cleanup(docs): update release.md #2599
Changes from 3 commits
4426768
026fa56
e6cde4f
3cc05ba
@@ -5,18 +5,22 @@ | |||||
|
||||||
This document provides the process to create a new Falco release. In addition, it provides information about the versioning of the Falco components. At a high level each Falco release consists of the following main components: | ||||||
|
||||||
- Falco binary (userspace) | ||||||
- Falco kernel driver object files (kernel space) | ||||||
- Falco binary (userspace), includes `modern_bpf` driver object code (kernel space) starting with Falco 0.35.x releases | ||||||
- Falco kernel driver object files, separate artifacts for `kmod` and `bpf` drivers, not applicable for `modern_bpf` driver (kernel space) | ||||||
- Option 1: Kernel module (`.ko` files) | ||||||
- Option 2: eBPF (`.o` files) | ||||||
- Falco config and primary rules `.yaml` files (userspace) | ||||||
- Falco config and rules `.yaml` files (userspace) | ||||||
- Falco plugins (userspace - optional) | ||||||
|
||||||
One nice trait about releasing separate artifacts for userspace and kernel space is that Falco is amenable to supporting a large array of environments, that is, multiple kernel versions, distros and architectures (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)). The Falco project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo. The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere. | ||||||
> Note: Starting with Falco 0.35.x releases, the Falco userspace binary includes the `modern_bpf` driver object code during the linking process. This integration is made possible by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to function on kernels that have backported BTF (BPF Type Format) support or have a kernel version >= 5.8. For the older `kmod` and `bpf` drivers, separate artifacts are released for the kernel space. This is because these drivers need to be explicitly compiled for the specific kernel release, using the exact kernel headers. This approach ensures that Falco can support a wide range of environments, including multiple kernel versions, distributions, and architectures. (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)). | ||||||
@Andreagit97 would you have additional preferences or ok?
|
||||||
|
||||||
The Falco project also publishes all sources for each component. In fact, sources are included in the Falco release in the same way as some plugins (k8saudit and cloudtrail) as well as the rules that are shipped together with Falco. This empowers the end user to audit the integrity of the project as well as build kernel drivers for custom kernels or not officially supported kernels / distros (see [driverkit](https://github.com/falcosecurity/driverkit) for more information). While the Falco project is deeply embedded into an ecosystem of supporting [Falco sub-projects](https://github.com/falcosecurity/evolution) that aim to make the deployment of Falco easy, user-friendly, extendible and cloud-native, core Falco is split across two repos, [falco](https://github.com/falcosecurity/falco) (this repo) and [libs](https://github.com/falcosecurity/libs). The `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines. More details are provided in the [Falco Components Versioning](#falco-components-versioning) section. | ||||||
The Falco Project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo. | ||||||
|
||||||
Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco docs](https://falco.org/) contain rich information around building, installing and using Falco. | ||||||
The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere. | ||||||
|
||||||
Falco publishes all sources, enabling users to audit the project's integrity and build kernel drivers for custom or unsupported kernels/distributions, specifically for non-modern BPF drivers (see [driverkit](https://github.com/falcosecurity/driverkit) for more information). | ||||||
|
||||||
Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco guide and documentation](https://falco.org/) provide rich information around building, installing and using Falco. | ||||||
|
||||||
|
||||||
### Falco Binaries, Rules and Sources Artifacts - Quick Links | ||||||
|
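Review bot: the added note (`> Note: Starting with Falco 0.35.x releases ...`) says CO-RE lets the driver run on kernels that "have backported BTF (BPF Type Format) support or have a kernel version >= 5.8", which reads as if either condition alone is enough; a kernel at or above 5.8 that was built without BTF cannot run a CO-RE probe, so the requirement is BTF availability in both cases. Suggest "kernels that expose BTF (BPF Type Format) information, natively on version >= 5.8 or via a backport on older kernels". Separately, the rewritten `Falco publishes all sources, ...` paragraph drops the sentence from the removed text explaining that core Falco is split across the falco and libs repos (and the pointer to the Falco Components Versioning section); keeping one sentence here tells readers where the drivers and engines live before they reach the versioning section. Minor: "specifically for non-modern BPF drivers" currently qualifies the whole sentence; placing it directly after "build kernel drivers" makes clear it applies only to driver building.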
@@ -42,8 +46,9 @@ Alternatively Falco binaries or plugins can be downloaded from the Falco Artifac | |||||
|
||||||
### Falco Drivers Artifacts Repo - Quick Links | ||||||
|
||||||
> Note: This section specifically applies to non-modern BPF drivers. | ||||||
|
||||||
The Falco project publishes all drivers for each release for all popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers or for example the eBPF verifier are not perfect. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with. | ||||||
The Falco Project publishes all drivers for each release for popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project's managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers or for example the eBPF verifier are not perfect. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with. | ||||||
(no need to specify eBPF verifier since it is not involved during the build process.)
||||||
|
||||||
- [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/) | ||||||
- Option 1: Kernel module (`.ko` files) - all under same driver version directory | ||||||
|
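Review bot: "gcc (`kmod`) and clang (`bpf`) compilers or for example the eBPF verifier are not perfect" in the rewritten `The Falco Project publishes all drivers ...` line still groups the verifier with build-time tooling, which the comment above already questions; the verifier runs when the pre-built `bpf` object is loaded on the target host, not when it is compiled, so either drop the mention as suggested or state it as a load-time caveat ("a pre-built `bpf` object may still be rejected by the target kernel's eBPF verifier"). Minor: the same sentence now reads "The Falco Project ..." and later "the Falco project's managed Artifacts repo"; pick one capitalization.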
@@ -52,28 +57,30 @@ The Falco project publishes all drivers for each release for all popular kernel | |||||
|
||||||
### Timeline | ||||||
|
||||||
Falco releases are due to happen 3 times per year. Our current schedule sees a new release by the end of January, May, and September each year. Hotfix releases can happen whenever it's needed. | ||||||
Falco follows a release schedule of three times per year, with releases expected at the end of January, May, and September. Hotfix releases are issued as needed. | ||||||
|
||||||
Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released. | ||||||
Changes and new features are organized into [milestones](https://github.com/falcosecurity/falco/milestones). The milestone corresponding to the next version represents the content that will be included in the upcoming release. | ||||||
|
||||||
|
||||||
### Procedures | ||||||
|
||||||
The release process is mostly automated requiring only a few manual steps to initiate and complete it. | ||||||
The release process is mostly automated, requiring only a few manual steps to initiate and complete. | ||||||
|
||||||
Moreover, we need to assign owners for each release (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). | ||||||
Moreover, we assign owners for each release (typically pairing a new person with an experienced one). Assignees and due dates for releases are proposed during the [weekly community call](https://github.com/falcosecurity/community). | ||||||
|
||||||
At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order: | ||||||
|
||||||
- [1 - 3] `libs` (+ `driver`) and `plugins` components releases | ||||||
- [4] Falco driver pre-compiled object files push to Falco's Artifacts repo | ||||||
- [5] Falco userspace binary release | ||||||
|
||||||
Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below. | ||||||
Assignees are responsible for creating a Falco GitHub issue to track the release tasks and monitor the progress of the release. This issue serves as a central point for communication and provides updates on the release dates. You can refer to the [Falco v0.35 release](https://github.com/falcosecurity/falco/issues/2554) or [Libs Release (0.11.0+5.0.1+driver)](https://github.com/falcosecurity/libs/issues/1092) issues as examples/templates for creating the release issue. | ||||||
new addition
||||||
|
||||||
Finally, on the proposed due date, the assignees for the upcoming release proceed with the processes described below. | ||||||
|
||||||
## Pre-Release Checklist | ||||||
|
||||||
Prior to cutting a release the following preparatory steps should take 5 minutes using the GitHub UI. | ||||||
Before proceeding with the release, make sure to complete the following preparatory steps, which can be easily done using the GitHub UI: | ||||||
|
||||||
### 1. Release notes | ||||||
- Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases) | ||||||
|
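Review bot: the new paragraph `Assignees are responsible for creating a Falco GitHub issue ...` is placed between the build-order list and "Finally, on the proposed due date, the assignees ... proceed", so creating the tracking issue reads as a step that follows the release sequencing; since it is what assignees do once they are chosen, it belongs directly after the "Moreover, we assign owners for each release ..." paragraph, leaving "Finally, ..." to close the section. The linked v0.35 and `0.11.0+5.0.1+driver` issues are good as templates; consider adding "(one issue per release, opened before the pre-release checklist below)" so a first-time owner knows when to open it.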
@@ -205,13 +212,13 @@ Announce the new release to the world! | |||||
|
||||||
## Falco Components Versioning | ||||||
|
||||||
This section provides more details around the versioning of all components that make up core Falco. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because the `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages. | ||||||
This section provides more details around the versioning of the components that make up Falco's core. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because `libs` makes up the greater portion of the source code of the Falco binary and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages. | ||||||
|
||||||
|
||||||
### Falco repo (this repo) | ||||||
- Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver. | ||||||
- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax or `falco --list -N | sha256sum` has changed. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The primary idea behind the hash is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced a version bump indicates that this field was not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. | ||||||
- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable Libs version is used (read below). | ||||||
- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax and/or `FALCO_FIELDS_CHECKSUM` computed via `falco --list -N | sha256sum` has changed. The primary idea is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced, a version change indicates that these fields were not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. Lastly, `FALCO_ENGINE_VERSION` is typically incremented once during a Falco release cycle, while `FALCO_FIELDS_CHECKSUM` is bumped whenever necessary during the development and testing phases of the release cycle. | ||||||
- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice, they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable libs version is used (read below). | ||||||
- Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release. | ||||||
- At release time Plugin, Libs and Driver versions are compatible with Falco. | ||||||
- If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs). | ||||||
|
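Review bot: "must be bumped either when a backward incompatible change has been introduced to the rules files syntax and/or `FALCO_FIELDS_CHECKSUM` ... has changed" in the rewritten `FALCO_ENGINE_VERSION` bullet is ambiguous ("either ... and/or" leaves unclear whether a checksum change alone triggers a bump). Suggest "must be bumped when a backward-incompatible change is made to the rules file syntax, or when `FALCO_FIELDS_CHECKSUM` (computed via `falco --list -N | sha256sum`) changes". In the last sentence, "`FALCO_FIELDS_CHECKSUM` is bumped" is misleading for a hash, which is recomputed rather than incremented; "is updated whenever the field set changes" is more accurate. The bullet links only to `falco_engine_version.h`; if `FALCO_FIELDS_CHECKSUM` is defined elsewhere, link its definition too.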
@@ -231,7 +238,7 @@ Driver: | |||||
|
||||||
### Libs repo | ||||||
- Libs version is a git tag (`x.y.z`) and when building Falco the libs version is set via the `FALCOSECURITY_LIBS_VERSION` flag (see above). | ||||||
- Driver version itself is not directly tied to the Falco binary as opposed to the libs version being part of the source code used to compile Falco's userspace binary. This is because of the strict separation between userspace and kernel space artifacts, so things become a bit more interesting here. This is why the concept of a `Default driver` has been introduced to still implicitly declare the compatible driver versions. For example, if the default driver version is `2.0.0+driver`, Falco works with all driver versions >= 2.0.0 and < 3.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver. | ||||||
- The driver version is not directly linked to the userspace components of the Falco binary. This is because of the clear separation between userspace and kernel space, which adds an additional layer of complexity. To address this, the concept of a `Default driver` has been introduced, allowing for implicit declaration of compatible driver versions. For example, if the default driver version is `5.0.1+driver`, Falco works with all driver versions >= 5.0.1 and < 6.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver. | ||||||
- See [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) for more information. | ||||||
|
||||||
### Plugins repo | ||||||
|
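Review bot: the rewritten driver-version bullet replaces the concrete rationale of the removed text (the libs version is part of the source compiled into the userspace binary, whereas the driver is a separately shipped kernel-space artifact) with "which adds an additional layer of complexity", which explains less; keep that one-sentence reason, since it is what motivates the `Default driver` concept introduced next. The example change to `5.0.1+driver` / ">= 5.0.1 and < 6.0.0" is consistent with the API/schema construction described afterwards, but the sentence still ends with an inline "->" arrow; split it into a full sentence ("Because Falco's `driver-loader` always fetches the default driver, a Falco release is always shipped with the driver version corresponding to it.").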
@@ -903,7 +903,7 @@ base_syscalls: | |
custom_set: [] | ||
repair: false | ||
|
||
# [Experimental] `modern_bpf.cpus_for_each_syscall_buffer`, modern_bpf only | ||
# [Stable] `modern_bpf.cpus_for_each_syscall_buffer`, modern_bpf only | ||
@Andreagit97 correcting mistake of wrong maturity level when I adjusted falco.yaml style and formatting.
ty!
||
# | ||
# --- [Description] | ||
# | ||
|
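Review bot: the PR title (`cleanup(docs): update release.md`) does not cover the `falco.yaml` change in this hunk, which flips the maturity tag of `modern_bpf.cpus_for_each_syscall_buffer` from `[Experimental]` to `[Stable]`; either mention it in the PR description or move it to its own commit so the change log stays accurate. Only one line of the comment block is visible here; worth confirming that any other `modern_bpf` keys in the file carry the tag the comment above says was intended, so the maturity labels stay consistent.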