diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6f6d83f8d65..e41ac53c6a9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,13 +33,15 @@ jobs:
 test-dev-packages:
 needs: [fetch-version, build-dev-packages]
 uses: ./.github/workflows/reusable_test_packages.yaml
- strategy:
- fail-fast: false
- matrix:
- static: ["static", ""]
+ # The musl build job is currently disabled because we link libelf dynamically and it is
+ # not possible to dynamically link with musl
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # static: ["static", ""]
 with:
 arch: x86_64
- static: ${{ matrix.static != '' && true || false }}
+ # static: ${{ matrix.static != '' && true || false }}
 version: ${{ needs.fetch-version.outputs.version }}
 test-dev-packages-arm64:
diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index 2068547d268..37f9ed8c04b 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -31,13 +31,15 @@ jobs:
 test-dev-packages:
 needs: [fetch-version, build-dev-packages]
 uses: ./.github/workflows/reusable_test_packages.yaml
- strategy:
- fail-fast: false
- matrix:
- static: ["static", ""]
+ # The musl build job is currently disabled because we link libelf dynamically and it is
+ # not possible to dynamically link with musl
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # static: ["static", ""]
 with:
 arch: x86_64
- static: ${{ matrix.static != '' && true || false }}
+ # static: ${{ matrix.static != '' && true || false }}
 version: ${{ needs.fetch-version.outputs.version }}
 test-dev-packages-arm64:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c1aa2f261eb..af05dd2b527 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
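Review bot: Commenting out the `strategy` matrix leaves the `static` input unset in the `with:` block of the `test-dev-packages` call, so the job now depends on `reusable_test_packages.yaml` declaring `static` with a default; if that input is `required: true` the caller will fail workflow validation, which cannot be confirmed from this hunk. A commented-out block also drifts silently once the reusable workflow's inputs change; prefer deleting the dead lines and keeping a single pointer, e.g. `# musl/static test matrix disabled while libelf is linked dynamically (see build-musl-package); re-enable once a static libelf build exists`, ideally with a tracking issue. The same applies to the identical hunk in master.yaml.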
@@ -69,13 +69,16 @@ jobs:
 test-packages:
 needs: [release-settings, build-packages]
 uses: ./.github/workflows/reusable_test_packages.yaml
- strategy:
- fail-fast: false
- matrix:
- static: ["static", ""]
+
+ # The musl build job is currently disabled because we link libelf dynamically and it is
+ # not possible to dynamically link with musl
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # static: ["static", ""]
 with:
 arch: x86_64
- static: ${{ matrix.static != '' && true || false }}
+ # static: ${{ matrix.static != '' && true || false }}
 version: ${{ github.event.release.tag_name }}
 test-packages-arm64:
diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
index 5b818b6de22..14b7444478e 100644
--- a/.github/workflows/reusable_build_packages.yaml
+++ b/.github/workflows/reusable_build_packages.yaml
@@ -20,7 +20,7 @@ jobs:
 # Always install deps before invoking checkout action, to properly perform a full clone.
 - name: Install build dependencies
 run: |
- dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+ dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel elfutils-libelf-devel
 - name: Checkout
 uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -50,7 +50,7 @@ jobs:
 yum -y install centos-release-scl
 yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
 source /opt/rh/devtoolset-9/enable
- yum install -y wget git make m4 rpm-build perl-IPC-Cmd
+ yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd
 - name: Checkout
 # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
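Review bot: Adding `elfutils-libelf-devel` to the `dnf install` line satisfies the configure-time link, but with libelf now linked dynamically the `falco-*.rpm`/`.deb` artifacts produced by this job carry a new runtime dependency on the system libelf shared library, and nothing in this diff shows the package metadata (`Requires:` / `Depends:`) declaring it. Confirm the CPack/spec configuration adds `elfutils-libs` / `libelf1` (or equivalent), otherwise the package installs cleanly on a minimal host and Falco fails at startup with an unresolved shared object. Separately, the line installs whatever libelf the distro repository serves at build time with no version pinning, so the library version each release is linked against is not reproducible; at minimum print `rpm -q elfutils-libelf-devel` into the build log so it can be matched against advisories. The same applies to the centos 7 `yum install` hunk below.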
@@ -118,9 +118,12 @@ jobs:
 path: |
 ${{ github.workspace }}/build/falco-*.rpm
+ # The musl build job is currently disabled because we link libelf dynamically and it is
+ # not possible to dynamically link with musl
 build-musl-package:
 # x86_64 only for now
- if: ${{ inputs.arch == 'x86_64' }}
+ # if: ${{ inputs.arch == 'x86_64' }}
+ if: false
 runs-on: ubuntu-latest
 container: alpine:3.17
 steps:
diff --git a/.github/workflows/reusable_fetch_version.yaml b/.github/workflows/reusable_fetch_version.yaml
index 0217ef63091..458c15781d4 100644
--- a/.github/workflows/reusable_fetch_version.yaml
+++ b/.github/workflows/reusable_fetch_version.yaml
@@ -31,7 +31,7 @@ jobs:
 - name: Configure project
 run: |
 mkdir build && cd build
- cmake -DUSE_BUNDLED_DEPS=On ..
+ cmake -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off ..
 - name: Load and store Falco version output
 id: store_version
diff --git a/.github/workflows/reusable_publish_packages.yaml b/.github/workflows/reusable_publish_packages.yaml
index 530e5dd8418..11b0bf4fa0e 100644
--- a/.github/workflows/reusable_publish_packages.yaml
+++ b/.github/workflows/reusable_publish_packages.yaml
@@ -65,7 +65,10 @@ jobs:
 name: falco-${{ inputs.version }}-aarch64.tar.gz
 path: /tmp/falco-build-bin
+ # The musl build job is currently disabled because we link libelf dynamically and it is
+ # not possible to dynamically link with musl
 - name: Download static binary x86_64
+ if: false
 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-${{ inputs.version }}-static-x86_64.tar.gz
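Review bot: The `if: false` on "Download static binary x86_64" keeps a live reference to `falco-${{ inputs.version }}-static-x86_64.tar.gz`, an artifact that `build-musl-package` (also `if: false` in this commit) no longer uploads, so the download, the publish step and the build job are only consistent while all three literals are edited together. Gating them on one shared condition — a workflow input such as `if: ${{ inputs.publish_static }}` on each step, or a job-level `needs` on the musl job — keeps them in lock-step when the static build returns, and avoids a publish run that fails at the download step if only one `false` is flipped back. Whether the reusable workflow already exposes such an input cannot be seen from this hunk.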
@@ -89,8 +92,11 @@ jobs:
 run: |
 ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
 ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
-
+
+ # The musl build job is currently disabled because we link libelf dynamically and it is
+ # not possible to dynamically link with musl
 - name: Publish static
+ if: false
 run: |
 ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
diff --git a/.github/workflows/staticanalysis.yaml b/.github/workflows/staticanalysis.yaml
index 1186c9e0bd6..43868cffd8f 100644
--- a/.github/workflows/staticanalysis.yaml
+++ b/.github/workflows/staticanalysis.yaml
@@ -20,7 +20,7 @@ jobs:
 - name: Build and run cppcheck 🏎️
 run: |
 mkdir build
- cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
+ cd build && cmake -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
 make -j4 cppcheck
 make -j4 cppcheck_htmlreport
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5b0c74d7856..bb593992449 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -16,6 +16,7 @@ cmake_minimum_required(VERSION 3.5.1)
 project(falco)
 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
+option(USE_DYNAMIC_LIBELF "Dynamically link libelf" ON)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
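Review bot: `USE_DYNAMIC_LIBELF` defaults to ON, and the comments added throughout this commit say a dynamically linked libelf cannot be combined with musl, yet nothing rejects `MUSL_OPTIMIZED_BUILD=ON` together with `USE_DYNAMIC_LIBELF=ON`; a user building the musl variant with defaults gets a link failure deep inside the libs build instead of a clear configure-time error. Add a guard after the option declarations, e.g. `if(MUSL_OPTIMIZED_BUILD AND USE_DYNAMIC_LIBELF)` / `message(FATAL_ERROR "USE_DYNAMIC_LIBELF is not supported with MUSL_OPTIMIZED_BUILD; configure with -DUSE_DYNAMIC_LIBELF=Off")` / `endif()`. The help string should also state what the flag implies for operators, e.g. `"Link the system libelf instead of the bundled copy (adds a runtime dependency on libelf; not supported with MUSL_OPTIMIZED_BUILD)"`, because whether libelf is bundled decides who ships its security fixes — the distro or the Falco release.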
diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake index 5b6c653e5a2..fc9bb128b2c 100644 --- a/cmake/modules/driver.cmake +++ b/cmake/modules/driver.cmake @@ -34,8 +34,8 @@ else() # In case you want to test against another driver version (or branch, or commit) just pass the variable - # ie., `cmake -DDRIVER_VERSION=dev ..` if(NOT DRIVER_VERSION) - set(DRIVER_VERSION "bfbc0076b4dd52054f858cc45e98f1fdd9a91010") - set(DRIVER_CHECKSUM "SHA256=e987fef047925171be1f599e15e7ab0f5afc88a19596518bcaebd5dc9c3c81ef") + set(DRIVER_VERSION "9cd289cb27efb94ad47c4598f976253151dd3f62") + set(DRIVER_CHECKSUM "SHA256=b380f5bc1e0e2f21d82023ff361ac60bea3e4de336e3ec94b98618b5c58290a2") endif() # cd /path/to/build && cmake /path/to/source diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake index 07bb0a1eaf9..dff89949dca 100644 --- a/cmake/modules/falcosecurity-libs.cmake +++ b/cmake/modules/falcosecurity-libs.cmake @@ -35,8 +35,8 @@ else() # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable - # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` if(NOT FALCOSECURITY_LIBS_VERSION) - set(FALCOSECURITY_LIBS_VERSION "bfbc0076b4dd52054f858cc45e98f1fdd9a91010") - set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=e987fef047925171be1f599e15e7ab0f5afc88a19596518bcaebd5dc9c3c81ef") + set(FALCOSECURITY_LIBS_VERSION "9cd289cb27efb94ad47c4598f976253151dd3f62") + set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b380f5bc1e0e2f21d82023ff361ac60bea3e4de336e3ec94b98618b5c58290a2") endif() # cd /path/to/build && cmake /path/to/source 
@@ -87,6 +87,10 @@ set(USE_BUNDLED_NLOHMANN_JSON ON CACHE BOOL "")
 set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
 set(USE_BUNDLED_RE2 ON CACHE BOOL "")
 set(USE_BUNDLED_UTHASH ON CACHE BOOL "")
+if(USE_DYNAMIC_LIBELF)
+ set(USE_BUNDLED_LIBELF OFF CACHE BOOL "")
+ set(USE_SHARED_LIBELF ON CACHE BOOL "")
+endif()
 list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
diff --git a/docker/no-driver/Dockerfile b/docker/no-driver/Dockerfile
index f1d3213ae70..e3fa571b92a 100644
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -28,7 +28,7 @@ LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
-RUN apt-get -y update && apt-get -y install ca-certificates curl jq \
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \
 && apt clean -y && rm -rf /var/lib/apt/lists/*
 ENV HOST_ROOT /host
diff --git a/docker/no-driver/Dockerfile.distroless b/docker/no-driver/Dockerfile.distroless
index 9900cc3c4cf..2e99771eb77 100644
--- a/docker/no-driver/Dockerfile.distroless
+++ b/docker/no-driver/Dockerfile.distroless
@@ -6,7 +6,7 @@ ARG VERSION_BUCKET=bin
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
-RUN apk update && apk add build-base gcc curl ca-certificates jq
+RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils
 WORKDIR /
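Review bot: The two `set(... CACHE BOOL "")` calls inside `if(USE_DYNAMIC_LIBELF)` have no `FORCE` and there is no `else()` branch, so they only take effect on a fresh cache: reconfiguring an existing build directory with `-DUSE_DYNAMIC_LIBELF=Off` leaves `USE_BUNDLED_LIBELF=OFF` / `USE_SHARED_LIBELF=ON` from the previous run in CMakeCache.txt, and the build silently keeps linking the system libelf while the user believes it is bundled. Make the option authoritative in both directions, e.g. `else()` / `set(USE_BUNDLED_LIBELF ON CACHE BOOL "" FORCE)` / `set(USE_SHARED_LIBELF OFF CACHE BOOL "" FORCE)` before the existing `endif()`, and add `FORCE` to the two sets above so a cached value from a prior configure cannot override the flag. How the libs build itself declares these two variables is outside this hunk, so confirm that `FORCE` here does not clobber an intentional override there.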
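Review bot: `apt-get -y install ca-certificates curl jq libelf1` also pulls in every recommended package of those four, which for an image that runs `--privileged` per the usage label is surface nobody audits; `apt-get -y install --no-install-recommends ca-certificates curl jq libelf1` keeps the runtime layer to exactly the listed packages. Since libelf1 is now a hard runtime dependency of the Falco binary, consider pinning it (`libelf1=<version>`) or at least printing `dpkg -s libelf1 | grep Version` during the build so the shipped library can be matched against advisories; the base image tag is outside this hunk, so whether the rest of the layer is reproducible cannot be judged here.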
@@ -21,7 +21,7 @@ RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
 && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
-FROM cgr.dev/chainguard/glibc-dynamic
+FROM cgr.dev/chainguard/wolfi-base
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
@@ -29,6 +29,8 @@ LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
+RUN apk update && apk add libelf
+
 ENV HOST_ROOT /host
 ENV HOME /root
diff --git a/userspace/engine/falco_engine_version.h b/userspace/engine/falco_engine_version.h
index fe4bab91ffd..932249c4dc4 100644
--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
@@ -20,7 +20,7 @@ limitations under the License.
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 32
+#define FALCO_ENGINE_VERSION_MINOR 33
 #define FALCO_ENGINE_VERSION_PATCH 0
 #define FALCO_ENGINE_VERSION \
@@ -34,4 +34,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "b5e45959d248f7c28ad51ac12962150770770d1dd4506e8f7aa90d68ba670c12"
+#define FALCO_ENGINE_CHECKSUM "6de427ad72fad5911239683aa6627833f8006a2350808730c436a85fc8648a9a"
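Review bot: Replacing `FROM cgr.dev/chainguard/glibc-dynamic` with `FROM cgr.dev/chainguard/wolfi-base` for the final stage means the image built from `Dockerfile.distroless` is no longer distroless: wolfi-base ships busybox and apk-tools, exactly the tooling an attacker who lands in a `--privileged` Falco container (see the usage label) would want, and the filename now misdescribes what is shipped. If the only reason for the switch is libelf, keep `glibc-dynamic` and copy the library out of the builder stage instead — the builder already installs `elfutils` earlier in this file — with something like `COPY --from=<builder stage> /usr/lib/libelf.so.1* /usr/lib/` (exact path to be confirmed against the wolfi package). Whichever base is kept, pin it by digest (`FROM cgr.dev/chainguard/<image>@sha256:…`) so the runtime layer is reproducible and attestable rather than whatever the floating tag resolves to on the day of the build.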
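Review bot: `RUN apk update && apk add libelf` in the final stage leaves the fetched package index in `/var/cache/apk` inside the runtime layer and resolves `libelf` to whatever the index serves at build time, so two builds of the same commit can ship different libelf versions. Use `RUN apk add --no-cache libelf` (which drops the separate `apk update` and the cached index) and pin the package, `apk add --no-cache libelf=<version>-r<release>`, or at least emit `apk info -v libelf` in the build log so the shipped library can be matched against advisories. Keeping the layer minimal matters more than usual here because the image is documented to run `--privileged`.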