From 786ccf7f2aacc58ae004abb1b143ef8236491ac5 Mon Sep 17 00:00:00 2001 From: Ariadne Conill Date: Wed, 29 Nov 2023 16:01:35 -0800 Subject: [PATCH 1/8] falco: build with BPF driver Signed-off-by: Ariadne Conill --- falco.yaml | 133 ++++++++++++++++++++++++++++-------------- falco/tbb.patch | 15 ++++++ 2 files changed, 92 insertions(+), 56 deletions(-) create mode 100644 falco/tbb.patch
diff --git a/falco.yaml b/falco.yaml
index 28d48239c48..08522e5bb16 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -12,57 +12,51 @@ package:
 environment:
 contents:
 packages:
+ - abseil-cpp-dev
+ - autoconf
+ - automake
+ - bash
+ - binutils
+ - bpftool
 - build-base
 - busybox
+ - c-ares-dev
 - ca-certificates-bundle
- - clang-16
- - gcc
+ - clang-16-dev
 - cmake
- - make
+ - curl-dev
+ - elfutils-dev
 - git
- - bash
- - perl
+ - grpc-dev
+ - icu-dev
+ - jsoncpp-dev
+ - jq-dev
+ - libbpf-dev
+ - libcurl-openssl4
+ - libelf
+ - libsystemd
+ - libtbb-dev
+ - libtool
+ - libzstd1
 - linux-headers
- - autoconf
- - automake
+ - llvm16
 - m4
- - libtool
- - elfutils-dev
- - libelf
- - libelf-static
- - patch
- - binutils
- - libbpf
- - openssl
+ - make
 - openssl-dev
- - yaml-dev
- - c-ares
- - c-ares-dev
- - protobuf
+ - patch
+ - perl
 - protobuf-dev
- - protobuf-c-dev
- - re2
 - re2-dev
- - zlib-dev
- - libcurl-openssl4
- - llvm16
- - abseil-cpp
- - abseil-cpp-dev
- - abseillib
- - jq-dev
- - curl-dev
- - grpc
- - grpc-dev
- - icu
- - icu-dev
- - yaml-cpp
- - yaml-cpp-dev
 - systemd-dev
- - libsystemd
- - libzstd1
+ - yaml-cpp-dev
+ - yaml-dev
+ - zlib-dev
 - zstd
 - zstd-dev
- - libtbb-dev
+ # TODO: Believe these are needed for 'make sinsp' to succeed.
+ - tinydir
+ - uthash
+ - valijson
 pipeline:
 - uses: git-checkout
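Review bot: The comment `# TODO: Believe these are needed for 'make sinsp' to succeed.` above `tinydir`, `uthash` and `valijson` records a guess rather than a verified requirement, and those three are also the only entries left out of the otherwise alphabetical order. With `-DUSE_BUNDLED_DEPS=OFF` set in the cmake hunk later in this commit, a genuinely missing dependency should fail the configure step, so the need can be confirmed quickly and the comment replaced with a plain statement such as `# required by libsinsp when USE_BUNDLED_DEPS=OFF`, with the entries moved into sorted position. `libcurl-openssl4`, `libelf`, `libsystemd` and `libzstd1` are runtime libraries listed next to `curl-dev`, `elfutils-dev`, `systemd-dev` and `zstd-dev`; if the `-dev` packages already depend on them they are redundant here, which is worth checking so the list reflects what the build actually needs.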
@@ -72,37 +66,64 @@ pipeline:
 expected-commit: 1b62b5ccd1c64cd972ef0252262075cbf42a130c
 recurse-submodules: true
- - runs: |
- # Replace the find_dependency with find_package macro for newer cmake, otherwise it will fail.
- sed -i 's/find_dependency(Protobuf CONFIG)/find_package(Protobuf CONFIG)/' /usr/lib64/cmake/grpc/gRPCConfig.cmake
+ - uses: patch
+ with:
+ # to prevent usage of vendored tbb
+ patches: tbb.patch
 - runs: |
 mkdir -p "${{targets.destdir}}"/etc/falco
 install -Dm755 ./falco.yaml "${{targets.destdir}}"/etc/falco/falco.yaml
- sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < "${{targets.destdir}}"/etc/falco/falco.yaml
- - working-directory: build
+ - runs: |
+ sed -i '165s/${FALCO_LIBRARIES}/${FALCO_LIBRARIES} zstd/' userspace/falco/CMakeLists.txt
+
+ - working-directory: /home/build/build
+ # NOTE: These flags have been specifically set. Do not go changing these
+ # as part of development! They need to be set as they are.
+ # TODO: REMOVE THIS COMMENT ABOVE BEFORE MERGING
 pipeline:
 - runs: |
- cmake \
- -DCMAKE_INSTALL_PREFIX=/usr \
- -DCMAKE_INSTALL_LIBDIR=/usr/lib \
- -DFALCO_ETC_DIR=/etc/falco \
- -DCMAKE_BUILD_TYPE=Release \
- -DUSE_BUNDLED_DEPS=Off \
- -DMINIMAL_BUILD=On \
- -DBUILD_DRIVER=On \
- -DBUILD_FALCO_MODERN_BPF=Off \
- -DBUILD_BPF=Off \
- ..
+ cmake \
+ -Wno-dev \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DCMAKE_INSTALL_LIBDIR=lib \
+ -DCMAKE_BUILD_TYPE=MinSizeRel \
+ -DUSE_BUNDLED_TBB=OFF \
+ -DUSE_BUNDLED_RE2=OFF \
+ -DUSE_BUNDLED_JSONCPP=OFF \
+ -DBUILD_FALCO_MODERN_BPF=ON \
+ -DBUILD_STATIC_LIBS=OFF \
+ -DUSE_BUNDLED_DEPS=OFF \
+ -DBUILD_SHARED_LIBS=ON \
+ -DBUILD_DRIVER=OFF \
+ -DFALCOSECURITY_SHARED_LIBS_VERSION=0 \
+ -DFALCOSECURITY_SHARED_LIBS_SOVERSION=0 \
+ ..
- runs: |
- make falco
+ make falco -j$(nproc)
+ make install PREFIX="/usr" DESTDIR="${{targets.destdir}}"
 install -Dm755 ./userspace/falco/falco "${{targets.destdir}}"/usr/bin/falco
+ - runs: |
+ mv "${{targets.destdir}}"/usr/lib/falcosecurity/* "${{targets.destdir}}"/usr/lib/
+ rm -rf "${{targets.destdir}}"/usr/lib/falcosecurity/
 - uses: strip
+subpackages:
+ - name: falco-dev
+ description: Falco development headers
+ pipeline:
+ - uses: split/dev
+
+ - name: falco-src
+ description: Falco kernel module sources
+ pipeline:
+ - runs: |
+ mkdir -p "${{targets.contextdir}}"/usr
+ mv "${{targets.destdir}}"/usr/src "${{targets.contextdir}}"/usr/src
+
 update:
 enabled: true
 github:
 identifier: falcosecurity/falco
- strip-prefix: v
diff --git a/falco/tbb.patch b/falco/tbb.patch
new file mode 100644
index 00000000000..25b1f9ee3cb
--- /dev/null
+++ b/falco/tbb.patch
@@ -0,0 +1,15 @@
+diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt
+index 973655f2..c1771319 100644
+--- a/userspace/falco/CMakeLists.txt
++++ b/userspace/falco/CMakeLists.txt
+@@ -83,6 +83,9@@ set(
+ FALCO_LIBRARIES
+ falco_engine
+ sinsp
++ "${JSONCPP_LIB}"
++ "${TBB_LIB}"
++ "${RE2_LIB}"
+ "${YAMLCPP_LIB}"
+ )
+
+
From cc0729ac07841721ab1757bd131ba27635ad30d3 Mon Sep 17 00:00:00 2001 From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com> Date: Thu, 30 Nov 2023 00:07:39 +0000 Subject: [PATCH 2/8] py3-botocore/1.33.3 package update --- py3-botocore.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/py3-botocore.yaml b/py3-botocore.yaml
index 2760b66bf0f..123b0521362 100644
--- a/py3-botocore.yaml
+++ b/py3-botocore.yaml
@@ -1,6 +1,6 @@
 package:
 name: py3-botocore
- version: 1.33.2
+ version: 1.33.3
 epoch: 0
 description: "The low-level, core functionality of Boto3"
 copyright:
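Review bot: The new step `sed -i '165s/${FALCO_LIBRARIES}/${FALCO_LIBRARIES} zstd/' userspace/falco/CMakeLists.txt` addresses the edit by line number, so sed exits 0 and changes nothing if line 165 is not the line expected, and the `patch` step that now runs before it inserts three lines into the same file's `FALCO_LIBRARIES` block (see `falco/tbb.patch`), which shifts the numbering unless 165 was already computed against the patched file. Since tbb.patch already edits that `set(FALCO_LIBRARIES ...)` list, adding `zstd` there — or anchoring the sed on a pattern and following it with `grep -q ' zstd' userspace/falco/CMakeLists.txt` — makes a mismatch fail the build visibly instead of silently linking without zstd. The block ending in `# TODO: REMOVE THIS COMMENT ABOVE BEFORE MERGING` is still present in this revision; either drop the `NOTE`/`TODO` lines or replace them with a one-line reason the flags are fixed. The `falco-src` subpackage moves `usr/src` unconditionally while the cmake invocation sets `-DBUILD_DRIVER=OFF`; if no driver sources are installed in that configuration the `mv` aborts the build, so the path should be confirmed or guarded. Removing `strip-prefix: v` from the `update` block also looks unintended: if the `git-checkout` step (its `tag:` line is outside this hunk) uses `v${{package.version}}`, the update bot will now propose versions carrying the `v` prefix.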
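Review bot: The hunk header in the new patch file, `@@ -83,6 +83,9@@ set(`, is missing the space before the closing `@@`; some patch tools tolerate this, but stricter parsers such as `git apply` expect the exact ` @@` delimiter, so normalizing it to `@@ -83,6 +83,9 @@ set(` avoids depending on which tool the `patch` pipeline step uses. The patch also pins the upstream block at line 83 in a file that moves between Falco releases, so it is only the `expected-commit` in `git-checkout` that keeps it applying; noting that in the `# to prevent usage of vendored tbb` comment (for example `# to prevent usage of vendored tbb; re-check against CMakeLists.txt on each version bump`) helps the next bump.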
@@ -27,7 +27,7 @@ pipeline:
 - uses: fetch
 with:
 uri: https://files.pythonhosted.org/packages/source/b/botocore/botocore-${{package.version}}.tar.gz
- expected-sha256: 16a30faac6e6f17961c009defb74ab1a3508b8abc58fab98e7cf96af0d91ea84
+ expected-sha256: 462528fc8dc1953bc19841fd2ccee1626ec8f5b13d9e451e13452c71de2fe0dc
 - runs: |
 python3 setup.py build
From 1de27bc5ec9cb5ca44977ce50a1bdc2a48f7c635 Mon Sep 17 00:00:00 2001 From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com> Date: Thu, 30 Nov 2023 00:07:43 +0000 Subject: [PATCH 3/8] perl/5.38.2 package update --- perl.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/perl.yaml b/perl.yaml
index 745fae15778..1db8022c3ec 100644
--- a/perl.yaml
+++ b/perl.yaml
@@ -1,6 +1,6 @@
 package:
 name: perl
- version: 5.38.1 # when bumping this version also bump Perl packages epochs to trigger a rebuild
+ version: 5.38.2 # when bumping this version also bump Perl packages epochs to trigger a rebuild
 epoch: 0
 description: "Larry Wall's Practical Extraction and Report Language"
 copyright:
@@ -21,7 +21,7 @@ pipeline:
 - uses: fetch
 with:
 uri: https://www.cpan.org/src/5.0/perl-${{package.version}}.tar.gz
- expected-sha256: e9b02f3f37f73f38e456ef76d7daded16141cfd91dd4aa271c5f9e6332eade98
+ expected-sha256: a0a31534451eb7b83c7d6594a497543a54d488bc90ca00f5e34762577f40655e
 # Delete bundled zlib and bzip2 sources
 - runs: |
From c164bd3f649ef9c96cfb24a0846b73e2556aacda Mon Sep 17 00:00:00 2001 From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com> Date: Thu, 30 Nov 2023 00:12:22 +0000 Subject: [PATCH 4/8] containerd/1.7.10 package update --- containerd.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/containerd.yaml b/containerd.yaml
index 07d31d670e0..5faa4886b6c 100644
--- a/containerd.yaml
+++ b/containerd.yaml
@@ -1,6 +1,6 @@
 package:
 name: containerd
- version: 1.7.9
+ version: 1.7.10
 epoch: 0
 description: An open and reliable container runtime
 copyright:
@@ -23,7 +23,7 @@ pipeline:
 with:
 repository: https://github.com/containerd/containerd
 tag: v${{package.version}}
- expected-commit: 4f03e100cb967922bec7459a78d16ccbac9bb81d
+ expected-commit: 4e1fe7492b9df85914c389d1f15a3ceedbb280ac
 - runs: |
 make VERSION="v${{package.version}}"
From cfcbe075de5cc65de3a9d69eeb99c8c288ef233c Mon Sep 17 00:00:00 2001 From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com> Date: Thu, 30 Nov 2023 00:12:32 +0000 Subject: [PATCH 5/8] zarf/0.31.3 package update --- zarf.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/zarf.yaml b/zarf.yaml
index f8826127c65..6c58cb2d583 100644
--- a/zarf.yaml
+++ b/zarf.yaml
@@ -1,6 +1,6 @@
 package:
 name: zarf
- version: 0.31.2
+ version: 0.31.3
 epoch: 0
 description: DevSecOps for Air Gap & Limited-Connection Systems.
 copyright:
@@ -19,7 +19,7 @@ pipeline:
 - uses: git-checkout
 with:
 repository: https://github.com/defenseunicorns/zarf
- expected-commit: 06c8e53e6a88ced00f1d8bc769e3d3f8efe7751a
+ expected-commit: 68238ab55823ca9eab2c3f66ac707e05ecd9e430
 tag: v${{package.version}}
 - uses: go/build
From b1c13d5208d873e0affa087a8a7ba36168fdf48a Mon Sep 17 00:00:00 2001 From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com> Date: Thu, 30 Nov 2023 00:12:41 +0000 Subject: [PATCH 6/8] aws-crt-cpp/0.24.9 package update --- aws-crt-cpp.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws-crt-cpp.yaml b/aws-crt-cpp.yaml
index b6ed98910d7..4475a747edc 100644
--- a/aws-crt-cpp.yaml
+++ b/aws-crt-cpp.yaml
@@ -1,6 +1,6 @@
 package:
 name: aws-crt-cpp
- version: 0.24.8
+ version: 0.24.9
 epoch: 0
 description: "C++ wrapper around the aws-c-* libraries. Provides Cross-Platform Transport Protocols and SSL/TLS implementations for C++"
 copyright:
@@ -32,7 +32,7 @@ pipeline:
 with:
 repository: https://github.com/awslabs/aws-crt-cpp
 tag: v${{package.version}}
- expected-commit: 39e29736fa6cbea5607db8f5c1fea5b59c793213
+ expected-commit: 5f1eae687f86a8b356521fa61d6685d10dfecd28
 - runs: |
 if [ "$CBUILD" != "$CHOST" ]; then
From 7de627f9e9cc8dc0a6b8da2e374d64a41f32aff9 Mon Sep 17 00:00:00 2001 From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com> Date: Thu, 30 Nov 2023 00:12:46 +0000 Subject: [PATCH 7/8] aws-c-s3/0.4.3 package update --- aws-c-s3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws-c-s3.yaml b/aws-c-s3.yaml
index 46975b95a3c..55f6dda9b7e 100644
--- a/aws-c-s3.yaml
+++ b/aws-c-s3.yaml
@@ -1,6 +1,6 @@
 package:
 name: aws-c-s3
- version: 0.4.1
+ version: 0.4.3
 epoch: 0
 description: "AWS C99 library implementation for communicating with the S3 service"
 copyright:
@@ -36,7 +36,7 @@ environment:
 pipeline:
 - uses: fetch
 with:
- expected-sha256: 139cf462db2bcf5eb6b6317051b9419b7dde027759f07c3f4f52f8af944c6e92
+ expected-sha256: 993efb6c644eaaddf2f9e2f8fdc52b62b2c6f1546199ffb37a650e1f0953e239
 uri: https://github.com/awslabs/aws-c-s3/archive/refs/tags/v${{package.version}}.tar.gz
 - runs: |
From 0d64fcc31fc8d17bcd321bea9ab807a95a50f969 Mon Sep 17 00:00:00 2001 From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com> Date: Thu, 30 Nov 2023 00:12:56 +0000 Subject: [PATCH 8/8] mdbook/0.4.36 package update --- mdbook.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mdbook.yaml b/mdbook.yaml
index e3e356ac24b..cf2d40afd93 100644
--- a/mdbook.yaml
+++ b/mdbook.yaml
@@ -1,6 +1,6 @@
 package:
 name: mdbook
- version: 0.4.35
+ version: 0.4.36
 epoch: 0
 description: "Create book from markdown files. Like Gitbook but implemented in Rust."
 copyright:
@@ -24,7 +24,7 @@ pipeline:
 with:
 repository: https://github.com/rust-lang/mdbook
 tag: v${{package.version}}
- expected-commit: 94e0a44e152d8d7c62620e83e0632160977b1dd5
+ expected-commit: b7f46213c7df8f499eca0c82e7b41804cc15e369
 - name: Configure and build
 runs: |