Add jenkins checks (#584)

* Supporting files to build/test via jenkins

Changes to build/test via jenkins, which also means running all tests in
a container instead of directly on the host:

- Jenkinsfile controls the stages, build.sh does the build and
  run-tests.sh does the regression tests.

- Create a new container falcosecurity/falco-tester that includes the
  dependencies required to run the regression tests. This is a different
  image than falco-builder because it doesn't need to be centos 6 based,
  doesn't install any compiler/etc, and installs the test running
  framework we use (avocado). We now use a newer version of avocado,
  which resulted in some small changes to how it is run and how yaml
  options are parsed.

- Modify run_regression_tests.sh to download trace files to the build
  directory and only if not present. Also honor BUILD_TYPE/BUILD_DIR,
  which is provided via the docker run cmd.

- The package tests are now moved to a separate falco_tests_package.yaml
  file. They will use rpm installs by default instead of debian
  packages. Also add the ability to install rpms in addition to debian
  packages.

- Automate the process of creating the docker local package by: 1)
  Adding CMake rules to copy the Dockerfile, entrypoint to the build
  directory and 2) Copy test trace files and rules into the build
  directory. This allows running the docker build command from
  build/docker/local instead of the source directory.

- Modify the way the container test is run a bit to use the trace
  files/rules copied into the container directly instead of host-mounted
  trace files.

* Use container builder + tester for travis

We'll probably be using jenkins soon, but this will allow switching back
to travis later if we want.

* Use download.draios.com for binutils packages

That way we won't be dependent on snapshot.debian.org.

.travis.yml

@@ -31,29 +31,12 @@ install:
     - git clone https://github.com/draios/sysdig.git ../sysdig
     # if available, use the branch with the same name in sysdig
     - pushd ../sysdig && (git checkout "${BRANCH}" || exit 0) && echo "Using sysdig branch:" $(git rev-parse --abbrev-ref HEAD) && popd
-    - sudo apt-get install -y python-pip libvirt-dev jq dkms
-    - cd ..
-    - curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz
-    - tar -zxvf avocado-36.0-tar.gz
-    - cd avocado-36.0lts
-    - sed -e 's/libvirt-python>=1.2.9/libvirt-python>=1.2.9,<4.1.0/' < requirements.txt  > /tmp/requirements.txt && mv /tmp/requirements.txt ./requirements.txt
-    - sudo -H pip install -r requirements.txt
-    - sudo python setup.py install
-    - cd ../falco
-before_script:
-    - export KERNELDIR=/lib/modules/$(uname -r)/build
 script:
-    - set -e
     - mkdir build
     - cd build
-    - cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE -DDRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
-    - make VERBOSE=1
-    - make package
-    - cp falco*.deb ../docker/local
-    - cd ../docker/local
-    - docker build -t falcosecurity/falco:test .
-    - cd ../..
-    - sudo test/run_regression_tests.sh $TRAVIS_BRANCH
+    - docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-builder cmake
+    - docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-builder package
+    - docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-tester
 notifications:
   webhooks:
     urls:

CMakeLists.txt

@@ -599,7 +599,9 @@ endif()
 install(FILES falco.yaml
 	DESTINATION "${FALCO_ETC_DIR}")
 
+add_subdirectory(test)
 add_subdirectory(rules)
+add_subdirectory(docker)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_subdirectory("${SYSDIG_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")

docker/CMakeLists.txt

@@ -0,0 +1 @@
+add_subdirectory(local)

docker/dev/Dockerfile

@@ -96,11 +96,12 @@ RUN rm -df /lib/modules \
 # debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
- && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
- && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
- && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
- && dpkg -i *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb \
+ && rm -f *binutils*.deb
 
 COPY ./docker-entrypoint.sh /
 

docker/local/CMakeLists.txt

@@ -0,0 +1,17 @@
+add_subdirectory(traces)
+add_subdirectory(rules)
+
+add_custom_target(local-Dockerfile ALL
+	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile)
+
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
+	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
+	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile)
+
+add_custom_target(local-docker-entrypoint ALL
+	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint)
+
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint
+	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint.sh
+	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh)
+

docker/local/Dockerfile

@@ -2,7 +2,8 @@ FROM debian:unstable
 
 LABEL maintainer="Sysdig <support@sysdig.com>"
 
-ENV FALCO_VERSION 0.1.1dev
+ARG FALCO_VERSION=0.1.1dev
+ENV FALCO_VERSION ${FALCO_VERSION}
 
 LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
@@ -91,11 +92,17 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 # debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
- && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
- && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
- && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
- && dpkg -i *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb \
+ && rm -f *binutils*.deb
+
+# The local container also copies some test trace files and
+# corresponding rules that are used when running regression tests.
+COPY rules/*.yaml /rules/
+COPY traces/*.scap /traces/
 
 COPY ./docker-entrypoint.sh /
 

docker/local/rules/CMakeLists.txt

@@ -0,0 +1,13 @@
+# Note: list of rules is created at cmake time, not build time
+file(GLOB test_rule_files
+	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/rules/*.yaml")
+
+foreach(rule_file_path ${test_rule_files})
+	get_filename_component(rule_file ${rule_file_path} NAME)
+	add_custom_target(docker-local-rule-${rule_file} ALL
+		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${rule_file})
+	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
+		COMMAND ${CMAKE_COMMAND} -E copy ${rule_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
+		DEPENDS ${rule_file_path})
+endforeach()
+

docker/local/traces/CMakeLists.txt

@@ -0,0 +1,13 @@
+# Note: list of traces is created at cmake time, not build time
+file(GLOB test_trace_files
+	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/trace_files/*.scap")
+
+foreach(trace_file_path ${test_trace_files})
+	get_filename_component(trace_file ${trace_file_path} NAME)
+	add_custom_target(docker-local-trace-${trace_file} ALL
+		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
+	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
+		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
+		DEPENDS ${trace_file_path})
+endforeach()
+

docker/stable/Dockerfile

@@ -95,11 +95,12 @@ RUN rm -df /lib/modules \
 # debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
- && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
- && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
- && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
- && dpkg -i *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb \
+ && rm -f *binutils*.deb
 
 COPY ./docker-entrypoint.sh /
 

docker/tester/Dockerfile

@@ -0,0 +1,17 @@
+FROM centos:7
+
+ENV FALCO_VERSION 0.1.1dev
+ENV BUILD_TYPE Release
+
+RUN yum -y install epel-release && \
+    yum -y install \
+      python-pip \
+      docker \
+      jq \
+      unzip
+
+RUN pip install avocado-framework avocado-framework-plugin-varianter-yaml-to-mux
+
+COPY entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]

docker/tester/entrypoint.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+SOURCE_DIR=/source
+BUILD_DIR=/build
+TASK=${1:-test}
+
+if [ $TASK == "test" ]; then
+    echo "Building local docker image falcosecurity/falco:test from latest debian package..."
+    cp $BUILD_DIR/$BUILD_TYPE/falco*.deb $BUILD_DIR/$BUILD_TYPE/docker/local
+    cd $BUILD_DIR/$BUILD_TYPE/docker/local && docker build --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test .
+
+    echo "Running regression tests"
+    cd $SOURCE_DIR/falco/test
+    bash run_regression_tests.sh $BUILD_DIR/$BUILD_TYPE
+
+    docker rmi falcosecurity/falco:test || true
+    exit 0
+fi
+
+if [ $TASK == "bash" ]; then
+    exec /bin/bash
+fi

scripts/jenkins/build-pipeline/Jenkinsfile

@@ -0,0 +1,71 @@
+void setBuildStatus(String context, String message, String state) {
+    step([
+	  $class: "GitHubCommitStatusSetter",
+	  reposSource: [$class: "ManuallyEnteredRepositorySource", url: "https://github.com/falcosecurity/falco"],
+	  contextSource: [$class: "ManuallyEnteredCommitContextSource", context: context],
+	  errorHandlers: [[$class: "ChangingBuildStatusErrorHandler", result: "UNSTABLE"]],
+	  statusResultSource: [ $class: "ConditionalStatusResultSource", results: [[$class: "AnyBuildResult", message: message, state: state]] ]
+	  ]);
+}
+
+pipeline {
+	agent { label "agent-docker-builder" }
+	stages {
+	    stage("Check out dependencies") {
+		steps {
+		    dir("falco") {
+			checkout([$class: "GitSCM",
+				  branches: [[name: "refs/heads/"+env.BRANCH_NAME]],
+				  doGenerateSubmoduleConfigurations: false,
+				  extensions: [],
+				  submoduleCfg: [],
+				  userRemoteConfigs: [[credentialsId: "github-jenkins-user-token", url: "https://github.com/draios/falco"]]])
+			    }
+		    dir("sysdig") {
+			checkout([$class: "GitSCM",
+				  branches: [[name: "dev"]],
+				  doGenerateSubmoduleConfigurations: false,
+				  extensions: [],
+				  submoduleCfg: [],
+				  userRemoteConfigs: [[credentialsId: "github-jenkins-user-token", url: "https://github.com/draios/sysdig"]]])
+			    }
+		}
+	    }
+	    stage("Build") {
+		steps {
+		    script{
+			sh("./falco/scripts/jenkins/build-pipeline/build.sh")
+		    }
+		}
+		post {
+		    success {
+			setBuildStatus("Build", "Build Successful", "SUCCESS")
+		    }
+		    failure {
+			setBuildStatus("Build", "Build Failed", "FAILURE")
+		    }
+		}
+	    }
+	    stage("Run tests") {
+		steps {
+		    script{
+			sh("./falco/scripts/jenkins/build-pipeline/run-tests.sh")
+		    }
+		}
+		post {
+		    success {
+			setBuildStatus("Run tests", "All tests passed", "SUCCESS")
+		    }
+		    failure {
+			setBuildStatus("Run tests", "One or more tests failed", "FAILURE")
+		    }
+		}
+	    }
+	}
+	post {
+		always {
+			cleanWs()
+		}
+	}
+}
+

scripts/jenkins/build-pipeline/build.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -xeuo pipefail
+
+export FALCO_VERSION=0.1.$((2700+BUILD_NUMBER))dev
+
+rm -rf ${WORKSPACE}/build
+mkdir ${WORKSPACE}/build
+
+docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e FALCO_VERSION=${FALCO_VERSION} -e MAKE_JOBS=4 -v ${WORKSPACE}:/source -v ${WORKSPACE}/build:/build falcosecurity/falco-builder cmake
+docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e FALCO_VERSION=${FALCO_VERSION} -e MAKE_JOBS=4 -v ${WORKSPACE}:/source -v ${WORKSPACE}/build:/build falcosecurity/falco-builder package

scripts/jenkins/build-pipeline/run-tests.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -xeuo pipefail
+
+export FALCO_VERSION=0.1.$((2700+BUILD_NUMBER))dev
+
+docker pull falcosecurity/falco-tester
+docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v /etc/passwd:/etc/passwd:ro -e FALCO_VERSION=${FALCO_VERSION} -v ${WORKSPACE}:/source -v ${WORKSPACE}/build:/build falcosecurity/falco-tester
+
+exit 0

test/CMakeLists.txt

@@ -0,0 +1 @@
+add_subdirectory(trace_files)