-
Notifications
You must be signed in to change notification settings - Fork 876
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Own driver #224
Merged
Merged
Own driver #224
+291
−47
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Start packaging (and building when necessary) a falco-specific kernel module in falco releases. Previously, falco would depend on sysdig and use its kernel module instead. The kernel module was already templated to some degree in various places, so we just had to change the templated name from sysdig/sysdig-probe to falco/falco-probe. In containers, run falco-probe-loader instead of sysdig-probe-loader. This is actually a script in the sysdig repository which is modified in draios/sysdig#789, and uses the filename to indicate what kernel module to build and/or load. For the falco package itself, don't depend on sysdig any longer but instead depend on dkms and its dependencies, using sysdig as a guide on the set of required packages. Additionally, for the package pre-install/post-install scripts start running falco-probe-loader. Finally, add a --version argument to falco so it can pass the desired version string to falco-probe-loader.
bertocci
reviewed
Mar 21, 2017
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The falco-probe-loader parts look good
This was referenced Mar 21, 2017
Use -M <secs> (same as sysdig) to run falco for a specific duration and exit.
Once merged, this fixes #188. |
Add automated tests for running falco from a package and container. As a result, this will also test building the kernel module as well as runnning falco-probe-loader as a backup. In travis.yml, switch to the docker-enabled vm and install dkms. This changed the environment slightly, so change how avocado's python dependencies are installed. After building falco, copy the .deb package to docker/local and build a local docker image based on that package. Add the following new tests: - docker_package: this uses "docker run" to run the image created in travis.yml. This includes using dkms to build the kernel module and load it. In addition, the conf directory is mounted to /host/conf, the rules directory is mounted to /host/rules, and the traces directory is mounted to /host/traces. - docker_package_local_driver: this disables dkms via a volume mount that maps /dev/null to /usr/sbin/dkms and copies the kernel module by hand into the container to /root/.sysdig/falco-probe-....ko. As a result, falco-probe-loader will use the local kernel module instead of building one itself. - debian_package: this installs the .deb package and runs the installed version of falco. Ideally, there'd also be a test for downloading the driver, but since the driver depends on the kernel as well as the falco version string, you can't put a single driver on download.draios.com that will work long-term. These tests depend on the following new test attributes: - package: if present, this points to the docker image/debian package to install. - addl_docker_run_args: if present, will be added to the docker run command. - copy_local_driver: if present, will copy the built kernel module to ~/.sysdig. ~/.sysdig/* is always cleared out before each test. - run_duration: maps to falco's -M <secs> flag - trace_file is now optional. Also add some misc general test changes: - Clean up our use of process.run. By default it will fail a test if the run program returns non-zero, so we don't have to grab the exit status. In addition, get rid of sudo in the command lines and use the sudo attribute instead. - Fix some tests that were writing to files below /tmp/falco_outputs by creating the directory first. Useful when running avocado directly.
This was referenced Mar 25, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Start packaging (and building when necessary) a falco-specific kernel
module in falco releases. Previously, falco would depend on sysdig and
use its kernel module instead.
Also add some travis tests that test packaged builds.
See commits for details on changes.