diff --git a/falco-driver-loader/0.39.0/pebble-entrypoint.patch b/falco-driver-loader/0.39.0/pebble-entrypoint.patch new file mode 100644 index 0000000..43385fe --- /dev/null +++ b/falco-driver-loader/0.39.0/pebble-entrypoint.patch @@ -0,0 +1,13 @@ +diff --git a/docker/driver-loader/docker-entrypoint.sh b/docker/driver-loader/docker-entrypoint.sh +index 52df15f3..1eea148c 100755 +--- a/docker/driver-loader/docker-entrypoint.sh ++++ b/docker/driver-loader/docker-entrypoint.sh +@@ -17,6 +17,8 @@ + # limitations under the License. + # + ++# Pebble doesn't like it when the process ends too suddenly. ++trap "sleep 1.1" EXIT + + print_usage() { + echo "" diff --git a/falco-driver-loader/0.39.0/rockcraft.yaml b/falco-driver-loader/0.39.0/rockcraft.yaml new file mode 100644 index 0000000..60d8cbe --- /dev/null +++ b/falco-driver-loader/0.39.0/rockcraft.yaml @@ -0,0 +1,143 @@ +# Copyright 2024 Canonical, Ltd. +# See LICENSE file for licensing details + +# Based on the Falco 0.39.0 rockcraft.yaml file. +name: falco-driver-loader +summary: falco-driver-loader rock +description: | + A rock containing the Falco driver loader. + + Falco is a cloud native runtime security tool for Linux operating systems. It is designed + to detect and alert on abnormal behavior and potential security threats in real-time. + + This rock closely resembles the Falco rock of the same version, the only difference being + the entrypoint and entrypoint script. +license: Apache-2.0 +version: 0.39.0 + +base: ubuntu@24.04 +build-base: ubuntu@24.04 + +platforms: + amd64: + arm64: + +environment: + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L12-L16 + VERSION_BUCKET: deb + FALCO_VERSION: 0.39.0 + HOST_ROOT: /host + HOME: /root + +# Services to be loaded by the Pebble entrypoint. +services: + entrypoint: + summary: "entrypoint service" + override: replace + startup: enabled + command: "/docker-entrypoint.sh [ --help ]" + on-success: shutdown + on-failure: shutdown + +entrypoint-service: entrypoint + +parts: + build-falco: + plugin: nil + source: https://github.com/falcosecurity/falco + source-type: git + source-tag: $CRAFT_PROJECT_VERSION + source-depth: 1 + build-packages: + # https://falco.org/docs/developer-guide/source/ + - git + - cmake + - clang + - build-essential + - linux-tools-common + - linux-tools-generic + - libelf-dev + - llvm + # On ubuntu-24.04, we have gcc 13, and abseil (grpc's dependency) fails to build with + # this version of gcc. Thus, we're building with gcc 12. + # xref: https://github.com/apache/arrow/issues/36969 + - gcc-12 + - g++-12 + stage-packages: + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L20-L42 + - bc + - bison + - ca-certificates + - clang + - curl + - dkms + - dwarves + - flex + - gcc + - gcc-11 + - gnupg2 + - jq + - libc6-dev + - libelf-dev + - libssl-dev + - llvm + - make + - netcat-openbsd + - patchelf + - xz-utils + - zstd + build-environment: + - GOOS: linux + - GOARCH: $CRAFT_ARCH_BUILD_FOR + - HOST_ROOT: /host + override-build: | + # Installing additional packages here because of the $(uname -r) part. We need that for + # build idempotency, so we can build locally *and* in the CI. + # linux-tools and linux-cloud-tools are required for building BPF (for x86_64). + if [ "$(uname -m)" == "x86_64" ]; then + apt install -y linux-headers-$(uname -r) linux-tools-$(uname -r) linux-cloud-tools-$(uname -r) + else + apt install -y linux-headers-$(uname -r) linux-tools-$(uname -r) linux-cloud-tools + fi + + # https://falco.org/docs/developer-guide/source/ + mkdir -p build + pushd build + # On ubuntu-24.04, we have gcc 13, and abseil (grpc's dependency) fails to build with + # this version of gcc. Thus, we're building with gcc 12. + # xref: