ZeroDownTime/alpine-overlay
3
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Activity

feat: Migrate falco to use modern eBPF, latest version

Browse Source
This commit is contained in:
Stefan Reimer 2024-06-24 13:03:39 +00:00
parent 239143c856
commit 6a8c1cf723
9 changed files with 10 additions and 4693 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
kubezero/falco-kernel/APKBUILD
View File

@ -1,71 +0,0 @@
# Contributor: Stefan Reimer <stefan@zero-downtime.net>
# Maintainer: Stefan Reimer <stefan@zero-downtime.net>
_flavor=lts
_extra_flavors=virt
pkgver=0.37.1
pkgrel=0
pkgname=falco-kernel-$_flavor
pkgdesc="Falco kernel module"
url="https://github.com/falcosecurity/falco"
arch="x86_64 aarch64"
license="AGPL-3.0"
makedepends="cmake linux-$_flavor-dev linux-headers"
# protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev jsoncpp-dev re2-dev"
# perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev"
options="!check"
source="
falco-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz
"
builddir="$srcdir/falco-$pkgver"
for f in $_extra_flavors; do
makedepends="$makedepends linux-$f-dev"
subpackages="$subpackages falco-kernel-$f:_extra"
done
build() {
for flavor in $_flavor $_extra_flavors; do
mkdir -p $srcdir/falco-$pkgver/build-$flavor
# Hack running the build inside a container other uname -r returns host kernel
KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-"$flavor"))
cd $srcdir/falco-$pkgver/build-$flavor
cmake .. \
-DCMAKE_BUILD_TYPE=Release \
-DFALCO_VERSION=$pkgver \
-DCMAKE_INSTALL_PREFIX=/usr \
-DUSE_BUNDLED_DEPS=On \
-DMUSL_OPTIMIZED_BUILD=On
KERNELDIR=/lib/modules/$KERNEL_VERSION/build make driver
done
}
_package() {
local flavor=$1
local _out=$2
KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-"$flavor"))
depends="linux-$flavor~$(echo $KERNEL_VERSION | sed -e 's/-.*$//')"
cd $srcdir/falco-$pkgver/build-$flavor
mkdir -p "$_out"/lib/modules/$KERNEL_VERSION/kernel
gzip -9 -c driver/falco.ko > "$_out"/lib/modules/$KERNEL_VERSION/kernel/falco.ko.gz
}
package() {
_package $_flavor $pkgdir
}
_extra() {
flavor=${subpkgname##*-}
_package $flavor $subpkgdir
}
sha512sums="
257d526c4d3eadbe2c79852221fdb8076f94e421aa66753628770ae7384137b4672064cbe1ba0a4d88d14e8a7d08e2521d5bd82a312c4b1442d8ea6fbbbb2f28 falco-0.37.1.tar.gz
"

13
kubezero/falco/APKBUILD
View File

@ -1,13 +1,13 @@
# Contributor: Stefan Reimer <stefan@zero-downtime.net>
# Maintainer: Stefan Reimer <stefan@zero-downtime.net>
pkgname=falco
pkgver=0.37.1
pkgver=0.38.1
pkgrel=0
pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud"
url="https://github.com/falcosecurity/falco"
arch="x86_64 aarch64"
license="AGPL-3.0"
makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone
makedepends="cmake clang bpftool linux-headers bash perl autoconf elfutils-dev libtool argp-standalone
musl-fts-dev
musl-libintl
musl-legacy-error
@ -20,7 +20,6 @@ makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-st
# yaml-cpp-dev
# "
options="!check"
#depends="falco-kernel~$pkgver"
# Original config
# https://raw.githubusercontent.com/falcosecurity/rules/main/rules/falco_rules.yaml
@ -51,10 +50,10 @@ build() {
-DMUSL_OPTIMIZED_BUILD=On \
-DBUILD_DRIVER=Off \
-DBUILD_BPF=Off \
-DBUILD_LIBSCAP_MODERN_BPF=Off \
-DBUILD_LIBSCAP_MODERN_BPF=On \
..
make falco || bash
make falco
}
package() {
@ -65,7 +64,7 @@ package() {
cd $pkgdir/etc/falco
patch --no-backup-if-mismatch -i $srcdir/falco.patch
patch --no-backup-if-mismatch -i $srcdir/rules.patch
# We dont build anything on targets so remove sources
rm -rf $pkgdir/usr/src
rm -rf $pkgdir/usr/lib
@ -73,7 +72,7 @@ package() {
}
sha512sums="
257d526c4d3eadbe2c79852221fdb8076f94e421aa66753628770ae7384137b4672064cbe1ba0a4d88d14e8a7d08e2521d5bd82a312c4b1442d8ea6fbbbb2f28 falco-0.37.1.tar.gz
f76b228328a3cf29f5795f7239393d7d05101f488e6ff09f5434237e906ec04a0139a5c91089c36cf3d01058584773b8fe0b1742e760a3e4953237fbc49e834f falco-0.38.1.tar.gz
b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08 falco.patch
487b8b64d2399fd7b706be29e3722983bcdfde3ab5cf0f78b2e9fe1055a4ad958976f591e739491e25a06d7cdf6894c1e153e892a87b83c7a962e23c9a104528 rules.patch
"

