diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index 13ee2b041..000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "nuxt.isNuxtApp": false -} \ No newline at end of file diff --git a/content/en/docs/getting-started/images/systemd_dialog_1.png b/content/en/docs/getting-started/images/systemd_dialog_1.png new file mode 100644 index 000000000..d84b7bdba Binary files /dev/null and b/content/en/docs/getting-started/images/systemd_dialog_1.png differ diff --git a/content/en/docs/getting-started/images/systemd_dialog_2.png b/content/en/docs/getting-started/images/systemd_dialog_2.png new file mode 100644 index 000000000..44a5fcc27 Binary files /dev/null and b/content/en/docs/getting-started/images/systemd_dialog_2.png differ diff --git a/content/en/docs/getting-started/installation.md b/content/en/docs/getting-started/installation.md index b918c7ab3..ad50d1cb6 100644 --- a/content/en/docs/getting-started/installation.md +++ b/content/en/docs/getting-started/installation.md @@ -11,19 +11,32 @@ Falco can be used for Kubernetes runtime security. The most secure way to run Falco is to install Falco directly on the host system so that Falco is isolated from Kubernetes in the case of compromise. Then the Falco alerts can be consumed through read-only agents running in Kubernetes. -You can also run Falco directly in Kubernetes as a daemonset using Helm, see the [third party integrations](../third-party) +You can also run Falco directly in Kubernetes as a Daemonset using Helm, see the [third-party integrations](../third-party) {{% /pageinfo %}} +There are 2 main ways to install Falco on your host: -If Falco is installed using the package manager artifacts below, you will have the following in place: +1. Falco packages (`.deb`, `.rpm`) +2. Falco binary (`.tar.gz`) - - Falco userspace program scheduled and watched via `systemd` - - Falco driver installed via the package manager (either kernel module or eBPF depending on the host) - - Sane and default configuration file installed in `/etc/falco` +## Falco packages -Alternatively, it is also possible to use a binary package as [explained below](#linux-binary). +{{% pageinfo color="secondary" %}} -## Installing +The Falco packages shipped with `Falco 0.34` support for the first time other drivers besides the kernel module. The new systemd units' names are: + +* `falco-bpf.service` +* `falco-kmod-inject.service` +* `falco-kmod.service` +* `falco-modern-bpf.service` +* `falco-custom.service` +* `falcoctl-artifact-follow.service` (related to [Falcoctl](https://github.com/falcosecurity/falcoctl) tool, see next sections) + +This is still an experimental solution so our suggestion is to avoid relying on Falco systemd unit names since they could change between releases. The final idea would be to have a single `falco.service` configurable through usual systemd logic, but due to how Falco works today this solution is not viable. + +Even if different units are available, you shouldn't run multiple Falco in parallel! Our units are not meant to be run in parallel! + +{{% /pageinfo %}} {{% pageinfo color="warning" %}} @@ -31,170 +44,267 @@ On January 18th, 2023 the GPG key used to sign Falco packages has been rotated. {{% /pageinfo %}} -### Debian/Ubuntu {#debian} +### Installation details -1. Trust the falcosecurity GPG key, configure the apt repository, and update the package list: +Before looking at the installation on different distros, let's focus on what we should expect when we install the package. +The Falco package will look into your system for the `dialog` binary, if the binary is there, the package will prompt a simple configuration dialog, otherwise, it will install the unit files without starting any `systemd` service. - ```shell +> _Note_: If you don't have the `dialog` binary installed on your system a manual configuration is always required to start Falco services. + +Even if you have the `dialog` binary installed, you can disable the interactive prompt by using the `FALCO_FRONTEND` env variable, you should simply set its value to `noninteractive` when installing the package. + +```bash +FALCO_FRONTEND=noninteractive apt-get install -y falco +``` + +Let's see an example of how to install the package in a Debian-like system, for example, `Ubuntu`. + +1. Trust the `falcosecurity` GPG key + + ```bash curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - + ``` + +2. Configure the apt repository + + ```bash echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list + ``` + +3. Update the package list + + ```bash apt-get update -y ``` -2. Install kernel headers: +4. Install some required dependencies that are needed