From 1ee629a33f283f9a9dd5fb9270c931a87e4ae964 Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Thu, 23 Jun 2022 08:59:49 +0000
Subject: [PATCH 1/4] refactor(userspace/falco): support zlib and custom threadiness in webserver
Signed-off-by: Jason Dellaluce
---
 userspace/falco/webserver.cpp | 5 +++++
 userspace/falco/webserver.h | 1 +
 2 files changed, 6 insertions(+)
diff --git a/userspace/falco/webserver.cpp b/userspace/falco/webserver.cpp
index 46e0fa81be0..dba93973e27 100644
--- a/userspace/falco/webserver.cpp
+++ b/userspace/falco/webserver.cpp
@@ -15,6 +15,7 @@ limitations under the License.
 */
 #include "webserver.h"
+#include "falco_utils.h"
 #include
 falco_webserver::~falco_webserver()
@@ -46,6 +47,10 @@ void falco_webserver::start(
 m_server = new httplib::Server();
 }
+ // configure server
+ auto threadiness = std::min(2u, falco::utils::hardware_concurrency());
+ m_server->new_task_queue = [&threadiness] { return new httplib::ThreadPool(threadiness); };
+
 // setup healthz endpoint
 m_server->Get(healthz_endpoint, [](const httplib::Request &, httplib::Response &res) {
diff --git a/userspace/falco/webserver.h b/userspace/falco/webserver.h
index 1da0d185112..7a022b0bb9e 100644
--- a/userspace/falco/webserver.h
+++ b/userspace/falco/webserver.h
@@ -16,6 +16,7 @@ limitations under the License.
 #pragma once
 #define CPPHTTPLIB_OPENSSL_SUPPORT
+#define CPPHTTPLIB_ZLIB_SUPPORT
 #include
 #include
 #include "configuration.h"
From 75130f3b186c815cce159505211efb89de5f0a71 Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Thu, 23 Jun 2022 09:16:26 +0000
Subject: [PATCH 2/4] update(userspace/falco): add configuration entry for webserver threadiness
Signed-off-by: Jason Dellaluce
---
 userspace/falco/app_actions/start_webserver.cpp | 8 +++++++-
 userspace/falco/configuration.cpp | 6 ++++++
 userspace/falco/configuration.h | 1 +
 userspace/falco/webserver.cpp | 10 +++++-----
 userspace/falco/webserver.h | 1 +
 5 files changed, 20 insertions(+), 6 deletions(-)
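Review bot: The lambda assigned to `m_server->new_task_queue` in the second webserver.cpp hunk captures `threadiness` by reference although it is a local of `start()`; `new_task_queue` is a callback stored on the server and invoked when the pool is created, so unless that happens synchronously before `start()` returns (the listen call is not in this hunk) the closure reads a dead stack slot. A `uint32_t` is cheap to copy, so change the line to `m_server->new_task_queue = [threadiness] { return new httplib::ThreadPool(threadiness); };`. The `std::min(2u, ...)` cap would also benefit from a comment saying why two workers are enough, e.g. `// cap at 2 workers: this server only serves the health endpoint`. start()'s body continues outside the hunk.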
diff --git a/userspace/falco/app_actions/start_webserver.cpp b/userspace/falco/app_actions/start_webserver.cpp
index 3da117fed0d..8e2b0070f41 100644
--- a/userspace/falco/app_actions/start_webserver.cpp
+++ b/userspace/falco/app_actions/start_webserver.cpp
@@ -27,8 +27,14 @@ application::run_result application::start_webserver()
 if(!is_capture_mode() && m_state->config->m_webserver_enabled)
 {
 std::string ssl_option = (m_state->config->m_webserver_ssl_enabled ? " (SSL)" : "");
- falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(m_state->config->m_webserver_listen_port) + ssl_option + "\n");
+ falco_logger::log(LOG_INFO, "Starting health webserver with threadiness "
+ + to_string(m_state->config->m_webserver_threadiness)
+ + ", listening on port "
+ + to_string(m_state->config->m_webserver_listen_port)
+ + ssl_option + "\n");
+
 m_state->webserver.start(
+ m_state->config->m_webserver_threadiness,
 m_state->config->m_webserver_listen_port,
 m_state->config->m_webserver_k8s_healthz_endpoint,
 m_state->config->m_webserver_ssl_certificate,
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index f35ea5341ec..b8bbe0621d3 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -35,6 +35,7 @@ falco_configuration::falco_configuration():
 m_buffered_outputs(false),
 m_time_format_iso_8601(false),
 m_webserver_enabled(false),
+ m_webserver_threadiness(0),
 m_webserver_listen_port(8765),
 m_webserver_k8s_healthz_endpoint("/healthz"),
 m_webserver_ssl_enabled(false),
@@ -207,10 +208,15 @@ void falco_configuration::init(string conf_filename, const vector &cmdli
 falco_logger::log_syslog = m_config->get_scalar("log_syslog", true);
 m_webserver_enabled = m_config->get_scalar("webserver.enabled", false);
+ m_webserver_threadiness = m_config->get_scalar("webserver.threadiness", 0);
 m_webserver_listen_port = m_config->get_scalar("webserver.listen_port", 8765);
 m_webserver_k8s_healthz_endpoint = m_config->get_scalar("webserver.k8s_healthz_endpoint", "/healthz");
 m_webserver_ssl_enabled = m_config->get_scalar("webserver.ssl_enabled", false);
 m_webserver_ssl_certificate = m_config->get_scalar("webserver.ssl_certificate", "/etc/falco/falco.pem");
+ if(m_webserver_threadiness == 0)
+ {
+ m_webserver_threadiness = falco::utils::hardware_concurrency();
+ }
 std::list syscall_event_drop_acts;
 m_config->get_sequence(syscall_event_drop_acts, "syscall_event_drops.actions");
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index 41fc1525ca7..e3b1c79a943 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -250,6 +250,7 @@ class falco_configuration
 std::string m_grpc_root_certs;
 bool m_webserver_enabled;
+ uint32_t m_webserver_threadiness;
 uint32_t m_webserver_listen_port;
 std::string m_webserver_k8s_healthz_endpoint;
 bool m_webserver_ssl_enabled;
diff --git a/userspace/falco/webserver.cpp b/userspace/falco/webserver.cpp
index dba93973e27..c4567db91a5 100644
--- a/userspace/falco/webserver.cpp
+++ b/userspace/falco/webserver.cpp
@@ -24,10 +24,11 @@ falco_webserver::~falco_webserver()
 }
 void falco_webserver::start(
- uint32_t listen_port,
- std::string& healthz_endpoint,
- std::string &ssl_certificate,
- bool ssl_enabled)
+ uint32_t threadiness,
+ uint32_t listen_port,
+ std::string& healthz_endpoint,
+ std::string &ssl_certificate,
+ bool ssl_enabled)
 {
 if (m_running)
 {
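Review bot: The fallback `m_webserver_threadiness = falco::utils::hardware_concurrency();` in the configuration.cpp hunk has no floor, so if that helper reports 0 when the core count cannot be determined (as `std::thread::hardware_concurrency()` does; whether the Falco wrapper guards against that is not visible here) the value stays 0 and a thread pool later sized from it would have no workers, leaving health probes accepted but never answered. There is also no ceiling, so a typo in `webserver.threadiness` spawns that many OS threads at startup. Clamp after the fallback, e.g. `m_webserver_threadiness = std::max(1u, falco::utils::hardware_concurrency());`, and consider logging a warning for values above some sane bound. init() continues outside the hunk.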
@@ -48,7 +49,6 @@ void falco_webserver::start(
 }
 // configure server
- auto threadiness = std::min(2u, falco::utils::hardware_concurrency());
 m_server->new_task_queue = [&threadiness] { return new httplib::ThreadPool(threadiness); };
 // setup healthz endpoint
diff --git a/userspace/falco/webserver.h b/userspace/falco/webserver.h
index 7a022b0bb9e..e9c409672df 100644
--- a/userspace/falco/webserver.h
+++ b/userspace/falco/webserver.h
@@ -26,6 +26,7 @@ class falco_webserver
 public:
 virtual ~falco_webserver();
 virtual void start(
+ uint32_t threadiness,
 uint32_t listen_port,
 std::string& healthz_endpoint,
 std::string &ssl_certificate,
From 7780a7d67a71ccc32f8b93ea0504d003822d6bfd Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Thu, 23 Jun 2022 09:16:57 +0000
Subject: [PATCH 3/4] update(falco.yaml): update default configuration and its comments
Signed-off-by: Jason Dellaluce
---
 falco.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/falco.yaml b/falco.yaml
index 85862a1d478..4638c2c1b88 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -227,9 +227,10 @@ file_output:
 stdout_output:
 enabled: true
-# Falco contains an embedded webserver that can be used to accept K8s
-# Audit Events. These config options control the behavior of that
-# webserver. (By default, the webserver is enabled).
+# Falco contains an embedded webserver that is used to implement an health
+# endpoint for checking if Falco is up and running. These config options control
+# the behavior of that webserver. By default, the webserver is enabled and
+# the endpoint is /healthz.
 #
 # The ssl_certificate is a combination SSL Certificate and corresponding
 # key contained in a single file. You can generate a key/cert as follows:
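Review bot: After the removal in the webserver.cpp hunk, `[&threadiness]` in the surviving `new_task_queue` line binds the by-value parameter `threadiness` of `start()`, which is destroyed when `start()` returns, so the stored callback reads a dangling reference if the server creates its pool after that point (the listen call is not in this hunk). A `uint32_t` costs nothing to copy; change the capture to `[threadiness]`. start() begins and ends outside the hunk.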
@@ -237,11 +238,10 @@ stdout_output:
 # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
 # $ cat certificate.pem key.pem > falco.pem
 # $ sudo cp falco.pem /etc/falco/falco.pem
-#
-# It also exposes a healthy endpoint that can be used to check if Falco is up and running
-# By default the endpoint is /healthz
 webserver:
 enabled: true
+ # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
+ threadiness: 0
 listen_port: 8765
 k8s_healthz_endpoint: /healthz
 ssl_enabled: false
From 7997a88707007b4b1d88caefa3ba57fca043b6db Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Tue, 12 Jul 2022 09:41:00 +0000
Subject: [PATCH 4/4] update(userspace/falco): avoid using zlib in webserver
Signed-off-by: Jason Dellaluce
---
 userspace/falco/webserver.h | 1 -
 1 file changed, 1 deletion(-)
diff --git a/userspace/falco/webserver.h b/userspace/falco/webserver.h
index e9c409672df..be0b83729e8 100644
--- a/userspace/falco/webserver.h
+++ b/userspace/falco/webserver.h
@@ -16,7 +16,6 @@ limitations under the License.
 #pragma once
 #define CPPHTTPLIB_OPENSSL_SUPPORT
-#define CPPHTTPLIB_ZLIB_SUPPORT
 #include
 #include
 #include "configuration.h"