chore(docs): updates for new falcoctl driver tool. #1240

Merged
merged 5 commits into from
Jan 30, 2024
4 changes: 2 additions & 2 deletions content/en/docs/_index.md
Expand Up @@ -71,8 +71,8 @@ Falco is composed of several main components:
- Driver - is a software that adheres to the Falco driver specification and sends a stream of kernel events. Currently, Falco supports the following drivers:

- (Default) Kernel module
- Classic BPF probe built
- Modern BPF (CO-RE paradigm and more)
- Modern eBPF probe (CO-RE paradigm and more)
- Legacy eBPF probe built

For more information, see [Falco Drivers](event-sources/drivers).

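Review bot: The last bullet of the drivers list, "Legacy eBPF probe built", reads as truncated; the trailing "built" carries no information next to "Modern eBPF probe (CO-RE paradigm and more)" and was already odd in the removed "Classic BPF probe built". Suggest "- Legacy eBPF probe", or, if the point is that this probe is built per kernel release unlike the CO-RE one, say so in a parenthetical the way the modern probe line does.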
108 changes: 38 additions & 70 deletions content/en/docs/event-sources/kernel/_index.md

2 changes: 1 addition & 1 deletion content/en/docs/event-sources/kernel/architecture.md
Expand Up @@ -11,7 +11,7 @@ This document describes the overall architecture that allows events from kernel

The component of the [Falco libraries](https://github.com/falcosecurity/libs) that gathers data from the syscalls and interacts with the kernel is called `libscap`. Internally, it implements all functionality required to use the drivers to collect kernel events.

When using the kernel module or classic eBPF probe, the driver will need to be installed and deployed separately as a kernel object or probe, while the modern eBPF probe can be installed directly by libscap.
When using the kernel module or legacy eBPF probe, the driver will need to be installed and deployed separately as a kernel object or probe, while the modern eBPF probe can be installed directly by libscap.

Upon connection to its kernel counterpart, libscap will need to negotiate the API Version and Schema Version that the driver recognizes. These versions are expressed with a [semver](https://semver.org/) subset and are [documented in the libs repository](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md).
* The [API version](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#api-version-number) refers to the communication mechanism between the kernel and userspace. Every driver has a different communication mechanism which changes between versions. The kernel module may use `ioctl`s and a ring buffer, while the eBPF probes can use maps and different APIs depending on the kernel version and eBPF probe edition. Since some drivers can be deployed separately from Falco, at startup libscap will verify if the driver it's connecting to is compatible.
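Review bot: The rename from "classic" to "legacy" eBPF probe in the third paragraph should be tied to the identifier users actually type; elsewhere in this PR the driver is selected with `FALCO_DRIVER_CHOICE` set to `ebpf` (as opposed to `modern_ebpf`), so consider writing "legacy eBPF probe (driver type `ebpf`)" on first use here so readers can map the prose name to the configuration value.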
8 changes: 4 additions & 4 deletions content/en/docs/install-operate/download.md
Expand Up @@ -35,8 +35,8 @@ If you use Falco for non-syscall events, such as some plugins, only download the

When using Falco for syscall monitoring, the Falco binary relies on having Falco's kernel driver available, which can fit into two paradigms based on its type:

1. Falco with modern BPF driver: Download the Falco binary artifact; the driver is already included in the binary, made possible by the CO-RE "Compile Once - Run Everywhere" feature, so no further action is needed.
2. Falco with kernel module or traditional BPF driver: Also, download the Falco binary artifact, and additionally, download the kernel artifact corresponding to your kernel release (`uname -r`) for either `.ko` (kernel module) or `.o` (BPF driver) from the [driver](https://download.falco.org/?prefix=driver/) store. Navigate to the driver versions' directory that is compatible with the Falco binary (check with `falco --version`). To make this easier, Falco has a `falco-driver-loader` component that automates the driver download or tries to build it. The [Install](/docs/install-operate/installation/) guide will explain this more and the text blob below also has more information.
1. Falco with modern eBPF driver: Download the Falco binary artifact; the driver is already included in the binary, made possible by the CO-RE "Compile Once - Run Everywhere" feature, so no further action is needed.
2. Falco with kernel module or legacy eBPF driver: Also, download the Falco binary artifact, and additionally, download the kernel artifact corresponding to your kernel release (`uname -r`) for either `.ko` (kernel module) or `.o` (eBPF driver) from the [driver](https://download.falco.org/?prefix=driver/) store. Navigate to the driver versions' directory that is compatible with the Falco binary (check with `falco --version`). To make this easier, Falco has a `falcoctl driver` component that automates the driver download or tries to build it. The [Install](/docs/install-operate/installation/) guide will explain this more and the text blob below also has more information.

Falco also relies on both a [configuration](https://github.com/falcosecurity/falco/blob/master/falco.yaml) file and at least one Falco [rules](https://github.com/falcosecurity/rules) file. The default versions of these files come with the packages and the [Install](/docs/install-operate/installation/) covers additional tips and tricks for utilizing `falcoctl` in managing rules.

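Review bot: In item 2, `falcoctl driver` is described as "a component", but it is a subcommand of `falcoctl`, and the sentence still ends with "the text blob below also has more information", which points at nothing identifiable; suggest "Falco ships the `falcoctl driver` subcommand, which downloads a prebuilt driver or falls back to building it" and replace "the text blob below" with a link to the section meant. Minor: "driver versions' directory" should be "driver version's directory".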
Expand All @@ -62,7 +62,7 @@ For Kubernetes deployments, see the [Deployment section](/docs/install-operate/d
|[*version*](https://hub.docker.com/r/falcosecurity/falco-no-driver/tags)| `docker pull falcosecurity/falco-no-driver:<version>` | A specific version of Falco such as `{{< latest >}}` |
|[latest](https://hub.docker.com/r/falcosecurity/falco-driver-loader/tags)| `docker pull falcosecurity/falco-driver-loader:latest` | The most recent version of `falco-driver-loader` with the building toolchain |
|[*version*](https://hub.docker.com/r/falcosecurity/falco-driver-loader/tags)| `docker pull falcosecurity/falco-driver-loader:<version>` | A specific version of `falco-driver-loader` such as `{{< latest >}}` with the building toolchain |
|[latest](https://hub.docker.com/r/falcosecurity/falco/tags)| `docker pull falcosecurity/falco:latest` | The most recent version with the `falco-driver-loader` included |
|[*version*](https://hub.docker.com/r/falcosecurity/falco/tags)| `docker pull falcosecurity/falco:<version>` | A specific version of Falco such as `{{< latest >}}` with `falco-driver-loader` included |
|[latest](https://hub.docker.com/r/falcosecurity/falco/tags)| `docker pull falcosecurity/falco:latest` | The most recent version with the `falcoctl driver` tool included |
|[*version*](https://hub.docker.com/r/falcosecurity/falco/tags)| `docker pull falcosecurity/falco:<version>` | A specific version of Falco such as `{{< latest >}}` with `falcoctl driver` tool included |

The list of all available images can be found [here](https://github.com/falcosecurity/falco/tree/master/docker).
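Review bot: The two `falco-driver-loader` image rows just above the changed rows are left as unchanged context while the `falco` image rows now describe the `falcoctl driver` tool; if the `falco-driver-loader` image is still published, its description ("The most recent version of `falco-driver-loader` with the building toolchain") should say how it relates to `falcoctl driver`, and if the image is being retired the rows should go, otherwise the table documents two tools for the same job.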
62 changes: 37 additions & 25 deletions content/en/docs/install-operate/installation.md
Expand Up @@ -59,7 +59,10 @@ The Falco package will look into your system for the `dialog` binary, if the bin

> _Note_: If you don't have the `dialog` binary installed on your system a manual configuration is always required to start Falco services.

Even if you have the `dialog` binary installed, you can disable the interactive prompt by using the `FALCO_FRONTEND` env variable, you should simply set its value to `noninteractive` when installing the package.
Even if you have the `dialog` binary installed, you can disable the interactive prompt by using the `FALCO_FRONTEND` env variable, you should simply set its value to `noninteractive` when installing the package.
Also, if you wish to skip the interactive prompt but still be able to set a custom driver, you can use `FALCO_DRIVER_CHOICE` env variable, setting it to `kmod`, `ebpf` or `modern_ebpf`.
At the same time, you can also enable the `falcoctl` automatic ruleset by setting `FALCOCTL_ENABLED` to a non empty string.
The latter environment variables are also useful when you don't want to install `dialog` binary at all.

```bash
FALCO_FRONTEND=noninteractive apt-get install -y falco
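Review bot: The three sentences added after the `FALCO_FRONTEND` paragraph need grammar and precision fixes: "you can use `FALCO_DRIVER_CHOICE` env variable" should read "the `FALCO_DRIVER_CHOICE` env variable", "non empty" should be "non-empty", "install `dialog` binary" should be "install the `dialog` binary", and "The latter environment variables" is ambiguous about which of the three it means (presumably all of them, since none requires `dialog`). The `FALCO_FRONTEND` sentence also appears as both a removed and an added line with identical text, which suggests a whitespace-only change; worth confirming that was intentional.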
Expand Down Expand Up @@ -97,17 +100,17 @@ $ sudo apt-get install apt-transport-https
sudo apt-get update -y
```

4. Install some required dependencies that are needed to build the kernel module and the BPF probe
4. Install some required dependencies that are needed to build the kernel module and the eBPF probe

```bash
sudo apt install -y dkms make linux-headers-$(uname -r)
# If you use the falco-driver-loader to build the BPF probe locally you need also clang toolchain
# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
sudo apt install -y clang llvm
# You can install also the dialog package if you want it
sudo apt install -y dialog
```

> _Note_: You don't need to install these deps if you want to the modern BPF probe
> _Note_: You don't need to install these deps if you want to the modern eBPF probe

5. Install the Falco package

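Review bot: The comment "If you use falcoctl driver loader to build the eBPF probe locally" names a command that does not exist in this PR; the install step introduced later is `falcoctl driver install`, so the comment should read "# If falcoctl driver install has to build the eBPF probe locally, you also need the clang toolchain". The note below it is also missing its verb: "if you want to the modern eBPF probe" should be "if you want to use the modern eBPF probe", matching the wording in the CentOS and openSUSE sections.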
Expand Down Expand Up @@ -195,20 +198,20 @@ We have already seen [the installation steps](/docs/install-operate/installation
yum update -y
```

4. Install some required dependencies that are needed to build the kernel module and the BPF probe
4. Install some required dependencies that are needed to build the kernel module and the eBPF probe

```bash
# If necessary install it using: `yum install epel-release` (or `amazon-linux-extras install epel` in case of amzn2), then `yum install make dkms`.
yum install -y dkms make
# If the package was not found by the below command, you might need to run `yum distro-sync` in order to fix it. Rebooting the system may be required.
yum install -y kernel-devel-$(uname -r)
# If you use the falco-driver-loader to build the BPF probe locally you need also clang toolchain
# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
yum install -y clang llvm
# You can install also the dialog package if you want it
yum install -y dialog
```

> _Note_: You don't need to install these deps if you want to use the modern BPF probe
> _Note_: You don't need to install these deps if you want to use the modern eBPF probe

5. Install the Falco package

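Review bot: Same naming problem as in the Debian section: "falcoctl driver loader" is not a command; suggest "# If falcoctl driver install has to build the eBPF probe locally, you also need the clang toolchain". The first comment in the block ("If necessary install it using: `yum install epel-release` ...") is also confusing because "it" has no referent yet; consider "If `dkms` is not found, run `yum install epel-release` (or `amazon-linux-extras install epel` on amzn2) first, then `yum install make dkms`".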
Expand Down Expand Up @@ -254,19 +257,19 @@ We have already seen [the installation steps](/docs/install-operate/installation
zypper -n update
```

4. Install some required dependencies that are needed to build the kernel module and the BPF probe
4. Install some required dependencies that are needed to build the kernel module and the eBPF probe

```bash
zypper -n install dkms make
# If the package was not found by the below command, you might need to run `zypper -n dist-upgrade` in order to fix it. Rebooting the system may be required.
zypper -n install kernel-default-devel-$(uname -r | sed s/\-default//g)
# If you use the falco-driver-loader to build the BPF probe locally you need also clang toolchain
# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
zypper -n install clang llvm
# You can install also the dialog package if you want it
zypper -n install dialog
```

> _Note_: You don't need to install these deps if you want to use the modern BPF probe
> _Note_: You don't need to install these deps if you want to use the modern eBPF probe

5. Install Falco:

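Review bot: The comment "If you use falcoctl driver loader to build the eBPF probe locally" has the same problem as in the other two distro sections: the command is `falcoctl driver install`, so the comment should say "# If falcoctl driver install has to build the eBPF probe locally, you also need the clang toolchain", and the three distro blocks should stay word-for-word identical so a later edit does not drift again.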
Expand Down Expand Up @@ -297,41 +300,50 @@ In these steps, we are targeting a Debian-like system on `x86_64` architecture.
cp -R falco-{{< latest >}}-x86_64/* /
```

3. Install some required dependencies that are needed to build the kernel module and the BPF probe. If you want to use other sources like the modern BPF probe or plugins you can skip this step.
3. Install some required dependencies that are needed to build the kernel module and the eBPF probe. If you want to use other sources like the modern eBPF probe or plugins you can skip this step.

```bash
apt update -y
apt install -y dkms make linux-headers-$(uname -r)
# If you use the falco-driver-loader to build the BPF probe locally you need also clang toolchain
# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
apt install -y clang llvm
```

4. Run `falco-driver-loader` binary to install the kernel module or the BPF probe. If you want to use other sources like the modern BPF probe or plugins you can skip this step.
4. Use `falcoctl driver` tool to configure Falco and install the kernel module or the eBPF probe. If you want to use other sources like the modern eBPF probe or plugins you can skip this step.
{{% pageinfo color="info" %}}

To install the driver, the `falco-driver-loader` script requires write and execution permissions on the `/tmp` directory, as it will try to create and execute a script from there.

To install the driver, write and execution permissions on the `/tmp` directory are required, since `falcoctl` will try to create and execute a script from there.
{{% /pageinfo %}}

```bash
# If you want to install the kernel module
falco-driver-loader module
# If you want to install the eBPF probe
falco-driver-loader bpf
# If you want to use the kernel module, configure Falco for it
falcoctl driver config --type kmod
# If you want to use the eBPF probe, configure Falco for it
falcoctl driver config --type ebpf
# Install the chosen driver
falcoctl driver install
```

By default, the `falco-driver-loader` script tries to download a prebuilt driver from [the official Falco download s3 bucket](https://download.falco.org/?prefix=driver/). If a driver is found then it is inserted into `${HOME}/.falco/`. Otherwise, the script tries to compile the driver locally, for this reason, you need the dependencies at step [3].
By default, the `falcoctl driver install` command tries to download a prebuilt driver from [the official Falco download s3 bucket](https://download.falco.org/?prefix=driver/). If a driver is found then it is inserted into `${HOME}/.falco/`. Otherwise, the script tries to compile the driver locally, for this reason, you need the dependencies at step [3].

You can use the env variable `DRIVERS_REPO` to override the default repository URL for prebuilt drivers. The URL must not have the trailing slash, i.e. `https://myhost.mydomain.com` or if the server has a subdirectories structure `https://myhost.mydomain.com/drivers`. The drivers must be hosted with the following structure:
You can use the env variable `FALCOCTL_DRIVER_REPOS` to override the default repository URL for prebuilt drivers. The URL must not have the trailing slash, i.e. `https://myhost.mydomain.com` or if the server has a subdirectories structure `https://myhost.mydomain.com/drivers`. The drivers must be hosted with the following structure:

```bash
/${driver_version}/falco_${target}_${kernelrelease}_${kernelversion}.[ko|o]
/${driver_version}/${arch}/falco_${target}_${kernelrelease}_${kernelversion}.[ko|o]
```

where `ko` and `o` stand for Kernel module and `eBPF` probe respectively. This is an example:

```text
/a259b4bf49c3330d9ad6c3eed9eb1a31954259a6/falco_amazonlinux2_4.14.128-112.105.amzn2.x86_64_1.ko
/7.0.0+driver/x86_64/falco_amazonlinux2022_5.10.75-82.359.amzn2022.x86_64_1.ko
```

> If you wish to print some debug info, you can use:

```bash
# If you want to use the kernel module, configure Falco for it
falcoctl driver printenv
```

You are finally ready to [run the Falco binary](/docs/install-operate/running#falco-binary)!
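Review bot: The comment above `falcoctl driver printenv` ("# If you want to use the kernel module, configure Falco for it") is copied from the config block and describes the wrong command; replace it with something like "# Print the driver settings falcoctl will use". Three smaller points in the same hunk: the "By default" paragraph still says "the script tries to compile the driver locally" after the command was renamed to `falcoctl driver install`, so "script" should become "command"; `FALCOCTL_DRIVER_REPOS` is plural while the text describes one URL, so say whether several repositories can be given and how they are separated; and "Kernel module and `eBPF` probe" puts backticks on a word that is not an identifier, unlike the rest of the page.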
Expand Down Expand Up @@ -449,9 +461,9 @@ This section aims to offer further guidance when something doesn't go as expecte

### Driver issues

* `falco-driver-loader: Unable to find a prebuilt falco eBPF probe / module`
* `ERROR failed: unable to find a prebuilt driver`

This error message appears when the falco driver loader tool, which looks for the Falco driver and loads it in memory, is not able to find a pre-built driver, neither as an eBPF probe nor as a kernel module, at the [Falco driver repository] (https://download.falco.org).
This error message appears when the falcoctl driver loader tool, which looks for the Falco driver and loads it in memory, is not able to find a pre-built driver, neither as an eBPF probe nor as a kernel module, at the [Falco driver repository] (https://download.falco.org).

{{% pageinfo color=info %}}

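Review bot: The markdown link in the rewritten paragraph is broken by the space between `]` and `(`: "[Falco driver repository] (https://download.falco.org)" renders as literal brackets followed by a bare URL, so since the line is already being edited write "[Falco driver repository](https://download.falco.org)". Also "the falcoctl driver loader tool" should be "the `falcoctl driver install` command", matching the installation page, and the new message `ERROR failed: unable to find a prebuilt driver` should be quoted exactly as falcoctl prints it so users can search for it.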