From f9028d49f9e03b7da0eb404a5fdcc11a5b3d67c4 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Wed, 14 Feb 2024 13:00:29 +0100 Subject: [PATCH 1/5] cleanup(falco.yaml)!: remove deprecated configs Signed-off-by: Andrea Terzolo --- falco.yaml | 162 ----------------------------------------------------- 1 file changed, 162 deletions(-) diff --git a/falco.yaml b/falco.yaml index 61ee59f2399..4f79be4e2b6 100644 --- a/falco.yaml +++ b/falco.yaml @@ -64,11 +64,7 @@ # syscall_event_drops -> [CHANGE NOTICE] Automatic notifications will be simplified in Falco 0.38! If you depend on the detailed drop counters payload, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' instead # metrics # Falco performance tuning (advanced) -# syscall_buf_size_preset [DEPRECATED] -> Replaced by `engine..buf_size_preset` starting Falco 0.38! -# syscall_drop_failed_exit [DEPRECATED] -> Replaced by `engine..drop_failed_exit` starting Falco 0.38! # base_syscalls -# modern_bpf.cpus_for_each_syscall_buffer [DEPRECATED] -> Replaced by `engine.modern_ebpf.cpus_for_each_buffer` starting Falco 0.38! - ################################ # Falco command-line arguments # @@ -96,10 +92,6 @@ # when deploying Falco over a container with read-only host mounts instead of # directly on the host. Defaults to "/host". # -# - !!! [DEPRECATED] FALCO_BPF_PROBE: Specify a custom path to the BPF object code file (`bpf` -# driver). This is not needed for the modern_bpf driver. -# -> Replaced by `engine.kind: ebpf` and `engine.ebpf` starting Falco 0.38! -# # - FALCO_HOSTNAME: Customize the hostname output field logged by Falco by # setting the "FALCO_HOSTNAME" environment variable. # @@ -993,76 +985,6 @@ metrics: # Falco performance tuning (advanced) # ####################################### -# [DEPRECATED] `syscall_buf_size_preset` -> Replaced by `engine..buf_size_preset` starting Falco 0.38! -# -# Deprecated in favor of engine.{kmod,ebpf,modern_ebpf}.buf_size_preset. -# This config is evaluated only if the default `engine` config block is not changed, -# otherwise it is ignored. -# -# --- [Description] -# -# The syscall buffer index determines the size of the shared space between Falco -# and its drivers. This shared space serves as a temporary storage for syscall -# events, allowing them to be transferred from the kernel to the userspace -# efficiently. The buffer size for each online CPU is determined by the buffer -# index, and each CPU has its own dedicated buffer. Adjusting this index allows -# you to control the overall size of the syscall buffers. -# -# --- [Usage] -# -# The index 0 is reserved, and each subsequent index corresponds to an -# increasing size in bytes. For example, index 1 corresponds to a size of 1 MB, -# index 2 corresponds to 2 MB, and so on: -# -# [(*), 1 MB, 2 MB, 4 MB, 8 MB, 16 MB, 32 MB, 64 MB, 128 MB, 256 MB, 512 MB] -# ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ -# | | | | | | | | | | | -# 0 1 2 3 4 5 6 7 8 9 10 -# -# -# The buffer dimensions in bytes are determined by the following requirements: -# (1) a power of 2. -# (2) a multiple of your system_page_dimension. -# (3) greater than `2 * (system_page_dimension). -# -# The buffer size constraints may limit the usability of certain indexes. Let's -# consider an example to illustrate this: -# -# If your system has a page size of 1 MB, the first available buffer size would -# be 4 MB because 2 MB is exactly equal to 2 * (system_page_size), which is not -# sufficient as we require more than 2 * (system_page_size). In this example, it -# is evident that if the page size is 1 MB, the first index that can be used is 3. -# -# However, in most cases, these constraints do not pose a limitation, and all -# indexes from 1 to 10 can be used. You can check your system's page size using -# the Falco `--page-size` command-line option. -# -# --- [Suggestions] -# -# The buffer size was previously fixed at 8 MB (index 4). You now have the -# option to adjust the size based on your needs. Increasing the size, such as to -# 16 MB (index 5), can reduce syscall drops in heavy production systems, but may -# impact performance. Decreasing the size can speed up the system but may -# increase syscall drops. It's important to note that the buffer size is mapped -# twice in the process' virtual memory, so a buffer of 8 MB will result in a 16 -# MB area in virtual memory. Use this parameter with caution and only modify it -# if the default size is not suitable for your use case. -syscall_buf_size_preset: 4 - -# [DEPRECATED] `syscall_drop_failed_exit` -> Replaced by `engine..drop_failed_exit` starting Falco 0.38! -# -# Deprecated in favor of engine.