to build the kernel module and the BPF probe - ```shell - apt-get -y install linux-headers-$(uname -r) + ```bash + apt install -y dkms make linux-headers-$(uname -r) + # If you use the falco-driver-loader to build the BPF probe locally you need also clang toolchain + apt install -y clang llvm + # You can install also the dialog package if you want it + apt install -y dialog ``` -3. Install Falco: + > _Note_: You don't need to install these deps if you want to the modern BPF probe - ```shell +5. Install the Falco package + + ```bash apt-get install -y falco ``` - Falco, the kernel module driver, and a default configuration are now installed. - Falco is being ran as a systemd unit. +#### Installation with dialog - See [running](../running) for information on how to manage, run, and debug with Falco. +If you have the `dialog` binary installed on your system, you will be prompted with this: -4. Uninstall Falco: +![](/docs/getting-started/images/systemd_dialog_1.png) - ```shell - apt-get remove falco - ``` +From here you can choose one of our 3 drivers `Kmod`, `eBPF`, `Modern eBPF` or a [`Manual configuration`](#installation-without-dialog-manual-configuration). -### CentOS/RHEL/Fedora/Amazon Linux {#centos-rhel} +Here we select the `Kmod` case as an example. After the first dialog, you should see a second one: -1. Trust the falcosecurity GPG key and configure the yum repository: +![](/docs/getting-started/images/systemd_dialog_2.png) - ```shell +[Falcoctl](https://github.com/falcosecurity/falcoctl) is a tool revamped with `Falco 0.34` that offers shiny new features! One of the most important is the [automatic rulesets update](https://github.com/falcosecurity/falcoctl#falcoctl-artifact-follow), +our suggestion is to enable it by default, in this way you will always have your Falco instance running with the most updated rules. + +##### Rule update + +If you set the rule update as default, typing `systemctl list-units | grep falco` you should see something similar to this: + +```text +falco-kmod-inject.service loaded active exited Falco: Container Native Runtime Security with kmod, inject. +falco-kmod.service loaded active running Falco: Container Native Runtime Security with kmod +falcoctl-artifact-follow.service loaded active running Falcoctl Artifact Follow: automatic artifacts update service +``` + +* `falco-kmod-inject.service` injects the kernel module and exits. This unit remains after exit to detach the kernel module when the `falco-kmod.service` will be stopped. +* `falco-kmod.service` instance of Falco running the kernel module. Since the kernel module is the default Falco driver, you can also use the `falco` alias to start/stop it once enabled. +* `falcoctl-artifact-follow.service` instance of Falcoctl that searches for new rulesets. This unit will be stopped when `falco-kmod.service` terminates. + +The Falcoctl service is strictly related to the Falco one: + +* when the Falco service starts it searches for a unit called `falcoctl-artifact-follow.service` and if present it starts it. Please note that following this pattern, if you enable the Falco service and you reboot your system, Falcoctl will start again with Falco even if you don't enable it through `systemd enable`! You can disable this behavior by stopping the Falcoctl service and masking it `systemctl mask falcoctl-artifact-follow.service`. +* when the Falco service stops also the Falcoctl service is stopped. + +##### No Rule update + +In this case, the Falco package will only start the `falco-kmod.service`. Typing `systemctl list-units | grep falco` you should see something similar to this: + +```text +falco-kmod-inject.service loaded active exited Falco: Container Native Runtime Security with kmod, inject. +falco-kmod.service loaded active running Falco: Container Native Runtime Security with kmod +``` + +In this mode, the Falcoctl service is masked by default so if you want to enable it in a second step you need to type `systemctl unmask falcoctl-artifact-follow.service`. + +##### Final remarks on the dialog + +When you choose a driver from the dialog (in our case `Kmod`), the `systemd` service is always enabled by default so it will start at every system reboot. If you want to disable this behavior type `systemctl disable falco-kmod.service` (if you are using the kernel module like in this example). If enabled, the Falcoctl service will follow the same behavior as Falco so it is enough to disable the Falco service. + +#### Installation without dialog (Manual configuration) + +If you remember well, in the dialog we also had the `Manual configuration`. This option installs only the Falco units into the