diff --git a/.circleci/config.yml b/.circleci/config.yml index 78288bf1574..514f3a67f7a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -1,5 +1,85 @@ version: 2 jobs: + # Build a statically linked Falco release binary using musl + # This build is 100% static, there are no host dependencies + "build/musl": + docker: + - image: alpine:3.12 + steps: + - checkout: + path: /source-static/falco + - run: + name: Update base image + command: apk update + - run: + name: Install build dependencies + command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils + - run: + name: Prepare project + command: | + mkdir -p /build-static/release + cd /build-static/release + cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco + - run: + name: Build + command: | + cd /build-static/release + make -j4 all + - run: + name: Package + command: | + cd /build-static/release + make -j4 package + - run: + name: Run unit tests + command: | + cd /build-static/release + make tests + - run: + name: Prepare artifacts + command: | + mkdir -p /tmp/packages + cp /build-static/release/*.tar.gz /tmp/packages + - store_artifacts: + path: /tmp/packages + destination: /packages + - persist_to_workspace: + root: / + paths: + - build-static/release + - source-static + # Build the minimal Falco + # This build only contains the Falco engine and the basic input/output. + "build/minimal": + docker: + - image: ubuntu:focal + steps: + - checkout + - run: + name: Update base image + command: apt update -y + - run: + name: Install dependencies + command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y + - run: + name: Prepare project + command: | + mkdir build-minimal + pushd build-minimal + cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release .. 
+ popd + - run: + name: Build + command: | + pushd build-minimal + make -j4 all + popd + - run: + name: Run unit tests + command: | + pushd build-minimal + make tests + popd # Build using ubuntu LTS # This build is dynamic, most dependencies are taken from the OS "build/ubuntu-focal": @@ -202,6 +282,21 @@ jobs: - run: name: Execute integration tests command: /usr/bin/entrypoint test + "tests/integration-static": + docker: + - image: falcosecurity/falco-tester:latest + environment: + SOURCE_DIR: "/source-static" + BUILD_DIR: "/build-static" + BUILD_TYPE: "release" + SKIP_PACKAGES_TESTS: "true" + steps: + - setup_remote_docker + - attach_workspace: + at: / + - run: + name: Execute integration tests + command: /usr/bin/entrypoint test "tests/driver-loader/integration": machine: image: ubuntu-1604:202004-01 @@ -267,10 +362,10 @@ jobs: FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override - run: - name: Publish tgz-dev + name: Publish bin-dev command: | - FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') - jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override + FALCO_VERSION=$(cat /build-musl/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') + jfrog bt u /build-musl/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override # Clenup the Falco development release packages "cleanup/packages-dev": docker: 
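Review bot: The new `build/musl`, `build/minimal` and `tests/integration-static` jobs pull their images by mutable tag (`alpine:3.12`, `ubuntu:focal`, `falcosecurity/falco-tester:latest`), and `build/musl` produces the tarball that the publish jobs later upload. Because that build is fully static, whatever toolchain and libraries the tag resolves to on the day of the build end up inside the released binary. Pinning the images by digest, e.g. `- image: alpine:3.12@sha256:<digest-placeholder>`, makes the release input reproducible and auditable. The `apk add` line also lists `cmake` twice, which is harmless but worth cleaning up.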
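Review bot: The `Publish bin-dev` step reads from `/build-musl/release`, but the `build/musl` job added in this commit builds in and persists `build-static/release`, and `tests/integration-static` sets `BUILD_DIR: "/build-static"`. Unless the publish job attaches the workspace somewhere other than `/` (its `attach_workspace` is outside this hunk), the `cat` fails, `FALCO_VERSION` is empty and `jfrog bt u` is called with a wrong file name and version path. Both lines should use `/build-static/release` instead of `/build-musl/release`. The `Publish bin` step in the `@@ -349,10 +444,10 @@` hunk has the same mismatch.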
@@ -349,10 +444,10 @@ jobs: FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override - run: - name: Publish tgz + name: Publish bin command: | - FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') - jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override + FALCO_VERSION=$(cat /build-musl/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') + jfrog bt u /build-musl/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override # Publish docker packages "publish/docker": docker: @@ -394,6 +489,8 @@ workflows: version: 2 build_and_test: jobs: + - "build/musl" + - "build/minimal" - "build/ubuntu-focal" - "build/ubuntu-focal-debug" - "build/ubuntu-bionic" @@ -403,6 +500,9 @@ workflows: - "tests/integration": requires: - "build/centos7" + - "tests/integration-static": + requires: + - "build/musl" - "tests/driver-loader/integration": requires: - "build/centos7" @@ -424,6 +524,7 @@ workflows: only: master requires: - "rpm/sign" + - "tests/integration-static" - "cleanup/packages-dev": context: falco filters: @@ -445,6 +546,12 @@ workflows: - "tests/driver-loader/integration" release: jobs: + - "build/musl": + filters: + tags: + only: /.*/ + branches: + ignore: /.*/ - "build/centos7": filters: tags: @@ -463,6 +570,7 @@ workflows: - "publish/packages": context: falco requires: + - "build/musl" - "rpm/sign" filters: tags: 
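Review bot: In the `release` workflow `publish/packages` now requires `build/musl` but not `tests/integration-static`, whereas `publish/packages-dev` in `build_and_test` was made to wait for that test job. As far as these hunks show, a tagged release uploads the static tarball without the static integration tests having run against that build. Adding `- "tests/integration-static"` to the `release` jobs with the same tag filters, and listing it under `requires:` of `publish/packages`, would close the gap. The rest of the workflow is outside the hunks, so confirm nothing else already gates it.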
diff --git a/CMakeLists.txt b/CMakeLists.txt index 29d73cd1530..96f3ccd60dd 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -16,6 +16,8 @@ project(falco) option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF) option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF) +option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF) +option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF) # Elapsed time # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this @@ -50,7 +52,15 @@ else() endif() message(STATUS "Build type: ${CMAKE_BUILD_TYPE}") -set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}") +if(MINIMAL_BUILD) + set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD") +endif() + +if(MUSL_OPTIMIZED_BUILD) + set(MUSL_FLAGS "-static -Os -D__NEED_struct_timespec -D__NEED_time_t") +endif() + +set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}") if(BUILD_WARNINGS_AS_ERRORS) set(CMAKE_SUPPRESSED_WARNINGS @@ -123,11 +133,13 @@ ExternalProject_Add( # yaml-cpp include(yaml-cpp) -# OpenSSL -include(OpenSSL) +if(NOT MINIMAL_BUILD) + # OpenSSL + include(OpenSSL) -# libcurl -include(cURL) + # libcurl + include(cURL) +endif() # LuaJIT set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src") 
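Review bot: `MUSL_FLAGS` links the release binary with plain `-static`, which normally yields a fixed-address (non-PIE) executable, so the main image is not randomized by ASLR. For a security agent that typically runs privileged and parses event data, that is a hardening regression compared with a dynamically linked PIE build. If the toolchain in the musl build image supports it, `-static-pie` together with `-fPIE` keeps the no-host-dependency property while staying position independent. The bundled dependencies would have to be compiled position independent too, so this needs a build test. Separately, `-D__NEED_struct_timespec -D__NEED_time_t` deserves a short comment saying what it works around.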
@@ -194,26 +206,30 @@ ExternalProject_Add( BUILD_BYPRODUCTS ${TBB_LIB} INSTALL_COMMAND "") -# civetweb -set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/") -set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a") -set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include") -message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'") -ExternalProject_Add( - civetweb - URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz" - URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42" - CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib - COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include - BUILD_IN_SOURCE 1 - BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1 - INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1") +if(NOT MINIMAL_BUILD) + # civetweb + set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/") + set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a") + set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include") + message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'") + ExternalProject_Add( + civetweb + URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz" + URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42" + CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib + COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include + BUILD_IN_SOURCE 1 + BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1 + INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1") +endif() #string-view-lite include(DownloadStringViewLite) -# gRPC -include(gRPC) +if(NOT MINIMAL_BUILD) + # gRPC + include(gRPC) +endif() # sysdig include(sysdig) 
@@ -221,11 +237,13 @@ include(sysdig) # Installation install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}") -# Coverage -include(Coverage) +if(NOT MINIMAL_BUILD) + # Coverage + include(Coverage) -# Tests -add_subdirectory(test) + # Tests + add_subdirectory(test) +endif() # Rules add_subdirectory(rules) diff --git a/cmake/modules/CPackConfig.cmake b/cmake/modules/CPackConfig.cmake index 258d77693d5..2f7f2988e1d 100644 --- a/cmake/modules/CPackConfig.cmake +++ b/cmake/modules/CPackConfig.cmake @@ -25,7 +25,11 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio set(CPACK_STRIP_FILES "ON") set(CPACK_PACKAGE_RELOCATABLE "OFF") -set(CPACK_GENERATOR DEB RPM TGZ) +if(NOT CPACK_GENERATOR) + set(CPACK_GENERATOR DEB RPM TGZ) +endif() + +message(STATUS "Using package generators: ${CPACK_GENERATOR}") set(CPACK_DEBIAN_PACKAGE_SECTION "utils") set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64") diff --git a/cmake/modules/DownloadStringViewLite.cmake b/cmake/modules/DownloadStringViewLite.cmake index cbf2dedf614..26f409fc90e 100644 --- a/cmake/modules/DownloadStringViewLite.cmake +++ b/cmake/modules/DownloadStringViewLite.cmake @@ -15,7 +15,7 @@ include(ExternalProject) set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix) set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include) -message(STATUS "Found string-view-lite: include: ${STRING_VIEW_LITE_INCLUDE}") +message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}") ExternalProject_Add( string-view-lite diff --git a/cmake/modules/gRPC.cmake b/cmake/modules/gRPC.cmake index 9cfb937ca4a..9d94bf299d6 100644 --- a/cmake/modules/gRPC.cmake +++ b/cmake/modules/gRPC.cmake 
@@ -96,12 +96,17 @@ else() # that zlib will be very outdated set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib") set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a") + # we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely + # that c-ares will be very outdated + set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares") + set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a") message(STATUS "Using bundled gRPC in '${GRPC_SRC}'") message( STATUS "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}") message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}") + message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}") message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}") get_filename_component(PROTOC_DIR ${PROTOC} PATH) diff --git a/cmake/modules/sysdig.cmake b/cmake/modules/sysdig.cmake index cfb53645096..deef6e683c7 100644 --- a/cmake/modules/sysdig.cmake +++ b/cmake/modules/sysdig.cmake @@ -17,7 +17,9 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo") # this needs to be here at the top if(USE_BUNDLED_DEPS) # explicitly force this dependency to use the bundled OpenSSL - set(USE_BUNDLED_OPENSSL ON) + if(NOT MINIMAL_BUILD) + set(USE_BUNDLED_OPENSSL ON) + endif() set(USE_BUNDLED_JQ ON) endif() 
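Review bot: The new status line ends with `${CARES_LIB}}`, so the configure log prints a stray `}` after the library path; the typo was copied from the zlib line just above it. It should read `message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")`. The enclosing `else()` branch starts outside the hunk.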
@@ -27,8 +29,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR}) # default below In case you want to test against another sysdig version just pass the variable - ie., `cmake # -DSYSDIG_VERSION=dev ..` if(NOT SYSDIG_VERSION) - set(SYSDIG_VERSION "ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7") - set(SYSDIG_CHECKSUM "SHA256=43d274e4ce16b0d0e4dd00aab78006c902f36070d1cbb22d12a2685134a2ae51") + set(SYSDIG_VERSION "73554b9c48b06612eb50494ee6fa5b779c57edc0") # todo(leogr): set the correct version and checksum before merging + set(SYSDIG_CHECKSUM "SHA256=c1c73498a834533dea61c979786a4ac3866743c17829d81aef209ddaa1b31538") endif() set(PROBE_VERSION "${SYSDIG_VERSION}") @@ -55,6 +57,9 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver") # Add libscap directory add_definitions(-D_GNU_SOURCE) add_definitions(-DHAS_CAPTURE) +if(MUSL_OPTIMIZED_BUILD) + add_definitions(-DMUSL_OPTIMIZED) +endif() add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap") # Add libsinsp directory @@ -65,5 +70,8 @@ add_dependencies(sinsp tbb b64 luajit) set(CREATE_TEST_TARGETS OFF) if(USE_BUNDLED_DEPS) - add_dependencies(scap grpc curl jq) + add_dependencies(scap jq) + if(NOT MINIMAL_BUILD) + add_dependencies(scap curl grpc) + endif() endif() diff --git a/docker/builder/root/usr/bin/entrypoint b/docker/builder/root/usr/bin/entrypoint index fd8f8df2113..3bfadfd7e7e 100755 --- a/docker/builder/root/usr/bin/entrypoint +++ b/docker/builder/root/usr/bin/entrypoint @@ -34,6 +34,7 @@ case "$CMD" in -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \ -DCMAKE_INSTALL_PREFIX=/usr \ -DBUILD_DRIVER="$BUILD_DRIVER" \ + -DMINIMAL_BUILD="$MINIMAL_BUILD" \ -DBUILD_BPF="$BUILD_BPF" \ -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \ -DFALCO_VERSION="$FALCO_VERSION" \ diff --git a/docker/no-driver/Dockerfile b/docker/no-driver/Dockerfile index d70594d78e8..fe528d71b68 100644 --- a/docker/no-driver/Dockerfile +++ b/docker/no-driver/Dockerfile 
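Review bot: The new `SYSDIG_VERSION` line carries `# todo(leogr): set the correct version and checksum before merging`, so by the author's own comment this commit id and its `SYSDIG_CHECKSUM` are provisional. This pair decides which libscap/libsinsp/driver sources go into every build, including the static tarball the CI publishes. The TODO should therefore be resolved (final commit id, matching SHA256, comment removed) before this lands rather than tracked afterwards.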
@@ -12,47 +12,16 @@ WORKDIR / ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz / -RUN apt-get update -y && \ - apt-get install -y binutils && \ - tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \ +RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \ rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \ mv falco-${FALCO_VERSION}-x86_64 falco && \ - strip falco/usr/bin/falco && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* + rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \ && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml FROM scratch -COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \ - /lib/x86_64-linux-gnu/libc.so.6 \ - /lib/x86_64-linux-gnu/libdl.so.2 \ - /lib/x86_64-linux-gnu/libgcc_s.so.1 \ - /lib/x86_64-linux-gnu/libm.so.6 \ - /lib/x86_64-linux-gnu/libnsl.so.1 \ - /lib/x86_64-linux-gnu/libnss_compat.so.2 \ - /lib/x86_64-linux-gnu/libnss_files.so.2 \ - /lib/x86_64-linux-gnu/libnss_nis.so.2 \ - /lib/x86_64-linux-gnu/libpthread.so.0 \ - /lib/x86_64-linux-gnu/librt.so.1 \ - /lib/x86_64-linux-gnu/libz.so.1 \ - /lib/x86_64-linux-gnu/ - -COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \ - /usr/lib/x86_64-linux-gnu/libstdc++.so.6 - -COPY --from=ubuntu /etc/ld.so.cache \ - /etc/nsswitch.conf \ - /etc/ld.so.cache \ - /etc/passwd \ - /etc/group \ - /etc/ - -COPY --from=ubuntu /etc/default/nss /etc/default/nss -COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 - COPY --from=ubuntu /falco / CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"] \ No newline at end of file diff --git a/docker/tester/root/usr/bin/entrypoint b/docker/tester/root/usr/bin/entrypoint index 73547d024de..4d975b6007f 100755 --- a/docker/tester/root/usr/bin/entrypoint +++ b/docker/tester/root/usr/bin/entrypoint 
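Review bot: The final `scratch` image now consists only of what is unpacked from the tarball fetched by the `ADD https://bintray.com/...` line above, and the rewritten `RUN` extracts it without checking a digest. TLS protects the transfer but not against a replaced artifact, and the publish jobs in `.circleci/config.yml` upload with `--override`. A checksum step before `tar` would be a cheap guard, e.g. `echo "${FALCO_SHA256}  falco-${FALCO_VERSION}-x86_64.tar.gz" | sha256sum -c - && \`, where `FALCO_SHA256` is a new build argument (a suggested name, not one the file defines). The `ARG` and first `FROM` lines of this stage are outside the hunk.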
@@ -1,9 +1,11 @@ #!/usr/bin/env bash -set -eu -o pipefail +set -u -o pipefail + +BUILD_DIR=${BUILD_DIR:-/build} +SOURCE_DIR=${SOURCE_DIR:-/source} +SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false} -SOURCE_DIR=/source -BUILD_DIR=/build CMD=${1:-test} shift @@ -56,9 +58,11 @@ case "$CMD" in fi # build docker images - build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb" - build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm" - build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz" + if [ "$SKIP_PACKAGES_TESTS" = false ] ; then + build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb" + build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm" + build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz" + fi # check that source directory contains Falco if [ ! -d "$SOURCE_DIR/falco/test" ]; then @@ -69,12 +73,14 @@ case "$CMD" in # run tests echo "Running regression tests ..." cd "$SOURCE_DIR/falco/test" - ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE" + SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE" # clean docker images - clean_image "deb" - clean_image "rpm" - clean_image "tar.gz" + if [ "$SKIP_PACKAGES_TESTS" = false ] ; then + clean_image "deb" + clean_image "rpm" + clean_image "tar.gz" + fi ;; "bash") CMD=/bin/bash diff --git a/rules/CMakeLists.txt b/rules/CMakeLists.txt index d7e8b30cb69..2a03d6625a0 100644 --- a/rules/CMakeLists.txt +++ b/rules/CMakeLists.txt @@ -37,8 +37,7 @@ if(DEFINED FALCO_COMPONENT) COMPONENT "${FALCO_COMPONENT}" DESTINATION "${FALCO_ETC_DIR}" RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}") - - # Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects. +# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects. else() install( FILES falco_rules.yaml 
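Review bot: Dropping `-e` from `set -eu -o pipefail` means a failing `./run_regression_tests.sh` no longer aborts the script, and nothing in the `@@ -69,12 +73,14 @@` hunk captures its exit status. With `SKIP_PACKAGES_TESTS=true` the last command before `;;` is the `if [ "$SKIP_PACKAGES_TESTS" = false ]` block, which returns 0 when the condition is false. Unless code after the `case` (not visible here) exits non-zero, the `tests/integration-static` job that gates publishing would pass on failing tests. Either keep `set -e`, or record the result right after the test run with `rc=$?` and finish the branch with `exit "$rc"` after the cleanup block. Failures of `build_image` are likewise ignored now.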
@@ -57,8 +56,8 @@ else() install( FILES application_rules.yaml - DESTINATION "/etc/falco/rules.available" + DESTINATION "${FALCO_ETC_DIR}/rules.available" RENAME "${FALCO_APP_RULES_DEST_FILENAME}") - install(DIRECTORY DESTINATION "/etc/falco/rules.d") + install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d") endif() diff --git a/test/run_regression_tests.sh b/test/run_regression_tests.sh index 7deae435a06..2dd450b52e0 100755 --- a/test/run_regression_tests.sh +++ b/test/run_regression_tests.sh @@ -19,6 +19,7 @@ set -euo pipefail SCRIPT=$(readlink -f $0) SCRIPTDIR=$(dirname "$SCRIPT") +SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false} # Trace file tarballs are now versioned. Any time a substantial change # is made that affects the interaction of rules+engine and the trace @@ -97,7 +98,13 @@ function run_tests() { # as we're watching the return status when running avocado. set +e TEST_RC=0 - for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do + suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml) + + if [ "$SKIP_PACKAGES_TESTS" = false ] ; then + suites+=($SCRIPTDIR/falco_tests_package.yaml) + fi + + for mult in "${suites[@]}"; do CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py" echo "Running $CMD" BUILD_DIR=${OPT_BUILD_DIR} $CMD diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index de0da2cfe55..dfb87fb8168 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt 
@@ -14,7 +14,11 @@ # License for the specific language governing permissions and limitations under # the License. # -set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp) +if(MINIMAL_BUILD) + set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp) +else() + set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp) +endif() set(FALCO_TESTED_LIBRARIES falco_engine) @@ -35,14 +39,25 @@ if(FALCO_BUILD_TESTS) add_executable(falco_test ${FALCO_TESTS_SOURCES}) target_link_libraries(falco_test PUBLIC ${FALCO_TESTED_LIBRARIES}) - target_include_directories( - falco_test - PUBLIC "${CATCH2_INCLUDE}" - "${FAKEIT_INCLUDE}" - "${PROJECT_SOURCE_DIR}/userspace/engine" - "${YAMLCPP_INCLUDE_DIR}" - "${CIVETWEB_INCLUDE_DIR}" - "${PROJECT_SOURCE_DIR}/userspace/falco") + + if(MINIMAL_BUILD) + target_include_directories( + falco_test + PUBLIC "${CATCH2_INCLUDE}" + "${FAKEIT_INCLUDE}" + "${PROJECT_SOURCE_DIR}/userspace/engine" + "${YAMLCPP_INCLUDE_DIR}" + "${PROJECT_SOURCE_DIR}/userspace/falco") + else() + target_include_directories( + falco_test + PUBLIC "${CATCH2_INCLUDE}" + "${FAKEIT_INCLUDE}" + "${PROJECT_SOURCE_DIR}/userspace/engine" + "${YAMLCPP_INCLUDE_DIR}" + "${CIVETWEB_INCLUDE_DIR}" + "${PROJECT_SOURCE_DIR}/userspace/falco") + endif() add_dependencies(falco_test catch2) include(CMakeParseArguments) diff --git a/userspace/engine/CMakeLists.txt b/userspace/engine/CMakeLists.txt index 25ff6d2aeea..ba4a431d8a3 100644 --- a/userspace/engine/CMakeLists.txt +++ b/userspace/engine/CMakeLists.txt 
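Review bot: The `MINIMAL_BUILD` branches here repeat the full source and include lists and differ by one entry each (`falco/test_webserver.cpp`, `"${CIVETWEB_INCLUDE_DIR}"`), so every future addition has to be made twice and the two builds can silently diverge. Defining the common list once and appending the extras keeps them in step: `list(APPEND FALCO_TESTS_SOURCES falco/test_webserver.cpp)` inside `if(NOT MINIMAL_BUILD)`, and a second `target_include_directories(falco_test PUBLIC "${CIVETWEB_INCLUDE_DIR}")` call under the same condition. The same duplication appears in the `userspace/engine/CMakeLists.txt` hunk (only `"${CURL_INCLUDE_DIR}"` differs). It also appears in the `add_executable`, `target_include_directories` and `target_link_libraries` blocks of `userspace/falco/CMakeLists.txt`.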
@@ -27,18 +27,32 @@ if(USE_BUNDLED_DEPS) add_dependencies(falco_engine libyaml) endif() -target_include_directories( - falco_engine - PUBLIC - "${LUAJIT_INCLUDE}" - "${NJSON_INCLUDE}" - "${CURL_INCLUDE_DIR}" - "${TBB_INCLUDE_DIR}" - "${STRING_VIEW_LITE_INCLUDE}" - "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp" - "${SYSDIG_SOURCE_DIR}/userspace/libscap" - "${SYSDIG_SOURCE_DIR}/userspace/libsinsp" - "${PROJECT_BINARY_DIR}/userspace/engine") +if(MINIMAL_BUILD) + target_include_directories( + falco_engine + PUBLIC + "${LUAJIT_INCLUDE}" + "${NJSON_INCLUDE}" + "${TBB_INCLUDE_DIR}" + "${STRING_VIEW_LITE_INCLUDE}" + "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp" + "${SYSDIG_SOURCE_DIR}/userspace/libscap" + "${SYSDIG_SOURCE_DIR}/userspace/libsinsp" + "${PROJECT_BINARY_DIR}/userspace/engine") +else() + target_include_directories( + falco_engine + PUBLIC + "${LUAJIT_INCLUDE}" + "${NJSON_INCLUDE}" + "${CURL_INCLUDE_DIR}" + "${TBB_INCLUDE_DIR}" + "${STRING_VIEW_LITE_INCLUDE}" + "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp" + "${SYSDIG_SOURCE_DIR}/userspace/libscap" + "${SYSDIG_SOURCE_DIR}/userspace/libsinsp" + "${PROJECT_BINARY_DIR}/userspace/engine") +endif() target_link_libraries(falco_engine "${FALCO_SINSP_LIBRARY}" "${LPEG_LIB}" "${LYAML_LIB}" "${LIBYAML_LIB}") diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt index 7704840f4ae..5177d9531cb 100644 --- a/userspace/falco/CMakeLists.txt +++ b/userspace/falco/CMakeLists.txt 
@@ -13,32 +13,35 @@ configure_file("${SYSDIG_SOURCE_DIR}/userspace/sysdig/config_sysdig.h.in" config_sysdig.h) -add_custom_command( - OUTPUT - ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc - ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h - ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc - ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h - ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc - ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h - ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc - ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h - ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc - ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h - COMMENT "Generate gRPC API" - # Falco gRPC Version API - DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto - COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto - COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN} - ${CMAKE_CURRENT_SOURCE_DIR}/version.proto - # Falco gRPC Outputs API - DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto - COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto - ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto - COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. 
--plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN} - ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto - WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}) +if(NOT MINIMAL_BUILD) + add_custom_command( + OUTPUT + ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc + ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h + ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc + ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h + ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc + ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h + ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc + ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h + ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc + ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h + COMMENT "Generate gRPC API" + # Falco gRPC Version API + DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto + COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto + COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN} + ${CMAKE_CURRENT_SOURCE_DIR}/version.proto + # Falco gRPC Outputs API + DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto + COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto + ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto + COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN} + ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto + WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}) +endif() +if(MINIMAL_BUILD) add_executable( falco configuration.cpp 
@@ -47,66 +50,109 @@ add_executable( event_drops.cpp statsfilewriter.cpp falco.cpp - "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp" - webserver.cpp - grpc_context.cpp - grpc_server_impl.cpp - grpc_request_context.cpp - grpc_server.cpp - ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc - ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc - ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc - ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc - ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc) + "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp") +else() + add_executable( + falco + configuration.cpp + logger.cpp + falco_outputs.cpp + event_drops.cpp + statsfilewriter.cpp + falco.cpp + "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp" + webserver.cpp + grpc_context.cpp + grpc_server_impl.cpp + grpc_request_context.cpp + grpc_server.cpp + ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc + ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc + ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc + ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc + ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc) -add_dependencies(falco civetweb string-view-lite) + add_dependencies(falco civetweb) +endif() + +add_dependencies(falco string-view-lite) if(USE_BUNDLED_DEPS) add_dependencies(falco yamlcpp) endif() -target_include_directories( - falco - PUBLIC - "${SYSDIG_SOURCE_DIR}/userspace/sysdig" - "${PROJECT_SOURCE_DIR}/userspace/engine" - "${PROJECT_BINARY_DIR}/userspace/falco" - "${PROJECT_BINARY_DIR}/driver/src" - "${STRING_VIEW_LITE_INCLUDE}" - "${YAMLCPP_INCLUDE_DIR}" - "${CIVETWEB_INCLUDE_DIR}" - "${OPENSSL_INCLUDE_DIR}" - "${GRPC_INCLUDE}" - "${GRPCPP_INCLUDE}" - "${PROTOBUF_INCLUDE}" - "${CMAKE_CURRENT_BINARY_DIR}" - "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include") +if(MINIMAL_BUILD) + target_include_directories( + falco + PUBLIC + "${SYSDIG_SOURCE_DIR}/userspace/sysdig" + "${PROJECT_SOURCE_DIR}/userspace/engine" + "${PROJECT_BINARY_DIR}/userspace/falco" + "${PROJECT_BINARY_DIR}/driver/src" + 
"${STRING_VIEW_LITE_INCLUDE}" + "${YAMLCPP_INCLUDE_DIR}" + "${CMAKE_CURRENT_BINARY_DIR}" + "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include") -target_link_libraries( - falco - falco_engine - sinsp - "${GPR_LIB}" - "${GRPC_LIB}" - "${GRPCPP_LIB}" - "${PROTOBUF_LIB}" - "${OPENSSL_LIBRARY_SSL}" - "${OPENSSL_LIBRARY_CRYPTO}" - "${LIBYAML_LIB}" - "${YAMLCPP_LIB}" - "${CIVETWEB_LIB}") + target_link_libraries( + falco + falco_engine + sinsp + "${LIBYAML_LIB}" + "${YAMLCPP_LIB}") +else() + target_include_directories( + falco + PUBLIC + "${SYSDIG_SOURCE_DIR}/userspace/sysdig" + "${PROJECT_SOURCE_DIR}/userspace/engine" + "${PROJECT_BINARY_DIR}/userspace/falco" + "${PROJECT_BINARY_DIR}/driver/src" + "${STRING_VIEW_LITE_INCLUDE}" + "${YAMLCPP_INCLUDE_DIR}" + "${CIVETWEB_INCLUDE_DIR}" + "${OPENSSL_INCLUDE_DIR}" + "${GRPC_INCLUDE}" + "${GRPCPP_INCLUDE}" + "${PROTOBUF_INCLUDE}" + "${CMAKE_CURRENT_BINARY_DIR}" + "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include") -configure_file(config_falco.h.in config_falco.h) + target_link_libraries( + falco + falco_engine + sinsp + "${GPR_LIB}" + "${GRPC_LIB}" + "${GRPCPP_LIB}" + "${PROTOBUF_LIB}" + "${OPENSSL_LIBRARY_SSL}" + "${OPENSSL_LIBRARY_CRYPTO}" + "${LIBYAML_LIB}" + "${YAMLCPP_LIB}" + "${CIVETWEB_LIB}") +endif() -add_custom_command( - TARGET falco - COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR} ${OPENSSL_BINARY} - WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} - COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields") +configure_file(config_falco.h.in config_falco.h) -# add_custom_target(verify_engine_fields DEPENDS verify_engine_fields.sh falco_engine.h) +if(NOT MINIMAL_BUILD) + add_custom_command( + TARGET falco + COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR} + WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} + COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields") +else() 
+ MESSAGE(STATUS "Skipping engine fields checksum when building the minimal Falco.") +endif() -# add_dependencies(verify_engine_fields falco) +# strip the Falco binary when releasing using musl +if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release") + add_custom_command( + TARGET falco + POST_BUILD + COMMAND ${CMAKE_STRIP} --strip-unneeded falco + COMMENT "Strip the Falco binary when releasing the musl build") +endif() install(TARGETS falco DESTINATION ${FALCO_BIN_DIR}) install( diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp index 50e62eac493..7e1608674c3 100644 --- a/userspace/falco/falco.cpp +++ b/userspace/falco/falco.cpp @@ -43,8 +43,10 @@ limitations under the License. #include "falco_engine.h" #include "config_falco.h" #include "statsfilewriter.h" +#ifndef MINIMAL_BUILD #include "webserver.h" #include "grpc_server.h" +#endif #include "banned.h" // This raises a compilation error when certain functions are used typedef function open_t; @@ -104,6 +106,7 @@ static void usage() " Can not be specified with -t.\n" " -e Read the events from (in .scap format for sinsp events, or jsonl for\n" " k8s audit events) instead of tapping into live.\n" +#ifndef MINIMAL_BUILD " -k , --k8s-api \n" " Enable Kubernetes support by connecting to the API server specified as argument.\n" " E.g. \"http://admin:password@127.0.0.1:8080\".\n" 
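Review bot: The engine-fields checksum step is skipped for `MINIMAL_BUILD` without a stated reason, and the only trace is the `MESSAGE(STATUS ...)` line. The call no longer passes `${OPENSSL_BINARY}`, so the script may not depend on OpenSSL any more and could possibly run for both builds; `verify_engine_fields.sh` is not part of this hunk, so confirm. If the skip is really needed, a comment above the `if(NOT MINIMAL_BUILD)` saying what the script requires that the minimal build lacks would keep the next maintainer from guessing. The file otherwise writes `message(...)` in lower case.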
@@ -117,15 +120,18 @@ static void usage() " for this option, it will be interpreted as the name of a file containing bearer token.\n" " Note that the format of this command-line option prohibits use of files whose names contain\n" " ':' or '#' characters in the file name.\n" +#endif " -L Show the name and description of all rules and exit.\n" " -l Show the name and description of the rule with name and exit.\n" " --list [] List all defined fields. If is provided, only list those fields for\n" " the source . Current values for are \"syscall\", \"k8s_audit\"\n" +#ifndef MINIMAL_BUILD " -m , --mesos-api \n" " Enable Mesos support by connecting to the API server\n" " specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n" " Marathon url is optional and defaults to Mesos address, port 8080.\n" " The API servers can also be specified via the environment variable FALCO_MESOS_API.\n" +#endif " -M Stop collecting after reached.\n" " -N When used with --list, only print field names.\n" " -o, --option = Set the value of option to . Overrides values in configuration file.\n" @@ -185,6 +191,7 @@ static void display_fatal_err(const string &msg) // Splitting into key=value or key.subkey=value will be handled by configuration class. std::list cmdline_options; +#ifndef MINIMAL_BUILD // Read a jsonl file containing k8s audit events and pass each to the engine. void read_k8s_audit_trace_file(falco_engine *engine, falco_outputs *outputs, @@ -213,6 +220,7 @@ void read_k8s_audit_trace_file(falco_engine *engine, } } } +#endif static std::string read_file(std::string filename) { @@ -429,9 +437,11 @@ int falco_init(int argc, char **argv) bool verbose = false; bool names_only = false; bool all_events = false; +#ifndef MINIMAL_BUILD string* k8s_api = 0; string* k8s_api_cert = 0; string* mesos_api = 0; +#endif string output_format = ""; uint32_t snaplen = 0; bool replace_container_info = false; 
@@ -461,9 +471,11 @@ int falco_init(int argc, char **argv) double duration; scap_stats cstats; +#ifndef MINIMAL_BUILD falco_webserver webserver; falco::grpc::server grpc_server; std::thread grpc_server_thread; +#endif static struct option long_options[] = { @@ -530,8 +542,10 @@ int falco_init(int argc, char **argv) break; case 'e': trace_filename = optarg; +#ifndef MINIMAL_BUILD k8s_api = new string(); mesos_api = new string(); +#endif break; case 'F': list_flds = optarg; @@ -539,21 +553,25 @@ int falco_init(int argc, char **argv) case 'i': print_ignored_events = true; break; +#ifndef MINIMAL_BUILD case 'k': k8s_api = new string(optarg); break; case 'K': k8s_api_cert = new string(optarg); break; +#endif case 'L': describe_all_rules = true; break; case 'l': describe_rule = optarg; break; +#ifndef MINIMAL_BUILD case 'm': mesos_api = new string(optarg); break; +#endif case 'M': duration_to_tot = atoi(optarg); if(duration_to_tot <= 0) @@ -1074,6 +1092,12 @@ int falco_init(int argc, char **argv) if(!trace_is_scap) { +#ifdef MINIMAL_BUILD + // Note that the webserver is not available when MINIMAL_BUILD is defined. + fprintf(stderr, "Cannot use k8s audit events trace file with a minimal Falco build"); + result = EXIT_FAILURE; + goto exit; +#else try { string line; nlohmann::json j; @@ -1098,6 +1122,7 @@ int falco_init(int argc, char **argv) result = EXIT_FAILURE; goto exit; } +#endif } } else @@ -1168,6 +1193,7 @@ int falco_init(int argc, char **argv) duration = ((double)clock()) / CLOCKS_PER_SEC; +#ifndef MINIMAL_BUILD // // Run k8s, if required // @@ -1251,12 +1277,15 @@ int falco_init(int argc, char **argv) grpc_server.run(); }); } +#endif if(!trace_filename.empty() && !trace_is_scap) { +#ifndef MINIMAL_BUILD read_k8s_audit_trace_file(engine, outputs, trace_filename); +#endif } else { 
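Review bot: In the `@@ -539,21 +553,25 @@` hunk, compiling out `case 'k'`, `case 'K'` and `case 'm'` leaves a minimal build with no handler for those switches. The getopt option string and the `long_options` table sit outside the hunk, so it cannot be confirmed from here that they are trimmed as well. If they are still listed, a minimal Falco started with `-k` or `-m` may run without the orchestrator metadata the operator asked for, or fail with an unrelated usage message. I would keep the labels in both builds and, under `#ifdef MINIMAL_BUILD`, print `"-k, -K and -m are not supported by a minimal Falco build\n"` to stderr and leave through the function's existing failure path. falco_init starts and ends outside this hunk.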
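Review bot: The `fprintf` added in the `@@ -1074,6 +1092,12 @@` hunk has no trailing newline, so the error runs into whatever is written to stderr next. It should read `fprintf(stderr, "Cannot use k8s audit events trace file with a minimal Falco build\n");`. The later `@@ -1251,12 +1277,15 @@` hunk leaves the `if(!trace_filename.empty() && !trace_is_scap)` branch empty in a minimal build, which is only correct because of this early `goto exit`. A comment there such as `// unreachable in MINIMAL_BUILD: falco_init already exited when the trace file was not scap` would stop someone from removing the guard later. Both hunks are inside falco_init, whose body continues outside them.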
@@ -1302,12 +1331,14 @@ int falco_init(int argc, char **argv) inspector->close(); engine->print_stats(); sdropmgr.print_stats(); +#ifndef MINIMAL_BUILD webserver.stop(); if(grpc_server_thread.joinable()) { grpc_server.shutdown(); grpc_server_thread.join(); } +#endif } catch(exception &e) { @@ -1315,12 +1346,14 @@ int falco_init(int argc, char **argv) result = EXIT_FAILURE; +#ifndef MINIMAL_BUILD webserver.stop(); if(grpc_server_thread.joinable()) { grpc_server.shutdown(); grpc_server_thread.join(); } +#endif } exit: diff --git a/userspace/falco/falco_outputs.cpp b/userspace/falco/falco_outputs.cpp index 450d0c9e45c..fddc690246c 100644 --- a/userspace/falco/falco_outputs.cpp +++ b/userspace/falco/falco_outputs.cpp @@ -14,7 +14,9 @@ See the License for the specific language governing permissions and limitations under the License. */ +#ifndef MINIMAL_BUILD #include +#endif #include "falco_outputs.h" @@ -22,15 +24,19 @@ limitations under the License. #include "formats.h" #include "logger.h" +#ifndef MINIMAL_BUILD #include "falco_outputs_queue.h" +#endif #include "banned.h" // This raises a compilation error when certain functions are used using namespace std; const static struct luaL_reg ll_falco_outputs [] = { +#ifndef MINIMAL_BUILD {"handle_http", &falco_outputs::handle_http}, {"handle_grpc", &falco_outputs::handle_grpc}, +#endif {NULL, NULL} }; @@ -259,6 +265,7 @@ void falco_outputs::reopen_outputs() } } +#ifndef MINIMAL_BUILD int falco_outputs::handle_http(lua_State *ls) { CURL *curl = NULL; @@ -369,3 +376,4 @@ int falco_outputs::handle_grpc(lua_State *ls) return 1; } +#endif diff --git a/userspace/falco/falco_outputs.h b/userspace/falco/falco_outputs.h index 8f2007b80a1..8fc6ce1a3b1 100644 --- a/userspace/falco/falco_outputs.h +++ b/userspace/falco/falco_outputs.h @@ -74,8 +74,10 @@ class falco_outputs : public falco_common void reopen_outputs(); +#ifndef MINIMAL_BUILD static int handle_http(lua_State *ls); static int handle_grpc(lua_State *ls); +#endif private: 
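Review bot: In the `@@ -22,15 +24,19 @@` hunk of falco_outputs.cpp, `handle_http` and `handle_grpc` drop out of `ll_falco_outputs` in a minimal build, but nothing visible in this diff stops a configuration from still enabling the HTTP or gRPC output. The Lua side is not shown, so this is inferred: a script that looks those entries up would get nil and fail when the first alert is emitted rather than at startup, and the alerts would be lost. I would reject those outputs at configuration load when `MINIMAL_BUILD` is defined. I would also document the table with `// http and grpc outputs are not compiled into MINIMAL_BUILD; a config enabling them must be rejected at startup`.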
diff --git a/userspace/falco/verify_engine_fields.sh b/userspace/falco/verify_engine_fields.sh index 37b3189ce0e..e5c2e650803 100644 --- a/userspace/falco/verify_engine_fields.sh +++ b/userspace/falco/verify_engine_fields.sh @@ -1,19 +1,12 @@ -#!/bin/sh +#!/bin/env/bash set -euo pipefail SOURCE_DIR=$1 -OPENSSL=$2 -if ! command -v "${OPENSSL}" version > /dev/null 2>&1; then - echo "No openssl command at ${OPENSSL}" - exit 1 -fi - -NEW_CHECKSUM=$(./falco --list -N | ${OPENSSL} dgst -sha256 | awk '{print $2}') +NEW_CHECKSUM=$(./falco --list -N | sha256sum | awk '{print $1}') CUR_CHECKSUM=$(grep FALCO_FIELDS_CHECKSUM "${SOURCE_DIR}/userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g') - if [ "$NEW_CHECKSUM" != "$CUR_CHECKSUM" ]; then echo "Set of fields supported has changed (new checksum $NEW_CHECKSUM != old checksum $CUR_CHECKSUM)." echo "Update checksum and/or version in falco_engine_version.h."
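Review bot: The new interpreter line `#!/bin/env/bash` is not a usable path: it names a file `bash` inside a directory `/bin/env`, so running the script directly fails with a bad-interpreter error. It should be `#!/usr/bin/env bash`. The check can only work today if the caller passes the script to an interpreter explicitly, which this hunk does not show. Moving to bash is otherwise the right direction, since `set -euo pipefail` is not portable to a plain `/bin/sh`. With `pipefail` honoured, a failing `./falco --list -N` aborts the check instead of hashing empty output.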