https://github.com/apache/arrow/issues/36969 + update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 12 --slave /usr/bin/g++ g++ /usr/bin/g++-12 + + # Based on: https://github.com/falcosecurity/falco/blob/0.39.0/.github/workflows/reusable_build_packages.yaml#L105 + cmake -S .. \ + -DUSE_BUNDLED_DEPS=On \ + -DBUILD_BPF=On \ + -DFALCO_ETC_DIR=/etc/falco \ + -DBUILD_DRIVER=Off \ + -DCREATE_TEST_TARGETS=Off + make falco -j6 + + # Generate the .deb file. + # make package will also generate the .tar.gz amd .rpm files, which we do not need, + # so we call cpack ourselves. + # make package depends on the preinstall target. + make preinstall + cpack --config ./CPackConfig.cmake -G DEB + popd + + # Unpack the .deb into the install directory. + dpkg-deb --extract build/falco-*.deb ${CRAFT_PART_INSTALL}/ + + # Change the falco config within the container to enable ISO 8601 output. + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L52 + sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' ${CRAFT_PART_INSTALL}/etc/falco/falco.yaml + + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L61 + mkdir -p ${CRAFT_PART_INSTALL}/lib + ln -s $HOST_ROOT/lib/modules ${CRAFT_PART_INSTALL}/lib/modules + + # The entrypoint script is different from the falco image. + # We do however need to apply a patch for Pebble's sake (it doesn't like it when + # processes end too suddenly).. + git apply -v $CRAFT_PROJECT_DIR/pebble-entrypoint.patch + cp docker/driver-loader/docker-entrypoint.sh ${CRAFT_PART_INSTALL}/ diff --git a/falco/0.39.0/rockcraft.yaml b/falco/0.39.0/rockcraft.yaml new file mode 100644 index 0000000..3fc839d --- /dev/null +++ b/falco/0.39.0/rockcraft.yaml @@ -0,0 +1,136 @@ +# Copyright 2024 Canonical, Ltd. +# See LICENSE file for licensing details + +# Based on: https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile +name: falco +summary: Falco rock +description: | + A rock containing Falco. + + Falco is a cloud native runtime security tool for Linux operating systems. It is designed + to detect and alert on abnormal behavior and potential security threats in real-time. +license: Apache-2.0 +version: 0.39.0 + +base: ubuntu@24.04 +build-base: ubuntu@24.04 + +platforms: + amd64: + arm64: + +environment: + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L12-L16 + VERSION_BUCKET: deb + FALCO_VERSION: 0.39.0 + HOST_ROOT: /host + HOME: /root + +# Services to be loaded by the Pebble entrypoint. +services: + falco: + summary: "falco service" + override: replace + startup: enabled + command: "/docker-entrypoint.sh /usr/bin/falco [ --help ]" + on-success: shutdown + on-failure: shutdown + +entrypoint-service: falco + +parts: + build-falco: + plugin: nil + source: https://github.com/falcosecurity/falco + source-type: git + source-tag: $CRAFT_PROJECT_VERSION + source-depth: 1 + build-packages: + # https://falco.org/docs/developer-guide/source/ + - git + - cmake + - clang + - build-essential + - linux-tools-common + - linux-tools-generic + - libelf-dev + - llvm + # On ubuntu-24.04, we have gcc 13, and abseil (grpc's dependency) fails to build with + # this version of gcc. Thus, we're building with gcc 12. + # xref: https://github.com/apache/arrow/issues/36969 + - gcc-12 + - g++-12 + stage-packages: + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L20-L42 + - bc + - bison + - ca-certificates + - clang + - curl + - dkms + - dwarves + - flex + - gcc + - gcc-11 + - gnupg2 + - jq + - libc6-dev + - libelf-dev + - libssl-dev + - llvm + - make + - netcat-openbsd + - patchelf + - xz-utils + - zstd + build-environment: + - GOOS: linux + - GOARCH: $CRAFT_ARCH_BUILD_FOR + - HOST_ROOT: /host + override-build: | + # Installing additional packages here because