system without starting any service, this is the equivalent of not having the `dialog` binary installed on the system. + +Since no service is started, you have to manually configure services after the installation phase. You can see an example of how to configure the `falco-bpf` service in the [Running section](../running#falco-packages) + +### Installation on different Distros + +We have already seen [the installation steps](#installation-details) on a Debian-like system, let's see some other Distros. + +#### CentOS/RHEL/Fedora/Amazon Linux {#centos-rhel} + +1. Trust the `falcosecurity` GPG key + + ```bash rpm --import https://falco.org/repo/falcosecurity-packages.asc - curl -s -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo ``` - > **Note** — The following command is required only if DKMS and `make` are not available in the distribution. You can verify if DKMS is available using `yum list make dkms`. If necessary install it using: `yum install epel-release` (or `amazon-linux-extras install epel` in case of amzn2), then `yum install make dkms`. +2. Configure the yum repository -2. Install kernel headers: - - ```shell - yum -y install kernel-devel-$(uname -r) + ```bash + curl -s -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo ``` - > **Note** — If the package was not found by the above command, you might need to run `yum distro-sync` in order to fix it. Rebooting the system may be required. +3. Update the package list -3. Install Falco: + ```bash + yum update -y + ``` - ```shell - yum -y install falco +4. Install some required dependencies that are needed to build the kernel module and the BPF probe + + ```bash + # If necessary install it using: `yum install epel-release` (or `amazon-linux-extras install epel` in case of amzn2), then `yum install make dkms`. + yum install -y dkms make + # If the package was not found by the below command, you might need to run `yum distro-sync` in order to fix it. Rebooting the system may be required. + yum install -y kernel-devel-$(uname -r) + # If you use the falco-driver-loader to build the BPF probe locally you need also clang toolchain + yum install -y clang llvm + # You can install also the dialog package if you want it + yum install -y dialog ``` - Falco, the kernel module driver, and a default configuration are now installed. - Falco is being ran as a systemd unit. - See [running](../running) for information on how to manage, run, and debug with Falco. + > _Note_: You don't need to install these deps if you want to use the modern BPF probe +5. Install the Falco package -4. Uninstall Falco: + ```bash + yum install -y falco + ``` - ```shell - yum erase falco +6. Uninstall Falco: + + ```bash + yum erase -y falco ``` -### openSUSE {#suse} +#### openSUSE {#suse} -1. Trust the falcosecurity GPG key and configure the zypper repository: +1. Trust the `falcosecurity` GPG key - ```shell + ```bash rpm --import https://falco.org/repo/falcosecurity-packages.asc + ``` + +2. Configure the zypper repository + + ```bash curl -s -o /etc/zypp/repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo ``` -2. Install kernel headers: +3. Update the package list - ```shell + ```bash + zypper -n update + ``` + +4. Install some required dependencies that are needed to build the kernel module and the BPF probe + + ```bash + zypper -n install dkms make + # If the package was not found by the below command, you might need to run `zypper -n dist-upgrade` in order to fix it. Rebooting the system may be required. zypper -n install kernel-default-devel-$(uname -r | sed s/\-default//g) + # If you use the falco-driver-loader to build the BPF probe locally you need also clang toolchain + zypper -n install clang llvm + # You can install also the dialog package if you want it + zypper -n install dialog ``` - > **Note** — If the package was not found by the above command, you might need to run `zypper -n dist-upgrade` in order to fix it. Rebooting the system may be required. + > _Note_: You don't need to install these deps if you want to use the modern BPF probe -3. Install Falco: +5. Install Falco: ```shell zypper -n install falco ``` - Falco, the kernel module driver, and a default configuration are now installed. - Falco is being ran as a systemd unit. - - See [running](../running) for information on how to manage, run, and debug with Falco. - -4. Uninstall Falco: +6. Uninstall Falco: ```shell zypper rm falco ``` -### Linux generic (binary package) {#linux-binary} +## Falco binary + +In these steps, we are targeting a Debian-like system on `x86_64` architecture. You can easily extrapolate similar steps for other distros or architectures 