Bake Sysdig/CNCF Falco #77
Conversation
There was a problem hiding this comment.
LGTM. Any chance to add the a mention in the README with maybe your small butane example? https://github.com/flatcar/sysext-bakery?tab=readme-ov-file#available-extensions
EDIT: Feel free to squash everything in one commit.
The README.MD was updated with the sample used in this PR! I'm on the cellphone rn so I cant rebase/squash manually. Its it possible to squash and merge? |
There was a problem hiding this comment.
Can you also add the targeted version that you would like to be released here:
https://github.com/flatcar/sysext-bakery/blob/main/release_build_versions.txt
I guess falco-0.38.1 is fine?
| - path: /etc/falco/falco.yaml | ||
| contents: | ||
| source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/master/falco.yaml" | ||
| - path: /etc/falco/falco_rules.yaml | ||
| contents: | ||
| source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/master/falco_rules.yaml" |
There was a problem hiding this comment.
I built the image and inspected the content. I see that those files are provided under /etc of the sysext (which of course won't be available once the image is mounted) but with this little trick, we can remove those lines and provide /etc/falco and friends directly via the sysext image:
diff --git a/create_falco_sysext.sh b/create_falco_sysext.sh
index dd7a15f..9fd8b94 100755
--- a/create_falco_sysext.sh
+++ b/create_falco_sysext.sh
@@ -83,5 +83,13 @@ RestrictRealtime=true
WantedBy=multi-user.target
EOF
+mkdir -p "${SYSEXTNAME}"/usr/share/falco/etc
+mv "${SYSEXTNAME}"{/etc/{falco,falcoctl},/usr/share/falco/etc/}
+
+mkdir -p "${SYSEXTNAME}"/usr/lib/tmpfiles.d
+cat <<EOF >"${SYSEXTNAME}"/usr/lib/tmpfiles.d/10-falco.conf
+C /etc/falco - - - - /usr/share/falco/etc/falco
+EOF
+
RELOAD=1 "${SCRIPTFOLDER}"/bake.sh "${SYSEXTNAME}"
rm -rf "${SYSEXTNAME}"What do you think?
| - path: /etc/falco/falco.yaml | |
| contents: | |
| source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/master/falco.yaml" | |
| - path: /etc/falco/falco_rules.yaml | |
| contents: | |
| source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/master/falco_rules.yaml" |
There was a problem hiding this comment.
Oh hey @tormath1 ! Thanks for the Tips!
This is my first time working with tmpfiles.d and I tested the suggestions that you made and they work beautifully!
But I could not make it to work in a scenario were I want to update a specific config file, like /etc/falco/falco.yaml :
storage:
files:
- path: /etc/falco/falco.yaml
contents:
inline: |
engine:
kind: modern_ebpf
rules_file:
- /etc/falco/falco_rules.yaml
- /etc/falco/falco_rules.local.yaml
- /etc/falco/rules.d
[CONTINUES...]
With the declaration above, the original falco files and folders are not copied to /etc/falco at all.
I tested the tmpfiles.d with with C and C+ modes, it exits with 0 but the falco files are not copied:
k3s-server1 /etc/falco # echo "C+ /etc/falco - - - - /usr/share/falco/etc/falco" | systemd-tmpfiles --create -
Looking for configuration files in (higher priority first):
/etc/tmpfiles.d
/run/tmpfiles.d
/usr/local/lib/tmpfiles.d
/usr/lib/tmpfiles.d
SELinux enabled state cached to: enabled
Successfully loaded SELinux database in 2.475ms, size on heap is 3141K.
Reading config from stdin…
Running create action for entry C /etc/falco
Copying tree "/usr/share/falco/etc/falco" to "/etc/falco".
k3s-server1 /etc/falco # ls /etc/falco
falco.yaml
k3s-server1 /etc/falco #
Do you know if is there a way to use all files present on the falco sysext but override the /etc/falco/falco.yaml or other specific file only?
There was a problem hiding this comment.
If is there a way to override config files then I can update the README.md accordingly and I believe that the sysext will be a in a good shape.
There was a problem hiding this comment.
Ok, so maybe we can go more in a more granular way with symlinks. Similar to:
https://github.com/flatcar/scripts/blob/e4cc483b6724e3953dc7d645b58f31128d1a92b7/build_library/sysext_mangle_flatcar-zfs#L31-L35
I'll try to have a look, I think it's worth to invest here. :)
There was a problem hiding this comment.
oh great! I really started to think that would not have a way to do it automatically, so we can handpick the files that we want to create using symlinks.
Let me test it.
Bake Falco as a systemd sysext image.
This PR aims to bake Falco as a systemd sysext
How to use
The following CL file use official falcon systemd files and also the workshop falco configuration (falco requires yaml configuration in place to work):
Checking the output of the
falco-modern-bpf.serviceoutputs some events (a k3s cluster running im my case):Testing done
changelog/directory (user-facing change, bug fix, security fix, update)/bootand/usrsize, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.