{kmod,ebpf,modern_ebpf}.drop_failed_exit. -# This config is evaluated only if the default `engine` config block is not changed, -# otherwise it is ignored. -# -# Enabling this option in Falco allows it to drop failed system call exit events -# in the kernel drivers before pushing them onto the ring buffer. This -# optimization can result in lower CPU usage and more efficient utilization of -# the ring buffer, potentially reducing the number of event losses. However, it -# is important to note that enabling this option also means sacrificing some -# visibility into the system. -syscall_drop_failed_exit: false - # [Stable] `base_syscalls`, use with caution, read carefully # # --- [Description] @@ -1178,90 +1100,6 @@ base_syscalls: custom_set: [] repair: false -# [DEPRECATED] `modern_bpf.cpus_for_each_syscall_buffer`, modern_bpf only -> Replaced by `engine.modern_ebpf.cpus_for_each_buffer` starting Falco 0.38! -# -# Deprecated in favor of engine.modern_ebpf.cpus_for_each_buffer. -# This config is evaluated only if the default `engine` config block is not changed, -# otherwise it is ignored. -# -# --- [Description] -# -# The modern_bpf driver in Falco utilizes the new BPF ring buffer, which has a -# different memory footprint compared to the current BPF driver that uses the -# perf buffer. The Falco core maintainers have discussed the differences and -# their implications, particularly in Kubernetes environments where limits need -# to be carefully set to avoid interference with the Falco daemonset deployment -# from the OOM killer. Based on guidance received from the kernel mailing list, -# it is recommended to assign multiple CPUs to one buffer instead of allocating -# a buffer for each CPU individually. This helps optimize resource allocation -# and prevent potential issues related to memory usage. -# -# This is an index that controls how many CPUs you want to assign to a single -# syscall buffer (ring buffer). By default, for modern_bpf every syscall buffer -# is associated to 2 CPUs, so the mapping is 1:2. The modern BPF probe allows -# you to choose different mappings, for example, changing the value to `1` -# results in a 1:1 mapping and would mean one syscall buffer for each CPU (this -# is the default for the `bpf` driver). -# -# --- [Usage] -# -# You can choose an index from 0 to MAX_NUMBER_ONLINE_CPUs to set the dimension -# of the syscall buffers. The value 0 represents a single buffer shared among -# all online CPUs. It serves as a flexible option when the exact number of -# online CPUs is unknown. Here's an example to illustrate this: -# -# Consider a system with 7 online CPUs: -# -# CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU) -# -# - `1` means a syscall buffer for each CPU so 7 buffers -# -# CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU) -# | | | | | | | -# BUFFERs 0 1 2 3 4 5 6 -# -# - `2` (Default value) means a syscall buffer for each CPU pair, so 4 buffers -# -# CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU) -# | | | | | | | -# BUFFERs 0 0 1 1 2 2 3 -# -# Please note that in this example, there are 4 buffers in total. Three of the -# buffers are associated with pairs of CPUs, while the last buffer is mapped to -# a single CPU. This arrangement is necessary because we have an odd number of -# CPUs. -# -# - `0` or `MAX_NUMBER_ONLINE_CPUs` mean a syscall buffer shared between all -# CPUs, so 1 buffer -# -# CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU) -# | | | | | | | -# BUFFERs 0 0 0 0 0 0 0 -# -# Moreover, you have the option to combine this parameter with -# `syscall_buf_size_preset` index. For instance, you can create a large shared -# syscall buffer of 512 MB (using syscall_buf_size_preset=10) that is -# allocated among all the online CPUs. -# -# --- [Suggestions] -# -# The default choice of index 2 (one syscall buffer for each CPU pair) was made -# because the modern bpf probe utilizes a different memory allocation strategy -# compared to the other two drivers (bpf and kernel module). However, you have -# the flexibility to experiment and find the optimal configuration for your -# system. -# -# When considering a fixed syscall_buf_size_preset and a fixed buffer dimension: -# - Increasing this configs value results in lower number of buffers and you can -# speed up your system and reduce memory usage -# - However, using too few buffers may increase contention in the kernel, -# leading to a slowdown. -# -# If you have low event throughputs and minimal drops, reducing the number of -# buffers (higher `cpus_for_each_syscall_buffer`) can lower the memory footprint. -modern_bpf: - cpus_for_each_syscall_buffer: 2 - # [Stable] Guidance for Kubernetes container engine command-line args settings # # Modern cloud environments, particularly Kubernetes, heavily rely on From 0e67ca18b14d3336c68e422595f7f28bc8308682 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Wed, 14 Feb 2024 13:01:09 +0100 Subject: [PATCH 2/5] cleanup(configuration): cleanup deprecated code Signed-off-by: Andrea Terzolo --- userspace/falco/app/actions/load_config.cpp | 110 -------------------- userspace/falco/app/options.cpp | 7 -- userspace/falco/app/options.h | 8 -- userspace/falco/configuration.cpp | 25 +---- userspace/falco/configuration.h | 14 --- 5 files changed, 4 insertions(+), 160 deletions(-) diff --git a/userspace/falco/app/actions/load_config.cpp b/userspace/falco/app/actions/load_config.cpp index 58ea19a43f9..c510ce7e1ea 100644 --- a/userspace/falco/app/actions/load_config.cpp +++ b/userspace/falco/app/actions/load_config.cpp @@ -17,11 +17,6 @@ limitations under the License. #include "actions.h" #include "falco_utils.h" -// USED just to include some shared macros, remove this include in Falco 0.38.0 -#include "configuration.h" - -/* DEPRECATED: we will remove it in Falco 0.38. */ -#define FALCO_BPF_ENV_VARIABLE "FALCO_BPF_PROBE" using namespace falco::app; using namespace falco::app::actions; @@ -29,111 +24,6 @@ using namespace falco::app::actions; // applies legacy/in-deprecation options to the current state static falco::app::run_result apply_deprecated_options(const falco::app::state& s) { - // Check that at most one command line option is provided - int open_modes = 0; - open_modes += !s.options.capture_file.empty(); - open_modes += !s.options.gvisor_config.empty(); - open_modes += s.options.modern_bpf; - open_modes += getenv(FALCO_BPF_ENV_VARIABLE) != NULL; - open_modes += s.options.nodriver; - if(open_modes > 1) - { - return run_result::fatal("You can not specify more than one of -e, -g (--gvisor-config), --modern-bpf, --nodriver, and the FALCO_BPF_PROBE env var"); - } - - // Please note: is not possible to mix command line options and configs to obtain a configuration - // we need to use only one method. For example, is not possible to set the gvisor-config through - // the command line and the gvisor-root through the config file. For this reason, if we detect - // at least one change in the default config we don't allow to use the command line options. - if(s.config->m_changes_in_engine_config) - { - // If a command line option is specified, print a warning because it will be ignored - if(open_modes == 1) - { - falco_logger::log(falco_logger::level::WARNING, - "Since the new 'engine' config key is being used, deprecated CLI options " - "[-e,-g,--gvisor-config,--nodriver,--modern-bpf] and 'FALCO_BPF_PROBE' environment variable will be ignored.\n"); - } - - // If these configs are specified, print a warning because they will be ignored - if(s.config->m_syscall_drop_failed_exit != DEFAULT_DROP_FAILED_EXIT) - { - falco_logger::log(falco_logger::level::WARNING, - "Since the new 'engine' config key is being used, deprecated config 'syscall_drop_failed_exit' will be ignored.\n"); - } - if(s.config->m_syscall_buf_size_preset != DEFAULT_BUF_SIZE_PRESET) - { - falco_logger::log(falco_logger::level::WARNING, - "Since the new 'engine' config key is being used, deprecated config 'syscall_buf_size_preset' will be ignored.\n"); - } - if(s.config->m_cpus_for_each_syscall_buffer != DEFAULT_CPUS_FOR_EACH_SYSCALL_BUFFER) - { - falco_logger::log(falco_logger::level::WARNING, - "Since the new 'engine' config key is being used, deprecated config 'modern_bpf.cpus_for_each_syscall_buffer' will be ignored.\n"); - } - return run_result::ok(); - } - - // These warnings are similar to the ones above, but in this case, the configs are not ignored - // they are just deprecated - if(s.config->m_syscall_drop_failed_exit != DEFAULT_DROP_FAILED_EXIT) - { - falco_logger::log(falco_logger::level::WARNING, - "DEPRECATION NOTICE: 'syscall_drop_failed_exit' config is deprecated and will be removed in Falco 0.38! Use 'engine..drop_failed_exit' config instead\n"); - } - if(s.config->m_syscall_buf_size_preset != DEFAULT_BUF_SIZE_PRESET) - { - falco_logger::log(falco_logger::level::WARNING, - "DEPRECATION NOTICE: 'syscall_buf_size_preset' config is deprecated and will be removed in Falco 0.38! Use 'engine..buf_size_preset' config instead\n"); - } - if(s.config->m_cpus_for_each_syscall_buffer != DEFAULT_CPUS_FOR_EACH_SYSCALL_BUFFER) - { - falco_logger::log(falco_logger::level::WARNING, - "DEPRECATION NOTICE: 'modern_bpf.cpus_for_each_syscall_buffer' config is deprecated and will be removed in Falco 0.38! Use 'engine.modern_ebpf.cpus_for_each_buffer' config instead\n"); - } - - // Replace the kmod default values in case the engine was open with the kmod. - // We don't have a command line option to open the kmod so we have to always enforce the - // default values. - s.config->m_kmod.m_drop_failed_exit = s.config->m_syscall_drop_failed_exit; - s.config->m_kmod.m_buf_size_preset = s.config->m_syscall_buf_size_preset; - - // If overridden from CLI options (soon to be removed), - // use the requested driver. - if (getenv(FALCO_BPF_ENV_VARIABLE)) - { - falco_logger::log(falco_logger::level::WARNING, "DEPRECATION NOTICE: the 'FALCO_BPF_PROBE' environment variable is deprecated and will be removed in Falco 0.38! Set 'engine.kind: ebpf' and use 'engine.ebpf' config instead in falco.yaml\n"); - s.config->m_engine_mode = engine_kind_t::EBPF; - s.config->m_ebpf.m_probe_path = getenv(FALCO_BPF_ENV_VARIABLE); - s.config->m_ebpf.m_drop_failed_exit = s.config->m_syscall_drop_failed_exit; - s.config->m_ebpf.m_buf_size_preset = s.config->m_syscall_buf_size_preset; - } - else if (s.options.modern_bpf) - { - falco_logger::log(falco_logger::level::WARNING, "DEPRECATION NOTICE: the '--modern-bpf' command line option is deprecated and will be removed in Falco 0.38! Set 'engine.kind: modern_ebpf' and use 'engine.modern_ebpf' config instead in falco.yaml\n"); - s.config->m_engine_mode = engine_kind_t::MODERN_EBPF; - s.config->m_modern_ebpf.m_drop_failed_exit = s.config->m_syscall_drop_failed_exit; - s.config->m_modern_ebpf.m_buf_size_preset = s.config->m_syscall_buf_size_preset; - s.config->m_modern_ebpf.m_cpus_for_each_buffer = s.config->m_cpus_for_each_syscall_buffer; - } - if (!s.options.gvisor_config.empty()) - { - falco_logger::log(falco_logger::level::WARNING, "DEPRECATION NOTICE: the '-g,--gvisor-config' command line option is deprecated and will be removed in Falco 0.38! Set 'engine.kind: gvisor' and use 'engine.gvisor' config instead in falco.yaml\n"); - s.config->m_engine_mode = engine_kind_t::GVISOR; - s.config->m_gvisor.m_config = s.options.gvisor_config; - s.config->m_gvisor.m_root = s.options.gvisor_root; - } - if (s.options.nodriver) - { - falco_logger::log(falco_logger::level::WARNING, "DEPRECATION NOTICE: the '--nodriver' command line option is deprecated and will be removed in Falco 0.38! Set 'engine.kind: nodriver' instead in falco.yaml\n"); - s.config->m_engine_mode = engine_kind_t::NODRIVER; - } - if (!s.options.capture_file.empty()) - { - falco_logger::log(falco_logger::level::WARNING, "DEPRECATION NOTICE: the '-e' command line option is deprecated and will be removed in Falco 0.38! Set 'engine.kind: replay' and use 'engine.replay' config instead in falco.yaml\n"); - s.config->m_engine_mode = engine_kind_t::REPLAY; - s.config->m_replay.m_capture_file = s.options.capture_file; - } return run_result::ok(); } diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp index 9c0f3857316..3285a4012be 100644 --- a/userspace/falco/app/options.cpp +++ b/userspace/falco/app/options.cpp @@ -169,15 +169,9 @@ void options::define(cxxopts::Options& opts) ("disable-source", "Turn off a specific . By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "") ("dry-run", "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false")) ("D", "Turn off any rules with names having the substring . This option can be passed multiple times. It cannot be mixed with -t.", cxxopts::value(disabled_rule_substrings), "") - ("e", "DEPRECATED. Reproduce the events by reading from the given instead of opening a live session. Only capture files in .scap format are supported.", cxxopts::value(capture_file), "") ("enable-source", "Enable a specific . By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. When using this option, only the event sources specified by it will be enabled. This option can not be mixed with --disable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(enable_sources), "") #ifdef HAS_GVISOR - ("g,gvisor-config", "DEPRECATED. Collect 'syscall' events from gVisor using the specified file. A Falco-compatible configuration file can be generated with --gvisor-generate-config and utilized for both runsc and Falco.", cxxopts::value(gvisor_config), "") ("gvisor-generate-config", "Generate a configuration file that can be used for gVisor and exit. See --gvisor-config for more details.", cxxopts::value(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "") - ("gvisor-root", "DEPRECATED. Set gVisor root directory for storage of container state when used in conjunction with --gvisor-config. The to be passed is the one usually passed to runsc --root flag.", cxxopts::value(gvisor_root), "") -#endif -#ifdef HAS_MODERN_BPF - ("modern-bpf", "DEPRECATED. Use the BPF modern probe driver to instrument the kernel and observe 'syscall' events.", cxxopts::value(modern_bpf)->default_value("false")) #endif ("i", "Print those events that are ignored by default for performance reasons and exit. See -A for more details.", cxxopts::value(print_ignored_events)->default_value("false")) ("L", "Show the name and description of all rules and exit. If json_output is set to true, it prints details about all rules, macros, and lists in JSON format.", cxxopts::value(describe_all_rules)->default_value("false")) @@ -188,7 +182,6 @@ void options::define(cxxopts::Options& opts) ("M", "Stop Falco execution after are passed.", cxxopts::value(duration_to_tot)->default_value("0"), "") ("markdown", "Print output in Markdown format when used in conjunction with --list or --list-events options. It has no effect when used with other options.", cxxopts::value(markdown)) ("N", "Only print field names when used in conjunction with the --list option. It has no effect when used with other options.", cxxopts::value(names_only)->default_value("false")) - ("nodriver", "DEPRECATED. Do not use a driver to instrument the kernel. If a loaded plugin has event-sourcing capability and can produce system events, it will be used for event collection. Otherwise, no event will be collected.", cxxopts::value(nodriver)->default_value("false")) ("o,option", "Set the value of option to . Overrides values in the configuration file. can be identified using its location in the configuration file using dot notation. Elements of list entries can be accessed via square brackets [].\n E.g. base.id = val\n base.subvalue.subvalue2 = val\n base.list[1]=val", cxxopts::value(cmdline_config_options), "=") ("plugin-info", "Print info for the plugin specified by and exit.\nThis includes all descriptive information like name and author, along with the\nschema format for the init configuration and a list of suggested open parameters.\n can be the plugin's name or its configured 'library_path'.", cxxopts::value(print_plugin_info), "") ("p,print", "Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details.\nUse -pk or -pkubernetes to add both container and Kubernetes details.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p for a custom format. In this case, the given will be appended to the rule's output without any replacement.", cxxopts::value(print_additional), "") diff --git a/userspace/falco/app/options.h b/userspace/falco/app/options.h index ad2a09a824a..ab4e782cef0 100644 --- a/userspace/falco/app/options.h +++ b/userspace/falco/app/options.h @@ -76,14 +76,6 @@ class options { bool print_page_size; bool dry_run; - // todo!: remove them in Falco 0.38.0 since they are deprecated - std::string capture_file = ""; - std::string gvisor_config = ""; - std::string gvisor_root = ""; - bool modern_bpf = false; - bool nodriver = false; - - bool parse(int argc, char **argv, std::string &errstr); const std::string& usage(); diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index f1bcf749781..fede8022030 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -40,6 +40,10 @@ namespace fs = std::filesystem; // Reference: https://digitalfortress.tech/tips/top-15-commonly-used-regex/ static re2::RE2 ip_address_re("((^\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\s*$)|(^\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?\\s*$))"); +#define DEFAULT_BUF_SIZE_PRESET 4 +#define DEFAULT_CPUS_FOR_EACH_SYSCALL_BUFFER 2 +#define DEFAULT_DROP_FAILED_EXIT false + falco_configuration::falco_configuration(): m_json_output(false), m_json_include_output_property(true), @@ -122,27 +126,11 @@ void falco_configuration::load_engine_config(const std::string& config_name, con throw std::logic_error("Error reading config file (" + config_name + "): engine.kind '"+ driver_mode_str + "' is not a valid kind."); } - // Catch deprecated values from the config, to use them with the command line if needed - m_syscall_buf_size_preset = config.get_scalar("syscall_buf_size_preset", DEFAULT_BUF_SIZE_PRESET); - m_cpus_for_each_syscall_buffer = config.get_scalar("modern_bpf.cpus_for_each_syscall_buffer", DEFAULT_CPUS_FOR_EACH_SYSCALL_BUFFER); - m_syscall_drop_failed_exit = config.get_scalar("syscall_drop_failed_exit", DEFAULT_DROP_FAILED_EXIT); - switch (m_engine_mode) { case engine_kind_t::KMOD: m_kmod.m_buf_size_preset = config.get_scalar("engine.kmod.buf_size_preset", DEFAULT_BUF_SIZE_PRESET); m_kmod.m_drop_failed_exit = config.get_scalar("engine.kmod.drop_failed_exit", DEFAULT_DROP_FAILED_EXIT); - - if(m_kmod.m_buf_size_preset == DEFAULT_BUF_SIZE_PRESET && m_kmod.m_drop_failed_exit==DEFAULT_DROP_FAILED_EXIT) - { - // This could happen in 2 cases: - // 1. The user doesn't use the new config (it could also have commented it) - // 2. The user uses the new config unchanged. - // In these 2 cases the users are allowed to use the command line arguments to open an engine - m_changes_in_engine_config = false; - return; - } - break; case engine_kind_t::EBPF: // TODO: default value for `probe` should be $HOME/FALCO_PROBE_BPF_FILEPATH, @@ -176,11 +164,6 @@ void falco_configuration::load_engine_config(const std::string& config_name, con default: break; } - - // If we arrive here it means we have at least one change in the `engine` config. - // Please note that `load_config` could be called more than one time during initialization - // so the last time wins, the load config phase should be idempotent - m_changes_in_engine_config = true; } void falco_configuration::load_yaml(const std::string& config_name, const yaml_helper& config) diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h index d463d2ae166..d8603731bda 100644 --- a/userspace/falco/configuration.h +++ b/userspace/falco/configuration.h @@ -37,11 +37,6 @@ limitations under the License. #include "event_drops.h" #include "falco_outputs.h" -// todo!: remove them in Falco 0.38.0 -#define DEFAULT_BUF_SIZE_PRESET 4 -#define DEFAULT_CPUS_FOR_EACH_SYSCALL_BUFFER 2 -#define DEFAULT_DROP_FAILED_EXIT false - enum class engine_kind_t : uint8_t { KMOD, @@ -164,15 +159,6 @@ class falco_configuration replay_config m_replay = {}; gvisor_config m_gvisor = {}; - // todo!: to remove in Falco 0.38.0 - // used to keep track if the `engine` config is used. - bool m_changes_in_engine_config = false; - // Index corresponding to the syscall buffer dimension. - uint16_t m_syscall_buf_size_preset = DEFAULT_BUF_SIZE_PRESET; - // Number of CPUs associated with a single ring buffer. - uint16_t m_cpus_for_each_syscall_buffer = DEFAULT_CPUS_FOR_EACH_SYSCALL_BUFFER; - bool m_syscall_drop_failed_exit = DEFAULT_DROP_FAILED_EXIT; - private: void load_yaml(const std::string& config_name, const yaml_helper& config); From 5e3e8811a772c6a70236c2cd9917c43623c8a5f7 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Wed, 14 Feb 2024 13:01:34 +0100 Subject: [PATCH 3/5] tests: remove deprecated assertions Signed-off-by: Andrea Terzolo --- .../falco/app/actions/test_load_config.cpp | 144 ++---------------- ...unchanged.yaml => engine_kmod_config.yaml} | 19 +-- ...changed.yaml => engine_modern_config.yaml} | 24 +-- unit_tests/falco_test_var.h.in | 4 +- 4 files changed, 24 insertions(+), 167 deletions(-) rename unit_tests/falco/test_configs/{new_engine_config_unchanged.yaml => engine_kmod_config.yaml} (72%) rename unit_tests/falco/test_configs/{new_engine_config_changed.yaml => engine_modern_config.yaml} (65%) diff --git a/unit_tests/falco/app/actions/test_load_config.cpp b/unit_tests/falco/app/actions/test_load_config.cpp index 78b55022abd..70a1f2a122b 100644 --- a/unit_tests/falco/app/actions/test_load_config.cpp +++ b/unit_tests/falco/app/actions/test_load_config.cpp @@ -19,10 +19,10 @@ limitations under the License. #include "falco_test_var.h" #ifndef __EMSCRIPTEN__ -TEST(ActionLoadConfig, check_engine_config_is_correctly_parsed) +TEST(ActionLoadConfig, check_kmod_engine_config) { falco::app::state s = {}; - s.options.conf_filename = NEW_ENGINE_CONFIG_CHANGED; + s.options.conf_filename = TEST_ENGINE_KMOD_CONFIG; EXPECT_ACTION_OK(falco::app::actions::load_config(s)); // Check that the engine is the kmod @@ -45,105 +45,26 @@ TEST(ActionLoadConfig, check_engine_config_is_correctly_parsed) EXPECT_TRUE(s.config->m_gvisor.m_config.empty()); EXPECT_TRUE(s.config->m_gvisor.m_root.empty()); - - // Check that deprecated configs are always set since - EXPECT_EQ(s.config->m_syscall_buf_size_preset, 6); - EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, 7); - EXPECT_TRUE(s.config->m_syscall_drop_failed_exit); -} - -// Equal to the one above but checks that the command line options are not parsed -TEST(ActionLoadConfig, check_command_line_options_are_not_used) -{ - falco::app::state s; - s.options.modern_bpf = true; - s.options.conf_filename = NEW_ENGINE_CONFIG_CHANGED; - EXPECT_ACTION_OK(falco::app::actions::load_config(s)); - - // Check that the engine is the kmod - EXPECT_TRUE(s.config->m_engine_mode == engine_kind_t::KMOD); - - // Check that kmod params are the ones specified in the config - EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 2); - EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit); - - // Check that all other engine params are empty - EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty()); - EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0); - EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit); - - EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 0); - EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 0); - EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit); - - EXPECT_TRUE(s.config->m_replay.m_capture_file.empty()); - - EXPECT_TRUE(s.config->m_gvisor.m_config.empty()); - EXPECT_TRUE(s.config->m_gvisor.m_root.empty()); - - // Check that deprecated configs are always set since - EXPECT_EQ(s.config->m_syscall_buf_size_preset, 6); - EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, 7); - EXPECT_TRUE(s.config->m_syscall_drop_failed_exit); } -TEST(ActionLoadConfig, check_kmod_with_syscall_configs) +TEST(ActionLoadConfig, check_modern_engine_config) { - falco::app::state s; - s.options.conf_filename = NEW_ENGINE_CONFIG_UNCHANGED; - EXPECT_ACTION_OK(falco::app::actions::load_config(s)); - - // Check that the engine is the kmod - EXPECT_TRUE(s.config->m_engine_mode == engine_kind_t::KMOD); - - // Kmod params should be populated with the syscall configs - // since the `engine` block is untouched. - EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 6); - EXPECT_TRUE(s.config->m_kmod.m_drop_failed_exit); - - // Check that all other engine params are empty - EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty()); - EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0); - EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit); - - EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 0); - EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 0); - EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit); - - EXPECT_TRUE(s.config->m_replay.m_capture_file.empty()); - - EXPECT_TRUE(s.config->m_gvisor.m_config.empty()); - EXPECT_TRUE(s.config->m_gvisor.m_root.empty()); - - // Check that deprecated configs are populated - EXPECT_EQ(s.config->m_syscall_buf_size_preset, 6); - EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, 3); - EXPECT_TRUE(s.config->m_syscall_drop_failed_exit); -} - -TEST(ActionLoadConfig, check_override_command_line_modern) -{ - falco::app::state s; - // The command line options should be correctly applied since the - // config is unchanged - s.options.modern_bpf = true; - s.options.conf_filename = NEW_ENGINE_CONFIG_UNCHANGED; + falco::app::state s = {}; + s.options.conf_filename = TEST_ENGINE_MODERN_CONFIG; EXPECT_ACTION_OK(falco::app::actions::load_config(s)); - // Check that the engine is the kmod - EXPECT_TRUE(s.is_modern_ebpf()); + // Check that the engine is the modern ebpf + EXPECT_TRUE(s.config->m_engine_mode == engine_kind_t::MODERN_EBPF); - // Check that the modern ebpf engine uses the default syscall configs - // and not the ones in the `engine` block - EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 3); - EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 6); + // Check that modern ebpf params