Skip to content

new(build,userspace): switch to use container plugin #3482

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Feb 26, 2025
Merged

new(build,userspace): switch to use container plugin #3482

merged 9 commits into from
Feb 26, 2025

Conversation

FedeDP
Copy link
Contributor

@FedeDP FedeDP commented Feb 4, 2025
edited
Loading

What type of PR is this?

/kind cleanup
/kind feature

Any specific area of the project related to this PR?

/area build
/area engine

What this PR does / why we need it:

This PR bumps Falco to HEAD of falcosecurity/libs#2207, enforcing the usage of the container plugin.
Keeping it wip until all issues are resolved.

TODO:

  • fix CI issues -> test_falco_engine.extra_format_do_not_replace_container_info
  • the config now loads the container plugin by default. But the container plugin itself is not supported on windows and osx (and musl of course) therefore we either use a new falco_others.yaml config (that we install on windows,osx and musl in place of falco.yaml), or we use something like load_plugins: [@FALCO_DEFAULT_PLUGINS@] and customize FALCO_DEFAULT_PLUGINS from within cmake -> we decided to add the plugin configuration in the main falco.yaml file but then install an override config file that loads it only on non-musl linux installations
  • what to do with musl? We won't have any way to runtime load the plugin... So the musl build won't support containers anymore -> not a big deal for now; eventually if user demand is high, we might want to statically link the plugin somehow
  • fixup Falco yaml container_engines: key: drop in favor of plugin config -> implement TODOs or drop? It is not sandbox level unfortunately, but Incubating thus theoretically we'd need a deprecation period. -> before 1.0.0 incubating features can be dropped without deprecation period: https://github.com/falcosecurity/falco/blob/master/proposals/20231220-features-adoption-and-deprecation.md#before-falco-10
  • Update rules? They will need to require container plugin

While it should be up to falcoctl to install the container plugin, since it was previously a core feature of libraries, we decided to keep it installed by the Falco package so that host installations through packages won't lose such a feature by default (ie: without playing with falcoctl to install the plugin).
Another solution could be to let rpm/deb install scripts leverage falcoctl to install the plugin, BUT the tar.gz tarball would still be hit by the feature loss.

Which issue(s) this PR fixes:

Refs #3403

Special notes for your reviewer:

The cares,grpc,openssl and curl cmake files were copy pasted from libs repo.

Does this PR introduce a user-facing change?:

new(build,userspace): switch to use container plugin

@poiana
Copy link
Contributor

poiana commented Feb 4, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana requested review from Kaizhe and LucaGuerra February 4, 2025 16:46
@poiana poiana added the size/XXL label Feb 4, 2025
@FedeDP FedeDP mentioned this pull request Feb 4, 2025
Closed
@FedeDP FedeDP force-pushed the new/container_plugin branch 2 times, most recently from 1575590 to a52405c Compare February 10, 2025 09:28
@FedeDP
Copy link
Contributor Author

FedeDP commented Feb 10, 2025

/milestone 0.41.0

@poiana poiana added this to the 0.41.0 milestone Feb 10, 2025
@github-actions GitHub Actions
Copy link

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

@FedeDP FedeDP force-pushed the new/container_plugin branch 6 times, most recently from 11663e9 to 03e2350 Compare February 13, 2025 12:28
@FedeDP FedeDP mentioned this pull request Feb 13, 2025
Merged
@FedeDP
Copy link
Contributor Author

FedeDP commented Feb 13, 2025
edited
Loading

Going to remove the wip commit once falcosecurity/testing#69 gets merged.

EDIT: removed

@FedeDP FedeDP force-pushed the new/container_plugin branch from 624544b to 03e2350 Compare February 13, 2025 15:28
@FedeDP
Copy link
Contributor Author

FedeDP commented Feb 13, 2025
edited
Loading

Now the arm64 test-dev-packages is down to 4 errors, 2 of them are related to the usage of the full branch name for libs and driver deps; they will be fixed once we properly use a commit hash.

The remaining 2 are actually linked to the container plugin: it seems replaying a capture file we are seeing 2 container events instead of 3:

  TestFalco_Legacy_ContainerPrivileged

{"deadline":180000000000,"level":"info","msg":"running falco with runner","time":"2025-02-13T16:41:57Z"}
{"cmd":"/usr/bin/falco -c /etc/falco/falco.yaml -o append_output.suggested_output=false -o json_output=true -r falco_rules.yaml -o engine.kind=replay -o engine.replay.capture_file=container-privileged.scap -A -o json_include_output_property=false -o json_include_tags_property=false -o log_level=debug -o log_stderr=true -o log_syslog=false -o stdout_output.enabled=true","level":"debug","msg":"executing command","time":"2025-02-13T16:41:57Z"}
    legacy_test.go:2498: 
        	Error Trace:	/home/runner/work/_actions/falcosecurity/testing/main/legacy_test.go:2498
        	Error:      	Not equal: 
        	            	expected: 3
        	            	actual  : 2
        	Test:       	TestFalco_Legacy_ContainerPrivileged

  TestFalco_Legacy_ContainerSensitiveMount

{"deadline":180000000000,"level":"info","msg":"running falco with runner","time":"2025-02-13T16:41:56Z"}
{"cmd":"/usr/bin/falco -c /etc/falco/falco.yaml -o append_output.suggested_output=false -o json_output=true -r falco_rules.yaml -o engine.kind=replay -o engine.replay.capture_file=container-sensitive-mount.scap -A -o json_include_output_property=false -o json_include_tags_property=false -o log_level=debug -o log_stderr=true -o log_syslog=false -o stdout_output.enabled=true","level":"debug","msg":"executing command","time":"2025-02-13T16:41:56Z"}
    legacy_test.go:2517: 
        	Error Trace:	/home/runner/work/_actions/falcosecurity/testing/main/legacy_test.go:2517
        	Error:      	Not equal: 
        	            	expected: 3
        	            	actual  : 2
        	Test:       	TestFalco_Legacy_ContainerSensitiveMount

EDIT: on x86 we also have a couple of ASSERT triggering in libs code:

falco: /home/runner/work/falco/falco/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/userspace/libsinsp/threadinfo.cpp:782: sinsp_fdinfo* sinsp_threadinfo::add_fd(int64_t, std::unique_ptr): Assertion `false' failed.

@FedeDP
Copy link
Contributor Author

FedeDP commented Feb 14, 2025
edited
Loading

The failing tests come from the fact that we are not able to extract container fields from the container events. Will look into it.

Indeed, we were previously setting tinfo on the generated container json event: https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/container.cpp#L287; i am trying to understand whether this is reproducible with a plugin ASYNCEVENT.

EDIT: fixed; now only the x86 ASSERT fails remain:

falco: /home/runner/work/falco/falco/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/userspace/libsinsp/threadinfo.cpp:782: sinsp_fdinfo* sinsp_threadinfo::add_fd(int64_t, std::unique_ptr): Assertion `false' failed.

This was referenced Feb 18, 2025
Merged
Closed
@FedeDP FedeDP mentioned this pull request Feb 26, 2025
Closed
@FedeDP
new(cmake,userspace): port Falco to use new container plugin.
af4e1f4 
It will be shipped by default hence it is present in default config.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@FedeDP
chore(build): install container plugin as part of Falco install target.
6617abb 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@FedeDP
fix(userspace/falco): fixed bundled deps build.
05a31ac 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@FedeDP
chore(userspace,unit_tests): include thread.h where needed.
eeebe97 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@FedeDP
chore(userspace/falco): drop container_engines config key.
866d7cc 
Also, default falco.yaml will only host container plugin configuration but won't enable the plugin.
Instead, a configuration override file will be installed only on linux non-musl deployments, enabled the plugin.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@FedeDP
fix(userspace/engine): expand %container.info extra format to empty…
a0a3e62 
… string.

Also, remove `container_id container_name` fields from `-pc` output.
These fields are now automatically appended since the `container` plugin
marks them as suggested.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@FedeDP
chore(ci): cleanup unused fields.
72e68aa 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@FedeDP
chore(userspace/engine): update engine checksum and version minor.
366233b 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@FedeDP
cleanup(ci): drop test-packages static jobs.
f16530b 
Container plugin cannot be dynamically loaded on musl build, therefore
some falcosecurity/testing tests are failing on it.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@FedeDP FedeDP force-pushed the new/container_plugin branch from fd1ddd3 to f16530b Compare February 26, 2025 09:29
@FedeDP
Copy link
Contributor Author

FedeDP commented Feb 26, 2025

falcosecurity/libs#2207 was finally MERGED! Rebased this PR to use libs master.

@FedeDP FedeDP changed the title wip: new(build,userspace): switch to use container plugin new(build,userspace): switch to use container plugin Feb 26, 2025
@Andreagit97
Copy link
Member

Amazing work @FedeDP! 👏

leogr
leogr reviewed Feb 26, 2025
View reviewed changes
Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

Just nits 😅

cmake/modules/cares.cmake
@@ -0,0 +1,76 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Copyright (C) 2023 The Falco Authors.
# Copyright (C) 2025 The Falco Authors.

cmake/modules/curl.cmake
@@ -0,0 +1,100 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Copyright (C) 2023 The Falco Authors.
# Copyright (C) 2025 The Falco Authors.

cmake/modules/grpc.cmake
@@ -0,0 +1,274 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Copyright (C) 2023 The Falco Authors.
# Copyright (C) 2025 The Falco Authors.

cmake/modules/openssl.cmake
@@ -0,0 +1,81 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Copyright (C) 2023 The Falco Authors.
# Copyright (C) 2025 The Falco Authors.

userspace/falco/app/actions/init_falco_engine.cpp
Comment on lines 96 to +99
// See https://falco.org/docs/rules/style-guide/
const std::string container_info =
"container_id=%container.id container_image=%container.image.repository "
"container_image_tag=%container.image.tag container_name=%container.name";
"container_image=%container.image.repository "
"container_image_tag=%container.image.tag";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note for ourselves: we need to update the documentation https://falco.org/docs/rules/style-guide/
cc @LucaGuerra

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once this is merged let's open an issue

@poiana poiana added the lgtm label Feb 26, 2025
@FedeDP
Copy link
Contributor Author

FedeDP commented Feb 26, 2025

I'd avoid re-pushing just to fix some licenses year (since it means to wait ~50minutes for the CI).

@FedeDP
Copy link
Contributor Author

FedeDP commented Feb 26, 2025

/unhold no need to bump major.

@FedeDP
Copy link
Contributor Author

FedeDP commented Feb 26, 2025

/unhold

@poiana poiana merged commit 79bed43 into master Feb 26, 2025
34 checks passed
@poiana poiana deleted the new/container_plugin branch February 26, 2025 12:08
@yukinakanaka yukinakanaka mentioned this pull request Jul 28, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LucaGuerra LucaGuerra LucaGuerra approved these changes

@leogr leogr leogr approved these changes

@Kaizhe Kaizhe Awaiting requested review from Kaizhe

Assignees

@leogr leogr

@LucaGuerra LucaGuerra

Labels
approved area/build area/engine dco-signoff: yes kind/cleanup kind/feature lgtm release-note size/XXL
Projects
Falco Roadmap
Archived in project
Milestone
0.41.0
Development

Successfully merging this pull request may close these issues.
5 participants
@FedeDP @poiana @Andreagit97 @leogr @LucaGuerra