of the $(uname -r) part. We need that for + # build idempotency, so we can build locally *and* in the CI. + # linux-tools and linux-cloud-tools are required for building BPF (for x86_64). + if [ "$(uname -m)" == "x86_64" ]; then + apt install -y linux-headers-$(uname -r) linux-tools-$(uname -r) linux-cloud-tools-$(uname -r) + else + apt install -y linux-headers-$(uname -r) linux-tools-$(uname -r) linux-cloud-tools + fi + + # https://falco.org/docs/developer-guide/source/ + mkdir -p build + pushd build + # On ubuntu-24.04, we have gcc 13, and abseil (grpc's dependency) fails to build with + # this version of gcc. Thus, we're building with gcc 12. + # xref: https://github.com/apache/arrow/issues/36969 + update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 12 --slave /usr/bin/g++ g++ /usr/bin/g++-12 + + # Based on: https://github.com/falcosecurity/falco/blob/0.39.0/.github/workflows/reusable_build_packages.yaml#L105 + cmake -S .. \ + -DUSE_BUNDLED_DEPS=On \ + -DBUILD_BPF=On \ + -DFALCO_ETC_DIR=/etc/falco \ + -DBUILD_DRIVER=Off \ + -DCREATE_TEST_TARGETS=Off + make falco -j6 + + # Generate the .deb file. + # make package will also generate the .tar.gz amd .rpm files, which we do not need, + # so we call cpack ourselves. + # make package depends on the preinstall target. + make preinstall + cpack --config ./CPackConfig.cmake -G DEB + popd + + # Unpack the .deb into the install directory. + dpkg-deb --extract build/falco-*.deb ${CRAFT_PART_INSTALL}/ + + # Change the falco config within the container to enable ISO 8601 output. + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L52 + sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' ${CRAFT_PART_INSTALL}/etc/falco/falco.yaml + + # https://github.com/falcosecurity/falco/blob/0.39.0/docker/falco/Dockerfile#L61 + mkdir -p ${CRAFT_PART_INSTALL}/lib + ln -s $HOST_ROOT/lib/modules ${CRAFT_PART_INSTALL}/lib/modules + + cp docker/falco/docker-entrypoint.sh ${CRAFT_PART_INSTALL}/ diff --git a/falcoctl/0.10.0/falcoctl-entrypoint.sh b/falcoctl/0.10.0/falcoctl-entrypoint.sh new file mode 100755 index 0000000..bce99fe --- /dev/null +++ b/falcoctl/0.10.0/falcoctl-entrypoint.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# Required to prevent Pebble from considering the service to have +# exited too quickly to be worth restarting or respecting the +# "on-failure: shutdown" directive and thus hanging indefinitely: +# https://github.com/canonical/pebble/issues/240#issuecomment-1599722443 +sleep 1.1 + +/usr/bin/falcoctl $@ diff --git a/falcoctl/0.10.0/rockcraft.yaml b/falcoctl/0.10.0/rockcraft.yaml new file mode 100644 index 0000000..d624900 --- /dev/null +++ b/falcoctl/0.10.0/rockcraft.yaml @@ -0,0 +1,67 @@ +# Copyright 2024 Canonical, Ltd. +# See LICENSE file for licensing details + +# Based on: https://github.com/falcosecurity/falcoctl/blob/v0.10.0/build/Dockerfile +name: falcoctl +summary: falcoctl rock +description: | + A rock containing falcoctl. + + falcoctl is the official CLI tool for working with Falco and its ecosystem components. +license: Apache-2.0 +version: 0.10.0 + +base: ubuntu@24.04 +build-base: ubuntu@24.04 +run-user: _daemon_ + +platforms: + amd64: + arm64: + +environment: + APP_VERSION: 0.10.0 + +# Services to be loaded by the Pebble entrypoint. +services: + falcoctl: + summary: "falcoctl service" + override: replace + startup: enabled + command: "/falcoctl-entrypoint.sh [ --help ]" + on-success: shutdown + on-failure: shutdown + +entrypoint-service: falcoctl + +parts: + build-falcoctl: + plugin: go + source: https://github.com/falcosecurity/falcoctl + source-type: git + source-tag: v${CRAFT_PROJECT_VERSION} + source-depth: 1 + stage-packages: + # Required by falcoctl in order to verify certificates. + - ca-certificates + build-snaps: + - go/1.23/stable + build-environment: + - CGO_ENABLED: 0 + - GOOS: linux + - GOARCH: $CRAFT_ARCH_BUILD_FOR + - VERSION: $CRAFT_PROJECT_VERSION + - PROJECT: github.com/falcosecurity/falcoctl + - LDFLAGS: -X $PROJECT/cmd/version.semVersion=$VERSION -X $PROJECT/cmd/version.buildDate="\"$(date -u +'%Y-%m-%dT%H:%M:%SZ')\"" -s -w + override-build: | + mkdir -p ${CRAFT_PART_INSTALL}/usr/bin/ + go mod download + go build -o ${CRAFT_PART_INSTALL}/usr/bin/ -ldflags "${LDFLAGS}" . + + add-falcoctl-entrypoint: + plugin: nil + override-build: | + # Running falcoctl directly may finish sooner than 1 second, which means Pebble will just + # hang around and not finish, which is undesirable for an init container. + # We're setting this as the entrypoint, which will just pass the arguments to falcoctl + 1.1s sleep. + cp $CRAFT_PROJECT_DIR/falcoctl-entrypoint.sh ${CRAFT_PART_INSTALL}/ diff --git a/tests/integration/test_falco.py b/tests/integration/test_falco.py index 850f8a6..22d172f 100644 --- a/tests/integration/test_falco.py +++ b/tests/integration/test_falco.py @@ -6,12 +6,21 @@ import logging import time +import pytest from k8s_test_harness import harness from k8s_test_harness.util import constants, env_util, k8s_util LOG = logging.getLogger(__name__) +_FALCOCTL_VERSIONS = { + # Based on the Falco releases. + # falco_version: falcoctl_version + "0.38.2": "0.9.0", + "0.39.0": "0.10.0", +} + + def _get_event_generator_helm_cmd(): return k8s_util.get_helm_install_command( "event-generator", @@ -25,13 +34,13 @@ def _get_event_generator_helm_cmd(): ) -def _get_falco_helm_cmd(image_version: str): +def _get_falco_helm_cmd(falco_version: str): falco_rock = env_util.get_build_meta_info_for_rock_version( - "falco", image_version, "amd64" + "falco", falco_version, "amd64" ) falcoctl_rock = env_util.get_build_meta_info_for_rock_version( - "falcoctl", "0.9.0", "amd64" + "falcoctl", _FALCOCTL_VERSIONS[falco_version], "amd64" ) driver_loader_rock = env_util.get_build_meta_info_for_rock_version( @@ -105,9 +114,10 @@ def _assert_falco_logs(instance: harness.Instance): assert False, "Expected Falco logs to contain Warnings, based on event-generator" -def test_integration_falco(function_instance: harness.Instance): +@pytest.mark.parametrize("image_version", ["0.38.2", "0.39.0"]) +def test_integration_falco(function_instance: harness.Instance, image_version): # Deploy Falco helm chart and wait for it to become active. - function_instance.exec(_get_falco_helm_cmd("0.38.2")) + function_instance.exec(_get_falco_helm_cmd(image_version)) # Wait for the daemonset to become Active. k8s_util.wait_for_daemonset(function_instance, "falco", "falco", retry_times=10) diff --git a/tests/sanity/test_falco.py b/tests/sanity/test_falco.py index 4e68a2c..1ffe8ff 100644 --- a/tests/sanity/test_falco.py +++ b/tests/sanity/test_falco.py @@ -19,7 +19,7 @@ @pytest.mark.parametrize("rock_name", ["falco", "falco-driver-loader"]) -@pytest.mark.parametrize("image_version", ["0.38.2"]) +@pytest.mark.parametrize("image_version", ["0.38.2", "0.39.0"]) def test_falco_rock(rock_name, image_version): """Test falco rocks.""" rock = env_util.get_build_meta_info_for_rock_version( diff --git a/tests/sanity/test_falcoctl.py b/tests/sanity/test_falcoctl.py index 899feb6..92b1f53 100644 --- a/tests/sanity/test_falcoctl.py +++ b/tests/sanity/test_falcoctl.py @@ -7,7 +7,7 @@ from k8s_test_harness.util import docker_util, env_util -@pytest.mark.parametrize("image_version", ["0.9.0"]) +@pytest.mark.parametrize("image_version", ["0.9.0", "0.10.0"]) def test_falcoctl_rock(image_version): """Test falcoctl rock.""" rock = env_util.get_build_meta_info_for_rock_version(