diff --git a/.circleci/config.yml b/.circleci/config.yml
index 87252ea5690..242142b17c4 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -32,6 +32,38 @@ jobs:
 pushd build
 make tests
 popd
+ # Debug build using ubuntu LTS
+ # This build is dynamic, most dependencies are taken from the OS
+ "build/ubuntu-bionic-debug":
+ docker:
+ - image: ubuntu:bionic
+ steps:
+ - checkout
+ - run:
+ name: Update base image
+ command: apt update -y
+ - run:
+ name: Install dependencies
+ command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
+ - run:
+ name: Prepare project
+ command: |
+ mkdir build
+ pushd build
+ cmake -DCMAKE_BUILD_TYPE=debug ..
+ popd
+ - run:
+ name: Build
+ command: |
+ pushd build
+ make -j4 all
+ popd
+ - run:
+ name: Run unit tests
+ command: |
+ pushd build
+ make tests
+ popd
 # Build using our own builder base image using centos 7
 # This build is static, dependencies are bundled in the falco binary
 "build/centos7":
@@ -69,6 +101,28 @@ jobs:
 - store_artifacts:
 path: /tmp/packages
 destination: /packages
+ # Debug build using our own builder base image using centos 7
+ # This build is static, dependencies are bundled in the falco binary
+ "build/centos7-debug":
+ docker:
+ - image: falcosecurity/falco-builder:latest
+ environment:
+ BUILD_TYPE: "debug"
+ steps:
+ - checkout:
+ path: /source/falco
+ - run:
+ name: Prepare project
+ command: /usr/bin/entrypoint cmake
+ - run:
+ name: Build
+ command: /usr/bin/entrypoint all
+ - run:
+ name: Run unit tests
+ command: /usr/bin/entrypoint tests
+ - run:
+ name: Build packages
+ command: /usr/bin/entrypoint package
 # Execute integration tests based on the build results coming from the "build/centos7" job
 "tests/integration":
 docker:
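Review bot: `build/ubuntu-bionic-debug` appears to be a copy of the `build/ubuntu-bionic` job above it (that job is outside the hunk) with only `cmake -DCMAKE_BUILD_TYPE=debug ..` changed, so the long `apt install` line and the whole step sequence now exist twice and will drift apart. A YAML anchor on the shared `docker:`/`steps:` stanzas, or a parameterised job if the config is ever moved to CircleCI 2.1, would leave only the cmake flag per job. `linux-headers-$(uname -r)` is resolved against the CI host kernel from inside an `ubuntu:bionic` container, where that exact package version may not be available; if the existing job already tolerates this, a comment such as `# TODO(review): confirm bionic ships linux-headers for the executor kernel` on that line would save the next reader the same question. The enclosing `jobs:` mapping starts before this hunk.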
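Review bot: `build/centos7-debug` passes the build type as a runtime `environment` variable (`BUILD_TYPE: "debug"`), but `docker/builder/Dockerfile` in this same commit declares it as a build-time `ARG BUILD_TYPE=release`; whether `/usr/bin/entrypoint cmake` honours the runtime environment rather than the value baked into the image is not visible here, and if it does not, this job silently produces a second release build. The `message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")` line added to CMakeLists.txt in this commit makes that easy to confirm from the job log. Unlike `build/centos7`, this job has no `store_artifacts` step, so the packages it builds are discarded; if that is intended, a one-line comment such as `# debug artifacts are not stored; this job only validates the tree` would make it explicit.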
@@ -84,12 +138,210 @@ jobs: - run: name: Execute integration tests command: /usr/bin/entrypoint test + # Sign rpm packages + "rpm/sign": + docker: + - image: falcosecurity/falco-builder:latest + steps: + - attach_workspace: + at: / + - run: + name: Install rpmsign + command: | + yum update -y + yum install rpm-sign -y + - run: + name: Sign rpm + command: | + echo "%_signature gpg" > ~/.rpmmacros + echo "%_gpg_name Falcosecurity Package Signing" >> ~/.rpmmacros + cd /build/release/ + echo '#!/usr/bin/expect -f' > sign + echo 'spawn rpmsign --addsign {*}$argv' >> sign + echo 'expect -exact "Enter pass phrase: "' >> sign + echo 'send -- "\n"' >> sign + echo 'expect eof' >> sign + chmod +x sign + echo $GPG_KEY | base64 -d | gpg --import + ./sign *.rpm + test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0 + - persist_to_workspace: + root: / + paths: + - build/release/*.rpm + # Publish the packages + "publish/packages-dev": + docker: + - image: docker.bintray.io/jfrog/jfrog-cli-go:latest + steps: + - attach_workspace: + at: / + - run: + name: Create versions + command: | + FALCO_VERSION=$(sed -e 's/^"//' -e 's/"$//' <<< $(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3)) + jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET} + jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET} + jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET} + - run: + name: Publish deb-dev + command: | + FALCO_VERSION=$(sed -e 
's/^"//' -e 's/"$//' <<< $(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3)) + jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish + - run: + name: Publish rpm-dev + command: | + FALCO_VERSION=$(sed -e 's/^"//' -e 's/"$//' <<< $(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3)) + jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish + - run: + name: Publish tgz-dev + command: | + FALCO_VERSION=$(sed -e 's/^"//' -e 's/"$//' <<< $(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3)) + jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish + # Publish docker packages + "publish/docker-dev": + docker: + - image: docker:stable + steps: + - checkout + - setup_remote_docker + - run: + name: Build and publish slim-dev + command: | + docker build --build-arg VERSION_BUCKET=deb-dev -t falcosecurity/falco:master-slim docker/slim + docker push falcosecurity/falco:master-slim + - run: + name: Build and publish minimal-dev + command: | + docker build --build-arg VERSION_BUCKET=bin-dev -t falcosecurity/falco:master-minimal docker/minimal + docker push falcosecurity/falco:master-minimal + - run: + name: Build and publish dev + command: | + docker build --build-arg VERSION_BUCKET=deb-dev -t falcosecurity/falco:master docker/stable + docker push falcosecurity/falco:master + # Publish the packages + "publish/packages": + docker: + - image: docker.bintray.io/jfrog/jfrog-cli-go:latest + steps: + - attach_workspace: + at: / + - run: + name: Create versions + command: | + FALCO_VERSION=$(sed -e 's/^"//' -e 's/"$//' <<< $(cat 
/build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3)) + jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --github-tag-rel-notes --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} + jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --github-tag-rel-notes --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} + jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --github-tag-rel-notes --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} + - run: + name: Publish deb + command: | + FALCO_VERSION=$(sed -e 's/^"//' -e 's/"$//' <<< $(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3)) + jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --labels="falco","security","cncf","kubernetes" + - run: + name: Publish rpm + command: | + FALCO_VERSION=$(sed -e 's/^"//' -e 's/"$//' <<< $(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3)) + jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish + - run: + name: Publish tgz + command: | + FALCO_VERSION=$(sed -e 's/^"//' -e 's/"$//' <<< $(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3)) + jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish + # Publish docker packages + "publish/docker": + docker: + - image: docker:stable + steps: + - checkout + - setup_remote_docker + - run: + name: Build and publish slim + command: | + docker build --build-arg VERSION_BUCKET=deb -t 
"falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim + docker tag "falcosecurity/falco:${CIRCLE_TAG}-slim" falcosecurity/falco:latest-slim + docker push "falcosecurity/falco:${CIRCLE_TAG}-slim" + docker push "falcosecurity/falco:latest-slim" + - run: + name: Build and publish minimal + command: | + docker build --build-arg VERSION_BUCKET=bin -t "falcosecurity/falco:${CIRCLE_TAG}-minimal" docker/minimal + docker tag "falcosecurity/falco:${CIRCLE_TAG}-minimal" falcosecurity/falco:latest-minimal + docker push "falcosecurity/falco:${CIRCLE_TAG}-minimal" + docker push "falcosecurity/falco:latest-minimal" + - run: + name: Build and publish stable + command: | + docker build --build-arg VERSION_BUCKET=deb -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable + docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest + docker push "falcosecurity/falco:${CIRCLE_TAG}" + docker push "falcosecurity/falco:latest" workflows: version: 2 build_and_test: jobs: - "build/ubuntu-bionic" + - "build/ubuntu-bionic-debug" - "build/centos7" + - "build/centos7-debug" - "tests/integration": requires: - "build/centos7" + - "rpm/sign": + context: falco + filters: + branches: + only: + - master + requires: + - "tests/integration" + - "publish/packages-dev": + context: falco + filters: + branches: + only: + - master + requires: + - "rpm/sign" + - "publish/docker-dev": + filters: + branches: + only: + - master + requires: + - "publish/packages-dev" + release: + jobs: + - "build/centos7": + filters: + tags: + only: /.*/ + branches: + ignore: /.*/ + - "rpm/sign": + context: falco + requires: + - "build/centos7" + filters: + tags: + only: /.*/ + branches: + ignore: /.*/ + - "publish/packages": + context: falco + requires: + - "rpm/sign" + filters: + tags: + only: /.*/ + branches: + ignore: /.*/ + - "publish/docker": + requires: + - "publish/packages" + filters: + tags: + only: /.*/ + branches: + ignore: /.*/ 
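Review bot: The post-signing check in `rpm/sign`, `test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0`, only proves that each package carries some signature; it never verifies that the signature was made by the key the project expects, so a wrong or stale `$GPG_KEY` still publishes. Import the public half into the rpm database and verify explicitly, e.g. `rpm --import <pubkey-file> && rpm --checksig *.rpm`, which exits non-zero on a bad or unknown signature. The expect wrapper sends an empty passphrase, so the key in `$GPG_KEY` is unprotected at rest and is imported into `falcosecurity/falco-builder:latest`, an unpinned image; pinning the signing and publishing images by digest keeps the key from being exposed to whatever those tags resolve to on a given day. Only the rpm is signed; the `.deb` and `.tar.gz` uploaded by `publish/packages` go out unsigned, which deserves at least a comment like `# deb/tgz are published unsigned; only rpm signatures are produced here` if that is intentional. `publish/docker` and `publish/docker-dev` run `docker push` with no `docker login` step and no `context:`, so either the registry credentials come from somewhere not visible here or these jobs cannot succeed.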
diff --git a/CMakeLists.txt b/CMakeLists.txt
index bef38afe416..dcb2bb75795 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -48,6 +48,7 @@ else()
 set(CMAKE_BUILD_TYPE "release")
 set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
 endif()
+message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
diff --git a/brand/README.md b/brand/README.md
index 811963d21c6..4cc75aa0752 100644
--- a/brand/README.md
+++ b/brand/README.md
@@ -28,7 +28,7 @@ The CNCF now owns The Falco Project.
 ### What is Runtime Security?
 Runtime security refers to an approach to preventing unwanted activity on a computer system.
-With runtime security an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
+With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
 Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
 Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
diff --git a/cmake/modules/CPackConfig.cmake b/cmake/modules/CPackConfig.cmake
index 1de295ed33c..6f647a01473 100644
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -1,9 +1,12 @@
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
-set(CPACK_PACKAGE_CONTACT "opensource@sysdig.com") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
 set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
+set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
+set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
+set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
 set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")
diff --git a/docker/builder/Dockerfile b/docker/builder/Dockerfile
index 1cef7619d78..c2c25a498a7 100644
--- a/docker/builder/Dockerfile
+++ b/docker/builder/Dockerfile
@@ -2,7 +2,7 @@ FROM centos:7
 LABEL name="falcosecurity/falco-builder"
 LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 ARG BUILD_TYPE=release
 ARG BUILD_DRIVER=OFF
diff --git a/docker/dev/Dockerfile b/docker/dev/Dockerfile
deleted file mode 100644
index 3ce49e88df1..00000000000
--- a/docker/dev/Dockerfile
+++ /dev/null
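Review bot: `CPACK_PACKAGE_VERSION_MAJOR`, `_MINOR` and `_PATCH` are now set from `FALCO_VERSION_MAJOR`, `FALCO_VERSION_MINOR` and `FALCO_VERSION_PATCH`, but nothing in this commit defines those three variables; if they are not produced wherever `FALCO_VERSION` is set (outside this diff), these lines assign empty strings, which replaces CPack's own defaults rather than leaving them alone. Either add the split next to the definition of `FALCO_VERSION`, or guard the three assignments with `if(DEFINED FALCO_VERSION_MAJOR)` so an incomplete configuration fails loudly instead of producing a package with a blank version component.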
@@ -1,110 +0,0 @@ -FROM debian:unstable - -LABEL maintainer="opensource@sysdig.com" - -ENV FALCO_REPOSITORY dev - -LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE" - -ENV HOST_ROOT /host - -ENV HOME /root - -RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root - -ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/ - -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - bash-completion \ - bc \ - clang-7 \ - ca-certificates \ - curl \ - dkms \ - gnupg2 \ - gcc \ - gdb \ - jq \ - libc6-dev \ - libelf-dev \ - llvm-7 \ - netcat \ - xz-utils \ - && rm -rf /var/lib/apt/lists/* - -# gcc 6 is no longer included in debian unstable, but we need it to -# build kernel modules on the default debian-based ami used by -# kops. So grab copies we've saved from debian snapshots with the -# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z -# or so. 
- -RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \ - && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \ - && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \ - && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \ - && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \ - && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \ - && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \ - && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \ - && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \ - && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \ - && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb - -# gcc 5 is no longer included in debian unstable, but we need it to -# build centos kernels, which are 3.x based and explicitly want a gcc -# version 3, 4, or 5 compiler. 
So grab copies we've saved from debian -# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z. - -RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \ - && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \ - && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \ - && curl -o libasan2_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \ - && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \ - && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \ - && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \ - && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \ - && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb - -# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the -# default to gcc-5. 
-RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc - -RUN rm -rf /usr/bin/clang \ - && rm -rf /usr/bin/llc \ - && ln -s /usr/bin/clang-7 /usr/bin/clang \ - && ln -s /usr/bin/llc-7 /usr/bin/llc - -RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \ - && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \ - && apt-get update \ - && apt-get install -y --no-install-recommends falco \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -# Change the falco config within the container to enable ISO 8601 -# output. -RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \ - && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml - -# Some base images have an empty /lib/modules by default -# If it's not empty, docker build will fail instead of -# silently overwriting the existing directory -RUN rm -df /lib/modules \ - && ln -s $HOST_ROOT/lib/modules /lib/modules - -# debian:unstable head contains binutils 2.31, which generates -# binaries that are incompatible with kernels < 4.16. So manually -# forcibly install binutils 2.30-22 instead. -RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \ - && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \ - && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \ - && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \ - && dpkg -i *binutils*.deb \ - && rm -f *binutils*.deb - -COPY ./docker-entrypoint.sh / - -ENTRYPOINT ["/docker-entrypoint.sh"] - -CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"] 
diff --git a/docker/dev/docker-entrypoint.sh b/docker/dev/docker-entrypoint.sh
deleted file mode 100755
index 493b5cc1cc4..00000000000
--- a/docker/dev/docker-entrypoint.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# set -e
-
-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
-
-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
- echo "* Setting up /usr/src links from host"
-
- for i in "$HOST_ROOT/usr/src"/*
- do
- base=$(basename "$i")
- ln -s "$i" "/usr/src/$base"
- done
-
- /usr/bin/falco-probe-loader
-fi
-
-exec "$@"
\ No newline at end of file
diff --git a/docker/event-generator/Dockerfile b/docker/event-generator/Dockerfile
index 50b1c6e2394..b3be454c69b 100644
--- a/docker/event-generator/Dockerfile
+++ b/docker/event-generator/Dockerfile
@@ -1,5 +1,5 @@
 FROM alpine:latest
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 RUN apk add --no-cache bash g++ curl
 COPY ./event_generator.cpp /usr/local/bin
 COPY ./docker-entrypoint.sh ./k8s_event_generator.sh /
diff --git a/docker/kernel/linuxkit/Dockerfile b/docker/kernel/linuxkit/Dockerfile
index 78a567f13b2..4e1fe1fb4cc 100644
--- a/docker/kernel/linuxkit/Dockerfile
+++ b/docker/kernel/linuxkit/Dockerfile
@@ -5,7 +5,7 @@ ARG FALCO_VERSION=0.20.0
 FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
 FROM falcosecurity/falco:${FALCO_VERSION}-minimal as falco
 FROM alpine:${ALPINE_VERSION} AS probe-build
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 ARG KERNEL_VERSION=4.9.184
 ARG FALCO_VERSION=0.20.0
 ENV FALCO_VERSION=${FALCO_VERSION}
diff --git a/docker/kernel/probeloader/Dockerfile b/docker/kernel/probeloader/Dockerfile
index d29b19293ea..0a878115a73 100644
--- a/docker/kernel/probeloader/Dockerfile
+++ b/docker/kernel/probeloader/Dockerfile
@@ -12,7 +12,7 @@ RUN go mod vendor
 RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
 FROM scratch
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /falcoctl/falcoctl /falcoctl
 CMD ["/falcoctl", "install", "probe"]
diff --git a/docker/local/Dockerfile b/docker/local/Dockerfile
index 14433be8b3e..49e03f81c10 100644
--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -13,84 +13,82 @@ ENV HOME /root RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root -ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/ - RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - bash-completion \ - bc \ - clang-7 \ - ca-certificates \ - curl \ - dkms \ - gnupg2 \ - gcc \ - jq \ - libc6-dev \ - libelf-dev \ - libyaml-0-2 \ - llvm-7 \ - netcat \ - xz-utils \ - libmpc3 \ - binutils \ - libgomp1 \ - libitm1 \ - libatomic1 \ - liblsan0 \ - libtsan0 \ - libmpx2 \ - libquadmath0 \ - libcc1-0 \ - && rm -rf /var/lib/apt/lists/* - -# gcc 6 is no longer included in debian unstable, but we need it to + && apt-get install -y --no-install-recommends \ + bash-completion \ + bc \ + clang-7 \ + ca-certificates \ + curl \ + dkms \ + gnupg2 \ + gcc \ + jq \ + libc6-dev \ + libelf-dev \ + libyaml-0-2 \ + llvm-7 \ + netcat \ + xz-utils \ + libmpc3 \ + binutils \ + libgomp1 \ + libitm1 \ + libatomic1 \ + liblsan0 \ + libtsan0 \ + libmpx2 \ + libquadmath0 \ + libcc1-0 \ + && rm -rf /var/lib/apt/lists/* + +# gcc 6 is no longer included in debian stable, but we need it to # build kernel modules on the default debian-based ami used by # kops. So grab copies we've saved from debian snapshots with the # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z # or so. 
-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \ - && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \ - && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \ - && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \ - && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \ - && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \ - && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \ - && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \ - && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \ - && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \ - && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb - -# gcc 5 is no longer included in debian unstable, but we need it to +RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \ + && curl -L -o 
gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \ + && curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \ + && curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \ + && curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \ + && curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \ + && curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \ + && curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \ + && curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \ + && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \ + && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb + +# gcc 5 is no longer included in debian stable, but we need it to # build centos kernels, which are 3.x based and explicitly want a gcc # version 3, 4, or 5 compiler. So grab copies we've saved from debian # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z. 
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \ - && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \ - && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \ - && curl -o libasan2_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \ - && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \ - && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \ - && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \ - && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \ - && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb +RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \ + && curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \ + && curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \ + && curl -L -o libasan2_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \ + && curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \ + && curl -L -o libisl15_0.18-4_amd64.deb 
https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \ + && curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \ + && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \ + && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the # default to gcc-5. RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc RUN rm -rf /usr/bin/clang \ - && rm -rf /usr/bin/llc \ - && ln -s /usr/bin/clang-7 /usr/bin/clang \ - && ln -s /usr/bin/llc-7 /usr/bin/llc + && rm -rf /usr/bin/llc \ + && ln -s /usr/bin/clang-7 /usr/bin/clang \ + && ln -s /usr/bin/llc-7 /usr/bin/llc # Some base images have an empty /lib/modules by default # If it's not empty, docker build will fail instead of # silently overwriting the existing directory RUN rm -df /lib/modules \ - && ln -s $HOST_ROOT/lib/modules /lib/modules + && ln -s $HOST_ROOT/lib/modules /lib/modules ADD falco-${FALCO_VERSION}-x86_64.deb / RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb 
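Review bot: The gcc-6 and gcc-5 `.deb` files are now fetched from `dl.bintray.com` with `curl -L` and installed with `dpkg -i` without any integrity check, and the binutils block in the next hunk (`@@ -100,15 +98,15 @@`) has the same gap; a redirect to an unexpected host or a replaced artifact would be installed into the image unnoticed. Since every filename is already pinned to an exact version, a pinned digest is cheap: keep the expected hashes in a checksums file next to this Dockerfile and run `sha256sum -c <checksums-file>` before each `dpkg -i`. `curl -L` without `-f` also saves an HTTP error body under the `.deb` name, so a dead link fails only at `dpkg` with a misleading message; `curl -fsSL -o ...` makes the failure point at the download instead. The comments were changed from "debian unstable" to "debian stable", but the `FROM` line of this Dockerfile is outside the hunk, so confirm the base image actually moved before relying on that wording.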
@@ -100,15 +98,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \ && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml -# debian:unstable head contains binutils 2.31, which generates +# debian:stable head contains binutils 2.31, which generates # binaries that are incompatible with kernels < 4.16. So manually # forcibly install binutils 2.30-22 instead. -RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \ - && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \ - && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \ - && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \ - && dpkg -i *binutils*.deb \ - && rm -f *binutils*.deb +RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \ + && curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \ + && curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \ + && curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \ + && dpkg -i *binutils*.deb \ + && rm -f *binutils*.deb # The local container also copies some test trace files and # corresponding rules that are used when running regression tests. diff --git a/docker/minimal/Dockerfile b/docker/minimal/Dockerfile index 2fb492e2368..9020a4c5256 100644 --- a/docker/minimal/Dockerfile 
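Review bot: The rewritten binutils step installs four `.deb` files fetched with `curl -L` straight into `dpkg -i` with no integrity check, so whatever dl.bintray.com or any redirect target (`-L` follows redirects) serves becomes part of the image; the same pattern is in the gcc-6 and gcc-5 blocks and the binutils block of docker/stable/Dockerfile, and the minimal image's remote `ADD` tarball is likewise unverified. Pin a SHA-256 per file and verify before installing, e.g. `echo "<SHA256_PLACEHOLDER>  binutils_2.30-22_amd64.deb" | sha256sum -c - && \` ahead of the `dpkg -i *binutils*.deb` line. Also add `-f` to these calls (`curl -fL -o ...`) so an HTTP error body is not saved as the package and reported later as a confusing dpkg failure.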
+++ b/docker/minimal/Dockerfile @@ -3,19 +3,20 @@ FROM ubuntu:18.04 as ubuntu LABEL maintainer="cncf-falco-dev@lists.cncf.io" ARG FALCO_VERSION=0.20.0 +ARG VERSION_BUCKET=bin ENV FALCO_VERSION=${FALCO_VERSION} +ENV VERSION_BUCKET=${VERSION_BUCKET} WORKDIR / -ADD https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz / +ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz / -# ADD will download from URL and unntar RUN apt-get update && \ apt-get install -y libyaml-0-2 binutils && \ - # curl -O https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \ - tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \ - rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \ + gzip -d falco-${FALCO_VERSION}-x86_64.tar.gz && \ + tar xfzv falco-${FALCO_VERSION}-x86_64.tar && \ + rm -f falco-${FALCO_VERSION}-x86_64.tar && \ mv falco-${FALCO_VERSION}-x86_64 falco && \ strip falco/usr/bin/falco && \ apt-get clean && \ diff --git a/docker/rhel/Dockerfile b/docker/rhel/Dockerfile index 4a987fd5865..3d2f3405cdb 100644 --- a/docker/rhel/Dockerfile +++ b/docker/rhel/Dockerfile 
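Review bot: The new extraction runs `gzip -d` on the tarball and then `tar xfzv` on the resulting `.tar`; with the `z` flag GNU tar will try to gunzip an already-decompressed archive and fail, unless the file `ADD` stores is gzip-compressed twice, in which case a comment saying so is needed. If a single decompression is intended, drop the `gzip -d` line and extract directly with `tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \` followed by `rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \`. The remote `ADD` also has no checksum; pin a SHA-256 for the tarball and check it with `sha256sum -c` before extracting.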
@@ -2,21 +2,21 @@ FROM registry.access.redhat.com/rhel7 LABEL maintainer="cncf-falco-dev@lists.cncf.io" -### Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels -LABEL name="falco" \ - vendor="falcosecurity" \ - url="http://falco.org/" \ - summary="Container native runtime security" \ - description="Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms." \ - run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco' +## Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels +LABEL name="falco" +LABEL vendor="falcosecurity" +LABEL url="http://falco.org" +LABEL summary="Cloud Native Runtime Security" +LABEL description="Falco is an open-source project for intrusion and abnormality detection for Cloud Native platforms." +LABEL run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m ' COPY help.md /tmp/ ENV HOST_ROOT /host ENV HOME /root -ADD http://download.draios.com/stable/rpm/draios.repo /etc/yum.repos.d/draios.repo -RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public && \ +ADD https://falco.org/repo/falcosecurity-rpm.repo /etc/yum.repos.d/falcosecurity.repo +RUN rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc && \ rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \ yum clean all && \ REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \ 
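Review bot: `REPOLIST=...,epel,draios` on the last line of the hunk still enables a repo id named `draios`, but the repo file now providing falco is `/etc/yum.repos.d/falcosecurity.repo`; unless the section inside falcosecurity-rpm.repo is still named `draios`, the `yum install --disablerepo "*" --enablerepo ${REPOLIST}` that follows (outside this hunk) will not see the falco package. Update the list to the repo id declared in that file, e.g. `REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,<FALCO_REPO_ID_PLACEHOLDER> \`. Separately, the new `run` label ends in `--shm-size=350m '` — the image name was dropped from the documented command, leaving a trailing space; either restore a placeholder such as `IMAGE` or state the intended registry path. The RUN statement containing REPOLIST continues past the hunk.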
@@ -24,9 +24,9 @@ RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.pub yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \ --security --sec-severity=Important --sec-severity=Critical && \ yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \ - ### help file markdown to man conversion + ## help file markdown to man conversion go-md2man -in /tmp/help.md -out /help.1 && \ - ### we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh + ## we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh rm -fr /usr/src/kernels && \ rm -df /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules && \ yum clean all diff --git a/docker/slim-stable/Dockerfile b/docker/slim-stable/Dockerfile deleted file mode 100644 index 9083c8c0638..00000000000 --- a/docker/slim-stable/Dockerfile +++ /dev/null 
@@ -1,50 +0,0 @@ -FROM ubuntu:18.04 - -LABEL maintainer="cncf-falco-dev@lists.cncf.io" - -ENV FALCO_REPOSITORY stable - -LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE" - -ENV HOST_ROOT /host - -ENV HOME /root - -RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root - -ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/ - -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - # bash-completion \ - # bc \ - ca-certificates \ - curl \ - gnupg2 \ - jq \ - # netcat \ - # xz-utils \ - && rm -rf /var/lib/apt/lists/* - -RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \ - && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \ - && apt-get update \ - && apt-get install -y --no-install-recommends falco \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -# Change the falco config within the container to enable ISO 8601 -# output. -RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \ - && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml - -# Some base images have an empty /lib/modules by default -# If it's not empty, docker build will fail instead of -# silently overwriting the existing directory -RUN rm -df /lib/modules \ - && ln -s $HOST_ROOT/lib/modules /lib/modules - -#COPY ./entrypoint.sh / -# ENTRYPOINT ["/entrypoint.sh"] - -CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"] diff --git a/docker/slim-dev/Dockerfile b/docker/slim/Dockerfile similarity index 70% rename from docker/slim-dev/Dockerfile rename to docker/slim/Dockerfile index e36a58c673a..d98e990b755 100644 --- a/docker/slim-dev/Dockerfile +++ b/docker/slim/Dockerfile 
@@ -2,33 +2,32 @@ FROM ubuntu:18.04 LABEL maintainer="cncf-falco-dev@lists.cncf.io" -ENV FALCO_REPOSITORY dev +LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name " -LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE" +ARG VERSION_BUCKET=deb -ENV HOST_ROOT /host +ENV VERSION_BUCKET=${VERSION_BUCKET} +ENV HOST_ROOT /host ENV HOME /root RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root -ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/ - RUN apt-get update \ && apt-get install -y --no-install-recommends \ - # bash-completion \ - # bc \ + # bash-completion \ + # bc \ ca-certificates \ curl \ gnupg2 \ jq \ - # netcat \ - # xz-utils \ + # netcat \ + # xz-utils \ && rm -rf /var/lib/apt/lists/* -RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \ - && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \ - && apt-get update \ +RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \ + && echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \ + && apt-get update -y \ && apt-get install -y --no-install-recommends falco \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* @@ -44,7 +43,4 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa RUN rm -df /lib/modules \ && ln -s $HOST_ROOT/lib/modules /lib/modules -#COPY ./entrypoint.sh / -# ENTRYPOINT ["/entrypoint.sh"] - CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"] 
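Review bot: The rewritten `LABEL RUN=` now ends in `--name "` — the `NAME IMAGE` placeholders present in the old line, and still used by docker/stable/Dockerfile's usage label, were dropped, so the documented command is incomplete; close the string after `--name NAME IMAGE` instead. In the apt setup, `curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -` trusts whatever that URL returns as the repository signing key; compare the imported key's fingerprint with the expected one (the file name suggests key id 3672BA8F) before enabling the repo, and add `-f` to the curl call so an HTTP error body is not handed to apt-key. The same key and sources lines are added in docker/stable/Dockerfile's hunk at old line 75.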
diff --git a/docker/stable/Dockerfile b/docker/stable/Dockerfile index 0dfde2d05d6..4b47317cc62 100644 --- a/docker/stable/Dockerfile +++ b/docker/stable/Dockerfile @@ -2,18 +2,16 @@ FROM debian:stable LABEL maintainer="cncf-falco-dev@lists.cncf.io" -ENV FALCO_REPOSITORY stable +LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE" -LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE" +ARG VERSION_BUCKET=deb +ENV VERSION_BUCKET=${VERSION_BUCKET} ENV HOST_ROOT /host - ENV HOME /root RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root -ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/ - RUN apt-get update \ && apt-get install -y --no-install-recommends \ bash-completion \ 
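Review bot: The usage label is renamed to `LABEL usage=` here while docker/slim/Dockerfile keeps `LABEL RUN=` and docker/rhel/Dockerfile uses `run`, so tooling reading these labels now needs three keys. Pick one key for all images; the tester image already uses `usage`, which makes that the natural choice. Minor: the new `ENV VERSION_BUCKET=${VERSION_BUCKET}` uses the `KEY=value` form next to the legacy `ENV HOST_ROOT /host` form, and one form throughout would read more cleanly.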
@@ -33,36 +31,36 @@ RUN apt-get update \ xz-utils \ && rm -rf /var/lib/apt/lists/* -# gcc 6 is no longer included in debian unstable, but we need it to +# gcc 6 is no longer included in debian stable, but we need it to # build kernel modules on the default debian-based ami used by # kops. So grab copies we've saved from debian snapshots with the # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z # or so. -RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \ - && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \ - && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \ - && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \ - && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \ - && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \ - && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \ - && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \ - && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \ +RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \ + && curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \ + && curl -L -o gcc-6_6.3.0-18_amd64.deb 
https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \ + && curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \ + && curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \ + && curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \ + && curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \ + && curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \ + && curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \ && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \ && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb -# gcc 5 is no longer included in debian unstable, but we need it to +# gcc 5 is no longer included in debian stable, but we need it to # build centos kernels, which are 3.x based and explicitly want a gcc # version 3, 4, or 5 compiler. So grab copies we've saved from debian # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z. 
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \ - && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \ - && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \ - && curl -o libasan2_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \ - && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \ - && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \ - && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \ +RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \ + && curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \ + && curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \ + && curl -L -o libasan2_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \ + && curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \ + && curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \ + && curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \ && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \ && rm -f cpp-5_5.5.0-12_amd64.deb 
gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb @@ -75,9 +73,9 @@ RUN rm -rf /usr/bin/clang \ && ln -s /usr/bin/clang-7 /usr/bin/clang \ && ln -s /usr/bin/llc-7 /usr/bin/llc -RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \ - && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \ - && apt-get update \ +RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \ + && echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \ + && apt-get update -y \ && apt-get install -y --no-install-recommends falco \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* 
@@ -93,13 +91,13 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa RUN rm -df /lib/modules \ && ln -s $HOST_ROOT/lib/modules /lib/modules -# debian:unstable head contains binutils 2.31, which generates +# debian:stable head contains binutils 2.31, which generates # binaries that are incompatible with kernels < 4.16. So manually # forcibly install binutils 2.30-22 instead. -RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \ - && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \ - && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \ - && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \ +RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \ + && curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \ + && curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \ + && curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \ && dpkg -i *binutils*.deb \ && rm -f *binutils*.deb diff --git a/docker/tester/Dockerfile b/docker/tester/Dockerfile index 7d64c85f94d..6f298e004c0 100644 --- a/docker/tester/Dockerfile +++ b/docker/tester/Dockerfile 
@@ -2,7 +2,7 @@ FROM fedora:31 LABEL name="falcosecurity/falco-tester" LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION= --name falcosecurity/falco-tester test" -LABEL maintainer="opensource@sysdig.com" +LABEL maintainer="cncf-falco-dev@lists.cncf.io" ENV FALCO_VERSION= ENV BUILD_TYPE=release diff --git a/docker/tester/root/runners/deb.Dockerfile b/docker/tester/root/runners/deb.Dockerfile index 547c87ce617..0c665d27221 100644 --- a/docker/tester/root/runners/deb.Dockerfile +++ b/docker/tester/root/runners/deb.Dockerfile @@ -1,5 +1,5 @@ FROM ubuntu:18.04 -LABEL maintainer="opensource@sysdig.com" +LABEL maintainer="cncf-falco-dev@lists.cncf.io" ARG FALCO_VERSION= RUN test -n FALCO_VERSION diff --git a/docker/tester/root/runners/rpm.Dockerfile b/docker/tester/root/runners/rpm.Dockerfile index 430a417dd1b..9bd0f786571 100644 --- a/docker/tester/root/runners/rpm.Dockerfile +++ b/docker/tester/root/runners/rpm.Dockerfile @@ -1,6 +1,6 @@ FROM centos:7 -LABEL maintainer="opensource@sysdig.com" +LABEL maintainer="cncf-falco-dev@lists.cncf.io" ARG FALCO_VERSION= RUN test -n FALCO_VERSION diff --git a/scripts/debian/falco b/scripts/debian/falco index ffe72922b87..552baf2ecba 100755 --- a/scripts/debian/falco +++ b/scripts/debian/falco @@ -26,7 +26,7 @@ # driven by system calls with support for containers. ### END INIT INFO -# Author: The Falco Authors +# Author: The Falco Authors # Do NOT "set -e"