are the ones specified in the config + EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 1); + EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 4); EXPECT_TRUE(s.config->m_modern_ebpf.m_drop_failed_exit); - // Kmod params should be always populated since the kmod is the default - EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 6); - EXPECT_TRUE(s.config->m_kmod.m_drop_failed_exit); - // Check that all other engine params are empty + EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 0); + EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit); + EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty()); EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0); EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit); @@ -152,45 +73,6 @@ TEST(ActionLoadConfig, check_override_command_line_modern) EXPECT_TRUE(s.config->m_gvisor.m_config.empty()); EXPECT_TRUE(s.config->m_gvisor.m_root.empty()); - - // Check that deprecated configs are populated - EXPECT_EQ(s.config->m_syscall_buf_size_preset, 6); - EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, 3); - EXPECT_TRUE(s.config->m_syscall_drop_failed_exit); } -TEST(ActionLoadConfig, check_override_command_line_gvisor) -{ - falco::app::state s; - // The command line options should be correctly applied since the - // config is unchanged - s.options.gvisor_config = "config"; - s.options.conf_filename = NEW_ENGINE_CONFIG_UNCHANGED; - EXPECT_ACTION_OK(falco::app::actions::load_config(s)); - - // Check that the engine is the kmod - EXPECT_TRUE(s.is_gvisor()); - EXPECT_EQ(s.config->m_gvisor.m_config, "config"); - EXPECT_TRUE(s.config->m_gvisor.m_root.empty()); - - // Kmod params should be always populated since the kmod is the default - EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 6); - EXPECT_TRUE(s.config->m_kmod.m_drop_failed_exit); - - // Check that all other engine params are empty - EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty()); - EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0); - EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit); - - EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 0); - EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 0); - EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit); - - EXPECT_TRUE(s.config->m_replay.m_capture_file.empty()); - - // Check that deprecated configs are populated - EXPECT_EQ(s.config->m_syscall_buf_size_preset, 6); - EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, 3); - EXPECT_TRUE(s.config->m_syscall_drop_failed_exit); -} #endif diff --git a/unit_tests/falco/test_configs/new_engine_config_unchanged.yaml b/unit_tests/falco/test_configs/engine_kmod_config.yaml similarity index 72% rename from unit_tests/falco/test_configs/new_engine_config_unchanged.yaml rename to unit_tests/falco/test_configs/engine_kmod_config.yaml index 7d0fb870540..aa0e1f9d618 100644 --- a/unit_tests/falco/test_configs/new_engine_config_unchanged.yaml +++ b/unit_tests/falco/test_configs/engine_kmod_config.yaml @@ -20,16 +20,15 @@ # Falco engine # ################ -# Unchanged engine: kind: kmod kmod: - buf_size_preset: 4 + buf_size_preset: 2 drop_failed_exit: false ebpf: probe: /path/to/probe.o - buf_size_preset: 4 - drop_failed_exit: false + buf_size_preset: 7 + drop_failed_exit: true modern_ebpf: cpus_for_each_buffer: 2 buf_size_preset: 4 @@ -39,15 +38,3 @@ engine: gvisor: config: /path/to/gvisor_config.yaml root: "" - -####################################### -# Falco performance tuning (advanced) # -####################################### - -# The `engine` config is unchanged so these configs are used -syscall_buf_size_preset: 6 - -syscall_drop_failed_exit: true - -modern_bpf: - cpus_for_each_syscall_buffer: 3 diff --git a/unit_tests/falco/test_configs/new_engine_config_changed.yaml b/unit_tests/falco/test_configs/engine_modern_config.yaml similarity index 65% rename from unit_tests/falco/test_configs/new_engine_config_changed.yaml rename to unit_tests/falco/test_configs/engine_modern_config.yaml index 99962545a60..0b8a8f04adc 100644 --- a/unit_tests/falco/test_configs/new_engine_config_changed.yaml +++ b/unit_tests/falco/test_configs/engine_modern_config.yaml @@ -21,32 +21,20 @@ ################ engine: - kind: kmod + kind: modern_ebpf kmod: - buf_size_preset: 2 # changed default value - drop_failed_exit: false + buf_size_preset: 1 + drop_failed_exit: true ebpf: probe: /path/to/probe.o buf_size_preset: 4 drop_failed_exit: false modern_ebpf: - cpus_for_each_buffer: 2 - buf_size_preset: 4 - drop_failed_exit: false + cpus_for_each_buffer: 1 + # missing `buf_size_preset` should be defaulted + drop_failed_exit: true replay: capture_file: /path/to/file.scap gvisor: config: /path/to/gvisor_config.yaml root: "" - -####################################### -# Falco performance tuning (advanced) # -####################################### - -# These configs should be ignored since we have changed the `engine` config -syscall_buf_size_preset: 6 - -syscall_drop_failed_exit: true - -modern_bpf: - cpus_for_each_syscall_buffer: 7 diff --git a/unit_tests/falco_test_var.h.in b/unit_tests/falco_test_var.h.in index