update: support running multiple event sources in parallel

[jasondellaluce]

What type of PR is this?

/kind design

/kind feature

Any specific area of the project related to this PR?

/area engine

What this PR does / why we need it:

See #2074. This is the last piece of "glue code" that uses all the preliminary work to support multiple parallel event processing loops coming from different sources.

From the UX known so far for Falco, this is a big no-op. However, this now supports loading multiple plugin with event sourcing capability and running all of them in parallel along with the traditional syscall event source. Each event source runs in its dedicated thread and does not influence the others. For example, this re-enables having both the k8s_audit and the syscall event sources on the same Falco instance.

By default, Falco enables the syscall event source and all the event sources implemented by the loaded plugin. The set of event sources enabled for event processing can be influenced with the --enable-source and --disable-source CLI options.

Which issue(s) this PR fixes:

Special notes for your reviewer:

There is a user-facing change that needed to be introduced in the stats writer (-s and --stats-interval CLI options). Considering that multiple event source can now run in parallel, the old stats formatting didn't make sense anymore. As such, the periodic sample is now partitioned by event source. Here's an example of the expected output:

{
  "sample": 71,
  "k8s_audit": {
    "cur": {
      "events": 1
    },
    "delta": {
      "events": 1
    }
  },
  "syscall": {
    "cur": {
      "drop_pct": 0,
      "drops": 0,
      "events": 9525,
      "preemptions": 0
    },
    "delta": {
      "drop_pct": 0,
      "drops": 0,
      "events": 137,
      "preemptions": 0
    }
  }
}

Does this PR introduce a user-facing change?:

new: support running multiple event sources in parallel
update(userspace/falco)!: adapt stats writer for multiple parallel event sources

[FedeDP]

First-pass light review; i will surely need a second deeper review.

This is just useful for me to clear up some notions about the impl.

[FedeDP]

Do we want to always add syscall_source unconditionally, without checking if it is loaded?

[jasondellaluce]

Good point I'm gonna try to respond to this point and some of the other questions below. So, for event sources we maintain in the app state three things:

• loaded_sources: a set of names all loaded event sources. By default this contains syscall that is provided out-of-the-box by Falco, and the event sources coming from the loaded plugins.
• enabled_sources: a set of names all event sources and that are enabled for event processing (either in capture/offline or in live mode). By default this is the same as loaded_sources, and can then be changed with the --enable-source and --disable-source options.
• sources: a list indexed by source name that contains all information mapped to a given source. For example, we map 1 inspector for each source name, 1 filtercheck list, and so on

The action of adding an event source to the rule engine relies on the loaded_sources list, because the rule engine must be aware of all sources no matter if they are actually enabled for event processing or not, because otherwise it will not be able to load the configured rulesets. Doing otherwise will deteriorate the UX as Falco would stop with error at startup if configured with even a single rule attached to a non-enabled event source. This is also why the syscall event source is added unconditionally.

[jasondellaluce]

Note that the "all enabled by default" and the --disable-source options behavior are the same as when we had k8s_audit support bundled into Falco. I thought it made sense to reproduce the same UX (we didn't have --enable-source at that time, which now make things easier).

[FedeDP]

Makes sense! Thanks Jason!

[jasondellaluce]

/milestone 0.33.0

[FedeDP]

Local build is failing with

In file included from /home/federico/Work/falco/userspace/engine/filter_evttype_resolver.cpp:17:
/home/federico/Work/falco/userspace/engine/filter_evttype_resolver.h: In static member function ‘static void falco_event_types::check_range(uint16_t)’:
/home/federico/Work/falco/userspace/engine/filter_evttype_resolver.h:36:36: error: ‘range_error’ is not a member of ‘std’
36 |                         throw std::range_error("invalid event type");

Do i miss anything?
This is a clean build!

[jasondellaluce]

Local build is failing with

In file included from /home/federico/Work/falco/userspace/engine/filter_evttype_resolver.cpp:17:
/home/federico/Work/falco/userspace/engine/filter_evttype_resolver.h: In static member function ‘static void falco_event_types::check_range(uint16_t)’:
/home/federico/Work/falco/userspace/engine/filter_evttype_resolver.h:36:36: error: ‘range_error’ is not a member of ‘std’
36 |                         throw std::range_error("invalid event type");

Do i miss anything? This is a clean build!

Huh, I think this happens after rebasing on top of #2151. Does this happen on master too?

[FedeDP]

Does this happen on master too?

Confirm! Thanks! Weird that the issue is not spotted by the CI though.

[FedeDP]

Fixed by #2197

[jasondellaluce]

Fixed by #2197

Tests are back being all-green!

[FedeDP]

/approve

[poiana]

LGTM label has been added.

Git tree hash: 4ecde754214d0334b75968c12d0a49938fb37653

[leogr]

This is awesome! 🤩

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, jasondellaluce, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [FedeDP,jasondellaluce,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment