From 7dbffa5d05e056950014a87a65267ba98989764e Mon Sep 17 00:00:00 2001 From: Claudiu Belu Date: Sun, 6 Oct 2024 19:00:03 +0300 Subject: [PATCH] Adds falco and falco-driver-loader 0.39.0 and falcoctl 0.10.0 rocks (#14) Note that the Dockerfiles are identical to the previous versions. Thus, the rockfiles are also the same. Falco 0.39.0 comes with falcoctl 0.10.0, which is why we're building that version as well. Added the new versions into the sanity and integration tests. --- .../0.39.0/pebble-entrypoint.patch | 13 ++ falco-driver-loader/0.39.0/rockcraft.yaml | 143 ++++++++++++++++++ falco/0.39.0/rockcraft.yaml | 136 +++++++++++++++++ falcoctl/0.10.0/falcoctl-entrypoint.sh | 9 ++ falcoctl/0.10.0/rockcraft.yaml | 67 ++++++++ tests/integration/test_falco.py | 24 ++- tests/sanity/test_falco.py | 2 +- tests/sanity/test_falcoctl.py | 2 +- 8 files changed, 389 insertions(+), 7 deletions(-) create mode 100644 falco-driver-loader/0.39.0/pebble-entrypoint.patch create mode 100644 falco-driver-loader/0.39.0/rockcraft.yaml create mode 100644 falco/0.39.0/rockcraft.yaml create mode 100755 falcoctl/0.10.0/falcoctl-entrypoint.sh create mode 100644 falcoctl/0.10.0/rockcraft.yaml diff --git a/falco-driver-loader/0.39.0/pebble-entrypoint.patch b/falco-driver-loader/0.39.0/pebble-entrypoint.patch new file mode 100644 index 0000000..43385fe --- /dev/null +++ b/falco-driver-loader/0.39.0/pebble-entrypoint.patch @@ -0,0 +1,13 @@ +diff --git a/docker/driver-loader/docker-entrypoint.sh b/docker/driver-loader/docker-entrypoint.sh +index 52df15f3..1eea148c 100755 +--- a/docker/driver-loader/docker-entrypoint.sh ++++ b/docker/driver-loader/docker-entrypoint.sh +@@ -17,6 +17,8 @@ + # limitations under the License. + # + ++# Pebble doesn't like it when the process ends too suddenly. ++trap "sleep 1.1" EXIT + + print_usage() { + echo "" diff --git a/falco-driver-loader/0.39.0/rockcraft.yaml b/falco-driver-loader/0.39.0/rockcraft.yaml new file mode 100644 index 0000000..60d8cbe --- /dev/null 
+++ b/falco-driver-loader/0.39.0/rockcraft.yaml 
@@ -0,0 +1,143 @@ +# Copyright 2024 Canonical, Ltd. +# See LICENSE file for licensing details + +# Based on the Falco 0.39.0 rockcraft.yaml file. +name: falco-driver-loader +summary: falco-driver-loader rock +description: | + A rock containing the Falco driver loader. + + Falco is a cloud native runtime security tool for Linux operating systems. It is designed + to detect and alert on abnormal behavior and potential security threats in real-time. + + This rock closely resembles the Falco rock of the same version, the only difference being + the entrypoint and entrypoint script. +license: Apache-2.0 +version: 0.39.0 + +base: ubuntu@24.04 +build-base: ubuntu@24.04 + +platforms: + amd64: + arm64: + +environment: + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L12-L16 + VERSION_BUCKET: deb + FALCO_VERSION: 0.39.0 + HOST_ROOT: /host + HOME: /root + +# Services to be loaded by the Pebble entrypoint. +services: + entrypoint: + summary: "entrypoint service" + override: replace + startup: enabled + command: "/docker-entrypoint.sh [ --help ]" + on-success: shutdown + on-failure: shutdown + +entrypoint-service: entrypoint + +parts: + build-falco: + plugin: nil + source: https://github.com/falcosecurity/falco + source-type: git + source-tag: $CRAFT_PROJECT_VERSION + source-depth: 1 + build-packages: + # https://falco.org/docs/developer-guide/source/ + - git + - cmake + - clang + - build-essential + - linux-tools-common + - linux-tools-generic + - libelf-dev + - llvm + # On ubuntu-24.04, we have gcc 13, and abseil (grpc's dependency) fails to build with + # this version of gcc. Thus, we're building with gcc 12. 
+ # xref: https://github.com/apache/arrow/issues/36969 + - gcc-12 + - g++-12 + stage-packages: + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L20-L42 + - bc + - bison + - ca-certificates + - clang + - curl + - dkms + - dwarves + - flex + - gcc + - gcc-11 + - gnupg2 + - jq + - libc6-dev + - libelf-dev + - libssl-dev + - llvm + - make + - netcat-openbsd + - patchelf + - xz-utils + - zstd + build-environment: + - GOOS: linux + - GOARCH: $CRAFT_ARCH_BUILD_FOR + - HOST_ROOT: /host + override-build: | + # Installing additional packages here because of the $(uname -r) part. We need that for + # build idempotency, so we can build locally *and* in the CI. + # linux-tools and linux-cloud-tools are required for building BPF (for x86_64). + if [ "$(uname -m)" == "x86_64" ]; then + apt install -y linux-headers-$(uname -r) linux-tools-$(uname -r) linux-cloud-tools-$(uname -r) + else + apt install -y linux-headers-$(uname -r) linux-tools-$(uname -r) linux-cloud-tools + fi + + # https://falco.org/docs/developer-guide/source/ + mkdir -p build + pushd build + # On ubuntu-24.04, we have gcc 13, and abseil (grpc's dependency) fails to build with + # this version of gcc. Thus, we're building with gcc 12. + # xref: https://github.com/apache/arrow/issues/36969 + update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 12 --slave /usr/bin/g++ g++ /usr/bin/g++-12 + + # Based on: https://github.com/falcosecurity/falco/blob/0.39.0/.github/workflows/reusable_build_packages.yaml#L105 + cmake -S .. \ + -DUSE_BUNDLED_DEPS=On \ + -DBUILD_BPF=On \ + -DFALCO_ETC_DIR=/etc/falco \ + -DBUILD_DRIVER=Off \ + -DCREATE_TEST_TARGETS=Off + make falco -j6 + + # Generate the .deb file. + # make package will also generate the .tar.gz amd .rpm files, which we do not need, + # so we call cpack ourselves. + # make package depends on the preinstall target. + make preinstall + cpack --config ./CPackConfig.cmake -G DEB + popd + + # Unpack the .deb into the install directory. 
+ dpkg-deb --extract build/falco-*.deb ${CRAFT_PART_INSTALL}/ + + # Change the falco config within the container to enable ISO 8601 output. + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L52 + sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' ${CRAFT_PART_INSTALL}/etc/falco/falco.yaml + + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L61 + mkdir -p ${CRAFT_PART_INSTALL}/lib + ln -s $HOST_ROOT/lib/modules ${CRAFT_PART_INSTALL}/lib/modules + + # The entrypoint script is different from the falco image. + # We do however need to apply a patch for Pebble's sake (it doesn't like it when + # processes end too suddenly).. + git apply -v $CRAFT_PROJECT_DIR/pebble-entrypoint.patch + cp docker/driver-loader/docker-entrypoint.sh ${CRAFT_PART_INSTALL}/ diff --git a/falco/0.39.0/rockcraft.yaml b/falco/0.39.0/rockcraft.yaml new file mode 100644 index 0000000..3fc839d --- /dev/null +++ b/falco/0.39.0/rockcraft.yaml 
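Review bot: `source-tag: $CRAFT_PROJECT_VERSION` in the build-falco part pins the Falco sources to a git tag only, and tags can be moved or re-created upstream, so two builds of this rock can fetch different trees for the same version string without anything failing; add a commit pin next to it, `source-commit: <sha that tag 0.39.0 resolves to>`, so a drifted tag is rejected at fetch time. The same applies to the falco rock, whose build-falco part is identical. Separately, the `apt install -y linux-headers-$(uname -r) ...` lines depend on the build host's running kernel, which contradicts the "build idempotency" wording in the comment above them; I would reword it to `# NOTE: these packages are selected by the build host's running kernel, so builds on hosts with different kernels are not identical.`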
@@ -0,0 +1,136 @@ +# Copyright 2024 Canonical, Ltd. +# See LICENSE file for licensing details + +# Based on: https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile +name: falco +summary: Falco rock +description: | + A rock containing Falco. + + Falco is a cloud native runtime security tool for Linux operating systems. It is designed + to detect and alert on abnormal behavior and potential security threats in real-time. +license: Apache-2.0 +version: 0.39.0 + +base: ubuntu@24.04 +build-base: ubuntu@24.04 + +platforms: + amd64: + arm64: + +environment: + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L12-L16 + VERSION_BUCKET: deb + FALCO_VERSION: 0.39.0 + HOST_ROOT: /host + HOME: /root + +# Services to be loaded by the Pebble entrypoint. +services: + falco: + summary: "falco service" + override: replace + startup: enabled + command: "/docker-entrypoint.sh /usr/bin/falco [ --help ]" + on-success: shutdown + on-failure: shutdown + +entrypoint-service: falco + +parts: + build-falco: + plugin: nil + source: https://github.com/falcosecurity/falco + source-type: git + source-tag: $CRAFT_PROJECT_VERSION + source-depth: 1 + build-packages: + # https://falco.org/docs/developer-guide/source/ + - git + - cmake + - clang + - build-essential + - linux-tools-common + - linux-tools-generic + - libelf-dev + - llvm + # On ubuntu-24.04, we have gcc 13, and abseil (grpc's dependency) fails to build with + # this version of gcc. Thus, we're building with gcc 12. 
+ # xref: https://github.com/apache/arrow/issues/36969 + - gcc-12 + - g++-12 + stage-packages: + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L20-L42 + - bc + - bison + - ca-certificates + - clang + - curl + - dkms + - dwarves + - flex + - gcc + - gcc-11 + - gnupg2 + - jq + - libc6-dev + - libelf-dev + - libssl-dev + - llvm + - make + - netcat-openbsd + - patchelf + - xz-utils + - zstd + build-environment: + - GOOS: linux + - GOARCH: $CRAFT_ARCH_BUILD_FOR + - HOST_ROOT: /host + override-build: | + # Installing additional packages here because of the $(uname -r) part. We need that for + # build idempotency, so we can build locally *and* in the CI. + # linux-tools and linux-cloud-tools are required for building BPF (for x86_64). + if [ "$(uname -m)" == "x86_64" ]; then + apt install -y linux-headers-$(uname -r) linux-tools-$(uname -r) linux-cloud-tools-$(uname -r) + else + apt install -y linux-headers-$(uname -r) linux-tools-$(uname -r) linux-cloud-tools + fi + + # https://falco.org/docs/developer-guide/source/ + mkdir -p build + pushd build + # On ubuntu-24.04, we have gcc 13, and abseil (grpc's dependency) fails to build with + # this version of gcc. Thus, we're building with gcc 12. + # xref: https://github.com/apache/arrow/issues/36969 + update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 12 --slave /usr/bin/g++ g++ /usr/bin/g++-12 + + # Based on: https://github.com/falcosecurity/falco/blob/0.39.0/.github/workflows/reusable_build_packages.yaml#L105 + cmake -S .. \ + -DUSE_BUNDLED_DEPS=On \ + -DBUILD_BPF=On \ + -DFALCO_ETC_DIR=/etc/falco \ + -DBUILD_DRIVER=Off \ + -DCREATE_TEST_TARGETS=Off + make falco -j6 + + # Generate the .deb file. + # make package will also generate the .tar.gz amd .rpm files, which we do not need, + # so we call cpack ourselves. + # make package depends on the preinstall target. + make preinstall + cpack --config ./CPackConfig.cmake -G DEB + popd + + # Unpack the .deb into the install directory. 
+ dpkg-deb --extract build/falco-*.deb ${CRAFT_PART_INSTALL}/ + + # Change the falco config within the container to enable ISO 8601 output. + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L52 + sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' ${CRAFT_PART_INSTALL}/etc/falco/falco.yaml + + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L61 + mkdir -p ${CRAFT_PART_INSTALL}/lib + ln -s $HOST_ROOT/lib/modules ${CRAFT_PART_INSTALL}/lib/modules + + cp docker/falco/docker-entrypoint.sh ${CRAFT_PART_INSTALL}/ diff --git a/falcoctl/0.10.0/falcoctl-entrypoint.sh b/falcoctl/0.10.0/falcoctl-entrypoint.sh new file mode 100755 index 0000000..bce99fe --- /dev/null +++ b/falcoctl/0.10.0/falcoctl-entrypoint.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# Required to prevent Pebble from considering the service to have +# exited too quickly to be worth restarting or respecting the +# "on-failure: shutdown" directive and thus hanging indefinitely: +# https://github.com/canonical/pebble/issues/240#issuecomment-1599722443 +sleep 1.1 + +/usr/bin/falcoctl $@ diff --git a/falcoctl/0.10.0/rockcraft.yaml b/falcoctl/0.10.0/rockcraft.yaml new file mode 100644 index 0000000..d624900 --- /dev/null +++ b/falcoctl/0.10.0/rockcraft.yaml 
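Review bot: The `sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/'` step in override-build succeeds silently when the key is missing or spelled differently in a future falco.yaml, so the ISO 8601 output this rock is meant to provide could quietly disappear on the next version bump; add `grep -q 'time_format_iso_8601: true' ${CRAFT_PART_INSTALL}/etc/falco/falco.yaml` right after the sed so the build fails instead. Also, `-DUSE_BUNDLED_DEPS=On` compiles Falco's third-party dependencies into the binary (presumably from upstream's own download locations) rather than taking them from Ubuntu packages, so apt-based CVE scanning of the rock will not see them and fixes in those libraries only arrive by rebuilding on a new Falco release; that deserves a comment next to the flag, e.g. `# Bundled deps are built into the binary and not tracked by apt; rebuild on upstream releases to pick up their security fixes.`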
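Review bot: `/usr/bin/falcoctl $@` on the last line leaves `$@` unquoted, so any argument containing whitespace or glob characters (a config path, an index URL, a `--config` value) is word-split and glob-expanded by bash before falcoctl sees it; it should be `exec /usr/bin/falcoctl "$@"`. The `exec` also matters under Pebble: without it the service process is the bash wrapper, and as far as I can tell bash does not forward a SIGTERM to its foreground child, so a stop request would leave falcoctl running detached rather than terminating it. The 1.1s sleep before the call is unaffected by either change.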
@@ -0,0 +1,67 @@ +# Copyright 2024 Canonical, Ltd. +# See LICENSE file for licensing details + +# Based on: https://github.com/falcosecurity/falcoctl/blob/v0.10.0/build/Dockerfile +name: falcoctl +summary: falcoctl rock +description: | + A rock containing falcoctl. + + falcoctl is the official CLI tool for working with Falco and its ecosystem components. +license: Apache-2.0 +version: 0.10.0 + +base: ubuntu@24.04 +build-base: ubuntu@24.04 +run-user: _daemon_ + +platforms: + amd64: + arm64: + +environment: + APP_VERSION: 0.10.0 + +# Services to be loaded by the Pebble entrypoint. +services: + falcoctl: + summary: "falcoctl service" + override: replace + startup: enabled + command: "/falcoctl-entrypoint.sh [ --help ]" + on-success: shutdown + on-failure: shutdown + +entrypoint-service: falcoctl + +parts: + build-falcoctl: + plugin: go + source: https://github.com/falcosecurity/falcoctl + source-type: git + source-tag: v${CRAFT_PROJECT_VERSION} + source-depth: 1 + stage-packages: + # Required by falcoctl in order to verify certificates. + - ca-certificates + build-snaps: + - go/1.23/stable + build-environment: + - CGO_ENABLED: 0 + - GOOS: linux + - GOARCH: $CRAFT_ARCH_BUILD_FOR + - VERSION: $CRAFT_PROJECT_VERSION + - PROJECT: github.com/falcosecurity/falcoctl + - LDFLAGS: -X $PROJECT/cmd/version.semVersion=$VERSION -X $PROJECT/cmd/version.buildDate="\"$(date -u +'%Y-%m-%dT%H:%M:%SZ')\"" -s -w + override-build: | + mkdir -p ${CRAFT_PART_INSTALL}/usr/bin/ + go mod download + go build -o ${CRAFT_PART_INSTALL}/usr/bin/ -ldflags "${LDFLAGS}" . + + add-falcoctl-entrypoint: + plugin: nil + override-build: | + # Running falcoctl directly may finish sooner than 1 second, which means Pebble will just + # hang around and not finish, which is undesirable for an init container. + # We're setting this as the entrypoint, which will just pass the arguments to falcoctl + 1.1s sleep. + cp $CRAFT_PROJECT_DIR/falcoctl-entrypoint.sh ${CRAFT_PART_INSTALL}/ 
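Review bot: The `LDFLAGS` build-environment entry embeds `$(date -u +'%Y-%m-%dT%H:%M:%SZ')` as `buildDate`, so every build of this rock yields a different binary and the output can't be compared bit-for-bit against a rebuild from the same tag, which undercuts the version pinning the rest of the file does; derive the timestamp from `SOURCE_DATE_EPOCH` when it is set (`date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" +'%Y-%m-%dT%H:%M:%SZ'`) and add `-trimpath` to the `go build` line so build-host paths are not baked in either. As with the falco rocks, `source-tag: v${CRAFT_PROJECT_VERSION}` would be stronger with a `source-commit` alongside it, since a tag alone can be moved upstream.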
diff --git a/tests/integration/test_falco.py b/tests/integration/test_falco.py index 850f8a6..8c37f28 100644 --- a/tests/integration/test_falco.py +++ b/tests/integration/test_falco.py @@ -6,12 +6,21 @@ import logging import time +import pytest from k8s_test_harness import harness from k8s_test_harness.util import constants, env_util, k8s_util LOG = logging.getLogger(__name__) +_FALCOCTL_VERSIONS = { + # Based on the Falco releases. + # falco_version: falcoctl_version + "0.38.2": "0.9.0", + "0.39.0": "0.10.0", +} + + def _get_event_generator_helm_cmd(): return k8s_util.get_helm_install_command( "event-generator", @@ -25,13 +34,17 @@ def _get_event_generator_helm_cmd(): ) -def _get_falco_helm_cmd(image_version: str): +def _get_falco_helm_cmd(falco_version: str): falco_rock = env_util.get_build_meta_info_for_rock_version( - "falco", image_version, "amd64" + "falco", falco_version, "amd64" ) falcoctl_rock = env_util.get_build_meta_info_for_rock_version( - "falcoctl", "0.9.0", "amd64" + "falcoctl", _FALCOCTL_VERSIONS[falco_version], "amd64" + ) + + driver_loader_rock = env_util.get_build_meta_info_for_rock_version( + "falco-driver-loader", image_version, "amd64" ) driver_loader_rock = env_util.get_build_meta_info_for_rock_version( @@ -105,9 +118,10 @@ def _assert_falco_logs(instance: harness.Instance): assert False, "Expected Falco logs to contain Warnings, based on event-generator" -def test_integration_falco(function_instance: harness.Instance): +@pytest.mark.parametrize("image_version", ["0.38.2", "0.39.0"]) +def test_integration_falco(function_instance: harness.Instance, image_version): # Deploy Falco helm chart and wait for it to become active. - function_instance.exec(_get_falco_helm_cmd("0.38.2")) + function_instance.exec(_get_falco_helm_cmd(image_version)) # Wait for the daemonset to become Active. k8s_util.wait_for_daemonset(function_instance, "falco", "falco", retry_times=10) 
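Review bot: The newly added `driver_loader_rock = env_util.get_build_meta_info_for_rock_version("falco-driver-loader", image_version, "amd64")` block in `_get_falco_helm_cmd` references `image_version`, but the same hunk renames the function's only parameter to `falco_version`, so this raises `NameError` the first time the integration test runs. It also duplicates the existing `driver_loader_rock = env_util.get_build_meta_info_for_rock_version(` assignment that follows it as context, whose argument line lies outside the hunk and presumably still reads `image_version` as well. Drop the added block and change the surviving call's argument line to `"falco-driver-loader", falco_version, "amd64"`. `_get_falco_helm_cmd` continues past the end of the hunk.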
diff --git a/tests/sanity/test_falco.py b/tests/sanity/test_falco.py index 4e68a2c..1ffe8ff 100644 --- a/tests/sanity/test_falco.py +++ b/tests/sanity/test_falco.py @@ -19,7 +19,7 @@ @pytest.mark.parametrize("rock_name", ["falco", "falco-driver-loader"]) -@pytest.mark.parametrize("image_version", ["0.38.2"]) +@pytest.mark.parametrize("image_version", ["0.38.2", "0.39.0"]) def test_falco_rock(rock_name, image_version): """Test falco rocks.""" rock = env_util.get_build_meta_info_for_rock_version( diff --git a/tests/sanity/test_falcoctl.py b/tests/sanity/test_falcoctl.py index 899feb6..92b1f53 100644 --- a/tests/sanity/test_falcoctl.py +++ b/tests/sanity/test_falcoctl.py @@ -7,7 +7,7 @@ from k8s_test_harness.util import docker_util, env_util -@pytest.mark.parametrize("image_version", ["0.9.0"]) +@pytest.mark.parametrize("image_version", ["0.9.0", "0.10.0"]) def test_falcoctl_rock(image_version): """Test falcoctl rock.""" rock = env_util.get_build_meta_info_for_rock_version(