From 59565e3355fb29b5f6f07500c3016570ca85f903 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Mon, 20 Jan 2020 11:38:32 +0000
Subject: [PATCH 1/7] chore: remove travis

Co-authored-by: Lorenzo Fontana
Signed-off-by: Leonardo Di Donato
---
 .travis.yml | 37 -------------------------------------
 1 file changed, 37 deletions(-)
 delete mode 100644 .travis.yml

diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 8fb30ee9f27..00000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-language: cpp
-compiler: gcc
-env:
- - BUILD_TYPE=debug
- - BUILD_TYPE=release
-dist: bionic
-services:
- - docker
-before_install:
- - sudo apt update -y
-install:
- - sudo apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc -y
- - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
- - sudo apt-get install rpm linux-headers-$(uname -r) libelf-dev
- - git clone https://github.com/draios/sysdig.git ../sysdig
- - pushd ../sysdig && (git checkout "${BRANCH}" || exit 0) && echo "Using branch:" $(git rev-parse --abbrev-ref HEAD) && popd
-script:
- - mkdir build
- - pushd build && cmake .. && make -j4 all && make tests && popd
- # todo(fntlnz): execute tests and regression tests at this point
- #- ./scripts/build "${TRAVIS_BUILD_DIR}/.." "${TRAVIS_BUILD_DIR}/build"
From dc7d7c28ce2b1b7e7ec434a9d5eadc9472926d5a Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Mon, 20 Jan 2020 11:38:57 +0000
Subject: [PATCH 2/7] chore: remove jenkins

Co-authored-by: Lorenzo Fontana
Signed-off-by: Leonardo Di Donato
---
 scripts/jenkins/build-pipeline/Jenkinsfile | 100 ---------------------
 scripts/jenkins/build-pipeline/build | 28 ------
 scripts/jenkins/build-pipeline/run-tests | 33 -------
 scripts/jenkins/build-pipeline/version | 23 -----
 4 files changed, 184 deletions(-)
 delete mode 100644 scripts/jenkins/build-pipeline/Jenkinsfile
 delete mode 100755 scripts/jenkins/build-pipeline/build
 delete mode 100755 scripts/jenkins/build-pipeline/run-tests
 delete mode 100755 scripts/jenkins/build-pipeline/version

diff --git a/scripts/jenkins/build-pipeline/Jenkinsfile b/scripts/jenkins/build-pipeline/Jenkinsfile
deleted file mode 100644
index 329eec95484..00000000000
--- a/scripts/jenkins/build-pipeline/Jenkinsfile
+++ /dev/null
@@ -1,100 +0,0 @@
-void setBuildStatus(String context, String message, String state) {
- step([
- $class: "GitHubCommitStatusSetter",
- reposSource: [
- $class: "ManuallyEnteredRepositorySource",
- url: "https://github.com/falcosecurity/falco"
- ],
- contextSource: [
- $class: "ManuallyEnteredCommitContextSource",
- context: context
- ],
- errorHandlers: [[
- $class: "ChangingBuildStatusErrorHandler",
- result: "UNSTABLE"
- ]],
- statusResultSource: [
- $class: "ConditionalStatusResultSource",
- results: [[
- $class: "AnyBuildResult",
- message: message,
- state: state
- ]]
- ]
- ]);
-}
-
-def version = 'UNKNOWN'
-
-pipeline {
- agent { label "agent-docker-builder" }
- stages {
- stage("Check out dependencies") {
- steps {
- dir("falco") {
- checkout([
- $class: "GitSCM",
- branches: [[name: "refs/heads/"+env.BRANCH_NAME]],
- doGenerateSubmoduleConfigurations: false,
- extensions: [],
- submoduleCfg: [],
- userRemoteConfigs: [[
- credentialsId: "github-jenkins-user-token",
- url: "https://github.com/falcosecurity/falco"
- ]]
- ])
- }
- dir("sysdig") {
- checkout([
- $class: "GitSCM",
- branches: [[name: "dev"]],
- doGenerateSubmoduleConfigurations: false,
- extensions: [],
- submoduleCfg: [],
- userRemoteConfigs: [[
- credentialsId: "github-jenkins-user-token",
- url: "https://github.com/draios/sysdig"
- ]]
- ])
- }
- }
- }
- stage("Build") {
- steps {
- script{
- version = sh(returnStdout: true, script: "./falco/scripts/jenkins/build-pipeline/version")
- sh("./falco/scripts/jenkins/build-pipeline/build ${version}")
- }
- }
- post {
- success {
- setBuildStatus("Build", "Build Successful", "SUCCESS")
- }
- failure {
- setBuildStatus("Build", "Build Failed", "FAILURE")
- }
- }
- }
- stage("Run tests") {
- steps {
- script{
- sh("./falco/scripts/jenkins/build-pipeline/run-tests ${version}")
- }
- }
- post {
- success {
- setBuildStatus("Run tests", "All tests passed", "SUCCESS")
- }
- failure {
- setBuildStatus("Run tests", "One or more tests failed", "FAILURE")
- }
- }
- }
- }
- post {
- always {
- cleanWs()
- }
- }
-}
-
diff --git a/scripts/jenkins/build-pipeline/build b/scripts/jenkins/build-pipeline/build
deleted file mode 100755
index b45e7f72d29..00000000000
--- a/scripts/jenkins/build-pipeline/build
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o pipefail
-
-if [ $# -eq 0 ]; then
- >&2 echo "Missing arguments."
- exit 1
-fi
-if [ -z "$1" ]; then
- >&2 echo "Missing version."
- exit 1
-fi
-if [ "$1" == "UNKNOWN" ]; then
- >&2 echo "Unknown version."
- exit 1
-fi
-
-FALCO_VERSION=$1
-BUILD_DIR="${WORKSPACE}/build"
-FALCOBUILDER_IMAGE="falcosecurity/falco-builder"
-
-docker pull $FALCOBUILDER_IMAGE
-
-rm -rf "$BUILD_DIR"
-mkdir "$BUILD_DIR"
-
-docker run -u "$(id -u):$(id -g)" -v /etc/passwd:/etc/passwd:ro -e FALCO_VERSION="$FALCO_VERSION" -v "$WORKSPACE":/source -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" cmake
-docker run -u "$(id -u):$(id -g)" -v /etc/passwd:/etc/passwd:ro -e FALCO_VERSION="$FALCO_VERSION" -v $"$WORKSPACE":/source -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" package
\ No newline at end of file
diff --git a/scripts/jenkins/build-pipeline/run-tests b/scripts/jenkins/build-pipeline/run-tests
deleted file mode 100755
index 78825086a9e..00000000000
--- a/scripts/jenkins/build-pipeline/run-tests
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o pipefail
-
-if [ $# -eq 0 ]; then
- >&2 echo "Missing arguments."
- exit 1
-fi
-if [ -z "$1" ]; then
- >&2 echo "Missing version."
- exit 1
-fi
-if [ "$1" == "UNKNOWN" ]; then
- >&2 echo "Unknown version."
- exit 1
-fi
-
-FALCO_VERSION=$1
-BUILD_DIR="${WORKSPACE}/build"
-FALCOTESTER_IMAGE="falcosecurity/falco-tester"
-
-docker pull $FALCOTESTER_IMAGE
-
-docker run \
- -v /boot:/boot:ro \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -v /etc/passwd:/etc/passwd:ro \
- -e FALCO_VERSION="$FALCO_VERSION" \
- -v "$WORKSPACE":/source \
- -v "$BUILD_DIR":/build \
- "$FALCOTESTER_IMAGE" test
-
-exit 0
\ No newline at end of file
diff --git a/scripts/jenkins/build-pipeline/version b/scripts/jenkins/build-pipeline/version
deleted file mode 100755
index aa06b60be21..00000000000
--- a/scripts/jenkins/build-pipeline/version
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/env bash
-
-# Do not add "x"
-set -eu -o pipefail
-
-BUILD_DIR="${WORKSPACE}/build"
-FALCOBUILDER_IMAGE="falcosecurity/falco-builder"
-
-docker pull $FALCOBUILDER_IMAGE > /dev/null
-
-rm -rf "$BUILD_DIR"
-mkdir "$BUILD_DIR"
-
-CMAKE_CMD="docker run -u $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -v $WORKSPACE:/source -v $BUILD_DIR:/build -a stdout -a stderr $FALCOBUILDER_IMAGE cmake"
-
-FALCO_VERSION=$($CMAKE_CMD | grep -oP "Falco version: v?\K(\d+)\.[a-z0-9]{1,7}(\.[a-z0-9]+)?" || echo "UNKNOWN")
-
-if [ "$FALCO_VERSION" == "UNKNOWN" ]; then
- >&2 echo "Unknown version."
- exit 1
-fi
-
-echo "$FALCO_VERSION.$((2700+BUILD_NUMBER))"
\ No newline at end of file
From a07f597ab044c7c638a4ddc14b01c2e081928cb4 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Mon, 20 Jan 2020 11:39:27 +0000
Subject: [PATCH 3/7] update: deb/rpm falco description

Co-authored-by: Lorenzo Fontana
Signed-off-by: Leonardo Di Donato
---
 scripts/description.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/description.txt b/scripts/description.txt
index 1f49b10e522..564d5c6c09d 100644
--- a/scripts/description.txt
+++ b/scripts/description.txt
@@ -1 +1 @@
-Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms such as Kubernetes, Mesosphere, and Cloud Foundry. Detect abnormal application behavior. Alert via Slack, Fluentd, NATS, and more. Protect your platform by taking action through serverless (FaaS) frameworks, or other automation.
\ No newline at end of file
+Falco, the open source cloud-native runtime security project, is the defacto Kubernetes threat detection engine. Falco detects unexpected application behavior and alerts on threats at runtime.
\ No newline at end of file
From 0b0ce11503e7a820e15590d08f57e722391dc709 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Mon, 20 Jan 2020 11:39:44 +0000
Subject: [PATCH 4/7] chore: remove old build script

Co-authored-by: Lorenzo Fontana
Signed-off-by: Leonardo Di Donato
---
 scripts/build | 26 --------------------------
 1 file changed, 26 deletions(-)
 delete mode 100755 scripts/build

diff --git a/scripts/build b/scripts/build
deleted file mode 100755
index d0216ef8370..00000000000
--- a/scripts/build
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-
-set -xeuo pipefail
-
-SOURCE_DIR=$1
-BUILD_DIR=$2
-FALCOBUILDER_IMAGE="falcosecurity/falco-builder"
-FALCOTESTER_IMAGE="falcosecurity/falco-tester"
-
-docker run --user "$(id -u)":"$(id -g)" -v /etc/passwd:/etc/passwd:ro -e BUILD_TYPE="$BUILD_TYPE" -v "$SOURCE_DIR":/source -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" cmake
-docker run --user "$(id -u)":"$(id -g)" -v /etc/passwd:/etc/passwd:ro -e BUILD_TYPE="$BUILD_TYPE" -v "$SOURCE_DIR":/source -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" package
-docker run --user "$(id -u)":"$(id -g)" -v /etc/passwd:/etc/passwd:ro -e BUILD_TYPE="$BUILD_TYPE" -v "$SOURCE_DIR":/source -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" tests
-
-# Deduct currently built version
-CURRENT_FALCO_VERSION=$(docker run -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" bash -c "./build/$BUILD_TYPE/userspace/falco/falco --version" | cut -d' ' -f3 | tr -d '\r')
-
-# Execute regression tests
-docker run \
- -v /boot:/boot:ro \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -v /etc/passwd:/etc/passwd:ro \
- -v "$SOURCE_DIR":/source \
- -v "$BUILD_DIR":/build \
- -e BUILD_TYPE="$BUILD_TYPE" \
- -e FALCO_VERSION="$CURRENT_FALCO_VERSION" \
- "$FALCOTESTER_IMAGE" test
From f01f5ecf1560d01ed090a38f572dd9eb941050d7 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Mon, 20 Jan 2020 11:40:05 +0000
Subject: [PATCH 5/7] build: remove SYSDIG_DIR variable

Co-authored-by: Lorenzo Fontana
Signed-off-by: Leonardo Di Donato --- scripts/CMakeLists.txt | 4 ---- 1 file changed, 4 deletions(-) diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 54a2c52493b..c532b4173fc 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt @@ -17,10 +17,6 @@ configure_file(debian/postinst.in debian/postinst) configure_file(debian/prerm.in debian/prerm) -if(NOT SYSDIG_DIR) - set(SYSDIG_DIR "${PROJECT_SOURCE_DIR}/../sysdig") -endif() - file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco" DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian") From 3c5a98e83f12927a6ecc53dff5b066eb2c6363c8 Mon Sep 17 00:00:00 2001 From: Leonardo Di Donato Date: Mon, 20 Jan 2020 12:16:27 +0000 Subject: [PATCH 6/7] update: force deps to always use the system openssl Co-authored-by: Lorenzo Fontana Signed-off-by: Leonardo Di Donato --- cmake/modules/sysdig.cmake | 3 +++ docker/builder/root/usr/bin/entrypoint | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/cmake/modules/sysdig.cmake b/cmake/modules/sysdig.cmake index 43fb131dc7e..a21dd201c38 100644 --- a/cmake/modules/sysdig.cmake +++ b/cmake/modules/sysdig.cmake @@ -43,6 +43,9 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR} add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp") add_dependencies(sinsp tbb b64 luajit) +# explicitly force this dependency to use the system OpenSSL +set(USE_BUNDLED_OPENSSL OFF) + if(USE_BUNDLED_DEPS) add_dependencies(scap grpc curl jq) endif() diff --git a/docker/builder/root/usr/bin/entrypoint b/docker/builder/root/usr/bin/entrypoint index f930ecdacbb..fd8f8df2113 100755 --- a/docker/builder/root/usr/bin/entrypoint +++ b/docker/builder/root/usr/bin/entrypoint @@ -39,7 +39,6 @@ case "$CMD" in -DFALCO_VERSION="$FALCO_VERSION" \ -DDRAIOS_DEBUG_FLAGS="$DRAIOS_DEBUG_FLAGS" \ -DUSE_BUNDLED_DEPS=ON \ - -DUSE_BUNDLED_OPENSSL=OFF \ "$SOURCE_DIR/falco" exit "$(printf '%d\n' $?)" ;; 
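Review bot: In cmake/modules/sysdig.cmake the new `set(USE_BUNDLED_OPENSSL OFF)` is placed after both `add_subdirectory()` calls for libscap and libsinsp, so those directories have already been configured when the variable is assigned. If their CMake files read USE_BUNDLED_OPENSSL (not visible in this hunk), the forced value never reaches them. Because the same commit drops `-DUSE_BUNDLED_OPENSSL=OFF` from the builder entrypoint, which OpenSSL ends up linked now rests on this one line. I would move it above the first `add_subdirectory()` and make it explicit that it overrides a user-supplied value, e.g. `set(USE_BUNDLED_OPENSSL OFF CACHE BOOL "" FORCE)`. The comment could then read `# always link the system OpenSSL; a -DUSE_BUNDLED_OPENSSL=ON from the command line is overridden here`.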
From 2afd027ab922954a63cb2b78c9379ab25ce1321f Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Mon, 20 Jan 2020 12:19:36 +0000
Subject: [PATCH 7/7] build: use latest falco-builder and falco-tester into CI

Co-authored-by: Lorenzo Fontana
Signed-off-by: Leonardo Di Donato
---
 .circleci/config.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index b073e7b95e5..43f042fd165 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -36,7 +36,7 @@ jobs:
 # This build is static, dependencies are bundled in the falco binary
 "build/centos8":
 docker:
- - image: falcosecurity/falco-builder:dynamic-builds # todo(fntlnz): replace this with the actual image once PR #968 is merged
+ - image: falcosecurity/falco-builder:latest
 environment:
 BUILD_TYPE: "release"
 steps:
@@ -72,7 +72,7 @@ jobs:
 # Execute integration tests based on the build results coming from the "build/centos8" job
 "tests/integration":
 docker:
- - image: falcosecurity/falco-tester:dynamic-builds # todo(fntlnz): replace this with the actual image once PR #968 is merged
+ - image: falcosecurity/falco-tester:latest
 environment:
 SOURCE_DIR: "/source"
 BUILD_DIR: "/build"
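Review bot: Both jobs now reference a mutable tag, `falcosecurity/falco-builder:latest` in "build/centos8" and `falcosecurity/falco-tester:latest` in "tests/integration" (second hunk), so each CI run executes whatever image was most recently pushed under that name. Builds stop being reproducible, and a changed or tampered image would be picked up with no change in this repository to review. Pin each image to an immutable reference and bump it deliberately, e.g. `- image: falcosecurity/falco-builder@sha256:<DIGEST_OF_VALIDATED_IMAGE>` (placeholder digest). If `latest` has to stay for now, a comment on each line saying so and naming who owns the image publishing would help the next reader.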