flatcar / sysext-bakery

Recipes for baking systemd-sysext images
Apache License 2.0

Bake Sysdig/CNCF Falco #77

Closed gcavalcante8808 closed 6 days ago

gcavalcante8808 commented 5 months ago

Bake Falco as a systemd sysext image.

This PR aims to bake Falco as a systemd sysext

How to use

The following CL file uses the official Falco systemd files and also the workshop Falco configuration (Falco requires a YAML configuration in place to work):

```yaml
systemd:
  units:
    # source: https://raw.githubusercontent.com/falcosecurity/falco/master/scripts/systemd/falco-bpf.service
    - name: falco-modern-bpf.service
      enabled: true
      contents: |
        [Unit]
        Description=Falco: Container Native Runtime Security with modern ebpf
        Documentation=https://falco.org/docs/
        Before=falcoctl-artifact-follow.service
        Wants=falcoctl-artifact-follow.service

        [Service]
        Type=simple
        User=root
        ExecStart=/usr/bin/falco -o engine.kind=modern_ebpf
        ExecReload=kill -1 $MAINPID
        UMask=0077
        TimeoutSec=30
        RestartSec=15s
        Restart=on-failure
        PrivateTmp=true
        NoNewPrivileges=yes
        ProtectHome=read-only
        ProtectSystem=full
        ProtectKernelTunables=true
        RestrictRealtime=true
        RestrictAddressFamilies=~AF_PACKET
        StandardOutput=null

        [Install]
        WantedBy=multi-user.target

    # source: https://raw.githubusercontent.com/falcosecurity/falco/master/scripts/systemd/falcoctl-artifact-follow.service
    - name: falcoctl-artifact-follow.service
      contents: |
        [Unit]
        Description=Falcoctl Artifact Follow: automatic artifacts update service
        Documentation=https://falco.org/docs/
        PartOf=falco-bpf.service falco-kmod.service falco-modern-bpf.service falco-custom.service

        [Service]
        Type=simple
        User=root
        ExecStart=/usr/bin/falcoctl artifact follow --allowed-types=rulesfile
        UMask=0077
        TimeoutSec=30
        RestartSec=15s
        Restart=on-failure
        PrivateTmp=true
        NoNewPrivileges=yes
        ProtectSystem=true
        ReadWriteDirectories=/usr/share/falco
        ProtectKernelTunables=true
        RestrictRealtime=true

        [Install]
        WantedBy=multi-user.target

storage:
  files:
    - path: /etc/falco/falco.yaml
      contents:
        source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/master/falco.yaml"
    - path: /etc/falco/falco_rules.yaml
      contents:
        source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/master/falco_rules.yaml"
    - path: /etc/extensions/falco.raw
      contents:
        source: "<LINK>"
```

Checking the output of the falco-modern-bpf.service outputs some events (a k3s cluster running in my case):


Testing done
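The units in the CL file above can be sanity-checked before the image is baked. The following script is an added example, not code from this PR or from the sysext-bakery project: it parses unit text into sections, checks an assumed hardening baseline (NoNewPrivileges, PrivateTmp, ProtectKernelTunables), and flags dependency targets the config does not ship, which for the upstream falcoctl unit means the `PartOf=` entries naming the kmod, legacy-bpf and custom variants. The `UNITS` dictionary is constructed from the two units above, trimmed to the directives inspected.

```python
# Added example, not part of the PR: audit the systemd units in a Butane/CL
# config such as the one above. UNITS below is constructed from those units.

# Assumed hardening baseline for a long-running root daemon.
EXPECTED = {"NoNewPrivileges": "yes", "PrivateTmp": "true",
            "ProtectKernelTunables": "true"}
DEP_KEYS = ("Wants", "Requires", "Before", "After", "PartOf")


def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}; repeated keys accumulate."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return sections


def audit(units):
    """Return findings per unit name: hardening directives that differ from
    EXPECTED, and dependency targets that this config does not define."""
    findings = {name: [] for name in units}
    for name, text in units.items():
        parsed = parse_unit(text)
        svc, unit = parsed.get("Service", {}), parsed.get("Unit", {})
        for key, want in EXPECTED.items():
            if svc.get(key, [None])[0] != want:
                findings[name].append(f"{key} should be {want}")
        for key in DEP_KEYS:
            for dep in " ".join(unit.get(key, [])).split():
                if dep not in units:
                    findings[name].append(f"{key} names {dep}, not in config")
    return findings


UNITS = {  # constructed from the PR's units, trimmed to inspected directives
    "falco-modern-bpf.service": "[Unit]\nBefore=falcoctl-artifact-follow.service\n"
    "Wants=falcoctl-artifact-follow.service\n[Service]\nPrivateTmp=true\n"
    "NoNewPrivileges=yes\nProtectKernelTunables=true\n",
    "falcoctl-artifact-follow.service": "[Unit]\nPartOf=falco-bpf.service "
    "falco-kmod.service falco-modern-bpf.service falco-custom.service\n"
    "[Service]\nPrivateTmp=true\nNoNewPrivileges=yes\nProtectKernelTunables=true\n",
}
```

Running `audit(UNITS)` reports nothing for falco-modern-bpf.service and three informational findings for falcoctl-artifact-follow.service, one per `PartOf=` target the config does not define.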

gcavalcante8808 commented 5 months ago

> LGTM. Any chance to add the a mention in the README with maybe your small butane example? https://github.com/flatcar/sysext-bakery?tab=readme-ov-file#available-extensions
>
> EDIT: Feel free to squash everything in one commit.

The README.MD was updated with the sample used in this PR!

I'm on the cellphone rn so I can't rebase/squash manually. Is it possible to squash and merge?

mnbro commented 6 days ago

@gcavalcante8808 @tormath1 Do you have any news on this? Will it be merged?

tormath1 commented 6 days ago

> @gcavalcante8808 @tormath1 Do you have any news on this? Will it be merged?

Hey there, @gcavalcante8808 let me know if you're still interested to merge this. I added a small comment, I think it's good to go. We just need to rebase and add the targeted version to this file: https://github.com/flatcar/sysext-bakery/blob/main/release_build_versions.txt (to automatically build this sysext at the next release)

gcavalcante8808 commented 6 days ago

> > @gcavalcante8808 @tormath1 Do you have any news on this? Will it be merged?
>
> Hey there, @gcavalcante8808 let me know if you're still interested to merge this. I added a small comment, I think it's good to go. We just need to rebase and add the targeted version to this file: https://github.com/flatcar/sysext-bakery/blob/main/release_build_versions.txt (to automatically build this sysext at the next release)

Oh hey @tormath1 ! Yeah, sure lets finish this!

Edit: Branch Updated.

gcavalcante8808 commented 6 days ago

> Thanks, two small nits for the documentation - and we still need to add: falco-0.39.1 to this file: https://github.com/flatcar/sysext-bakery/blob/main/release_build_versions.txt.
>
> Feel free to squash all your commits into one :)

I've tried to squash locally but I could not without a backmerge. Can we squash&merge instead?

I've also added the release version.

tormath1 commented 6 days ago

@gcavalcante8808 Thanks a lot for your contribution, I'll trigger a release tomorrow.

tormath1 commented 4 days ago

@gcavalcante8808 the sysext is now available here: https://github.com/flatcar/sysext-bakery/releases/tag/latest