[WIP] update(CI): Integration of modern BPF probe into Falco #2282
Conversation
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Andreagit97
force-pushed
the
falco_modern_probe
branch
from
efccccb to
8fb8141
Compare
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Andreagit97
force-pushed
the
falco_modern_probe
branch
from
8fb8141 to
b4e5adc
Compare
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
|
cc @leogr |
Andreagit97
force-pushed
the
falco_modern_probe
branch
from
f3f8a46 to
21b1dd6
Compare
Unify them; plus, rework systemd units to support eBPF too. Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Andreagit97
force-pushed
the
falco_modern_probe
branch
from
21b1dd6 to
d8d6c0e
Compare
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Andreagit97
force-pushed
the
falco_modern_probe
branch
from
bd11114 to
5d1b0c5
Compare
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
| mkdir -p skeleton-build | ||
| cd skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../ | ||
| make ProbeSkeleton |
There was a problem hiding this comment.
@Andreagit97: Would building on ubuntu-22.04 work for example for running Falco w/ modern_bpf on let's say a centos7 6.0 kernel? When we debugged the possible "heisenbug" I recall it would need to be built in a centos7 container because of old GLIBC version 2.17 constraints (given the modern probe is baked into scap). In that case need to build newer clang versions from source in the centos7 container or maybe curl pre-built clang artifacts from Falco's Artifact store?
There was a problem hiding this comment.
Or given below when you use the centos7 container this is all not a problem and it works. In that case please disregard.
There was a problem hiding this comment.
yeah, the trick here is to build the header file (so the BPF skeleton) on a recent machine with the latest clang/llvm versions like ubuntu 22.04 since building it directly on centos7 would be a real pain. After that, we use this header file to build Falco on centos7 in this way the modern probe should be compliant with lower versions of GLIBC like 2.17 as you mentioned :)
|
Just a quick update: After a short period of testing, we will merge this PR and the modern probe will be regularly shipped into Falco 0.34 as another possible syscall source 🥳 |
|
/milestone 0.34.0 |
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
|
/hold |
|
We will leave this PR open until Falco 0.34 is released after that we will close it. The PR with the modern probe integration within Falco is this one #2320 |
|
You can find the new packages and docker images directly on the master branch |
|
@Andreagit97: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area build
/area CI
What this PR does / why we need it:
This PR tries to integrate the modern BPF probe into Falco, 3 main aspects will be evaluated:
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?: