From 0e2a053151401e623dc49d95041fbb160e644c49 Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Wed, 22 Jun 2022 14:46:47 +0000
Subject: [PATCH] new(userspace/falco): add new cli option to selectively enable event sources

Signed-off-by: Jason Dellaluce
---
 userspace/falco/app_cmdline_options.cpp | 5 +++--
 userspace/falco/app_cmdline_options.h | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/userspace/falco/app_cmdline_options.cpp b/userspace/falco/app_cmdline_options.cpp
index 2833ebbd..64ee6768 100644
--- a/userspace/falco/app_cmdline_options.cpp
+++ b/userspace/falco/app_cmdline_options.cpp
@@ -160,9 +160,10 @@ void cmdline_options::define()
 ("cri", "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses libs default. It can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "")
 ("d,daemon", "Run as a daemon.", cxxopts::value(daemon)->default_value("false"))
 ("disable-cri-async", "Disable asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false"))
- ("disable-source", "Disable a specific event source. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. Can not disable all event sources.", cxxopts::value(disable_sources), "")
+ ("disable-source", "Disable a specific event source. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. It has no offect when reading events from a trace file. Can not disable all event sources. Can not be mixed with enable-source.", cxxopts::value(disable_sources), "")
 ("D", "Disable any rules with names having the substring . Can be specified multiple times. 
Can not be specified with -t.", cxxopts::value(disabled_rule_substrings), "")
- ("e", "Read the events from in .scap format instead of tapping into live.", cxxopts::value(trace_filename), "")
+ ("e", "Read the events from a trace file in .scap format instead of tapping into live.", cxxopts::value(trace_filename), "")
+ ("enable-source", "Enable a specific event source. If used, only event sources passed with this options get enabled. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. It has no offect when reading events from a trace file. Can not be mixed with disable-source.", cxxopts::value(enable_sources), "")
 #ifdef HAS_GVISOR
 ("g,gvisor-config", "Parse events from gVisor using the specified configuration file. A falco-compatible configuration file can be generated with --gvisor-generate-config and can be used for both runsc and Falco.", cxxopts::value(gvisor_config), "")
 ("gvisor-generate-config", "Generate a configuration file that can be used for gVisor.", cxxopts::value(gvisor_generate_config_with_socket)->implicit_value("/tmp/gvisor.sock"), "")
diff --git a/userspace/falco/app_cmdline_options.h b/userspace/falco/app_cmdline_options.h
index 427c52f1..6543194b 100644
--- a/userspace/falco/app_cmdline_options.h
+++ b/userspace/falco/app_cmdline_options.h
@@ -42,6 +42,7 @@ public:
 bool disable_cri_async;
 std::vector disable_sources;
 std::vector disabled_rule_substrings;
+ std::vector enable_sources;
 std::string trace_filename;
 std::string gvisor_config;
 std::string gvisor_generate_config_with_socket;
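Review bot: Both added help strings, for "disable-source" and "enable-source", misspell "effect" as "offect", and the "enable-source" text says "this options"; they should read `It has no effect when reading events from a trace file.` and `only event sources passed with this option get enabled`. The same strings promise that the two flags cannot be mixed and that not all sources can be disabled, but this hunk only declares the options, so that validation presumably lives where `enable_sources` and `disable_sources` are consumed; it is worth confirming that it rejects the mixed case with an explicit error rather than silently preferring one list, and that an enable list naming no known source still leaves at least one source active instead of starting with nothing monitored. The enclosing cmdline_options::define() starts and ends outside the hunk.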