you get stuck, check out the official Arch Linux ARM installation guide for the Raspberry Pi and just use my image instead of the one they suggest; the steps above are a condensed version of that guide.
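The partition, format and flash steps above as one non-interactive script, added here as an example (it is not part of NOVIX or of the Arch Linux ARM guide). It feeds sfdisk the same layout the fdisk keystrokes produce, handles both /dev/sdX and /dev/mmcblkN naming, and refuses to touch a device that has anything mounted, which is the check you want before a dd that cannot be undone. It assumes what the manual steps imply: the image is a root filesystem image written to partition 2 that carries /boot inside it, and sfdisk, mkfs.vfat and sudo exist on the machine doing the flashing. The function names are mine.

```sh
#!/bin/sh
# Added example, not NOVIX tooling: non-interactive version of the manual
# partition / format / flash steps, with a guard against writing over a disk
# that is in use. Assumes the image is a root filesystem image for partition 2
# that carries /boot inside it, as the manual steps do.

# Same layout the interactive fdisk keystrokes produce: a 110 MiB
# W95 FAT32 (LBA) boot partition (type c) and a Linux partition (type L)
# taking the rest of the card, in sfdisk's script format.
sd_layout() {
    printf 'label: dos\n,110M,c\n,,L\n'
}

# /dev/sdc -> /dev/sdc1 but /dev/mmcblk0 -> /dev/mmcblk0p1
partition_prefix() {
    case "$1" in
        *[0-9]) printf '%sp\n' "$1" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# True if the device or any of its partitions appears in a mounts table.
# $2 defaults to /proc/mounts; a test can pass a constructed file instead.
device_is_mounted() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    grep -qE "^${dev}(p?[0-9]+)? " "$mounts"
}

flash_novix() {
    dev="$1"
    img="$2"
    p=$(partition_prefix "$dev")

    if device_is_mounted "$dev"; then
        echo "refusing to flash $dev: it has mounted filesystems (your system disk?)" >&2
        return 1
    fi
    [ -f "$img" ] || { echo "image not found: $img" >&2; return 1; }

    sd_layout | sudo sfdisk "$dev"        # write the two-partition table
    sudo mkfs.vfat "${p}1"                 # boot partition
    # Partition 2 is overwritten wholesale by the image, which already carries
    # its own ext4 filesystem, so it is not formatted separately.
    gunzip --stdout "$img" | sudo dd bs=4M of="${p}2"
    sync

    mkdir -p boot root
    sudo mount "${p}1" boot
    sudo mount "${p}2" root
    sudo mv root/boot/* boot               # the Pi firmware reads the kernel from the FAT partition
    sudo umount boot root
}

# Usage: ./flash-novix.sh /dev/sdc novix-1.0.1-armv7.img.gz
if [ "$#" -eq 2 ]; then
    flash_novix "$@"
fi
```

Run it from the directory holding the downloaded image; the mounted-device check reads /proc/mounts before anything needs root, so a wrong device name is caught before sudo is ever invoked.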
Throw the SD card into the back of your Raspberry Pi, hook it up to your network, and give it some power. You should see a solid light and a blinking light on the board (not the network port) indicating that your Pi is online.
SSH into your NOVIX instance
Now we are assuming you have a lovely DHCP server online somewhere and your Pi should now be on your network. Find its IP address by pulling client lists from your networking gear, arping, guessing, nmap, whatever. I just went into my unifi dashboard and there it was!
Default NOVIX Username | Default NOVIX Password |
---|---|
novix | charlie |
```sh
ssh novix@10.0.0.36
cat README
```
Change that password the first time you log in (passwd): every copy of the image ships with it, and the Pi is already answering SSH on your network.
Notice that if you type novix and hit tab to complete, there are a handful of handy commands.
Running Falco
Falco should come precompiled. The kernel module should be loaded and the daemon should already be running. To see what it is reporting:
```sh
novix.falco-logs
```
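A way to triage that stream with jq, which the image ships, added here as an example (not NOVIX or Falco code). It assumes Falco is configured with json_output: true, so each event is one JSON object per line with "time", "priority", "rule", "output" and "output_fields"; the three events below are constructed for the example, using two of Falco's default rule names.

```sh
#!/bin/sh
# Added example, not NOVIX tooling: filter and count Falco JSON events with jq.
# Assumes json_output: true in falco.yaml. FALCO_SAMPLE is constructed input.
FALCO_SAMPLE='{"time":"2020-05-01T14:02:11.000000001Z","priority":"Notice","rule":"Terminal shell in container","output":"14:02:11.000000001: Notice A shell was spawned in a container with an attached terminal (user=root container_id=1a2b3c4d5e6f shell=sh)","output_fields":{"container.id":"1a2b3c4d5e6f","proc.name":"sh","user.name":"root"}}
{"time":"2020-05-01T14:02:30.000000002Z","priority":"Warning","rule":"Read sensitive file untrusted","output":"14:02:30.000000002: Warning Sensitive file opened for reading by non-trusted program (user=novix name=cat file=/etc/shadow)","output_fields":{"fd.name":"/etc/shadow","proc.name":"cat","user.name":"novix"}}
{"time":"2020-05-01T14:03:00.000000003Z","priority":"Informational","rule":"Create Hidden Files or Directories","output":"14:03:00.000000003: Informational Hidden file or directory created (user=novix file=/home/novix/.cache)","output_fields":{"fd.name":"/home/novix/.cache","proc.name":"mkdir","user.name":"novix"}}'

# Print time, priority, rule, process and user for every event at or above
# the given priority. Falco order, most severe first: Emergency, Alert,
# Critical, Error, Warning, Notice, Informational, Debug. Reads events on stdin.
falco_alerts() {
    jq -r --arg min "$1" '
        def rank: . as $p
            | {"Emergency":0,"Alert":1,"Critical":2,"Error":3,
               "Warning":4,"Notice":5,"Informational":6,"Debug":7}
            | .[$p] // 8;
        select((.priority | rank) <= ($min | rank))
        | [.time, .priority, .rule,
           (.output_fields["proc.name"] // "-"),
           (.output_fields["user.name"] // "-")]
        | @tsv'
}

# Count events per rule, most frequent first, to spot a noisy rule worth tuning.
falco_rule_counts() {
    jq -r '.rule' | sort | uniq -c | sort -rn
}

# Against the live daemon (assuming novix.falco-logs emits the JSON lines):
#   novix.falco-logs | falco_alerts Warning
# Demo on the constructed sample:
if command -v jq >/dev/null 2>&1; then
    printf '%s\n' "$FALCO_SAMPLE" | falco_alerts Warning
    printf '%s\n' "$FALCO_SAMPLE" | falco_rule_counts
fi
```

The priority table in the jq filter is the ordering Falco itself uses, so "Warning" keeps the /etc/shadow read and drops the shell spawn and the hidden-file event; lower the threshold to "Notice" while you are deciding which rules matter on a home cluster.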
Running Kubernetes
Kubernetes 1.18 should also be baked into the image and all dependencies should already be installed and configured.
The Kubernetes Master
Start by setting up a master. Pick a hostname you want to use for your master (NOTE: you should also probably put this in /etc/hosts on all the machines in your cluster). In this example we will use novix-master for our hostname. Set it using the following command:
```sh
novix.hostname novix-master
```
Now start your master server:
```sh
novix.k8s-master
```
You should see the output of kubeadm giving you a “join command” that should look something like:
```sh
kubeadm join 10.0.0.44:443 --token uvjdta.h41bhz0aw5scnvka \
    --discovery-token-ca-cert-hash sha256:0d0c32d30ab1dd2a5f3ca6f1d83b61aba9204bf6f8aa8f76e6c50ee37becb6ba
```
Note the following from your own output (the address, token and hash below are examples; use the values your kubeadm printed):
Key | Value |
---|---|
Server | 10.0.0.43 |
Token | uvjdta.h41bhz0aw5scnvka |
Hash | sha256:0d0c32d30ab1dd2a5f3ca6f1d83b61aba9204bf6f8aa8f76e6c50ee37becb6ba |
Now install Calico CNI on your cluster:
```sh
kubectl apply -f https://docs.projectcalico.org/v3.11/manifests/calico.yaml
```
The Kubernetes Node(s)
Set up a new NOVIX machine as one of your nodes. Set a new hostname:
```sh
novix.hostname novix-001
```
Now either run the pasted kubeadm join command above, or you can try:
```sh
novix.k8s-join 10.0.0.43 uvjdta.h41bhz0aw5scnvka sha256:0d0c32d30ab1dd2a5f3ca6f1d83b61aba9204bf6f8aa8f76e6c50ee37becb6ba
```
As long as everything can route, you should now have a working Kubernetes cluster with Falco.
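The two values passed to novix.k8s-join are credentials in both directions, and the script below, added as an example (not NOVIX or kubeadm code), checks them before they are handed around. The token lets the node authenticate to the API server; the --discovery-token-ca-cert-hash lets the node authenticate the API server, so it has to come from the master operator rather than from whatever answers on that address. kubeadm defines the hash as SHA-256 over the DER-encoded SubjectPublicKeyInfo of the cluster CA certificate, and the openssl pipeline used here is the one the kubeadm documentation gives; the function names and the default cert path /etc/kubernetes/pki/ca.crt (where kubeadm puts it on the master) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not NOVIX or kubeadm tooling: sanity-check the join
# credentials. Requires openssl on the machine that holds the CA cert.

# kubeadm bootstrap tokens are 6 lowercase alphanumerics, a dot, then 16 more.
token_is_wellformed() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# Recompute the discovery hash from the CA certificate, formatted the way
# kubeadm prints it. Default path is where kubeadm keeps the CA on the master.
ca_cert_hash() {
    cert="${1:-/etc/kubernetes/pki/ca.crt}"
    pub=$(openssl x509 -pubkey -noout -in "$cert") || return 1
    hex=$(printf '%s\n' "$pub" \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -hex \
        | sed 's/^.* //')
    [ -n "$hex" ] || return 1
    printf 'sha256:%s\n' "$hex"
}

# On the master: confirm that a join command someone pasted around still
# matches this cluster's CA (it will not after a kubeadm reset / re-init).
verify_ca_hash() {
    expected="$1"
    cert="$2"
    actual=$(ca_cert_hash "$cert") || return 1
    [ "$actual" = "$expected" ]
}

# Usage on the master:
#   ca_cert_hash                                  # hash to hand to node operators
#   verify_ca_hash sha256:0d0c32d3... /etc/kubernetes/pki/ca.crt
#   kubeadm token create --print-join-command     # bootstrap tokens expire (24h by
#                                                 # default), so mint a fresh one
#                                                 # rather than reusing an old paste
# Usage before running novix.k8s-join on a node:
#   token_is_wellformed uvjdta.h41bhz0aw5scnvka && echo token looks like a kubeadm token
```

If verify_ca_hash fails on the master, the join command in circulation belongs to a previous incarnation of the cluster and a node using it would fail discovery rather than join the wrong cluster, which is the point of the hash; generate a new join command instead of editing the old one by hand.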