From b496116fe39c743edd5d6056d49d5155612aaaaf Mon Sep 17 00:00:00 2001 From: David Archer Date: Mon, 30 Apr 2018 17:30:39 -0400 Subject: [PATCH 1/5] Don't make driver compilation fail when kernel is compiled with CONFIG_ORC_UNWINDER or CONFIG_STACK_VALIDATION. (#362) sysdig-CLA-1.0-signed-off-by: David Archer --- docker/dev/Dockerfile | 9 ++++++--- docker/local/Dockerfile | 9 ++++++--- docker/stable/Dockerfile | 9 ++++++--- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/docker/dev/Dockerfile b/docker/dev/Dockerfile index 605fbd5d52f..22c5c02735b 100644 --- a/docker/dev/Dockerfile +++ b/docker/dev/Dockerfile @@ -17,13 +17,16 @@ ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/ RUN apt-get update \ && apt-get install -y --no-install-recommends \ bash-completion \ + ca-certificates \ curl \ - jq \ gnupg2 \ - ca-certificates \ gcc \ gcc-5 \ - gdb && rm -rf /var/lib/apt/lists/* + gdb \ + jq \ + libc6-dev \ + libelf-dev \ + && rm -rf /var/lib/apt/lists/* # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the # default to gcc-5. diff --git a/docker/local/Dockerfile b/docker/local/Dockerfile index 3bb85a22b07..7e75db18941 100644 --- a/docker/local/Dockerfile +++ b/docker/local/Dockerfile @@ -17,13 +17,16 @@ ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/ RUN apt-get update \ && apt-get install -y --no-install-recommends \ bash-completion \ + ca-certificates \ curl \ - jq \ + dkms \ gnupg2 \ - ca-certificates \ gcc \ gcc-5 \ - dkms && rm -rf /var/lib/apt/lists/* + jq \ + libc6-dev \ + libelf-dev \ + && rm -rf /var/lib/apt/lists/* # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the # default to gcc-5. diff --git a/docker/stable/Dockerfile b/docker/stable/Dockerfile index 7887bb7b70c..bfbad4408a7 100644 --- a/docker/stable/Dockerfile +++ b/docker/stable/Dockerfile 
@@ -17,12 +17,15 @@ ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/ RUN apt-get update \ && apt-get install -y --no-install-recommends \ bash-completion \ - curl \ - jq \ ca-certificates \ + curl \ gnupg2 \ gcc \ - gcc-5 && rm -rf /var/lib/apt/lists/* + gcc-5 \ + jq \ + libc6-dev \ + libelf-dev \ + && rm -rf /var/lib/apt/lists/* # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the # default to gcc-5. From 1fb53eefdb523cfce000459c6435e20d82bc6316 Mon Sep 17 00:00:00 2001 From: Xiang Dai <764524258@qq.com> Date: Tue, 12 Feb 2019 05:01:49 +0800 Subject: [PATCH 2/5] Update output (#511) falco-CLA-1.0-signed-off-by: Xiang Dai <764524258@qq.com> Signed-off-by: Xiang Dai <764524258@qq.com> --- integrations/k8s-using-daemonset/README.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/integrations/k8s-using-daemonset/README.md b/integrations/k8s-using-daemonset/README.md index bb213b1c5af..03338631b70 100644 --- a/integrations/k8s-using-daemonset/README.md +++ b/integrations/k8s-using-daemonset/README.md @@ -58,7 +58,7 @@ Now that we have the requirements for our Daemon Set in place, we can create our ``` k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-daemonset-configmap.yaml -daemonset "falco" created +daemonset.extensions "falco-daemonset" created k8s-using-daemonset$ ``` 
@@ -78,14 +78,13 @@ In order to test that Falco is working correctly, you can launch a shell in a Po ``` k8s-using-daemonset$ kubectl get pods -NAME READY STATUS RESTARTS AGE -falco-74htl 1/1 Running 0 13h -falco-fqz2m 1/1 Running 0 13h -falco-sgjfx 1/1 Running 0 13h -k8s-using-daemonset$ kubectl exec -it falco-74htl bash -root@falco-74htl:/# exit -k8s-using-daemonset$ kubectl logs falco-74htl -{"output":"17:48:58.590038385: Notice A shell was spawned in a container with an attached terminal (user=root k8s.pod=falco-74htl container=a98c2aa8e670 shell=bash parent= cmdline=bash terminal=34816)","priority":"Notice","rule":"Terminal shell in container","time":"2017-12-20T17:48:58.590038385Z", "output_fields": {"container.id":"a98c2aa8e670","evt.time":1513792138590038385,"k8s.pod.name":"falco-74htl","proc.cmdline":"bash ","proc.name":"bash","proc.pname":null,"proc.tty":34816,"user.name":"root"}} +NAME READY STATUS RESTARTS AGE +falco-daemonset-b695d 1/1 Running 0 2d +falco-daemonset-n8q2v 1/1 Running 0 2d +k8s-using-daemonset$ kubectl exec -it falco-daemonset-b695d bash +root@falco-daemonset-b695d:/# exit +k8s-using-daemonset$ kubectl logs falco-daemonset-b695d +07:16:09.217866519: Error File below known binary directory renamed/removed (user=root command=event_generator pcmdline= operation=rename file= res=0 oldpath=/bin/true newpath=/bin/true.event-generator-sh ) k8s.ns=default k8s.pod=falco-event-generator-deployment-645444689b-j6mth container=0e67aad65846 k8s.ns=default k8s.pod=falco-event-generator-deployment-645444689b-j6mth container=0e67aad65846 k8s-using-daemonset$ ``` From e546555de8d1b59fef59700b6a36ec2811967d98 Mon Sep 17 00:00:00 2001 From: Xiang Dai <764524258@qq.com> Date: Thu, 21 Feb 2019 01:17:34 +0800 Subject: [PATCH 3/5] fix k8s install issue (#506) falco-CLA-1.0-signed-off-by: Xiang Dai <764524258@qq.com> --- integrations/k8s-using-daemonset/README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) 
diff --git a/integrations/k8s-using-daemonset/README.md b/integrations/k8s-using-daemonset/README.md index 03338631b70..260fae88d4a 100644 --- a/integrations/k8s-using-daemonset/README.md +++ b/integrations/k8s-using-daemonset/README.md @@ -32,6 +32,7 @@ k8s-using-daemonset$ The Daemon Set also relies on a Kubernetes ConfigMap to store the Falco configuration and make the configuration available to the Falco Pods. This allows you to manage custom configuration without rebuilding and redeploying the underlying Pods. In order to create the ConfigMap you'll need to first need to copy the required configuration from their location in this GitHub repo to the `k8s-with-rbac/falco-config/` directory (please note that you will need to create the /falco-config directory). Any modification of the configuration should be performed on these copies rather than the original files. ``` +k8s-using-daemonset$ mkdir -p k8s-with-rbac/falco-config k8s-using-daemonset$ cp ../../falco.yaml k8s-with-rbac/falco-config/ k8s-using-daemonset$ cp ../../rules/falco_rules.* k8s-with-rbac/falco-config/ k8s-using-daemonset$ cp ../../rules/k8s_audit_rules.yaml k8s-with-rbac/falco-config/ 
@@ -71,6 +72,24 @@ If you are running Kubernetes with Legacy Authorization enabled, you can use `ku k8s-using-daemonset$ kubectl create -f k8s-without-rbac/falco-daemonset.yaml ``` +When running falco via a container, you might see error messages like the following: +``` +mkdir: cannot create directory '/lib/modules/3.10.0-693.el7.centos.test.x86_64/kernel/extra': Read-only file system +cp: cannot create regular file '/lib/modules/3.10.0-693.el7.centos.test.x86_64/kernel/extra/falco-probe.ko.xz': No such file or directory +``` + +These error messages are innocuous, but if you would like to remove them you can change the /host/lib/modules mount to read-write, by doing below change in `k8s-with-rbac/falco +daemonset-configmap.yaml`: + +``` + - mountPath: /host/lib/modules + name: lib-modules +- readOnly: true ++ #readOnly: true +``` + +However, note that this will result in the `falco-probe.ko.xz` file being saved to `/lib/modules` on the host, even after the falco container is removed. + ## Verifying the installation From f4b0b3c09606ca0379f61fdf07ea879a2ea010f0 Mon Sep 17 00:00:00 2001 From: Xiang Dai <764524258@qq.com> Date: Thu, 21 Feb 2019 01:18:45 +0800 Subject: [PATCH 4/5] falco.yaml: change default program_output action (#507) falco-CLA-1.0-signed-off-by: Xiang Dai <764524258@qq.com>1 --- falco.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/falco.yaml b/falco.yaml index c01a8f0de6e..eb376c27d7b 100644 --- a/falco.yaml +++ b/falco.yaml @@ -137,4 +137,4 @@ webserver: program_output: enabled: false keep_alive: false - program: mail -s "Falco Notification" someone@example.com + program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" From 8061088d0a07a10314b4dc036a2010218ca03af4 Mon Sep 17 00:00:00 2001 From: Kris Nova Date: Tue, 20 Aug 2019 15:13:32 -0700 Subject: [PATCH 5/5] Adding new open calls to README.md 
Signed-off-by: Kris Nova --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index cd719c2f18b..84911c03f69 100644 --- a/README.md +++ b/README.md @@ -45,10 +45,16 @@ See [Falco Documentation](https://falco.org/docs/) to quickly get started using Join the Community --- +* [Join the mailing list](http://bit.ly/2TNO9Xk) for news and a Google calendar invite for our Falco open source meetings. Note: this is the only way to get a calendar invite for our open meetings. * [Website](https://falco.org) for Falco. -* We are working on a blog for the Falco project. In the meantime you can find [Falco](https://sysdig.com/blog/tag/falco/) posts over on the Sysdig blog. * Join our [Public Slack](https://slack.sysdig.com) channel for open source Sysdig and Falco announcements and discussions. +Office hours +--- + +Falco has an open office hour style call that happens Wednesdays at 8am Pacific. You can get a calendar invitiation to the call, by joining our mailing list - or - you can just join our [Zoom](https://sysdig.zoom.us/j/501370112) + + License Terms --- Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
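Review bot: the three Dockerfile hunks in PATCH 1/5 (docker/dev, docker/local, docker/stable) add `libc6-dev \` and `libelf-dev \` without any comment, while the adjacent comment block does explain the gcc-5 pin; the reason lives only in the commit subject. A one-line comment beside `libelf-dev \` noting that it is needed so the kernel's objtool can run when the host kernel was built with CONFIG_STACK_VALIDATION or CONFIG_ORC_UNWINDER would stop a later cleanup from dropping it as unused. The same package list is now hand-maintained in three files and already diverges (gdb only in dev, dkms only in local, neither in stable), so a shared base layer, or at least a cross-reference comment in each file, would reduce drift.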
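Review bot: the replacement `kubectl logs falco-daemonset-b695d` sample in the second hunk of PATCH 2/5 no longer matches the test the reader has just run. The surrounding text tells them to launch a shell in a Pod, and the removed sample showed the resulting `Terminal shell in container` notice, but the new sample shows a `File below known binary directory renamed/removed` error raised by a `falco-event-generator-deployment` pod that this section of the README never deploys; either keep the shell-spawn alert as the example or add the step that runs the event generator. The new line also repeats `k8s.ns=default k8s.pod=falco-event-generator-deployment-645444689b-j6mth container=0e67aad65846` twice, which looks like a copy error, and it switches from the JSON output of the old sample to plain text without saying that the format depends on Falco's output configuration (the `json_output` setting in falco.yaml); a sentence to that effect would save readers from wondering why their logs look different.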
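Review bot: the first hunk of PATCH 3/5 adds `k8s-using-daemonset$ mkdir -p k8s-with-rbac/falco-config`, which leaves the parenthetical in the unchanged context line, "please note that you will need to create the /falco-config directory", redundant and slightly misleading (it names `/falco-config` at the filesystem root rather than the relative `k8s-with-rbac/falco-config`); drop the parenthetical or reword it to point at the new command.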
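Review bot: in the second hunk of PATCH 3/5 the file name is split across two lines inside the backticks (`k8s-with-rbac/falco` on one line, `daemonset-configmap.yaml` on the next), so it renders as two fragments; it should read `k8s-with-rbac/falco-daemonset-configmap.yaml` on a single line, and "by doing below change" should be "by making the following change". More importantly, the paragraph presents the read-write `/host/lib/modules` mount as a way to silence log noise, and the only caveat given is that `falco-probe.ko.xz` stays on the host. It should also state that removing `readOnly: true` grants the Falco container write access to the host's kernel module tree, so a compromise of that container could reach modules the host loads; since the messages are described as innocuous, the documented default should remain read-only and the change be presented as a trade-off rather than a fix. The snippet with `-` and `+` prefixes inside a plain fence is also easy to misread as literal YAML; say in words that the `readOnly: true` line is to be commented out.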
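Review bot: the new default in PATCH 4/5, `program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"`, only works when Falco emits JSON (the `jq` filter reads `.output`) and when `jq` and `curl` exist on the host, yet neither dependency is documented; a comment above `program_output:` stating both would save debugging, especially since the stdout sample elsewhere in this series is plain text. The old value was a complete command, whereas `XXX` is a placeholder that should be marked as one, and because a Slack incoming-webhook URL acts as a bearer credential, the comment should warn against committing a real URL into falco.yaml. Consider `curl -sS --fail` so HTTP errors produce a non-zero exit instead of being swallowed.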
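Review bot: in PATCH 5/5 "invitiation" in the Office hours paragraph should be "invitation", the sentence ending at the Zoom link needs a period, and the "- or -" construction reads awkwardly ("by joining our mailing list, or you can simply join our Zoom call"). The new mailing-list bullet uses a `bit.ly` shortener for the join link; a direct URL to the list is preferable in a security project's README, since readers can see where they are being sent and the link does not depend on a third-party redirect staying live. There are also two blank lines before `License Terms` where the surrounding sections use one.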