1053
kubezero/falco/falco.yaml
View File

File diff suppressed because it is too large Load Diff

1251
kubezero/falco/falco_rules.yaml
View File

File diff suppressed because it is too large Load Diff

1053
kubezero/falco/zdt_falco.yaml
View File

File diff suppressed because it is too large Load Diff

1251
kubezero/falco/zdt_falco_rules.yaml
View File

File diff suppressed because it is too large Load Diff

4
kubezero/falcoctl/APKBUILD
View File

@ -1,7 +1,7 @@
# Contributor: Stefan Reimer <stefan@zero-downtime.net>
# Maintainer: Stefan Reimer <stefan@zero-downtime.net>
pkgname=falcoctl
pkgver=0.7.3
pkgver=0.8.0
pkgrel=0
pkgdesc="The official CLI tool for working with Falco and its ecosystem components."
url="https://github.com/falcosecurity/falcoctl"
@ -33,5 +33,5 @@ package() {
}
sha512sums="
61e539322c91125569c432ea1fc98c84b928795089829a062e6b5c74c7d1223cd71e557b7a8972ba7c6d1b534d1b87da254ee01e12c14038ced5a8f85a22a623 falcoctl-0.7.3.tar.gz
e62b59339ed1005bfcb9e59242bc187e8c9505173fc2c506f8990abf905062aaccdcc465fd01ffeec90886af1f4afea8448c3f128c84b18b145ffdf0a0f90dbf falcoctl-0.8.0.tar.gz
"

4
kubezero/zdt-base/APKBUILD
View File

@ -111,7 +111,7 @@ nocloud() {
}
sha512sums="
c1808572d074e1a91e0efc3c31462f6035159338843e51fbccca5102b2923506ce60ba9e1ef00b2fbb134da7a33f55af364e1bff15c272eb7f4ebc6035f33887 common.sh
36469bda1c6620547b8365610f8631142f42fae2a01408a622ba6ae6f85b45f2b5d6c785aa4d84895da6d91657061ab787beeb35c4883e2d3ba19d9a2841496f common.sh
cf8b75a81bb35e853761d21b15b5b109f15350c54daaf66d2912541a20f758c3ca237d58932e5608d2d3867fe15a07ebd694fd1c313a8290d15afc2b27a575dd boot.sh
eb7d5b6f92f500dbaba04a915cdd8d66e90456ca86bed86b3a9243f0c25577a9aa42c2ba28c3cad9dda6e6f2d14363411d78eff35656c7c60a6a8646f43dcba5 cloudbender-early.init
cac71c605324ad8e60b72f54b8c39ee0924205fcd1f072af9df92b0e8216bcde887ffec677eb2f0eacce3df430f31d5b5609e997d85f14389ee099fbde3c478f cloudbender.init
@ -123,7 +123,7 @@ b86dec8c059642309b2f583191457b7fac7264b75dc5f4a06ad641de6b76589c0571b8b72b515195
484bdcf001b71ce5feed26935db437c613c059790b99f3f5a3e788b129f3e22ba096843585309993446a88c0ab5d60fd0fa530ef3cfb6de1fd34ffc828172329 syslog-ng.logrotate.conf
e86eed7dd2f4507b04050b869927b471e8de26bc7d97e7064850478323380a0580a92de302509901ea531d6e3fa79afcbf24997ef13cd0496bb3ee719ad674ee syslog-ng.apparmor
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e cloudbender.stop
b93cec571afe5128ab4d7c3998b3dc48753897f37169a111f606a48d1982e6ffce52a4ac9568a6a062f621148fb652049b84926a40a62d89be3786e6836261e6 cloudbender.start
f106f3e9befdeaad6beef4bada0c774eb7745568b8d29eb86970ac9ea73d1aaac080676d399a11d462973d10e1aef08125bf78d7a362db47a53a2ba06df7d9b4 cloudbender.start
f8c052c7ec12c71937c7b8bc05d8374c588f345e303b30eda9c8612dff8f8f34a87a433648a3e9b85b278196ece198533b29680a303ff6478171d43f8e095189 dhcpcd-mtu.hook
e00a8f296c76446fe1241bf804c0108f47a2676f377a413ee9fede0943362a6582cad30fe13edd93f3d0daab0e2d7696553fb9458dca62adc05572dce339021a monitrc
c955dabe692c0a4a2fa2b09ab9096f6b14e83064b34ae8d22697096daf6551f00b590d837787d66ea1d0030a7cc30bef583cc4c936c980465663e73aec5fa2dc monit_alert.sh.aws

3
kubezero/zdt-base/zdt-base.post-install
View File

@ -19,9 +19,6 @@ sed -i -e 's/^[\s#]*FAST_STARTUP=.*/FAST_STARTUP=yes/' /etc/conf.d/chronyd
#sed -i -e 's/^[\s#]*rc_parallel=.*/rc_parallel="YES"/' /etc/rc.conf
#echo 'enable parallel openRC'
# load falco kernel module at boot
grep -q falco /etc/modules || echo falco >> /etc/modules
# Setup syslog-ng json logging and apparmor tweaks
cp /lib/zdt/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
cp /lib/zdt/syslog-ng.logrotate.conf /etc/logrotate.d/syslog-ng