1. Download the latest binary: - ```shell + ```bash curl -L -O https://download.falco.org/packages/bin/x86_64/falco-{{< latest >}}-x86_64.tar.gz ``` 2. Install Falco: - ```shell + ```bash tar -xvf falco-{{< latest >}}-x86_64.tar.gz cp -R falco-{{< latest >}}-x86_64/* / ``` -3. Install the following dependencies: - - kernel headers for your distribution - -4. Install the driver as explained [below](#install-driver). - -Once the driver has been installed, you can manually run `falco`. - -### Installing the driver {#install-driver} - -The easiest way to install the driver is using the `falco-driver-loader` script. +3. Install some required dependencies that are needed to build the kernel module and the BPF probe. If you want to use other sources like the modern BPF probe or plugins you can skip this step. -By default, it first tries to locally build the kernel module with `dkms`. If not possible, then it tries to download a prebuilt one into `~/.falco/`. If a kernel module is found, then it gets inserted. - -In case you want to install the eBPF probe driver, run `falco-driver-loader bpf`. -It first tries to build the eBPF probe locally, otherwise to download a prebuilt into `~/.falco/`. - -{{% pageinfo color="warning" %}} + ```bash + apt update -y + apt install -y dkms make linux-headers-$(uname -r) + # If you use the falco-driver-loader to build the BPF probe locally you need also clang toolchain + apt install -y clang llvm + ``` -If you are using the eBPF probe, in order to ensure that performance is not degraded, make sure that -* Your kernel has `CONFIG_BPF_JIT` enabled -* `net.core.bpf_jit_enable` is set to 1 (enable the BPF JIT Compiler) -* This can be verified via `sysctl -n net.core.bpf_jit_enable` - -{{% /pageinfo %}} +4. Run `falco-driver-loader` binary to install the kernel module or the BPF probe. If you want to use other sources like the modern BPF probe or plugins you can skip this step. + ```bash + # If you want to install the kernel module + falco-driver-loader module + # If you want to install the eBPF probe + falco-driver-loader bpf + ``` -Configurable options: + By default, the `falco-driver-loader` script tries to download a prebuilt driver from [the official Falco download s3 bucket](https://download.falco.org/?prefix=driver/). If a driver is found then it is inserted into `${HOME}/.falco/`. Otherwise, the script tries to compile the driver locally, for this reason, you need the dependencies at step [3]. -- `DRIVERS_REPO` - Set this environment variable to override the default repository URL for prebuilt kernel modules and eBPF probes, without the trailing slash. + You can use the env variable `DRIVERS_REPO` to override the default repository URL for prebuilt drivers. The URL must not have the trailing slash, i.e. `https://myhost.mydomain.com` or if the server has a subdirectories structure `https://myhost.mydomain.com/drivers`. The drivers must be hosted with the following structure: - Ie., `https://myhost.mydomain.com` or if the server has a subdirectories structure `https://myhost.mydomain.com/drivers`. + ```bash + /${driver_version}/falco_${target}_${kernelrelease}_${kernelversion}.[ko|o] + ``` - The drivers will need to be hosted with the following structure: - `/${driver_version}/falco_${target}_${kernelrelease}_${kernelversion}.[ko|o]` where `ko` and `o` stands for Kernel module and `eBPF` probe respectively. + where `ko` and `o` stand for Kernel module and `eBPF` probe respectively. This is an example: - Eg., `/a259b4bf49c3330d9ad6c3eed9eb1a31954259a6/falco_amazonlinux2_4.14.128-112.105.amzn2.x86_64_1.ko`. + ```text + /a259b4bf49c3330d9ad6c3eed9eb1a31954259a6/falco_amazonlinux2_4.14.128-112.105.amzn2.x86_64_1.ko + ``` - The `falco-driver-loader` script fetches the drivers using the above format. +You are finally ready to [run the Falco binary](../running#falco-binary)! ## Package signing -Most Falco packages available at [download.falco.org](https://download.falco.org/?prefix=packages/) are provided with a detatched signature that can be used to verify that the package information downloaded from the remote repository can be trusted. +Most Falco packages available at [download.falco.org](https://download.falco.org/?prefix=packages/) are provided with a detached signature that can be used to verify that the package information downloaded from the remote repository can be trusted. -The **latest trusted public GPG key** used for packages signing can be downloaded from [falco.org/repo/falcosecurity-packages.asc](https://falco.org/repo/falcosecurity-packages.asc). The following table lists all the keys employed by the organization currently and in the past, including the revoked ones. We recommend to update the revoked keys to download their revocation certificate, and eventually remove them from your package verification system due to signature made with them not being trustable anymore. +The **latest trusted public GPG key** used for packages signing can be downloaded from [falco.org/repo/falcosecurity-packages.asc](https://falco.org/repo/falcosecurity-packages.asc). The following table lists all the keys employed by the organization currently and in the past, including the revoked ones. We recommend updating the revoked keys to download their revocation certificate, and eventually removing them from your package verification system due to the signature made with them not being trustable anymore. -| **Fingerprint** | **Expiration** | **Usage** | **Status** | **Download** | -|-----------------------------------------------------|----------------|------------------------|------------|----------------------------------------------------------------| +| **Fingerprint** | **Expiration** | **Usage** | **Status** | **Download** | +| ------------------------------------------ | -------------- | ---------------------- | ---------- | -------------------------------------------------------------- | | `2005399002D5E8FF59F28CE64021833E14CB7A8D` | 2026-01-17 | Signing Falco Packages | Trusted | [falcosecurity-14CB7A8D.asc](/repo/falcosecurity-14CB7A8D.asc) | -| `15ED05F191E40D74BA47109F9F76B25B3672BA8F` | 2023-02-24 | Signing Falco Packages | Revoked | [falcosecurity-3672BA8F.asc](/repo/falcosecurity-3672BA8F.asc) | \ No newline at end of file +| `15ED05F191E40D74BA47109F9F76B25B3672BA8F` | 2023-02-24 | Signing Falco Packages | Revoked | [falcosecurity-3672BA8F.asc](/repo/falcosecurity-3672BA8F.asc) | diff --git a/content/en/docs/getting-started/running/index.md b/content/en/docs/getting-started/running/index.md index dc9f0947b..f07610ef9 100644 --- a/content/en/docs/getting-started/running/index.md +++ b/content/en/docs/getting-started/running/index.md @@ -4,54 +4,63 @@ description: Operating and Managing Falco weight: 4 --- +## Falco packages -## Run Falco as a service +If you installed the Falco packages using the `dialog` all your services should be already up and running, while if you chose the `Manual configuration` or if you used the `FALCO_FRONTEND=noninteractive` env variable you have to configure services by your hand. Here we show a simple example with the `eBPF probe`. -If you installed Falco by using [the DEB or the RPM](/docs/getting-started/installation) package, then falco systemd service was already started and enabled for you. -In case you wish to stop or disable it, issue: +Let's imagine we want to start the `falco-bpf.service`. +1. Type `systemctl list-units | grep falco` to check that no unit is running. -```console -systemctl disable falco -``` +2. Now you have to decide whether you want the Falcoctl service running together with the Falco one. If yes you don't have to do anything, else you will need to mask the Falcoctl service with `systemctl mask falcoctl-artifact-follow.service`. As pointed out [in this section](/docs/getting-started/installation/#rule-update) the Falcoctl service is strictly related to the Falco one so if you don't mask it, it will be started together with the Falco service. -```console -systemctl stop falco -``` +3. Type `falco-driver-loader bpf` to download/compile the BPF probe. -Then, to enable or start it back, you would need: +4. Now running `systemctl start falco-bpf.service` and typing `systemctl list-units | grep falco` you should see something like that (supposing you didn't mask the Falcoctl service): -```console -systemctl enable falco -``` + ```text + falco-bpf.service loaded active running Falco: Container Native Runtime Security with ebpf + falcoctl-artifact-follow.service loaded active running Falcoctl Artifact Follow: automatic artifacts update service + ``` -```console -systemctl start falco -``` +5. If you want to stop both services in one shot -You can also view the Falco logs using `journalctl`. + ```bash + systemctl stop falco-bpf.service + ``` -```console -journalctl -fu falco -``` +### Custom run -## Run Falco manually +You may have noticed a Falco unit called `falco-custom.service`. You should use it when you want to run Falco with a custom configuration like a plugin or Gvisor. Please note that in this case you have to modify this template according to how you want to run Falco, the unit should not be used as is! -If you'd like to run Falco by hand, you can find the full usage description for Falco by typing: +## Falco binary -```console +Here you can