falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

(build) include + build bpftool when -DUSE_BUNDLED_DEPS=On and -DBUILD_FALCO_MODERN_BPF=On #2366

Closed happy-dude closed 1 year ago

happy-dude commented 1 year ago

Motivation

When I was upgrading my internal release of Falco with the latest upstream commits, I wanted to evaluate the modern BPF probe. Unfortunately, I ran into build troubles where bpftool was required.

This ticket is a feature request to include + build bpftool when specifying USE_BUNDLED_DEPS.

Feature

Additional context

Looking at issue #2343, it turns out that an update-alternatives command helps with the clang/gcc confusion in cmake, and that bpftool needs to be built as a dependency and is not currently included when -DUSE_BUNDLED_DEPS=On is used.

Quoting @Andreagit97 :

yeah BPFTOOL is another requirement to build a unique .o file and then the modern bpf probe skeleton (https://github.com/falcosecurity/libs#build-modern-ebpf-probe). If the distro doesn't provide a recent version of the BPFTOOL you need to build it from source: https://github.com/libbpf/bpftool/releases/tag/v6.7.0 and these are the instructions to install it https://github.com/libbpf/bpftool/tree/v6.7.0#build

Andreagit97 commented 1 year ago

Thank you for reporting this, we will try to address it ASAP :)

leogr commented 1 year ago

/assign @Andreagit97

incertum commented 1 year ago

Already successfully updated an internal CI to support modern_bpf for super early pre-experimental release tests, here is how you could go about it in case it is useful in addition to Andrea's docs and fixes:

Pipeline 1: After this pipeline I have the modern_bpf probe skeleton header published in an internal artifacts store.

First pulling an internally published libs source! Then:

mkdir -p libs/build
cd libs/build
cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_LIBSCAP_GVISOR=OFF -DCREATE_TEST_TARGETS=OFF -DBUILD_LIBSCAP_MODERN_BPF=ON ../
make ProbeSkeleton;

now --> PUBLISH skel_dir/bpf_probe.skel.h to an internal artifacts store.

Using an ubuntu image similar to the one below for Pipeline 1 (it could probably be cleaned up, for sure ...). Please note I pre-published bpftool internally as well, instead of building it when building the container below:

FROM ubuntu:22.10

ARG DEBIAN_FRONTEND=noninteractive

RUN apt-get update -y
RUN apt --fix-broken -y install
RUN apt-get install -y build-essential libssl-dev zlib1g-dev libbz2-dev \
libreadline-dev libsqlite3-dev wget curl libncurses5-dev libncursesw5-dev \
xz-utils tk-dev libffi-dev liblzma-dev jq golang build-essential git libncurses-dev pkg-config autoconf libtool libelf-dev \
libssl-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libgrpc++-dev protobuf-compiler-grpc libcurl4-openssl-dev libyaml-cpp-dev cmake rpm libelf-dev
RUN apt-get install -y rpm2cpio cpio sudo zstd
RUN apt-get install -y llvm-11 clang-11 gcc-11
RUN apt-get install -y llvm-13 clang-13
RUN apt-get install -y llvm-14 clang-14
RUN update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
RUN update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
RUN apt install libc6 -y

RUN wget <INTERNAL_URL>/v7.0.0-ubuntu-bpftool.tar.gz
RUN tar xvf v7.0.0-ubuntu-bpftool.tar.gz -C /usr/bin/

# RUN git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch && cd bpftool && git submodule update --init && cd src && make && make install

Pipeline 2: Build Falco using the previously published modern_bpf skeleton header.

The Falco builder container is adopted from Andrea's new container from here. Using a centos7 container helps stay compatible with older GLIBC versions when building Falco:

FROM centos:7

RUN yum -y install centos-release-scl; \
    yum -y install devtoolset-8-gcc devtoolset-8-gcc-c++; \
    yum install -y git wget make m4 rpm-build which

# With some previous cmake versions it fails when downloading `zlib` with curl in the libs building phase
RUN curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz; \
    gzip -d /tmp/cmake.tar.gz; \
    tar -xpf /tmp/cmake.tar --directory=/tmp; \
    cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr; \
    rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/

RUN source scl_source enable devtoolset-8;
RUN cp -f /opt/rh/devtoolset-8/root/usr/bin/gcc /usr/bin/gcc; cp -f /opt/rh/devtoolset-8/root/usr/bin/g++ /usr/bin/g++;

Depending on your build platform source scl_source enable devtoolset-8 may not work and you'll have to accomplish this manually.

Then fetch your modern_bpf skeleton header and build Falco.

Updated: I also fetch the same internally published libs source in Falco's cmake project setup!

mkdir -p /tmp/skel-dir/
wget -O /tmp/skel-dir/bpf_probe.skel.h <INTERNAL_URL>

cmake -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION} -DUSE_BUNDLED_DEPS=ON -DBUILD_BPF=OFF -DBUILD_DRIVER=OFF  -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/tmp/skel-dir/ ..
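
As an added example (not code from this thread or from the Falco project), a pre-flight script for the two-pipeline setup above: it checks that the external bpftool Andrea describes is on the build host and at least the v6.7.0 he linked, and that the published bpf_probe.skel.h sits where -DMODERN_BPF_SKEL_DIR points, before Falco's cmake is run. BPFTOOL, MODERN_BPF_SKEL_DIR and the --run flag are names chosen for this example.

```shell
#!/bin/sh
# Added pre-flight check for the external bpftool dependency and the
# published modern_bpf skeleton header (example only, not Falco's own code).
# Assumptions: minimum bpftool is the v6.7.0 linked in the thread; BPFTOOL
# and MODERN_BPF_SKEL_DIR are override variables chosen for this example.
set -e
MIN_BPFTOOL_VERSION="6.7.0"

# version_ge A B: exit 0 when dotted version A >= B (missing fields count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# Pull "X.Y.Z" from a `bpftool version` banner ("bpftool v7.0.0"); distro
# builds from the kernel tree print a kernel version instead, e.g. "v5.15.0".
parse_bpftool_version() {
    printf '%s\n' "$1" | sed -n 's/^bpftool v\{0,1\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Fail (return 1) unless a bpftool >= MIN_BPFTOOL_VERSION is on PATH or at $BPFTOOL.
check_bpftool() {
    tool=${BPFTOOL:-bpftool}
    command -v "$tool" >/dev/null 2>&1 || { echo "bpftool not found; build it from source or set BPFTOOL" >&2; return 1; }
    ver=$(parse_bpftool_version "$("$tool" version 2>/dev/null || true)")
    [ -n "$ver" ] || { echo "cannot parse '$tool version' output" >&2; return 1; }
    version_ge "$ver" "$MIN_BPFTOOL_VERSION" || { echo "bpftool $ver < required $MIN_BPFTOOL_VERSION" >&2; return 1; }
    echo "bpftool $ver OK"
}

# Fail unless DIR/bpf_probe.skel.h exists, is non-empty and carries the
# bpf_probe__open* symbols that bpftool generates for the bpf_probe object.
check_skel_header() {
    hdr="${1:-${MODERN_BPF_SKEL_DIR:-/tmp/skel-dir}}/bpf_probe.skel.h"
    [ -s "$hdr" ] || { echo "missing $hdr (run 'make ProbeSkeleton' in libs first)" >&2; return 1; }
    grep -q 'bpf_probe__open' "$hdr" || { echo "$hdr is not a bpftool skeleton" >&2; return 1; }
    echo "skeleton $hdr OK"
}

# Run both checks only with `sh preflight.sh --run`, so the functions can also be sourced in CI.
if [ "${1:-}" = "--run" ]; then
    check_bpftool
    check_skel_header
fi
```

Under set -e, a failing check aborts the pipeline before the cmake invocation instead of surfacing later as a confusing skeleton build error.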

happy-dude commented 1 year ago

Just a quick update: Thanks to related issue threads and @incertum's concise instructions, I was able to build+deploy falco w/ modern-bpf for my org 😃 Thanks y'all!!

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

leogr commented 1 year ago

/remove-lifecycle stale

cc @Andreagit97

poiana commented 1 year ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

Andreagit97 commented 1 year ago

Hi folks, sorry I forgot to update this! Some time ago @FedeDP and I tried to bundle bpftool inside the Falco build. Unfortunately, we realized that probably this is not the right thing to do: bpftool is just a binary, not a library that we have to link against, so adding it to our build phase would just complicate our CMake build (complex enough already), creating something difficult to maintain. So I would say that we should keep bpftool as an external dependency, at least for now... sorry :(

happy-dude commented 1 year ago

Thanks for the update! I think that's fine, as long as it's properly documented as a dependency.

Closing as won't fix 👍