diff --git a/cmake/modules/falcoctl.cmake b/cmake/modules/falcoctl.cmake index 529a5c4c805..64d17e073f4 100644 --- a/cmake/modules/falcoctl.cmake +++ b/cmake/modules/falcoctl.cmake @@ -16,14 +16,14 @@ include(ExternalProject) string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME) -set(FALCOCTL_VERSION "0.7.2") +set(FALCOCTL_VERSION "0.8.0-rc1") if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64") set(FALCOCTL_SYSTEM_PROC_GO "amd64") - set(FALCOCTL_HASH "abbbef2beefceb3d518a638fbad220ca6002840d33a20a7f1de9b358c4dbef45") + set(FALCOCTL_HASH "120a45be26be26ed9795926e3d382440ce010b8ec31fda8a0118ec3d42fc7bc7") else() # aarch64 set(FALCOCTL_SYSTEM_PROC_GO "arm64") - set(FALCOCTL_HASH "8dafef99948355febfa311bb940f8c714af631a249f4ae05ffd7d4c5f181e2c4") + set(FALCOCTL_HASH "f2c15e7a4c210ee9e3a521f4b6f6ed3096db6bf52426d369a9fe2a1cd3a4a4c2") endif() ExternalProject_Add( diff --git a/docker/driver-loader-legacy/docker-entrypoint.sh b/docker/driver-loader-legacy/docker-entrypoint.sh index 1d3b836dd32..a01cd278727 100755 --- a/docker/driver-loader-legacy/docker-entrypoint.sh +++ b/docker/driver-loader-legacy/docker-entrypoint.sh @@ -24,8 +24,10 @@ print_usage() { echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader-legacy:latest [driver] [options]" echo "" echo "Available drivers:" - echo " kmod kernel module (default)" + echo " auto leverage automatic driver selection logic (default)" + echo " modern_ebpf modern eBPF CORE probe" echo " ebpf eBPF probe" + echo " kmod kernel module" echo "" echo "Options:" echo " --help show this help message" @@ -63,7 +65,9 @@ while test $# -gt 0; do print_usage exit 1 else - /usr/bin/falcoctl driver config --type $1 + if [ "$1" != "auto" ]; then + /usr/bin/falcoctl driver config --type $1 + fi has_driver="true" fi ;; 
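Review bot: In docker/driver-loader-legacy/docker-entrypoint.sh the `case` pattern guarding the changed branch (hunk `-63,7 +65,9`) lies outside the hunk and appears not to be touched by this diff, whereas the sibling docker/driver-loader/docker-entrypoint.sh widens its pattern to `auto|kmod|ebpf|modern_ebpf)`. If the legacy pattern still reads `kmod|ebpf)`, the new `[ "$1" != "auto" ]` test is never reached with `auto`, and the usage text advertises `auto` and `modern_ebpf` as drivers the loop does not accept. The second hunk of docker/falco/docker-entrypoint.sh (`-71,7 +73,9`, using `$opt`) has the same shape and deserves the same check. It would also help to quote the argument, `/usr/bin/falcoctl driver config --type "$1"`, so the call does not depend on the pattern to keep the value a single word.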
diff --git a/docker/driver-loader/docker-entrypoint.sh b/docker/driver-loader/docker-entrypoint.sh index b04866e0d5a..7f51d543070 100755 --- a/docker/driver-loader/docker-entrypoint.sh +++ b/docker/driver-loader/docker-entrypoint.sh @@ -24,8 +24,10 @@ print_usage() { echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]" echo "" echo "Available drivers:" - echo " kmod kernel module (default)" + echo " auto leverage automatic driver selection logic (default)" + echo " modern_ebpf modern eBPF CORE probe" echo " ebpf eBPF probe" + echo " kmod kernel module" echo "" echo "Options:" echo " --help show this help message" @@ -61,13 +63,15 @@ extra_args= while test $# -gt 0; do case "$1" in - kmod|ebpf) + auto|kmod|ebpf|modern_ebpf) if [ -n "$has_driver" ]; then >&2 echo "Only one driver per invocation" print_usage exit 1 else - /usr/bin/falcoctl driver config --type $1 + if [ "$1" != "auto" ]; then + /usr/bin/falcoctl driver config --type $1 + fi has_driver="true" fi ;; diff --git a/docker/falco/docker-entrypoint.sh b/docker/falco/docker-entrypoint.sh index e7bb664b060..448e117c4e3 100755 --- a/docker/falco/docker-entrypoint.sh +++ b/docker/falco/docker-entrypoint.sh 
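Review bot: The `auto` branch in the `-61,13 +63,15` hunk of docker/driver-loader/docker-entrypoint.sh skips `falcoctl driver config` without saying where the driver types then come from. A reader has to infer that the list already written to falcoctl's configuration is used as is, presumably the one rendered from scripts/falcoctl/falcoctl.yaml.in. A comment above the test would record that, for example `# auto: keep the driver types already configured for falcoctl and let it pick one`. The loop body continues outside the hunk.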
@@ -23,9 +23,11 @@ print_usage() { echo "Usage:" echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest" echo "" - echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:" - echo " kmod kernel module (default)" + echo "Available drivers:" + echo " auto leverage automatic driver selection logic (default)" + echo " modern_ebpf modern eBPF CORE probe" echo " ebpf eBPF probe" + echo " kmod kernel module" echo "" echo "FALCO_DRIVER_LOADER_OPTIONS options:" echo " --help show this help message" @@ -71,7 +73,9 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then print_usage exit 1 else - /usr/bin/falcoctl driver config --type $opt + if [ "$opt" != "auto" ]; then + /usr/bin/falcoctl driver config --type $opt + fi has_driver="true" fi ;; diff --git a/falco.yaml b/falco.yaml index 451e71d03d3..fe1ff58c127 100644 --- a/falco.yaml +++ b/falco.yaml @@ -322,7 +322,7 @@ rules_file: # buffers (higher `cpus_for_each_buffer`) can lower the memory footprint. # engine: - kind: kmod + kind: modern_ebpf kmod: buf_size_preset: 4 drop_failed_exit: false diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 9aa72a8a536..6fddd418c42 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt 
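Review bot: The stock `engine.kind` in falco.yaml moves from `kmod` to `modern_ebpf`, but the comment block that documents the engine settings begins outside the hunk and is not changed here, so it may still describe the old default. Anyone starting Falco directly with this file on a kernel that cannot load the modern probe would presumably get no event source at all, which for a detection tool is a silent coverage gap. A short comment above the key would make the fallback explicit, for example `# Default engine; switch to ebpf or kmod on kernels without modern eBPF support`.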
@@ -47,7 +47,18 @@ endif() if (NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN AND NOT MUSL_OPTIMIZED_BUILD) if(NOT DEFINED FALCOCTL_ETC_DIR) set(FALCOCTL_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falcoctl") + endif() + set(FALCOCTL_DRIVER_TYPES_LIST "") + if (BUILD_FALCO_MODERN_BPF) + list(APPEND FALCOCTL_DRIVER_TYPES_LIST "modern_ebpf") endif() + if (BUILD_BPF) + list(APPEND FALCOCTL_DRIVER_TYPES_LIST "ebpf") + endif() + if (BUILD_DRIVER) + list(APPEND FALCOCTL_DRIVER_TYPES_LIST "kmod") + endif() + string(REPLACE ";" ", " FALCOCTL_DRIVER_TYPES "${FALCOCTL_DRIVER_TYPES_LIST}") configure_file(${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml.in ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml) install(FILES ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml DESTINATION "${FALCOCTL_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}") endif() diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in index a0669fc14af..cce12bd9198 100755 --- a/scripts/debian/postinst.in +++ b/scripts/debian/postinst.in @@ -17,7 +17,8 @@ # limitations under the License. # -chosen_driver= +# By default, we use the automatic selection for drivers +chosen_driver="auto" chosen_unit= CHOICE= 
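Review bot: When none of `BUILD_FALCO_MODERN_BPF`, `BUILD_BPF` and `BUILD_DRIVER` is enabled, `FALCOCTL_DRIVER_TYPES_LIST` stays empty and the template line `type: [@FALCOCTL_DRIVER_TYPES@]` in scripts/falcoctl/falcoctl.yaml.in renders as `type: []`; nothing in this hunk guards against that. How falcoctl treats an empty type list is not visible here, so a configure-time `message(WARNING "falcoctl.yaml: no driver type enabled")` under `if(NOT FALCOCTL_DRIVER_TYPES_LIST)` would at least surface it. As a style point, `list(JOIN FALCOCTL_DRIVER_TYPES_LIST ", " FALCOCTL_DRIVER_TYPES)` states the intent more directly than the `string(REPLACE ...)`, if the project's minimum CMake version allows it. Passing `@ONLY` to `configure_file` would keep any `${...}` in the YAML template from being expanded.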
@@ -38,43 +39,56 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true systemctl --system unmask falcoctl-artifact-follow.service || true if [ "$1" = "configure" ]; then + # "auto" case is not managed here since it is already the default, so no CHOICE=2 case $FALCO_DRIVER_CHOICE in + none) + CHOICE=1 + ;; kmod) - CHOICE=2 + CHOICE=3 ;; ebpf) - CHOICE=3 + CHOICE=4 ;; modern_ebpf) - CHOICE=4 + CHOICE=5 ;; esac if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then # If dialog is installed, create a dialog to let users choose the correct driver for them CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \ 1 "Manual configuration (no unit is started)" \ - 2 "Kmod" \ - 3 "eBPF" \ - 4 "Modern eBPF" \ + 2 "Automatic selection" \ + 3 "Kmod" \ + 4 "eBPF" \ + 5 "Modern eBPF" \ 2>&1 >/dev/tty) - fi + fi + # "auto" case is not managed here since it is already the default, so no CHOICE=2 case $CHOICE in - 2) - chosen_driver="kmod" - chosen_unit="kmod" + 1) + chosen_driver="" ;; 3) - chosen_driver="ebpf" - chosen_unit="bpf" + chosen_driver="kmod" ;; 4) + chosen_driver="ebpf" + ;; + 5) chosen_driver="modern_ebpf" - chosen_unit="modern-bpf" ;; esac - if [ -n "$CHOICE" ]; then + if [ -n "$chosen_driver" ]; then echo "[POST-INSTALL] Configure falcoctl driver type:" - falcoctl driver config --type $chosen_driver + if [ "$chosen_driver" = "auto" ]; then + # Configure falcoctl to enable all drivers + falcoctl driver config --type "modern_ebpf" --type "ebpf" --type "kmod" + # Load the actually automatic chosen driver + chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2) + else + falcoctl driver config --type "$chosen_driver" + fi CHOICE= case $FALCOCTL_ENABLED in no) 
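Review bot: The result of `chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)` in scripts/debian/postinst.in is used without any check. If falcoctl fails or prints no matching line, `chosen_driver` becomes empty, and the later `case "$chosen_driver"` then presumably leaves `chosen_unit` unset, so the package installs without starting a Falco unit and without any message. The unanchored `grep DRIVER=` would also accept any other line that happens to contain that text. Assuming the variable is printed at the start of a line, `grep '^DRIVER='` is tighter, and a follow-up such as `[ -n "$chosen_driver" ] || echo "[POST-INSTALL] Automatic driver selection returned no driver" >&2` makes the failure visible. The same lines appear in the `-37,43 +38,55` hunk of scripts/rpm/postinstall.in.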
@@ -108,10 +122,15 @@ case "$chosen_driver" in # Only compile for kmod, in this way we use dkms echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:" falcoctl driver install --download=false + chosen_unit="kmod" ;; "ebpf") echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':" falcoctl driver install + chosen_unit="bpf" + ;; + "modern_ebpf") + chosen_unit="modern-bpf" ;; esac diff --git a/scripts/falcoctl/falcoctl.yaml.in b/scripts/falcoctl/falcoctl.yaml.in index e48e34f5f27..36ed202337d 100644 --- a/scripts/falcoctl/falcoctl.yaml.in +++ b/scripts/falcoctl/falcoctl.yaml.in @@ -1,5 +1,5 @@ driver: - type: "kmod" + type: [@FALCOCTL_DRIVER_TYPES@] name: "@DRIVER_NAME@" repos: - "@DRIVERS_REPO@" diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in index ae509e573e5..489f90831b5 100755 --- a/scripts/rpm/postinstall.in +++ b/scripts/rpm/postinstall.in @@ -16,7 +16,8 @@ # limitations under the License. # -chosen_driver= +# By default, we use the automatic selection for drivers +chosen_driver="auto" chosen_unit= CHOICE= 
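Review bot: The new `"modern_ebpf")` branch in scripts/debian/postinst.in only assigns `chosen_unit="modern-bpf"` and, unlike the two branches above it, has neither an echo nor a comment explaining why no `falcoctl driver install` is run. A one-line comment such as `# modern_ebpf: no driver artifact to install, only select the unit` would record the intent. The context line `echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"` is also missing its closing single quote. The `-105,12 +118,17` hunk of scripts/rpm/postinstall.in re-indents that same line without fixing it, and gets the same uncommented branch.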
@@ -37,43 +38,55 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true systemctl --system unmask falcoctl-artifact-follow.service || true if [ $1 -ge 1 ]; then + # "auto" case is not managed here since it is already the default, so no CHOICE=2 case $FALCO_DRIVER_CHOICE in + none) + CHOICE=1 + ;; kmod) - CHOICE=2 + CHOICE=3 ;; ebpf) - CHOICE=3 + CHOICE=4 ;; modern_ebpf) - CHOICE=4 + CHOICE=5 ;; esac if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then # If dialog is installed, create a dialog to let users choose the correct driver for them CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \ 1 "Manual configuration (no unit is started)" \ - 2 "Kmod" \ - 3 "eBPF" \ - 4 "Modern eBPF" \ + 2 "Automatic selection" \ + 3 "Kmod" \ + 4 "eBPF" \ + 5 "Modern eBPF" \ 2>&1 >/dev/tty) - fi + fi + # "auto" case is not managed here since it is already the default, so no CHOICE=2 case $CHOICE in - 2) - chosen_driver="kmod" - chosen_unit="kmod" + 1) + chosen_driver="" ;; 3) - chosen_driver="ebpf" - chosen_unit="bpf" + chosen_driver="kmod" ;; 4) + chosen_driver="ebpf" + ;; + 5) chosen_driver="modern_ebpf" - chosen_unit="modern-bpf" ;; esac - if [ -n "$CHOICE" ]; then - echo "[POST-INSTALL] Configure falcoctl driver type:" - falcoctl driver config --type $chosen_driver + if [ -n "$chosen_driver" ]; then + if [ "$chosen_driver" = "auto" ]; then + # Configure falcoctl to enable all drivers + falcoctl driver config --type "modern_ebpf" --type "ebpf" --type "kmod" + # Load the actually automatic chosen driver + chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2) + else + falcoctl driver config --type "$chosen_driver" + fi CHOICE= case $FALCOCTL_ENABLED in no) 
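Review bot: This hunk of scripts/rpm/postinstall.in removes `echo "[POST-INSTALL] Configure falcoctl driver type:"` and does not add it back, while the matching hunk of scripts/debian/postinst.in keeps that line as context. RPM installs therefore lose the log marker before `falcoctl driver config` runs, which makes the two post-install logs harder to compare when diagnosing a host where Falco did not start. Restoring the line directly under `if [ -n "$chosen_driver" ]; then` keeps both scripts in step.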
@@ -105,12 +118,17 @@ systemctl --system daemon-reload || true case "$chosen_driver" in "kmod") # Only compile for kmod, in this way we use dkms - echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:" - falcoctl driver install --download=false + echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:" + falcoctl driver install --download=false + chosen_unit="kmod" ;; "ebpf") echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':" falcoctl driver install + chosen_unit="bpf" + ;; + "modern_ebpf") + chosen_unit="modern-bpf" ;; esac