find some examples of how to run Falco after having [installed](/docs/getting-started/installation/#falco-binary) it using the binary package + + +```bash +# Kernel module (default driver) +falco +# eBPF probe +FALCO_BPF_PROBE="" falco +# modern eBPF probe +falco --modern-bpf +# For more info see all available options falco --help ``` -{{% pageinfo color="primary" %}} +{{% pageinfo color="warning" %}} -Are you looking for userspace instrumentation? Please see [this page](/docs/event-sources/drivers/#userspace-instrumentation). +If you are using the eBPF probe, in order to ensure that performance is not degraded, make sure that -{{% /pageinfo %}} +* Your kernel has `CONFIG_BPF_JIT` enabled +* `net.core.bpf_jit_enable` is set to 1 (enable the BPF JIT Compiler) +* This can be verified via `sysctl -n net.core.bpf_jit_enable` +{{% /pageinfo %}} -## Run within Docker {#docker} +## Docker {#docker} {{% pageinfo color="primary" %}} @@ -63,6 +72,7 @@ You can find instructions on how to install the kernel headers for your system u Falco ships a set of official [docker images](/docs/getting-started/download#images). The images can be used in two ways as follows: + - [Least privileged (recommended)](#docker-least-privileged) - [Fully privileged](#docker-privileged) @@ -90,11 +100,9 @@ Once the kernel module has been installed directly on the host system, it can be falcosecurity/falco-driver-loader:latest ``` - The `falcosecurity/falco-driver-loader` image just wraps the `falco-driver-loader` script. You can find more about its usage [here](/docs/getting-started/installation#install-driver) - 2. Run Falco in a container using Docker with the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege): ```shell @@ -106,7 +114,6 @@ You can find more about its usage [here](/docs/getting-started/installation#inst falcosecurity/falco-no-driver:latest ``` - {{% pageinfo color="warning" %}} If you are running Falco on a system with the AppArmor LSM enabled (e.g Ubuntu), you will also need to pass `--security-opt apparmor:unconfined` to the `docker run` command above. @@ -119,18 +126,19 @@ docker info | grep -i apparmor {{% /pageinfo %}} - {{% pageinfo color="primary" %}} Note that `ls /dev/falco* | xargs -I {} echo --device {}` outputs a `--device /dev/falcoX` option per CPU (ie. just the devices created by the Falco's kernel module). Also, `-e HOST_ROOT=/` is necessary since with `--device` there is no way to remap devices to `/host/dev/`. {{% /pageinfo %}} -To run Falco in least privileged mode with the eBPF driver, we list all the required capabilities: +To run Falco in least privileged mode with the eBPF driver, we list all the required capabilities: + - on kernels <5.8, Falco requires `CAP_SYS_ADMIN`, `CAP_SYS_RESOURCE` and `CAP_SYS_PTRACE` - on kernels >=5.8, `CAP_BPF` and `CAP_PERFMON` were separated out of `CAP_SYS_ADMIN`, so the required capabilities are `CAP_BPF`, `CAP_PERFMON`, `CAP_SYS_RESOURCE`, `CAP_SYS_PTRACE`. Unfortunately, Docker does not yet support adding the two newly introduced capabilities with the `--cap-add` option. For this reason, we continue using `CAP_SYS_ADMIN`, given that it still allows performing the same operations granted by `CAP_BPF` and `CAP_PERFMON`. In the near future, Docker will support adding these two capabilities and we will be able to replace `CAP_SYS_ADMIN`. 1. Install the eBPF probe + ```shell docker pull falcosecurity/falco-driver-loader:latest docker run --rm -i -t \ @@ -143,7 +151,9 @@ To run Falco in least privileged mode with the eBPF driver, we list all the requ -v /etc:/host/etc:ro \ falcosecurity/falco-driver-loader:latest bpf ``` + 2. Then, run Falco + ```shell docker pull falcosecurity/falco-no-driver:latest docker run --rm -i -t \ @@ -161,9 +171,10 @@ To run Falco in least privileged mode with the eBPF driver, we list all the requ {{% pageinfo color="warning" %}} -Again, you will need to add `--security-opt apparmor:unconfined` to the last command if your system has the AppArmor LSM enabled. +Again, you will need to add `--security-opt apparmor:unconfined` to the last command if your system has the AppArmor LSM enabled. {{% /pageinfo %}} + ### Fully privileged {#docker-privileged} To run Falco in a container using Docker with full privileges use the following commands. @@ -230,6 +241,7 @@ docker run --rm -i -t \ ``` To use `falco-no-driver` and `falco-driver-loader` with the eBPF probe you have to remove the `-v /dev:/host/dev` (which is only required by the Kernel Module) and add: + ```shell -e FALCO_BPF_PROBE="" -v /root/.falco:/root/.falco \ ``` @@ -240,6 +252,7 @@ Other configurable options: - `SKIP_DRIVER_LOADER` - Set this