refactor(userspace): change falco engine design to properly support multiple sources #2017
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/milestone 0.32.0 |
leogr
reviewed
May 24, 2022
leogr
previously approved these changes
May 24, 2022
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jasondellaluce, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
LGTM label has been added. Git tree hash: 601628490bfc34691c108504061066ee49c54ef5
|
…r factory This interface will allow us to use different ruleset implementations inside the same engine. The goal is to define API boundaries that will allow swapping the current evttype-index ruleset implementation more easily. Key benefits include: smaller component with less responsibilities, easier substituibility, more testable design, opportunity to adopt different index strategies depending on the ruleset implementation. Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
…new filter_ruleset interface Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
…terface and have one ruleset for each source This also fixes a couple of bugs. With the current implementation, the multi-ruleset feature is broken with multiple sources. Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
…set interface Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
The filter_ruleset interface its implementation evt_type_index_ruleset have been modified as follows: - Only keep track of ruleset ids and not names. The falco engine will take care of mapping easy-to-remember ruleset names to ruleset ids. To emphasize this, use ruleset_id everywhere and not ruleset. Also, make it non-optional. - Have explicit separate functions to enable/disable rules, instead of a single enable() method combined with a boolean flag. This does *not* change the falco_engine interface, which has similar methods, to avoid breaking API changes. Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This updates the engine to comply and work properly with the newly-introduced interface design. Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
jasondellaluce
force-pushed
the
refactor/ruleset-factory
branch
from
67bbee2 to
2de6182
Compare
mstemm
approved these changes
May 24, 2022
|
LGTM label has been added. Git tree hash: f6d95256d7dd68b8a0935af9317a405f9978fc90
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind bug
/kind cleanup
/kind design
/kind feature
Any specific area of the project related to this PR?
This PR refactors and cleans up the design of the Falco Engine classes. Since introducing the notion of "multiple sources" due to the plugin system, the state management and the responsibilities of the internal components of the engine became ambiguous. The goal of these changes is to polish the design of the Falco Engine internals without introducing breaking changes in its interface, making it more extendible, and less error-prone. Overall, the changes involve:
complete_rule_loading()method infalco_engineto make the engine explicitly know when all rules have been loaded and enabled/disabled by Falco. So far, this knowledge has always been implicit.filter_ruleset. This allows injecting multiple ruleset implementations inside the engine, each with different indexing/optimization strategies. This will serve us in the future to have plugin-specific indexing strategies for rule matching because the current evttype-based is totally ineffective. The default ruleset implementation is still the evttype-indexing one, which is now a standalone class namedevttype_index_rulesetwith explicit responsibilities./area engine
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
The PR is big in LOC due to some parts of code being moved, however ~200 of those are related to unit test being ported to the new method definitions.
Does this PR introduce a user-facing change?: