From 2b3b5434ae720cf5ad5d0fb589acad628aa1c967 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Tue, 13 Dec 2022 15:51:31 +0100 Subject: [PATCH 1/5] chore: bump libs/driver version Signed-off-by: Andrea Terzolo --- cmake/modules/driver.cmake | 4 ++-- cmake/modules/falcosecurity-libs.cmake | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake index d0855f7c75e..d15702d52f2 100644 --- a/cmake/modules/driver.cmake +++ b/cmake/modules/driver.cmake @@ -26,8 +26,8 @@ else() # In case you want to test against another driver version (or branch, or commit) just pass the variable - # ie., `cmake -DDRIVER_VERSION=dev ..` if(NOT DRIVER_VERSION) - set(DRIVER_VERSION "4.0.0-rc1+driver") - set(DRIVER_CHECKSUM "SHA256=82d18ca00d245e5b7195c420b00a4c895190b6de77be0feb13b98861d749f257") + set(DRIVER_VERSION "090f4f08c341ef1bb866170deef1c6b72e7e5d43") + set(DRIVER_CHECKSUM "SHA256=8b24b8ebb83c5d0a323e5ab0d8b8858ec2ffa5b6d0496c9eab9b5c796f7ced3b") endif() # cd /path/to/build && cmake /path/to/source diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake index ebdb9b01665..0d110742338 100644 --- a/cmake/modules/falcosecurity-libs.cmake +++ b/cmake/modules/falcosecurity-libs.cmake @@ -27,8 +27,8 @@ else() # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable - # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` if(NOT FALCOSECURITY_LIBS_VERSION) - set(FALCOSECURITY_LIBS_VERSION "0.10.0-rc1") - set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=af2fcd9017d1611d3c5068405632eb3aa5cd578514ed8f06cb02ebca5556fd1d") + set(FALCOSECURITY_LIBS_VERSION "090f4f08c341ef1bb866170deef1c6b72e7e5d43") + set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=8b24b8ebb83c5d0a323e5ab0d8b8858ec2ffa5b6d0496c9eab9b5c796f7ced3b") endif() # cd /path/to/build && cmake /path/to/source From ae51c0358591ac226b7fd61e82434f2df4d63833 Mon Sep 17 00:00:00 2001 
From: Andrea Terzolo Date: Tue, 13 Dec 2022 15:51:43 +0100 Subject: [PATCH 2/5] update(ci): update ci jobs to generate Falco images with modern probe Signed-off-by: Andrea Terzolo --- .circleci/config.yml | 129 ++++++++++-------- docker/builder/README.md | 8 ++ .../builder/modern-falco-builder.Dockerfile | 42 ++++++ 3 files changed, 123 insertions(+), 56 deletions(-) create mode 100644 docker/builder/README.md create mode 100644 docker/builder/modern-falco-builder.Dockerfile diff --git a/.circleci/config.yml b/.circleci/config.yml index ff3539ea94b..7d13306662c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -3,51 +3,54 @@ jobs: "build-arm64": machine: enabled: true - image: ubuntu-2004:202101-01 + image: ubuntu-2204:2022.10.2 resource_class: arm.medium steps: - - checkout: - path: /tmp/source-arm64/falco - - run: - name: Prepare project - command: | - mkdir -p /tmp/build-arm64 && mkdir -p /tmp/build-arm64/release && \ - docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \ - falcosecurity/falco-builder:latest \ - cmake - - run: - name: Build - command: | - docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \ - falcosecurity/falco-builder:latest \ - all + + # Install dependencies to build the modern BPF probe skeleton. - run: - name: Run unit tests + name: Install deps ⛓️ command: | - docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \ - falcosecurity/falco-builder:latest \ - tests + sudo apt update + sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev + sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90 + sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90 + git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch + cd bpftool + git submodule update --init + cd src && sudo make install + + # Path to the source code + - checkout: + path: /tmp/source-arm64/falco + + # Build the skeleton - run: - name: Build packages + name: Build modern BPF skeleton 🐝 command: | - docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \ - falcosecurity/falco-builder:latest \ - package + mkdir -p /tmp/source-arm64/falco/skeleton-build + cd /tmp/source-arm64/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../ + make ProbeSkeleton + + # Build the Falco packages (tar, deb, rpm) inside the 
centos7 builder. + # This dockerfile returns as output: + # - the build directory. (under /tmp/${DEST_BUILD_DIR}) + # - the 3 packages: tar, deb, rpm. (under /tmp/packages) - run: - name: Prepare Artifacts + name: Build Falco packages 🏗️ command: | - mkdir -p /tmp/packages - cp /tmp/build-arm64/release/*.deb /tmp/packages - cp /tmp/build-arm64/release/*.tar.gz /tmp/packages - cp /tmp/build-arm64/release/*.rpm /tmp/packages + DOCKER_BUILDKIT=1 docker build -f /tmp/source-arm64/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off" --build-arg DEST_BUILD_DIR=/build-arm64/release /tmp/source-arm64/falco + - store_artifacts: path: /tmp/packages destination: /packages + - persist_to_workspace: root: /tmp paths: - build-arm64/release - source-arm64 + # Build a statically linked Falco release binary using musl # This build is 100% static, there are no host dependencies "build-musl": 
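Review bot: Nothing in the new `Install deps` step of `build-arm64` checks which bpftool commit is actually built. The tool is cloned with `--branch v7.0.0` and installed with `sudo make install` on the machine that then produces the release packages, and a git tag can be moved upstream. I would fail the step on a mismatch by adding `test "$(git rev-parse HEAD)" = "<EXPECTED_BPFTOOL_COMMIT_SHA>"` right after `cd bpftool`; the SHA is a placeholder to fill in, and the submodule revision is then fixed by that commit. The identical step is added to `build-centos7` in the next hunk and needs the same check. If the config is version 2.1, a shared `commands:` entry would keep the two copies from drifting.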
@@ -96,43 +99,57 @@ jobs: paths: - build-static/release - source-static - # Build using our own builder base image using centos 7 + # This build is static, dependencies are bundled in the Falco binary "build-centos7": - docker: - - image: falcosecurity/falco-builder:latest - environment: - BUILD_TYPE: "release" + machine: + enabled: true + image: ubuntu-2204:2022.10.2 steps: - - checkout: - path: /source/falco - - run: - name: Prepare project - command: /usr/bin/entrypoint cmake - - run: - name: Build - command: /usr/bin/entrypoint all + + # Install dependencies to build the modern BPF probe skeleton. - run: - name: Run unit tests - command: /usr/bin/entrypoint tests + name: Install deps ⛓️ + command: | + sudo apt update + sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev + sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90 + sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90 + git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch + cd bpftool + git submodule update --init + cd src && sudo make install + + # Path for the source code + - checkout: + path: /tmp/source/falco + - run: - name: Build packages - command: /usr/bin/entrypoint package - - persist_to_workspace: - root: / - paths: - - build/release - - source + name: Build modern BPF skeleton 🐝 + command: | + mkdir -p /tmp/source/falco/skeleton-build + cd /tmp/source/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../ + make ProbeSkeleton + + # Build the Falco packages (tar, deb, rpm) inside the centos7 builder. + # This dockerfile returns as output: + # - the build directory. (under /tmp/${DEST_BUILD_DIR}) + # - the 3 packages: tar, deb, rpm. 
(under /tmp/packages) - run: - name: Prepare artifacts + name: Build Falco packages 🏗️ command: | - mkdir -p /tmp/packages - cp /build/release/*.deb /tmp/packages - cp /build/release/*.tar.gz /tmp/packages - cp /build/release/*.rpm /tmp/packages + DOCKER_BUILDKIT=1 docker build -f /tmp/source/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off" --build-arg DEST_BUILD_DIR=/build/release /tmp/source/falco + - store_artifacts: path: /tmp/packages destination: /packages + + - persist_to_workspace: + root: /tmp + paths: + - build/release + - source + # Execute integration tests based on the build results coming from the "build-centos7" job "tests-integration": docker: diff --git a/docker/builder/README.md b/docker/builder/README.md new file mode 100644 index 00000000000..3081e9cde14 --- /dev/null +++ b/docker/builder/README.md @@ -0,0 +1,8 @@ +# Builder folder + +* We use `Dockerfile` to build the `centos7` Falco builder image. +* We use `modern-falco-builder.Dockerfile` to build Falco with the modern probe and return it as a Dockerfile output. This Dockerfile doesn't generate a Docker image but returns as output (through the `--output` command): + * Falco `tar.gz`. + * Falco `deb` package. + * Falco `rpm` package. + * Falco build directory, used by other CI jobs. diff --git a/docker/builder/modern-falco-builder.Dockerfile b/docker/builder/modern-falco-builder.Dockerfile new file mode 100644 index 00000000000..9221ce3b81a --- /dev/null +++ b/docker/builder/modern-falco-builder.Dockerfile 
@@ -0,0 +1,42 @@ + +FROM centos:7 AS build-stage + +# To build Falco you need to pass the cmake option +ARG CMAKE_OPTIONS="" +ARG MAKE_JOBS=4 + +# Install all the dependencies +WORKDIR / + +RUN yum -y install centos-release-scl; \ + yum -y install devtoolset-8-gcc devtoolset-8-gcc-c++; \ + source scl_source enable devtoolset-8; \ + yum install -y git wget make m4 rpm-build + +# With some previous cmake versions it fails when downloading `zlib` with curl in the libs building phase +RUN curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz; \ + gzip -d /tmp/cmake.tar.gz; \ + tar -xpf /tmp/cmake.tar --directory=/tmp; \ + cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr; \ + rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/ + +# Copy Falco folder from the build context +COPY . /source +WORKDIR /build/release + +# We need `make tests` and `make all` for integration tests. +RUN source scl_source enable devtoolset-8; \ + cmake ${CMAKE_OPTIONS} /source; \ + make falco -j${MAKE_JOBS}; \ + make package; \ + make tests -j${MAKE_JOBS}; \ + make all -j${MAKE_JOBS} + +FROM scratch AS export-stage + +ARG DEST_BUILD_DIR="/build" + +COPY --from=build-stage /build/release/falco-*.tar.gz /packages/ +COPY --from=build-stage /build/release/falco-*.deb /packages/ +COPY --from=build-stage /build/release/falco-*.rpm /packages/ +COPY --from=build-stage /build/release/ ${DEST_BUILD_DIR} From cf39d87ec0dd1bcd7f03f5b78fbb0be289498e8e Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Tue, 13 Dec 2022 22:45:50 +0100 Subject: [PATCH 3/5] update(ci): support modern bpf with musl build Signed-off-by: Andrea Terzolo --- .circleci/config.yml | 6 +++--- cmake/modules/driver.cmake | 4 ++-- cmake/modules/falcosecurity-libs.cmake | 4 ++-- test/CMakeLists.txt | 6 ++++-- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 7d13306662c..920eb595b6d 100644 
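Review bot: The build `RUN` chains `cmake`, `make falco`, `make package`, `make tests` and `make all` with `;`, so only the last command's exit status decides whether the layer succeeds. A failing `make tests` is therefore masked whenever `make all` passes, and the dedicated unit-test steps were removed from the CI jobs that now use this file. The yum and CMake-download `RUN`s have the same shape, and the CMake tarball is copied into `/usr` without `curl -f` or a digest check, so an error page or an altered archive is not caught at download time. I would chain with `&&` and verify a SHA256 before extracting. In the sketch below `CMAKE_SHA256` is a new build argument that the CI jobs would have to pass for each architecture.

```dockerfile
# … unchanged: FROM, ARG CMAKE_OPTIONS / MAKE_JOBS, WORKDIR, yum RUN (same `;` -> `&&` change applies) …

# Placeholder build argument: pass the published SHA256 of the tarball for the target architecture.
ARG CMAKE_SHA256
RUN curl -fsSL -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz && \
    echo "${CMAKE_SHA256}  /tmp/cmake.tar.gz" | sha256sum -c - && \
    gzip -d /tmp/cmake.tar.gz && \
    tar -xpf /tmp/cmake.tar --directory=/tmp && \
    cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr && \
    rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/

# … unchanged: COPY . /source, WORKDIR /build/release …

# Chained with && so that any failing step, including `make tests`, fails the image build.
RUN source scl_source enable devtoolset-8 && \
    cmake ${CMAKE_OPTIONS} /source && \
    make falco -j${MAKE_JOBS} && \
    make package && \
    make tests -j${MAKE_JOBS} && \
    make all -j${MAKE_JOBS}

# … unchanged: export-stage …
```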
--- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -55,7 +55,7 @@ jobs: # This build is 100% static, there are no host dependencies "build-musl": docker: - - image: alpine:3.12 + - image: alpine:3.17 steps: - checkout: path: /source-static/falco @@ -64,13 +64,13 @@ jobs: command: apk update - run: name: Install build dependencies - command: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils + command: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang - run: name: Prepare project command: | mkdir -p /build-static/release cd /build-static/release - cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco + cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco - run: name: Build command: | diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake index d15702d52f2..cbc023ca597 100644 --- a/cmake/modules/driver.cmake +++ b/cmake/modules/driver.cmake @@ -26,8 +26,8 @@ else() # In case you want to test against another driver version (or branch, or commit) just pass the variable - # ie., `cmake -DDRIVER_VERSION=dev ..` if(NOT DRIVER_VERSION) - set(DRIVER_VERSION "090f4f08c341ef1bb866170deef1c6b72e7e5d43") - set(DRIVER_CHECKSUM "SHA256=8b24b8ebb83c5d0a323e5ab0d8b8858ec2ffa5b6d0496c9eab9b5c796f7ced3b") + set(DRIVER_VERSION "4.0.0+driver") + set(DRIVER_CHECKSUM "SHA256=0f71a4e4492847ce6ca35fe6f9ecdf682f603c878397e57d7628a0cd60a29aed") endif() # cd /path/to/build && cmake /path/to/source 
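Review bot: The musl job's `Prepare project` command turns the modern probe on with `-DBUILD_LIBSCAP_MODERN_BPF=ON`, while the `build-arm64` and `build-centos7` jobs from the previous patch pass `-DBUILD_FALCO_MODERN_BPF=ON`. From this diff alone it is not clear that the two options are equivalent. If the Falco-level option also gates Falco's own build of the feature, the static binary may end up configured differently from the packaged ones. Either use the same option here, or add a short YAML comment above the command saying why the libs-level flag is intended for the static build.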
diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake index 0d110742338..926e86223a1 100644 --- a/cmake/modules/falcosecurity-libs.cmake +++ b/cmake/modules/falcosecurity-libs.cmake @@ -27,8 +27,8 @@ else() # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable - # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` if(NOT FALCOSECURITY_LIBS_VERSION) - set(FALCOSECURITY_LIBS_VERSION "090f4f08c341ef1bb866170deef1c6b72e7e5d43") - set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=8b24b8ebb83c5d0a323e5ab0d8b8858ec2ffa5b6d0496c9eab9b5c796f7ced3b") + set(FALCOSECURITY_LIBS_VERSION "0.10.0") + set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=08863e345668e984e5d00db4ff02540a52d739a8b2792046615dff4bfbc0459d") endif() # cd /path/to/build && cmake /path/to/source diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index bfc5c268755..980a2dfffe6 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -1,4 +1,6 @@ add_subdirectory(trace_files) -add_subdirectory(plugins) -add_subdirectory(confs/plugins) +if(NOT MUSL_OPTIMIZED_BUILD) + add_subdirectory(plugins) + add_subdirectory(confs/plugins) +endif() From bb33841d1f8a5833122041282a6009ce7c48f9d9 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Fri, 16 Dec 2022 12:18:13 +0100 Subject: [PATCH 4/5] ci: bump resource class Signed-off-by: Andrea Terzolo --- .circleci/config.yml | 3 ++- docker/builder/modern-falco-builder.Dockerfile | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 920eb595b6d..5e72f7bf7e2 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -4,7 +4,7 @@ jobs: machine: enabled: true image: ubuntu-2204:2022.10.2 - resource_class: arm.medium + resource_class: arm.large steps: # Install dependencies to build the modern BPF probe skeleton. 
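Review bot: The new `if(NOT MUSL_OPTIMIZED_BUILD)` guard in `test/CMakeLists.txt` drops `plugins` and `confs/plugins` from the musl build without saying why, so it is easy to misread as accidental. A one-line comment above the `if` would help, for example `# Plugin test fixtures are skipped for the static musl build (reason: <state it here>)`. Presumably the static binary cannot build or load the shared plugin libraries, but that is not visible in this patch and should be confirmed before it is written down.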
@@ -105,6 +105,7 @@ jobs: machine: enabled: true image: ubuntu-2204:2022.10.2 + resource_class: large steps: # Install dependencies to build the modern BPF probe skeleton. diff --git a/docker/builder/modern-falco-builder.Dockerfile b/docker/builder/modern-falco-builder.Dockerfile index 9221ce3b81a..192cc82c403 100644 --- a/docker/builder/modern-falco-builder.Dockerfile +++ b/docker/builder/modern-falco-builder.Dockerfile @@ -3,7 +3,7 @@ FROM centos:7 AS build-stage # To build Falco you need to pass the cmake option ARG CMAKE_OPTIONS="" -ARG MAKE_JOBS=4 +ARG MAKE_JOBS=6 # Install all the dependencies WORKDIR / From f5a7597993cbedc944e58b8b3164d85b2c736179 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Fri, 16 Dec 2022 13:24:40 +0100 Subject: [PATCH 5/5] update(ci): bump also `musl` job Signed-off-by: Andrea Terzolo --- .circleci/config.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 5e72f7bf7e2..ff81a336bd2 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -56,6 +56,7 @@ jobs: "build-musl": docker: - image: alpine:3.17 + resource_class: large steps: - checkout: path: /source-static/falco @@ -75,12 +76,12 @@ jobs: name: Build command: | cd /build-static/release - make -j4 all + make -j6 all - run: name: Package command: | cd /build-static/release - make -j4 package + make -j6 package - run: name: Run unit tests command: |