-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Falco driver loader enhancements #2165
Falco driver loader enhancements #2165
Conversation
Signed-off-by: Ian Robertson <ian.robertson@wpengine.com>
…parated) Signed-off-by: Ian Robertson <ian.robertson@wpengine.com>
Welcome @IanRobertson-wpe! It looks like this is your first PR to falcosecurity/falco 🎉 |
cc @FedeDP |
/milestone 0.33.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All in all, i really like the changes; i just left a minor comment.
Thank you for this patch :)
IFS=", " read -r -a urls <<< "${DRIVERS_REPO}" | ||
for url in "${urls[@]}"; do | ||
load_bpf_probe_download $url | ||
if [ $? -eq 0 ]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This check is missing from the kmod section above (after load_kernel_module_download $url
); is it ok?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the load_kernel_module_download function will immediately exit when it gets a good download/install, so I didn't need to do the same check on the errorlevel. If that function is not successful (if we need to try another url) it will return here and the loop can proceed. This is different from the probe wherein I must check the errorlevel to determine success, as that function does not directly exit and always returns.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, thank you!
Changes LGTM! |
Was able to test this:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
LGTM label has been added. Git tree hash: 448daff7d6380c66a2a71727b35a1f3cc463b50c
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, IanRobertson-wpe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you!
Really nice 👍
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
What this PR does / why we need it:
This PR introduces changes to the falco-driver-loader script.
to support multiple download URLs in the DRIVERS_REPO environment variable, and to store downloaded drivers in a folder that mirrors the download directory.
The DRIVERS_REPO environment variable can now be used to specify multiple download URLs by separating individual URLs by a comma. URLs will be attempted in order from first to last as specified. Once a successful download has been performed (per a successful result code from curl), any remaining URLs will not be attempted. This will allow, for example, users to specify their own custom driver repo URL without having to duplicate those that are already available in the standard downloads.falco.org repo.
Example:
DRIVERS_REPO="https://myrepo.mycompany.com/mydrivers,https://download.falco.org/driver"
When storing downloaded drivers, falco-driver-loader previously stored these under /root/.falco/. However, falco-driver-loader could load a mismatched DRIVER_VERSION kernel module or eBPF probe as there was no identifying information relating to the locally-stored driver. These drivers will now be stored under /root/.falco/${DRIVER_VERSION}/${ARCH}/, which exactly mirrors the download URL that is constructed. Thus, there is parity between the locally-stored download location and the download path. While preventing mismatched driver versions with Falco, this also provides the advantage of allowing users to pre-load drivers by placing these kernel modules and eBPF probes directly on disk through a distribution mechanism other than DRIVERS_REPO.
Which issue(s) this PR fixes:
N/A
Special notes for your reviewer:
Does this PR introduce a user-facing change?: