chore(docs): updates for new falcoctl driver tool. #1240
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/hold |
|
Then, we will need a subsequent PR to also update ways to run Falco with different drivers, now that Falco deprecated old I can do that in this PR since they are a bit tied together. |
|
Ok, ported |
6 tasks
LucaGuerra
reviewed
Jan 23, 2024
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…g it with new `engine.kind` Falco config key. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…and has been dropped. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
FedeDP
force-pushed
the
chore/update_falcoctl_driver
branch
from
9887b1d
to
d2f3b48
Compare
|
Rebased on top of master. |
FedeDP
force-pushed
the
chore/update_falcoctl_driver
branch
2 times, most recently
from
ea340dc
to
b44dc14
Compare
…ction. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Luca Guerra <luca@guerra.sh>
FedeDP
force-pushed
the
chore/update_falcoctl_driver
branch
from
b44dc14
to
0ce23d4
Compare
incertum
reviewed
Jan 30, 2024
| - Modern eBPF probe | ||
| - Classic eBPF probe |
There was a problem hiding this comment.
Classic or didn't we agree on Legacy? My preference would be Legacy as I believe most other docs call it that way.
|
|
||
| As you can notice, when your `kernel.perf_event_paranoid` is `>2` the capability `CAP_PERFMON` won't suffice, you would still need `CAP_SYS_ADMIN`. | ||
| So before disabling `CAP_SYS_ADMIN` check your `perf_event_paranoid` value with `sysctl kernel.perf_event_paranoid` and make sure their values are compatible with your distribution enforcement. | ||
|
|
||
| ## Modern eBPF probe | ||
|
|
||
| The {{< glossary_tooltip text="modern probe" term_id="modern-ebpf-probe" >}} is an alternative driver for Falco. The main advantage it brings to the table is that it is embedded into Falco, which means that you don't have to download or build anything, if your kernel is recent enough Falco will automatically inject it! |
There was a problem hiding this comment.
modern probe? stay consistent with modern_ebpf?
| @@ -97,13 +54,16 @@ sudo bpftool feature probe kernel | grep -q "program_type tracing is available" | |||
|
|
|||
| ### How to run it | |||
|
|
|||
| The modern eBPF probe supports all the installation methods of other drivers: | |||
| To enable the modern eBPF support in Falco, just set the `engine.kind` configuration key to `modern_ebpf`. Nothing else will be needed since no external artifact is required for it to work. | |||
There was a problem hiding this comment.
|
|
||
| The Falco community, in 0.24.0 promoted the userspace instrumentation feature to **[official support](https://github.com/falcosecurity/evolution#official-support)** to be included in Falco. | ||
| To enable the eBPF support in Falco set the `engine.kind` configuration key to `ebpf` and eventually customize `engine.ebpf.probe` to the path where the eBPF probe resides; the default path is the location used by `falcoctl driver` tool to install the eBPF probe. |
There was a problem hiding this comment.
Tell what the default path is here as well.
| @@ -36,7 +36,7 @@ If you use Falco for non-syscall events, such as some plugins, only download the | |||
| When using Falco for syscall monitoring, the Falco binary relies on having Falco's kernel driver available, which can fit into two paradigms based on its type: | |||
|
|
|||
| 1. Falco with modern BPF driver: Download the Falco binary artifact; the driver is already included in the binary, made possible by the CO-RE "Compile Once - Run Everywhere" feature, so no further action is needed. | |||
| 2. Falco with kernel module or traditional BPF driver: Also, download the Falco binary artifact, and additionally, download the kernel artifact corresponding to your kernel release (`uname -r`) for either `.ko` (kernel module) or `.o` (BPF driver) from the [driver](https://download.falco.org/?prefix=driver/) store. Navigate to the driver versions' directory that is compatible with the Falco binary (check with `falco --version`). To make this easier, Falco has a `falco-driver-loader` component that automates the driver download or tries to build it. The [Install](/docs/install-operate/installation/) guide will explain this more and the text blob below also has more information. | |||
| 2. Falco with kernel module or traditional BPF driver: Also, download the Falco binary artifact, and additionally, download the kernel artifact corresponding to your kernel release (`uname -r`) for either `.ko` (kernel module) or `.o` (BPF driver) from the [driver](https://download.falco.org/?prefix=driver/) store. Navigate to the driver versions' directory that is compatible with the Falco binary (check with `falco --version`). To make this easier, Falco has a `falcoctl driver` component that automates the driver download or tries to build it. The [Install](/docs/install-operate/installation/) guide will explain this more and the text blob below also has more information. | |||
There was a problem hiding this comment.
And we call it traditional BPF driver -> change to consistent legacy eBPF driver
There was a problem hiding this comment.
Also change all old BPF driver references to eBPF ...
| @@ -109,6 +109,6 @@ For the Falco binary we don't provide specific update paths, you just have to re | |||
|
|
|||
| ## Special Note on Kernel Drivers and Kernel Upgrades | |||
|
|
|||
| When performing kernel upgrades on your host, a reboot is required. Consequently, the Falco binary restarts, and additionally, you must ensure that a new kernel driver corresponding to the updated kernel release (`uname -r`) is available when using the kernel module or traditional BPF driver. By using Falco's `falco-driver-loader`, these processes are automated for you, making it easy to handle kernel upgrades. The Falco Project features a kernel crawler and automated CI, ensuring you can always obtain the necessary pre-built driver artifact, even for the latest kernel releases we support. | |||
| When performing kernel upgrades on your host, a reboot is required. Consequently, the Falco binary restarts, and additionally, you must ensure that a new kernel driver corresponding to the updated kernel release (`uname -r`) is available when using the kernel module or traditional BPF driver. By using Falco's `falcoctl driver` tool, these processes are automated for you, making it easy to handle kernel upgrades. The Falco Project features a kernel crawler and automated CI, ensuring you can always obtain the necessary pre-built driver artifact, even for the latest kernel releases we support. | |||
There was a problem hiding this comment.
same old "traditional BPF driver" ref
| @@ -109,6 +109,6 @@ For the Falco binary we don't provide specific update paths, you just have to re | |||
|
|
|||
| ## Special Note on Kernel Drivers and Kernel Upgrades | |||
|
|
|||
| When performing kernel upgrades on your host, a reboot is required. Consequently, the Falco binary restarts, and additionally, you must ensure that a new kernel driver corresponding to the updated kernel release (`uname -r`) is available when using the kernel module or traditional BPF driver. By using Falco's `falco-driver-loader`, these processes are automated for you, making it easy to handle kernel upgrades. The Falco Project features a kernel crawler and automated CI, ensuring you can always obtain the necessary pre-built driver artifact, even for the latest kernel releases we support. | |||
| When performing kernel upgrades on your host, a reboot is required. Consequently, the Falco binary restarts, and additionally, you must ensure that a new kernel driver corresponding to the updated kernel release (`uname -r`) is available when using the kernel module or traditional BPF driver. By using Falco's `falcoctl driver` tool, these processes are automated for you, making it easy to handle kernel upgrades. The Falco Project features a kernel crawler and automated CI, ensuring you can always obtain the necessary pre-built driver artifact, even for the latest kernel releases we support. | |||
|
|
|||
| The great news is that modern BPF driver is more resilient to it, because of the CO-RE "Compile Once - Run Everywhere" feature that made it possible to bundle the driver into the Falco binary - it will just continue to work on the upgraded kernel. If possible, use modern BPF! | |||
There was a problem hiding this comment.
Actually could we string search for "modern BPF" and "traditional BPF" or "classic BPF" and change everything in one swing?
…ional to legacy for the old bpf probe. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
|
@incertum done everything! Thanks for the huge feedback! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind cleanup
Any specific area of the project related to this PR?
/area documentation
What this PR does / why we need it:
Updated falco-driver-loader related documentation to use new
falcoctl drivertool that will be shipped by Falco 0.37.Moreover, it updates the way to select a given driver in Falco, given the new
engineconfig file options.Finally, it uses a more coherent
legacy eBPFnaming in place oftraditionalorclassic, everywhere.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: