falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

Cut 0.31.0 Release #1857

Closed jasondellaluce closed 2 years ago

jasondellaluce commented 2 years ago

Scheduled to happen: ~2022-01-31

All targeted pull requests have been merged; waiting for build and tests for release 0.31.0.

Release Steps

Process is described in this document.

Release Blocking PRs

Nice-to-have PRs

Action Items

Open Questions

/milestone 0.31.0

/assign @jasondellaluce @terylt @Issif

/kind documentation

poiana commented 2 years ago

@jasondellaluce: GitHub didn't allow me to assign the following users: terylt.

Note that only falcosecurity members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide

In response to [this](https://github.com/falcosecurity/falco/issues/1857):

>## Scheduled to happen: ~2022-01-31
>
>All targeted pull requests have been merged; waiting for build and tests for release [0.31.0](https://github.com/falcosecurity/falco/milestone/21).
>
>## Release Steps
>
>Process is described in [this document](https://github.com/falcosecurity/falco/blob/master/RELEASE.md).
>
>## Release Blocking PRs
>
>**TODO**
>
>## Action Items
>
>- [ ] Pre-Release: Pick a final driver version in Falco
>- [ ] Pre-release: Prebuilt drivers publish
>- [ ] Pre-release: [Milestones](https://github.com/falcosecurity/falco/milestone/21)
>- [ ] Pre-release: Changelog
>- [ ] Release: Tag
>- [ ] Release: GH Release
>- [ ] Docs: Meeting Notes
>- [ ] Website snapshot
>- [ ] Website: bump Falco version to 0.30.0
>- [ ] Website: Updates
>  - https://github.com/falcosecurity/falco-website/pull/493
>  - https://github.com/falcosecurity/falco-website/pull/515
>  - Add plugin documentation for newest features (`get_init_schema` and `list_open_params`)
>- [ ] Announcements: Blog
>- [ ] Announcements: Send email
>- [ ] Announcements: Falco Slack channel
>
>## Open Questions
>
>/milestone 0.31.0
>
>/assign @jasondellaluce @terylt @Issif
>
>/kind documentation

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

leogr commented 2 years ago

Waiting for https://github.com/falcosecurity/libs/pull/185

jasondellaluce commented 2 years ago

In the milestone https://github.com/falcosecurity/falco/milestone/21 there are still some open PRs. Those are not blocking, but since the release date is approaching I think we should wait until the end of this week to see if some of them get merged.

Starting from Mon 24th, I would propose to stop merging PRs and start testing what we have for the rest of the week until the release.

leogr commented 2 years ago

> Starting from Mon 24th, I would propose to stop merging PRs and start testing what we have for the rest of the week until the release.

Totally agree. :+1:

I would also pick the driver version within this week.

leogr commented 2 years ago

quick update: I, @jasondellaluce and @FedeDP noticed some minor issues (with rule checks on loading) that we're trying to fix.

leogr commented 2 years ago

> quick update: I, @jasondellaluce and @FedeDP noticed some minor issues (with rule checks on loading) that we're trying to fix.

Rule loader checks fixed here :point_right: https://github.com/falcosecurity/falco/pull/1864 (plus other small fixes).

We also need to update the cloudtrail plugin (a fix was merged recently) :point_right: https://github.com/falcosecurity/falco/pull/1865

Finally, as nice-to-have: https://github.com/falcosecurity/falco/pull/1863

leogr commented 2 years ago

Dev packages can be downloaded from here :point_down: https://app.circleci.com/pipelines/github/falcosecurity/falco/2007/workflows/cee05a2c-4d58-44f2-b6e3-8c7013cc3fda/jobs/18259/artifacts

For the docker image:

docker pull falcosecurity/falco:master

I believe it's time to test :angel:

cc @Issif @terylt :pray:

leogr commented 2 years ago

Nice-to-have: https://github.com/falcosecurity/falco/pull/1810

leogr commented 2 years ago

A quick fix is needed. This https://github.com/falcosecurity/falco/blob/master/rules/aws_cloudtrail_rules.yaml#L23 is out of date. The cloudtrail plugin version must be bumped to 0.2.2, but also the json plugin is required (we have to add it too).

jasondellaluce commented 2 years ago

On top of this, we also need to include the newly-merged execveat syscall in the Falco ruleset. Apparently, execve is used at this line, so I think it would make sense to check for execveat there too 👉🏼 https://github.com/falcosecurity/falco/blob/2f82a9baa193825337049e4ac69793f3074d6110/rules/falco_rules.yaml#L66
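An added example, not part of the original thread or of the Falco code base: a small audit that lists rule or macro conditions matching `execve` but not `execveat`, which is the coverage gap the comment above asks to close. The rule text is constructed, the macro and rule names are made up, and single-line `condition:` entries are assumed.

```python
import re

# Constructed sample in Falco rule syntax; macro and rule names are made up.
SAMPLE_RULES = """\
- macro: proc_started
  condition: evt.type = execve and evt.dir=<

- macro: proc_started_fixed
  condition: evt.type in (execve, execveat) and evt.dir=<

- rule: Shell in container
  condition: evt.type=execve and container.id != host and proc.name = bash
  output: shell started (command=%proc.cmdline)

- rule: Sensitive file opened
  condition: evt.type in (open, openat) and fd.name startswith /etc/shadow
  output: sensitive file opened (file=%fd.name)
"""

ITEM = re.compile(r"^- (?:macro|rule|list):\s*(.+?)\s*$")
EQ = re.compile(r"evt\.type\s*=\s*([a-z0-9_]+)")
IN = re.compile(r"evt\.type\s+in\s*\(([^)]*)\)")


def syscalls_matched(condition):
    """Collect every event type named in evt.type comparisons."""
    names = set(EQ.findall(condition))
    for group in IN.findall(condition):
        names.update(n.strip() for n in group.split(",") if n.strip())
    return names


def execve_only(rules_text):
    """Return names of macros/rules that match execve but never execveat."""
    flagged, current = [], None
    for line in rules_text.splitlines():
        m = ITEM.match(line)
        if m:
            current = m.group(1)
        elif line.strip().startswith("condition:") and current:
            # Assumption: the whole condition sits on this one line.
            types = syscalls_matched(line.split(":", 1)[1])
            if "execve" in types and "execveat" not in types:
                flagged.append(current)
    return flagged


if __name__ == "__main__":
    for name in execve_only(SAMPLE_RULES):
        print("execve-only condition:", name)
```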

FedeDP commented 2 years ago

@leogr done in https://github.com/falcosecurity/falco/pull/1867!

leogr commented 2 years ago

Update: pre-built drivers in the making :point_down: https://github.com/falcosecurity/test-infra/pull/613

Andreagit97 commented 2 years ago

@jasondellaluce done in #1868 :tada: !

jasondellaluce commented 2 years ago

There seems to be an issue with the musl optimized build. The ambiguity is that the MUSL_OPTIMIZED_BUILD is the name of the CMake option that triggers the musl build, whereas MUSL_OPTIMIZED is the name of the definition expected by libs. Falco passes the definition to libs in CMake here 👇🏼

https://github.com/falcosecurity/falco/blob/7750b6f209fdef7b709e22ee4325797dd01949ba/cmake/modules/falcosecurity-libs.cmake#L46

Falco widely uses MUSL_OPTIMIZED_BUILD as a code definition to exclude certain features, such as here 👇🏼

https://github.com/falcosecurity/falco/blob/7750b6f209fdef7b709e22ee4325797dd01949ba/userspace/falco/falco.cpp#L140

However, neither MUSL_OPTIMIZED_BUILD nor MUSL_OPTIMIZED is defined in Falco sources through CMake, which ends up not excluding any feature in musl builds.

leogr commented 2 years ago

> There seems to be an issue with the musl optimized build. The ambiguity is that the MUSL_OPTIMIZED_BUILD is the name of the CMake option that triggers the musl build, whereas MUSL_OPTIMIZED is the name of the definition expected by libs. Falco passes the definition to libs in CMake here 👇🏼
>
> https://github.com/falcosecurity/falco/blob/7750b6f209fdef7b709e22ee4325797dd01949ba/cmake/modules/falcosecurity-libs.cmake#L46
>
> Falco widely uses MUSL_OPTIMIZED_BUILD as a code definition to exclude certain features, such as here 👇🏼
>
> https://github.com/falcosecurity/falco/blob/7750b6f209fdef7b709e22ee4325797dd01949ba/userspace/falco/falco.cpp#L140
>
> However, neither MUSL_OPTIMIZED_BUILD nor MUSL_OPTIMIZED is defined in Falco sources through CMake, which ends up not excluding any feature in musl builds.

https://github.com/falcosecurity/falco/pull/1871 is trying to fix the issue described above.

Moreover, while discovering the issue, we also realized that after https://github.com/falcosecurity/falco/pull/1853 got merged, the static build is not being published anymore. Since we believe it's still valuable, we have decided to publish both the dynamic and the static flavor of the bin package (we will just use different file names). Here is the PR: https://github.com/falcosecurity/falco/pull/1873 Thanks to @LucaGuerra for this last-minute effort :pray:
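An added example, not taken from the thread or from the Falco repository: a build-hygiene check for the failure described above, where a macro is tested by `#ifndef`/`#if` guards but no CMake rule ever passes it to the compiler, so the guarded features are silently compiled in. The CMake and C++ fragments are constructed, and `optional_feature.h`, `HAS_CAPTURE` and `start_webserver` are hypothetical names.

```python
import re

# Constructed miniature of the situation described above; file contents are
# illustrative and are not copied from the Falco repository.
CMAKE_BROKEN = """\
option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
if(MUSL_OPTIMIZED_BUILD)
  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -static")
endif()
"""
# Same file with the option also turned into a compile definition.
CMAKE_FIXED = CMAKE_BROKEN.replace(
    "endif()", "  add_definitions(-DMUSL_OPTIMIZED_BUILD)\nendif()")
SOURCE = """\
#ifndef MUSL_OPTIMIZED_BUILD
#include "optional_feature.h"   // meant to be left out of musl builds
#endif
#if defined(HAS_CAPTURE) && !defined(MUSL_OPTIMIZED_BUILD)
void start_webserver();
#endif
"""

GUARD = re.compile(r"^\s*#\s*(?:ifdef|ifndef|if|elif)\b(.*)$", re.M)
DEFINE_CALL = re.compile(
    r"(?:add_definitions|add_compile_definitions|target_compile_definitions)"
    r"\s*\(([^)]*)\)")


def guarded_macros(source):
    """Macros whose presence is tested by preprocessor conditionals."""
    found = set()
    for rest in GUARD.findall(source):
        found.update(re.findall(r"[A-Z][A-Z0-9_]{2,}", rest.split("//")[0]))
    return found


def compile_definitions(cmake):
    """Names CMake passes to the compiler as definitions (an option() is not one)."""
    found = set()
    for args in DEFINE_CALL.findall(cmake):
        for tok in args.split():  # target names/keywords land here too; harmless
            found.add(re.sub(r"^-D", "", tok).split("=")[0])
    return found


def never_defined(source, cmake, prefix="MUSL_"):
    """Guards with the given prefix that no build rule ever defines."""
    missing = guarded_macros(source) - compile_definitions(cmake)
    return sorted(m for m in missing if m.startswith(prefix))
```

The `prefix` filter keeps the report to the build-flavour macros under review, since other guards may be defined in headers rather than in CMake.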

leogr commented 2 years ago

Another minor issue found: Lua files are now embedded into the Falco executable, but we have noticed a leftover: the --alternate-lua-dir flag (that cannot work and is not useful anymore). Here is the fix: https://github.com/falcosecurity/falco/pull/1872 Thanks to @FedeDP

Issif commented 2 years ago

I tested the last master image. I was able to test monitoring of syscalls and audit logs. I also tested the integration with Falcosidekick and its outputs. Everything worked as expected :+1:

terylt commented 2 years ago

I've been testing with the falco libs. Compiled a version of the sfcollector with it, and it's passing unit tests, and we are running it through our battery of tests. Will update if I run into any issues.

jasondellaluce commented 2 years ago

/assign @terylt

leogr commented 2 years ago

Quick update: currently, test-infra is building drivers for the new version and has no more capacity. For this reason, some PRs already approved are pending (tide is temporarily not working). The issue should be solved once the driver building completes.

juris commented 2 years ago

any chance for arm64 in this release?

jasondellaluce commented 2 years ago

Hey @juris, unfortunately arm64 support will not be shipped with this release. However, I think this is one of the next goals for the near future.

jasondellaluce commented 2 years ago

Quick update. We seem to have spotted a bug related to the filtercheck system related to these issues:

EDIT: These two PRs should solve the issues:

jasondellaluce commented 2 years ago

Updates: We have fixed all the code issues found in the past few days!

Now, there seems to be a CircleCI problem that causes the publish/packages-deb-dev job to fail 👉🏼 https://app.circleci.com/pipelines/github/falcosecurity/falco/2033/workflows/d553bc07-6f2d-4563-b511-9024ce79193c/jobs/18624 However, we didn't introduce any change in that part, so it's unclear why this happens. We are currently investigating.

leogr commented 2 years ago

CircleCI functionality restored. We also cleaned up the deprecated centos::8 build.

All clear now.

We are ready to release once the changelog PR https://github.com/falcosecurity/falco/pull/1880 gets merged. :star_struck:

jasondellaluce commented 2 years ago

All the post-release work is finished! Thanks to everybody for the help! 🥳 🦅