docs(proposals): proposal for a libs plugin system #1637
Thanks for sending this Loris!
Would you please make the proposal document a markdown (.md) file?
Aside from cosmetic changes (for which I left suggestions that you can accept) to the document, I also have some questions (some of which you can find inline):
- Can you describe in finer detail how the plugins loading phase is intended to work?
- Is Falco (precisely the underlying libs) able to detect (and how) malfunctioning plugins? Which strategies will be implemented to not let malfunctioning plugins interfere with the correct Falco flow?
- Is the community expected to have a registry of official plugins known to work correctly with Falco? I see an `ID` field that makes me think of creating a falcosecurity machinery that provides ARN-like IDs to plugins
- How are filter name clashes (e.g., plugin 1 exports `ct.*`, plugin 2 exports `ct.*` too) intended to be handled?
Sorry for the text wall full of questions :)
proposals/20210501-plugin-system
Outdated
|
||
### Plugins format | ||
|
||
Plugins are dynamic libraries (.so files in Unix, .dll files in windows) that reside in specific well known locations and export a minimum set of functions that the libraries will recognize. |
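Review bot: The "Plugins format" sentence says plugins "reside in specific well known locations" without naming those locations, and it does not say what the libraries do with a file that fails to export the minimum set of functions. Since these are dynamic libraries that the libs will load, the proposal should list the directories, state the ownership and write permissions expected on them, and describe the behaviour for a library that does not export the required functions. Style: capitalize "Windows" and hyphenate "well-known".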
What are these well-known locations?
I added a section "Loading plugins in falcosecurity/falco" with more details and example syntax. In short, it's below the "share" directory e.g. /usr/share/falco/plugins.
Thank you @leodido! I tried to address your questions in the document, and I incorporated your suggestions.
## Non-Goals | ||
|
||
- To implement plugins other than source and extractor: to be approached as separate task | ||
- To document the plugin framework and interface: to be approached as separate task |
I'd love to see some documentation be added to the framework in the proposal.... even if it's just a Readme.
Does this just refer to official documentation via falco.org?
We copied over the proposed C API in the proposal and it matches the initial implementations that are referenced in the Examples section. We'll also create official documentation PRs/repos/etc as well once the proposal is accepted and we can get the relevant repos in the falcosecurity org.
LOVE this, giving all my support for this from AWS side.
Great improvement, Mark!
I put a few minor hints as I read (just typos and the capitalization of the Falco wording as per our guidelines).
eca0498 to a746be6
Description of changes to falcosecurity/libs and /falco to support plugins to provide events and extract fields from events.

Signed-off-by: Loris Degioanni <loris@sysdig.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
A long discussion has already taken place around the proposal, and I believe more than before that the proposed plugin infrastructure will be really beneficial for Falco. The plugin system will allow ingesting new input sources we can't imagine right now. The possibilities are endless. Furthermore, it will help reorganize some parts of the current implementation, making them more robust, generic, and maintainable (for example, one that comes to my mind right now is the K8s Audit Log implementation).
I have participated a bit in the making of the current experimental implementation and tried it extensively. For this reason, I am quite confident in saying that the proposal goes in the right direction.
Now, although some implementation details might still need to be changed or fine-tuned (e.g., find a better way for declaring fields instead of using a JSON string), I think it is time to take a step forward to start to experiment concretely. Likely, further interactions will be needed before achieving the "state of the art", but we will not discover that until we try in a real-world environment.
Thus, big +1 for me 🚀
Last but not least, thank you for this awesome proposal :)
LGTM label has been added. Git tree hash: 4f1ed82f2879563d3e039389fd61b90194748b1f
I have a branch around to use something similar to create plugins for configuring Falco (and do things like passing rules and configs from any programs that can produce an
Thanks for the proposal, LGTM
https://github.com/falcosecurity/falco/tree/libhawk-rules
/approve

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ldegio, leogr
What type of PR is this?
/kind design
Any specific area of the project related to this PR?
/area proposals
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: