diff --git a/docker/driver-loader-legacy/Dockerfile b/docker/driver-loader-legacy/Dockerfile index 83acaefe..156d9522 100644 --- a/docker/driver-loader-legacy/Dockerfile +++ b/docker/driver-loader-legacy/Dockerfile @@ -123,6 +123,9 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep && curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \ && dpkg -i *binutils*.deb \ && rm -f *binutils*.deb + +# Install latest falcoctl +RUN curl -L -o falcoct.tar.gz $(curl -s "https://api.github.com/repos/falcosecurity/falcoctl/releases/latest" | jq -r '.assets[] | select(.name|test(".linux_$TARGETARCH.tar.gz")) | .browser_download_url') && tar -xvf falcoctl.tar.gz && mv falcoctl /usr/bin COPY ./docker-entrypoint.sh / diff --git a/docker/driver-loader-legacy/docker-entrypoint.sh b/docker/driver-loader-legacy/docker-entrypoint.sh index 3b47f75c..6ac26b76 100755 --- a/docker/driver-loader-legacy/docker-entrypoint.sh +++ b/docker/driver-loader-legacy/docker-entrypoint.sh @@ -124,3 +124,5 @@ else fi /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" + +exec /usr/bin/falco diff --git a/docker/driver-loader/Dockerfile b/docker/driver-loader/Dockerfile index 0e45726f..f986f5a9 100644 --- a/docker/driver-loader/Dockerfile +++ b/docker/driver-loader/Dockerfile @@ -1,5 +1,5 @@ ARG FALCO_IMAGE_TAG=latest -FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG} +FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" 
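Review bot: In the added falcoctl step the download is saved as `falcoct.tar.gz` but `tar -xvf falcoctl.tar.gz` extracts a different name, so the step cannot succeed; docker/driver-loader/Dockerfile carries the identical line. The jq program is single-quoted, so `$TARGETARCH` is never expanded by the shell and jq sees an undefined jq variable instead of the build architecture. Fetching whatever release is `latest` with no checksum also makes the image non-reproducible and drops an unverified binary into /usr/bin; pinning the version through a build ARG and verifying the archive against a checksum published by the project, when one is available, would be the stronger form. Neither `curl` call uses `-f`, so an HTTP error body would be saved as the archive, and the tarball is left in the layer. The rewrite below keeps the latest-release behaviour but corrects the filename, passes the architecture via `--arg`, fails on HTTP errors and removes the archive in the same layer.
```dockerfile
# Install latest falcoctl
RUN curl -fsSL -o falcoctl.tar.gz \
      "$(curl -fsSL https://api.github.com/repos/falcosecurity/falcoctl/releases/latest \
         | jq -r --arg arch "$TARGETARCH" \
             '.assets[] | select(.name | endswith("linux_" + $arch + ".tar.gz")) | .browser_download_url')" \
    && tar -xf falcoctl.tar.gz \
    && mv falcoctl /usr/bin/ \
    && rm -f falcoctl.tar.gz
```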
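Review bot: `exec /usr/bin/falco` runs regardless of whether the preceding `falcoctl driver install` succeeded; unless the script runs under `set -e` (not visible in this hunk), a failed driver installation is masked and falco starts without the driver it was asked to prepare. Append `|| exit 1` to the `falcoctl driver install` line — or test its status explicitly — so the container exits and the failure is visible to the operator; docker/driver-loader/docker-entrypoint.sh has the same addition. The new exec also discards any arguments passed on `docker run`; if the image is meant to accept falco options, use `exec /usr/bin/falco "$@"`. The enclosing script begins outside the hunk.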
@@ -9,6 +9,42 @@ LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc ENV HOST_ROOT /host ENV HOME /root +RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root + +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + bc \ + bison \ + ca-certificates \ + clang \ + curl \ + dkms \ + dwarves \ + flex \ + gcc \ + gcc-11 \ + gnupg2 \ + jq \ + libc6-dev \ + libelf-dev \ + libssl-dev \ + llvm \ + make \ + netcat-openbsd \ + patchelf \ + xz-utils \ + zstd \ + && rm -rf /var/lib/apt/lists/* + +# Install latest falcoctl +RUN curl -L -o falcoct.tar.gz $(curl -s "https://api.github.com/repos/falcosecurity/falcoctl/releases/latest" | jq -r '.assets[] | select(.name|test(".linux_$TARGETARCH.tar.gz")) | .browser_download_url') && tar -xvf falcoctl.tar.gz && mv falcoctl /usr/bin + +# Some base images have an empty /lib/modules by default +# If it's not empty, docker build will fail instead of +# silently overwriting the existing directory +RUN rm -df /lib/modules \ + && ln -s $HOST_ROOT/lib/modules /lib/modules + COPY ./docker-entrypoint.sh / ENTRYPOINT ["/docker-entrypoint.sh"] diff --git a/docker/driver-loader/docker-entrypoint.sh b/docker/driver-loader/docker-entrypoint.sh index 52df15f3..3002361b 100755 --- a/docker/driver-loader/docker-entrypoint.sh +++ b/docker/driver-loader/docker-entrypoint.sh @@ -136,3 +136,5 @@ else fi /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args + +exec /usr/bin/falco diff --git a/docker/falco-debian/Dockerfile b/docker/falco-debian/Dockerfile new file mode 100644 index 00000000..1f7c2e3a --- /dev/null +++ b/docker/falco-debian/Dockerfile 
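Review bot: The falcoctl step references `$TARGETARCH`, but no `ARG TARGETARCH` is visible in this file — hunk 1 shows lines 1–5 and this hunk starts at line 9 with `ENV`, so unless one sits in the three unseen lines the variable is empty in this stage even once the quoting is fixed (the filename mismatch and quoting defect are noted on docker/driver-loader-legacy/Dockerfile). Add `ARG TARGETARCH` after the `FROM` line so BuildKit supplies the platform value. The apt package list is unpinned, which the repository may accept for a toolchain image, but `falcoctl.tar.gz` should at least be removed in the same RUN (`&& rm -f falcoctl.tar.gz`) so it does not remain in the layer.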
@@ -0,0 +1,34 @@
+FROM debian:12-slim
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco/docker/falco-debian"
+
+LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
+
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=deb
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 ca-certificates \
+ && apt clean -y && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
+
+RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
+ && echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+ && apt-get update -y \
+ && if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+# Falcoctl is not included here.
+RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/
+
+RUN sed -e -i 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml
+
+CMD ["/usr/bin/falco"]
diff --git a/docker/falco/Dockerfile b/docker/falco/Dockerfile
index 7bf509d6..d50968da 100644
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
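Review bot: `sed -e -i 's/…/' < /etc/falco/falco.yaml` hands `-i` to `-e` as the sed script and treats the substitution expression as an input filename, so the step fails; even with the flags reordered, the stdin redirect means the result goes to stdout and /etc/falco/falco.yaml is never rewritten. Use `RUN sed -i 's/time_format_iso_8601: false/time_format_iso_8601: true/' /etc/falco/falco.yaml`. In the repository step, `curl -s` without `--fail` pipes an HTTP error body into `apt-key add -` when the fetch fails, and `apt-key` is deprecated on Debian 12; `curl -fsSL` written to a keyring file under /etc/apt/keyrings/ and referenced with `signed-by=` in the sources line is the supported form. The first install lists `ca-certificates` twice and uses `apt clean` where the later step uses `apt-get clean`; `apt-get` is the stable CLI for scripts.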
@@ -1,67 +1,43 @@ -FROM debian:bookworm +FROM cgr.dev/chainguard/wolfi-base as builder + +ARG FALCO_VERSION +ARG VERSION_BUCKET=bin + +ENV FALCO_VERSION=${FALCO_VERSION} +ENV VERSION_BUCKET=${VERSION_BUCKET} + +RUN apk update && apk add curl ca-certificates jq libelf + +WORKDIR / + +RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \ + curl -L -o falco.tar.gz \ + https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \ + tar -xvf falco.tar.gz && \ + rm -f falco.tar.gz && \ + mv falco-${FALCO_VERSION}-$(uname -m) falco && \ + rm -rf /falco/usr/src/falco-* + +RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \ + && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml + +# Falcoctl is not included here. +RUN rm -rf /falco/usr/bin/falcoctl /falco/etc/falcoctl/ + +FROM cgr.dev/chainguard/wolfi-base LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" -LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE" +LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" +# NOTE: for the "least privileged" use case, please refer to the official documentation -ARG TARGETARCH +RUN apk update && apk add curl ca-certificates jq libelf -ARG FALCO_VERSION=latest -ARG VERSION_BUCKET=deb -ENV VERSION_BUCKET=${VERSION_BUCKET} - -ENV FALCO_VERSION=${FALCO_VERSION} ENV HOST_ROOT /host ENV HOME /root -RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root - -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - bc \ - bison 
\ - ca-certificates \ - clang \ - curl \ - dkms \ - dwarves \ - flex \ - gcc \ - gcc-11 \ - gnupg2 \ - jq \ - libc6-dev \ - libelf-dev \ - libssl-dev \ - llvm \ - make \ - netcat-openbsd \ - patchelf \ - xz-utils \ - zstd \ - && rm -rf /var/lib/apt/lists/* - -RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \ - && echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \ - && apt-get update -y \ - && if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -# Change the falco config within the container to enable ISO 8601 -# output. -RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \ - && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml - -# Some base images have an empty /lib/modules by default -# If it's not empty, docker build will fail instead of -# silently overwriting the existing directory -RUN rm -df /lib/modules \ - && ln -s $HOST_ROOT/lib/modules /lib/modules - -COPY ./docker-entrypoint.sh / - -ENTRYPOINT ["/docker-entrypoint.sh"] +USER root +COPY --from=builder /falco / CMD ["/usr/bin/falco"] diff --git a/docker/falco/docker-entrypoint.sh b/docker/falco/docker-entrypoint.sh deleted file mode 100755 index 809069a9..00000000 --- a/docker/falco/docker-entrypoint.sh +++ /dev/null 
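Review bot: The runtime stage's `RUN apk update && apk add curl ca-certificates jq libelf` installs curl and jq into the final image although nothing in this Dockerfile uses them after the `COPY --from=builder`, and `apk update` leaves the package index in the layer; `RUN apk add --no-cache ca-certificates libelf` ships only what is needed. The deleted docker/no-driver/Dockerfile.distroless installed `libstdc++` in its runtime stage while this one does not — confirm the falco binary in the tarball is statically linked before relying on that, otherwise add it back. Both `FROM cgr.dev/chainguard/wolfi-base` lines are untagged, so every build floats with the upstream tag; pin a tag or digest, for example through an ARG in the style this file already uses for FALCO_VERSION. The builder downloads falco.tar.gz with no integrity check beyond TLS; if the project publishes checksums for these archives, verify them before extracting.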
@@ -1,136 +0,0 @@ -#!/usr/bin/env bash -# SPDX-License-Identifier: Apache-2.0 -# -# Copyright (C) 2023 The Falco Authors. -# -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - - -print_usage() { - echo "" - echo "Usage:" - echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest" - echo "" - echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:" - echo " auto leverage automatic driver selection logic (default)" - echo " modern_ebpf modern eBPF CORE probe" - echo " kmod kernel module" - echo " ebpf eBPF probe" - echo "" - echo "FALCO_DRIVER_LOADER_OPTIONS options:" - echo " --help show this help message" - echo " --clean try to remove an already present driver installation" - echo " --compile try to compile the driver locally (default true)" - echo " --download try to download a prebuilt driver (default true)" - echo " --http-insecure enable insecure downloads" - echo " --print-env skip execution and print env variables for other tools to consume" - echo "" - echo "Environment variables:" - echo " FALCOCTL_DRIVER_REPOS specify different URL(s) where to look for prebuilt Falco drivers (comma separated)" - echo " FALCOCTL_DRIVER_NAME specify a different name for the driver" - echo " FALCOCTL_DRIVER_HTTP_HEADERS specify comma separated list of http headers for 
driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')" - echo "" -} - -# Set the SKIP_DRIVER_LOADER variable to skip loading the driver - -if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then - echo "* Setting up /usr/src links from host" - - for i in "$HOST_ROOT/usr/src"/* - do - base=$(basename "$i") - ln -s "$i" "/usr/src/$base" - done - - # convert the optional space-separated env variable FALCO_DRIVER_LOADER_OPTIONS to array, prevent - # shell expansion and use it as argument list for falcoctl - read -a falco_driver_loader_option_arr <<< $FALCO_DRIVER_LOADER_OPTIONS - - ENABLE_COMPILE="false" - ENABLE_DOWNLOAD="false" - HTTP_INSECURE="false" - driver= - has_opts= - for opt in "${falco_driver_loader_option_arr[@]}" - do - case "$opt" in - auto|kmod|ebpf|modern_ebpf) - if [ -n "$driver" ]; then - >&2 echo "Only one driver per invocation" - print_usage - exit 1 - else - driver=$opt - fi - ;; - -h|--help) - print_usage - exit 0 - ;; - --clean) - /usr/bin/falcoctl driver cleanup - exit 0 - ;; - --compile) - ENABLE_COMPILE="true" - has_opts="true" - ;; - --download) - ENABLE_DOWNLOAD="true" - has_opts="true" - ;; - --http-insecure) - HTTP_INSECURE="true" - ;; - --print-env) - /usr/bin/falcoctl driver printenv - exit 0 - ;; - --*) - >&2 echo "Unknown option: $opt" - print_usage - exit 1 - ;; - *) - >&2 echo "Unknown driver: $opt" - print_usage - exit 1 - ;; - esac - done - - # No opts passed, enable both compile and download - if [ -z "$has_opts" ]; then - ENABLE_COMPILE="true" - ENABLE_DOWNLOAD="true" - fi - - # Default value: auto - if [ -z "$driver" ]; then - driver="auto" - fi - - if [ "$driver" != "auto" ]; then - /usr/bin/falcoctl driver config --type $driver - else - # Needed because we need to configure Falco to start with correct driver - /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf - fi - /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE 
--http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" - -fi - -exec "$@" diff --git a/docker/no-driver/Dockerfile b/docker/no-driver/Dockerfile deleted file mode 100644 index e3fa571b..00000000 --- a/docker/no-driver/Dockerfile +++ /dev/null @@ -1,39 +0,0 @@ -FROM debian:12 as builder - -ARG FALCO_VERSION -ARG VERSION_BUCKET=bin - -ENV FALCO_VERSION=${FALCO_VERSION} -ENV VERSION_BUCKET=${VERSION_BUCKET} - -RUN apt-get -y update && apt-get -y install gridsite-clients curl ca-certificates - -WORKDIR / - -RUN curl -L -o falco.tar.gz \ - https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-$(urlencode ${FALCO_VERSION})-$(uname -m).tar.gz && \ - tar -xvf falco.tar.gz && \ - rm -f falco.tar.gz && \ - mv falco-${FALCO_VERSION}-$(uname -m) falco && \ - rm -rf /falco/usr/src/falco-* - -RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \ - && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml - -FROM debian:12-slim - -LABEL maintainer="cncf-falco-dev@lists.cncf.io" -LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" - -LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" -# NOTE: for the "least privileged" use case, please refer to the official documentation - -RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \ - && apt clean -y && rm -rf /var/lib/apt/lists/* - -ENV HOST_ROOT /host -ENV HOME /root - -COPY --from=builder /falco / - -CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"] diff --git a/docker/no-driver/Dockerfile.distroless b/docker/no-driver/Dockerfile.distroless deleted file mode 100644 index b6ee2042..00000000 --- a/docker/no-driver/Dockerfile.distroless +++ /dev/null 
@@ -1,40 +0,0 @@ -FROM cgr.dev/chainguard/wolfi-base as builder - -ARG FALCO_VERSION -ARG VERSION_BUCKET=bin - -ENV FALCO_VERSION=${FALCO_VERSION} -ENV VERSION_BUCKET=${VERSION_BUCKET} - -RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils - -WORKDIR / - -RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \ - curl -L -o falco.tar.gz \ - https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \ - tar -xvf falco.tar.gz && \ - rm -f falco.tar.gz && \ - mv falco-${FALCO_VERSION}-$(uname -m) falco && \ - rm -rf /falco/usr/src/falco-* - -RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \ - && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml - -FROM cgr.dev/chainguard/wolfi-base - -LABEL maintainer="cncf-falco-dev@lists.cncf.io" -LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" - -LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" -# NOTE: for the "least privileged" use case, please refer to the official documentation - -RUN apk update && apk add libelf libstdc++ - -ENV HOST_ROOT /host -ENV HOME /root - -USER root -COPY --from=builder /falco / - -CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]