update!: bump libs version, and support latest plugin features, add --nodriver option #2552
Conversation
|
/milestone 0.35.0 |
| @@ -147,6 +149,19 @@ bool options::parse(int argc, char **argv, std::string &errstr) | |||
|
|
|||
| list_fields = m_cmdline_parsed.count("list") > 0 ? true : false; | |||
|
|
|||
| int open_modes = 0; | |||
| open_modes += !trace_filename.empty(); | |||
There was a problem hiding this comment.
it seems like a joke that every engine is opened in a different way but that's the sad truth 😂 maybe one day we will us an enum
| @@ -117,7 +117,7 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state& | |||
| auto manager = s.offline_inspector->get_plugin_manager(); | |||
| for (const auto &p : manager->plugins()) | |||
| { | |||
| if (p->caps() & CAP_SOURCING) | |||
| if (p->caps() & CAP_SOURCING && p->id() != 0) | |||
There was a problem hiding this comment.
this check is used in more than one place probably at a certain point we could create an helper for it
There was a problem hiding this comment.
I agree, i think a small method would help making the code more readable.
|
LGTM label has been added. Git tree hash: cc849d088cf43451e1403e2cb3069136d442da7a
|
jasondellaluce
force-pushed
the
update/libs-sync
branch
from
87a73e1 to
d0e2670
Compare
…34bc8f5aef Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
…ourcing system events Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
jasondellaluce
force-pushed
the
update/libs-sync
branch
from
d0e2670 to
40d6683
Compare
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
jasondellaluce
force-pushed
the
update/libs-sync
branch
from
40d6683 to
9dc5362
Compare
|
LGTM label has been added. Git tree hash: 44081af7b5289184c96f2f74b475bcc666d9de2c
|
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
| && r.warn_evttypes) | ||
| auto evttypes = libsinsp::filter::ast::ppm_event_codes(ast.get()); | ||
| evttypes.insert(ppm_event_code::PPME_ASYNCEVENT_E); | ||
| if ((evttypes.empty() || evttypes.size() > 100) && r.warn_evttypes) |
There was a problem hiding this comment.
evvtypes.empty() can't ever be true here since we've just added PPME_ASYNCEVENT_E, right?
There was a problem hiding this comment.
Good catch, thanks!
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
|
LGTM label has been added. Git tree hash: a179f875a2c7dc5f3ff3451aa27cd65365b080c5
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, FedeDP, jasondellaluce The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind cleanup
/kind feature
Any specific area of the project related to this PR?
/area build
/area engine
What this PR does / why we need it:
This PR updates the libs and driver dependencies to the latest mainline of falcosecurity/libs. This brings in all the latest changes of the plugin framework, including the new plugin API major version change 3.0.0 (which can be seen as a breaking changes, old plugins based on the API 2.X.X will be rejected by future Falco versions).
This also supports plugins with the new event parsing and async events capabilities. Accordingly, a new
--nodriveroption has been introduced to open live captures without drivers. This can be used when loading with plugins generating system events to instruct Falco about using the plugins for the system events capture instead of one of the drivers.Also, this carries a couple of fixes in Falco, such as properly constructing the config object (which caused spurious test failures), and making all the different open options mutually exclusive (e.g.
-u,--moder-bpf, etc...).Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?: