diff --git a/falco.yaml b/falco.yaml
index 85862a1d478..4638c2c1b88 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -227,9 +227,10 @@ file_output:
 stdout_output:
   enabled: true
 
-# Falco contains an embedded webserver that can be used to accept K8s
-# Audit Events. These config options control the behavior of that
-# webserver. (By default, the webserver is enabled).
+# Falco contains an embedded webserver that is used to implement an health
+# endpoint for checking if Falco is up and running. These config options control
+# the behavior of that webserver. By default, the webserver is enabled and
+# the endpoint is /healthz.
 #
 # The ssl_certificate is a combination SSL Certificate and corresponding
 # key contained in a single file. You can generate a key/cert as follows:
@@ -237,11 +238,10 @@ stdout_output:
 # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
 # $ cat certificate.pem key.pem > falco.pem
 # $ sudo cp falco.pem /etc/falco/falco.pem
-#
-# It also exposes a healthy endpoint that can be used to check if Falco is up and running
-# By default the endpoint is /healthz
 webserver:
   enabled: true
+  # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
+  threadiness: 0
   listen_port: 8765
   k8s_healthz_endpoint: /healthz
   ssl_enabled: false
diff --git a/userspace/falco/app_actions/start_webserver.cpp b/userspace/falco/app_actions/start_webserver.cpp
index 3da117fed0d..8e2b0070f41 100644
--- a/userspace/falco/app_actions/start_webserver.cpp
+++ b/userspace/falco/app_actions/start_webserver.cpp
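Review bot: The new `threadiness` comment says what 0 does but not what the value is, and the rewritten header says the webserver is enabled by default without saying that `/healthz` is served over plain HTTP on `listen_port` until `ssl_enabled` is set, which is the thing an operator exposing the port beyond the host needs to know. I would replace the option comment with `# Number of worker threads serving the health endpoint; 0 (the default) sizes it to the number of online cores.` and add one line to the header such as `# Note: ssl_enabled is false by default, so the health endpoint is served over plain HTTP on listen_port.`. The hunk shows no bind-address or authentication option for this webserver, so if either exists elsewhere in the file the header should point to it; if neither exists, the comment should say the endpoint is reachable by anyone who can reach the port.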
@@ -27,8 +27,14 @@ application::run_result application::start_webserver()
 	if(!is_capture_mode() && m_state->config->m_webserver_enabled)
 	{
 		std::string ssl_option = (m_state->config->m_webserver_ssl_enabled ? " (SSL)" : "");
-		falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(m_state->config->m_webserver_listen_port) + ssl_option + "\n");
+		falco_logger::log(LOG_INFO, "Starting health webserver with threadiness "
+			+ to_string(m_state->config->m_webserver_threadiness)
+			+ ", listening on port "
+			+ to_string(m_state->config->m_webserver_listen_port)
+			+ ssl_option + "\n");
+
 		m_state->webserver.start(
+			m_state->config->m_webserver_threadiness,
 			m_state->config->m_webserver_listen_port,
 			m_state->config->m_webserver_k8s_healthz_endpoint,
 			m_state->config->m_webserver_ssl_certificate,
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index f35ea5341ec..b8bbe0621d3 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -35,6 +35,7 @@ falco_configuration::falco_configuration():
 	m_buffered_outputs(false),
 	m_time_format_iso_8601(false),
 	m_webserver_enabled(false),
+	m_webserver_threadiness(0),
 	m_webserver_listen_port(8765),
 	m_webserver_k8s_healthz_endpoint("/healthz"),
 	m_webserver_ssl_enabled(false),
@@ -207,10 +208,15 @@ void falco_configuration::init(string conf_filename, const vector &cmdli
 	falco_logger::log_syslog = m_config->get_scalar("log_syslog", true);
 
 	m_webserver_enabled = m_config->get_scalar("webserver.enabled", false);
+	m_webserver_threadiness = m_config->get_scalar("webserver.threadiness", 0);
 	m_webserver_listen_port = m_config->get_scalar("webserver.listen_port", 8765);
 	m_webserver_k8s_healthz_endpoint = m_config->get_scalar("webserver.k8s_healthz_endpoint", "/healthz");
 	m_webserver_ssl_enabled = m_config->get_scalar("webserver.ssl_enabled", false);
 	m_webserver_ssl_certificate = m_config->get_scalar("webserver.ssl_certificate", "/etc/falco/falco.pem");
+	if(m_webserver_threadiness == 0)
+	{
+		m_webserver_threadiness = falco::utils::hardware_concurrency();
+	}
 
 	std::list syscall_event_drop_acts;
 	m_config->get_sequence(syscall_event_drop_acts, "syscall_event_drops.actions");
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index 41fc1525ca7..e3b1c79a943 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -250,6 +250,7 @@ class falco_configuration
 	std::string m_grpc_root_certs;
 
 	bool m_webserver_enabled;
+	uint32_t m_webserver_threadiness;
 	uint32_t m_webserver_listen_port;
 	std::string m_webserver_k8s_healthz_endpoint;
 	bool m_webserver_ssl_enabled;
diff --git a/userspace/falco/webserver.cpp b/userspace/falco/webserver.cpp
index 46e0fa81be0..c4567db91a5 100644
--- a/userspace/falco/webserver.cpp
+++ b/userspace/falco/webserver.cpp
@@ -15,6 +15,7 @@ limitations under the License.
 */
 
 #include "webserver.h"
+#include "falco_utils.h"
 #include 
 
 falco_webserver::~falco_webserver()
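Review bot: The `webserver.threadiness` value read here is stored in a `uint32_t` with no upper bound, and if `falco::utils::hardware_concurrency()` can report 0 (as `std::thread::hardware_concurrency()` is permitted to) the `== 0` branch leaves the member at 0, which later sizes an `httplib::ThreadPool` in the webserver with no workers. Since this is the one place the value is validated before it reaches the server, I would clamp the fallback, `m_webserver_threadiness = std::max<uint32_t>(1, falco::utils::hardware_concurrency());` (assuming `<algorithm>` is available in this file), and reject implausibly large or negative configured values through whatever error path the rest of `init()` uses for bad settings, which is outside this hunk so I cannot quote it. Whether a negative YAML value wraps or is rejected depends on how `get_scalar` converts it, which is not visible here, so that case is worth a test either way. `init()` starts and ends outside this hunk.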
@@ -23,10 +24,11 @@ falco_webserver::~falco_webserver()
 }
 
 void falco_webserver::start(
-	uint32_t listen_port,
-	std::string& healthz_endpoint,
-	std::string &ssl_certificate,
-	bool ssl_enabled)
+	uint32_t threadiness,
+	uint32_t listen_port,
+	std::string& healthz_endpoint,
+	std::string &ssl_certificate,
+	bool ssl_enabled)
 {
 	if (m_running)
 	{
@@ -46,6 +48,9 @@ void falco_webserver::start(
 		m_server = new httplib::Server();
 	}
 
+	// configure server
+	m_server->new_task_queue = [&threadiness] { return new httplib::ThreadPool(threadiness); };
+
 	// setup healthz endpoint
 	m_server->Get(healthz_endpoint, [](const httplib::Request &, httplib::Response &res)
 	{
diff --git a/userspace/falco/webserver.h b/userspace/falco/webserver.h
index 1da0d185112..be0b83729e8 100644
--- a/userspace/falco/webserver.h
+++ b/userspace/falco/webserver.h
@@ -25,6 +25,7 @@ class falco_webserver
 public:
 	virtual ~falco_webserver();
 	virtual void start(
+		uint32_t threadiness,
 		uint32_t listen_port,
 		std::string& healthz_endpoint,
 		std::string &ssl_certificate,
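Review bot: The lambda stored in `m_server->new_task_queue` captures `threadiness` by reference, but `threadiness` is a by-value parameter of `start()` that ceases to exist when `start()` returns; httplib invokes `new_task_queue` when the server begins listening, so if the listen is started on another thread or otherwise runs after `start()` returns (the remainder of `start()` is outside this hunk) the pool is sized from a dead stack slot. Capture by value instead: `m_server->new_task_queue = [threadiness] { return new httplib::ThreadPool(threadiness); };`. Nothing in `start()` rejects `threadiness == 0`: the 0-to-core-count substitution only happens in the configuration loader, so any other caller passing 0 would, as far as I can tell from httplib's ThreadPool, get a queue with no workers and health requests that are accepted but never answered, which is worse for a liveness probe than a refused connection; a guard such as `if(threadiness == 0) threadiness = 1;` before the assignment, or a documented precondition on `start()` in webserver.h, would close that. The `@@ -46,6 +48,9 @@` hunk is inside `start()`, whose body ends outside this diff.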