environment variable to avoid running `falco-driver-loader` when the `falcosecurity/falco` image starts. Useful when the driver has been already installed on the host by other means. ## Rules validation + It's possible to validate Falco rules without installation by using the Docker image. ```bash diff --git a/content/en/docs/getting-started/upgrade.md b/content/en/docs/getting-started/upgrade.md index 7605c1b65..92abbefaa 100644 --- a/content/en/docs/getting-started/upgrade.md +++ b/content/en/docs/getting-started/upgrade.md @@ -4,21 +4,26 @@ description: Upgrading Falco on a Linux system weight: 3 --- -This section provides upgrading paths for Falco if previously installed following the [Install](../installation/) section. +This section provides upgrading paths for Falco if previously installed following the [Install](../installation/) section. -## Upgrading - -According to the installation method you chose, you first have to remove the active kernel module before upgrading Falco to the latest version: +{{% pageinfo color="warning" %}} +If you are using the kernel module, please remove it before upgrading Falco to avoid issues during the upgrade. -```shell +```bash rmmod falco ``` +{{% /pageinfo %}} + +## Falco packages + +Here there are no specific steps to follow, you just need to type the specific commands for your distro. Please remember to specify the `FALCO_FRONTEND=noninteractive` env variable if you don't want to use the `dialog` during the upgrade + ### Debian/Ubuntu {#debian} {{% pageinfo color="warning" %}} -If you configured the `apt` repository by having followed the instructions for Falco 0.27.0 or older, -you may need to update the repository URL: + +If you configured the `apt` repository by having followed the instructions for Falco 0.27.0 or older, you may need to update the repository URL, otherwise, **fell free to ignore this message** ```shell sed -i 's,https://dl.bintray.com/falcosecurity/deb,https://download.falco.org/packages/deb,' /etc/apt/sources.list.d/falcosecurity.list @@ -30,7 +35,7 @@ Check in the `apt-get update` log that `https://download.falco.org/packages/deb` {{% /pageinfo %}} -If you installed Falco by following the [provided instructions](../installation/#debian): +If you installed Falco by following the [provided instructions](../installation/#installation-details): ```shell apt-get --only-upgrade install falco @@ -39,8 +44,7 @@ apt-get --only-upgrade install falco ### CentOS/RHEL/Fedora/Amazon Linux {#centos-rhel} {{% pageinfo color="warning" %}} -If you configured the `yum` repository by having followed the instructions for Falco 0.27.0 or older, -you may need to update the repository URL: +If you configured the `yum` repository by having followed the instructions for Falco 0.27.0 or older, you may need to update the repository URL, otherwise, **fell free to ignore this message** ```shell sed -i 's,https://dl.bintray.com/falcosecurity/rpm,https://download.falco.org/packages/rpm,' /etc/yum.repos.d/falcosecurity.repo @@ -52,16 +56,19 @@ Then check that the `falcosecurity-rpm` repository is pointing to `https://downl ```shell yum repolist -v falcosecurity-rpm ``` + {{% /pageinfo %}} If you installed Falco by following the [provided instructions](../installation/#centos-rhel): 1. Check for updates: + ```shell yum check-update ``` 2. If a newer Falco version is available: + ```shell yum update falco ``` @@ -69,8 +76,7 @@ If you installed Falco by following the [provided instructions](../installation/ ### openSUSE {#suse} {{% pageinfo color="warning" %}} -If you configured the `zypper` repository by having followed the instructions for Falco 0.27.0 or older, -you may need to update the repository URL: +If you configured the `zypper` repository by having followed the instructions for Falco 0.27.0 or older, you may need to update the repository URL, otherwise, **fell free to ignore this message** ```shell sed -i 's,https://dl.bintray.com/falcosecurity/rpm,https://download.falco.org/packages/rpm,' /etc/zypp/repos.d/falcosecurity.repo @@ -82,6 +88,7 @@ Then check that the `falcosecurity-rpm` repository is pointing to `https://downl ```shell zypper lr falcosecurity-rpm ``` + {{% /pageinfo %}} If you installed Falco by following the [provided instructions](../installation/#suse): @@ -89,3 +96,7 @@ If you installed Falco by following the [provided instructions](../installation/ ```shell zypper update falco ``` + +## Falco binary + +For the Falco binary we don't provide specific update paths, you just have to remove files installed by the old `tar.gz` and download the new version of Falco as described [here](../installation/#falco-binary)