f8cfcab8321..43633e609fa 100644 --- a/unit_tests/falco_test_var.h.in +++ b/unit_tests/falco_test_var.h.in @@ -1,4 +1,4 @@ #pragma once -#define NEW_ENGINE_CONFIG_CHANGED "${CMAKE_SOURCE_DIR}/unit_tests/falco/test_configs/new_engine_config_changed.yaml" -#define NEW_ENGINE_CONFIG_UNCHANGED "${CMAKE_SOURCE_DIR}/unit_tests/falco/test_configs/new_engine_config_unchanged.yaml" +#define TEST_ENGINE_KMOD_CONFIG "${CMAKE_SOURCE_DIR}/unit_tests/falco/test_configs/engine_kmod_config.yaml" +#define TEST_ENGINE_MODERN_CONFIG "${CMAKE_SOURCE_DIR}/unit_tests/falco/test_configs/engine_modern_config.yaml" From 5a8bee5b0f0d45396c663028e0f8b64eff2c170e Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Wed, 14 Feb 2024 13:11:25 +0100 Subject: [PATCH 4/5] cleanup: move ebpf default value logic Signed-off-by: Andrea Terzolo --- .../falco/app/actions/helpers_inspector.cpp | 17 ++--------------- userspace/falco/configuration.cpp | 19 +++++++++++++------ 2 files changed, 15 insertions(+), 21 deletions(-) diff --git a/userspace/falco/app/actions/helpers_inspector.cpp b/userspace/falco/app/actions/helpers_inspector.cpp index 1cc029fafcc..f4638daae90 100644 --- a/userspace/falco/app/actions/helpers_inspector.cpp +++ b/userspace/falco/app/actions/helpers_inspector.cpp @@ -106,21 +106,8 @@ falco::app::run_result falco::app::actions::open_live_inspector( } else if(s.is_ebpf()) /* BPF engine. */ { - const char *bpf_probe_path = s.config->m_ebpf.m_probe_path.c_str(); - char full_path[PATH_MAX]; - /* If the path is empty try to load the probe from the default path. */ - if(strncmp(bpf_probe_path, "", 1) == 0) - { - const char *home = std::getenv("HOME"); - if(!home) - { - return run_result::fatal("Cannot get the env variable 'HOME'"); - } - snprintf(full_path, PATH_MAX, "%s/%s", home, FALCO_PROBE_BPF_FILEPATH); - bpf_probe_path = full_path; - } - falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with BPF probe. BPF probe path: " + std::string(bpf_probe_path)); - inspector->open_bpf(bpf_probe_path, s.syscall_buffer_bytes_size, s.selected_sc_set); + falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with BPF probe. BPF probe path: " + s.config->m_ebpf.m_probe_path); + inspector->open_bpf(s.config->m_ebpf.m_probe_path.c_str(), s.syscall_buffer_bytes_size, s.selected_sc_set); } else /* Kernel module (default). */ { diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index fede8022030..9d7a635f4dc 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -133,12 +133,19 @@ void falco_configuration::load_engine_config(const std::string& config_name, con m_kmod.m_drop_failed_exit = config.get_scalar("engine.kmod.drop_failed_exit", DEFAULT_DROP_FAILED_EXIT); break; case engine_kind_t::EBPF: - // TODO: default value for `probe` should be $HOME/FALCO_PROBE_BPF_FILEPATH, - // to be done once we drop the CLI option otherwise we would need to make the check twice, - // once here, and once when we merge the CLI options in the config file. - m_ebpf.m_probe_path = config.get_scalar("engine.ebpf.probe", ""); - m_ebpf.m_buf_size_preset = config.get_scalar("engine.ebpf.buf_size_preset", DEFAULT_BUF_SIZE_PRESET); - m_ebpf.m_drop_failed_exit = config.get_scalar("engine.ebpf.drop_failed_exit", DEFAULT_DROP_FAILED_EXIT); + { + // default value for `m_probe_path` should be `$HOME/FALCO_PROBE_BPF_FILEPATH` + char full_path[PATH_MAX]; + const char *home = std::getenv("HOME"); + if(!home) + { + throw std::logic_error("Cannot get the env variable 'HOME'"); + } + snprintf(full_path, PATH_MAX, "%s/%s", home, FALCO_PROBE_BPF_FILEPATH); + m_ebpf.m_probe_path = config.get_scalar("engine.ebpf.probe", std::string(full_path)); + m_ebpf.m_buf_size_preset = config.get_scalar("engine.ebpf.buf_size_preset", DEFAULT_BUF_SIZE_PRESET); + m_ebpf.m_drop_failed_exit = config.get_scalar("engine.ebpf.drop_failed_exit", DEFAULT_DROP_FAILED_EXIT); + } break; case engine_kind_t::MODERN_EBPF: m_modern_ebpf.m_cpus_for_each_buffer = config.get_scalar("engine.modern_ebpf.cpus_for_each_buffer", DEFAULT_CPUS_FOR_EACH_SYSCALL_BUFFER); From f70c4b8b0a8d479d3a750fdc41735e4a3c848bcc Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Wed, 14 Feb 2024 14:25:41 +0100 Subject: [PATCH 5/5] fix(CI): fix windows CI Signed-off-by: Andrea Terzolo --- userspace/falco/app/actions/helpers_inspector.cpp | 4 ---- userspace/falco/configuration.cpp | 3 +++ 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/userspace/falco/app/actions/helpers_inspector.cpp b/userspace/falco/app/actions/helpers_inspector.cpp index f4638daae90..5e34786f6c8 100644 --- a/userspace/falco/app/actions/helpers_inspector.cpp +++ b/userspace/falco/app/actions/helpers_inspector.cpp @@ -24,10 +24,6 @@ limitations under the License. #include "helpers.h" -#ifdef _WIN32 -#define PATH_MAX 260 -#endif - using namespace falco::app; using namespace falco::app::actions; diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index 9d7a635f4dc..35bcc6cf093 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -27,6 +27,9 @@ limitations under the License. #include #ifndef _WIN32 #include +#else +// Used in the ebpf probe path. +#define PATH_MAX 260 #endif #include "falco_utils.h"