Skip to content

v0.1.2
Compare
Choose a tag to compare
@miki725 miki725 released this 18 Jan 13:28
· 143 commits to main since this release
v0.1.2
ab8ab0e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Download binaries at https://crashoverride.com/downloads

This is the first open source release of Chalk. For those who
participated in the public preview, there have been massive changes
from those releases, based on your excellent feedback. There's a
summary of those changes below.

Known Issues

At release time, here are known issues:

Documentation

  • We have not yet produced any developer documentation. We will do so
    soon.

  • The in-command help renderer did not get finished before
    release. Everything should display, but the output will have some
    obvious problems (spacing, wrapping, formatting choices, etc). If
    it's insufficient, use the online docs, which use the same core
    source material.

Containers

  • Our support for container marking is currently limited to Docker.

  • Chalk does not yet have any awareness of docker compose, bake or
    similar frameworks atop Docker. We only process containers created
    via direct docker invocation that's wrapped by chalk.

  • Similarly, Chalk does not yet capture any metadata around
    orchestration layers like Kubernetes or cloud-provider managed
    container solutions.

  • Chalk does not yet handle Docker HEREDOCs (which we've found aren't
    yet getting heavy use).

  • Chalk currently will refuse to automatically wrap or sign
    multi-architecture builds. It still will produce the desired
    container with a chalk mark, however.

OS / Hardware support

  • We are not supporting running chalk on Windows at this time (even
    under WSL2).

  • In fact, we are currently on supporting Linux and macOS for both x86_64 and
    arm64. More Posix platforms may work, but we are making no effort
    there at this point.

Data collection and Marking

  • We currently do not handle any form of PE binaries, so do not chalk
    .NET or other Windows applications.

  • There are other platforms we hope to mark that we don't yet support;
    see the roadmap section below.

Other

  • The bash autocomplete script installs on macOS, but because it's not
    a zsh script, it will not autocomplete file arguments, etc.

  • The signing functionality does download the cosign binary if not
    present and needed; this can take a bit of time, and should
    eventually be replaced with a native in-toto implementation.

  • Dy default, Chalk uses an advisory file lock to avoid overlapping
    writes to files by multiple chalk instances (particularly meant for
    protecting log files). This can lead to chalk instances giving up on
    obtaining the lock if you run multiple instances in the same
    environment at once.

Major changes since the preview releases

  • We've added automatic signing; run chalk setup; if you create a
    free account for our secret service, it'll generate a keypair for
    you, encrypt the private key, and automatically sign whenever
    possible. If you don't want to use the service, you'll have to
    provide a secret via environment variable, and should run setup with
    the --no-api-login flag.

  • We added automatic wrapping of container entry points, so that you
    can get beacon data when containers start up (via the chalk exec
    command).

  • We've additionally added the ability to have chalk exec send
    periodic heartbeat reports, so you can collect metadata about
    runtime workloads after startup.

  • There were several config file format changes based on
    feedback. Please contact us if you want help migrating, but things
    are even easier now.

  • ELF Chalk marks are now put into their own ELF section in the
    binary, so they will survive a strip operation.

  • We added / changed a number of metadata keys around Docker images
    and containers, and enhanced the interface for extracting data from
    containers.

  • We added an AWS IMDSv2 collection module, and associated metadata
    keys.

  • We added proc file system collection module.

  • We are now officially supporting arm64 Linux builds and macOS (arm64 and
    x86_64) builds of Chalk.

  • You can inject environment variables into docker images (previously
    we only supported labels)

  • Linux builds will now always fully statically compile with
    musl-built shared libraries. On macOS, libc is still dynamically
    loaded.

Roadmap Items

We are actively developing Chalk, and listening closely to the people
already using it. Below are a number of key items in our backlog that
we're considering. However, we have made no decisions on the order
we'll work on these things, and may add or drop items from the
list. For a more up-to-date view, please check our issues list in
GitHub.

All of the below are targets for our Open Source; we also will soon be
releasing services around Chalk (with a free tier).

  • A TUI (using Python 3) to make it very easy to build custom
    configurations for most needs, without having to touch a
    configuration file.

  • On-demand data collection from runtime environments (via triggers).

  • Heartbeat reports should be more flexible, to only report when some
    sort of condition(s) is(/are) met (both per-metadata key, and
    per-report).

  • Many changes / enhancements to make to the underlying configuration
    file format to benefit Chalk and its users.

  • Data collection modules for other cloud providers.

  • Data collection modules for orchestration systems, particularly k8s.

  • A chalk log command that can pretty-print (and search?) log
    entries from any readable source you configure (not just the default
    log file).

  • Better handling for multi-architecture builds.

  • Wrapping / data collection for docker compose and docker bake

  • Better OS X support (right now, it's just good enough for us to
    develop on; Linux is the primary target)

  • More off-the-shelf integrations (including third party tools)

  • Support for CI/CD data collection modules that are longer-running
    (requiring them to work on a copy of the dev or build environment)

  • Chalk mark support for in-the-browser JavaScript (we have an
    approach we know works, we just need to build it out).

  • Better support for specific platforms for serverless apps.

Note that Windows support is not a priority for us currently. We'd
love to get there eventually, but do not expect to get to it any time
soon, unless contributed by the community.

Assets 2