chore!: drop gVisor engine support

Falco 0.43.0 deprecated the gVisor engine support. Drop its support as
well as any reference to it.

BREAKING CHANGE: drop gVisor engine support

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

CMakeLists.txt

@@ -70,17 +70,6 @@ elseif(EMSCRIPTEN)
 	)
 endif()
 
-# gVisor is currently only supported on Linux x86_64
-if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64"
-   AND CMAKE_SYSTEM_NAME MATCHES "Linux"
-   AND NOT MINIMAL_BUILD
-)
-	option(BUILD_FALCO_GVISOR "Build gVisor support for Falco" ON)
-	if(BUILD_FALCO_GVISOR)
-		add_definitions(-DHAS_GVISOR)
-	endif()
-endif()
-
 # Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD
 if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
 	option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" ON)

README.md

@@ -74,7 +74,6 @@ Here's an example of a `cmake` command that will enable everything you need for
 ```bash
 cmake \
 -DUSE_BUNDLED_DEPS=ON \
--DBUILD_LIBSCAP_GVISOR=ON \
 -DBUILD_DRIVER=ON \
 -DBUILD_FALCO_MODERN_BPF=ON \
 -DCREATE_TEST_TARGETS=ON \

cmake/modules/falcosecurity-libs.cmake

@@ -87,11 +87,8 @@ if(NOT LIBS_DIR)
 	set(LIBS_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 endif()
 
-# configure gVisor support
-set(BUILD_LIBSCAP_GVISOR
-	${BUILD_FALCO_GVISOR}
-	CACHE BOOL ""
-)
+# todo(ekoops): remove this once we remove gvisor from libs
+option(BUILD_LIBSCAP_GVISOR OFF)
 
 # configure modern BPF support
 set(BUILD_LIBSCAP_MODERN_BPF

falco.yaml

@@ -282,12 +282,10 @@ rules_files:
 #
 # -- Falco supports different engines to generate events.
 # Choose the appropriate engine kind based on your system's configuration and requirements.
-# DEPRECATION NOTICE: the gVisor engine are currently deprecated. Consider using other engines.
 #
 # Available engines:
 # - `kmod`: Kernel Module
 # - `modern_ebpf`: Modern eBPF (CO-RE eBPF probe)
-# - `gvisor`: gVisor sandbox (deprecated)
 # - `replay`: Replay a scap trace file
 # - `nodriver`: No driver is injected into the system.
 #   This is useful to debug and to run plugins with 'syscall' source.
@@ -446,15 +444,6 @@ engine:
   replay:
     # -- Path to the capture file to replay (eg: /path/to/file.scap)
     capture_file: ""
-  # -- Engine-specific configuration for gVisor (gvisor) engine. DEPRECATION NOTICE: the gVisor engine is deprecated.
-  gvisor:
-    # -- A Falco-compatible configuration file can be generated with
-    # '--gvisor-generate-config' and utilized for both runsc and Falco.
-    config: ""
-    # -- Set gVisor root directory for storage of container state when used
-    # in conjunction with 'gvisor.config'. The 'gvisor.root' to be passed
-    # is the one usually passed to 'runsc --root' flag.
-    root: ""
 
 ##################
 # Falco captures #

unit_tests/falco/app/actions/test_load_config.cpp

@@ -36,9 +36,6 @@ TEST(ActionLoadConfig, check_kmod_engine_config) {
 	EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit);
 
 	EXPECT_TRUE(s.config->m_replay.m_capture_file.empty());
-
-	EXPECT_TRUE(s.config->m_gvisor.m_config.empty());
-	EXPECT_TRUE(s.config->m_gvisor.m_root.empty());
 }
 
 TEST(ActionLoadConfig, check_modern_engine_config) {
@@ -59,9 +56,6 @@ TEST(ActionLoadConfig, check_modern_engine_config) {
 	EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit);
 
 	EXPECT_TRUE(s.config->m_replay.m_capture_file.empty());
-
-	EXPECT_TRUE(s.config->m_gvisor.m_config.empty());
-	EXPECT_TRUE(s.config->m_gvisor.m_root.empty());
 }
 
 #endif

unit_tests/falco/test_configs/engine_kmod_config.yaml

@@ -31,6 +31,3 @@ engine:
     drop_failed_exit: false
   replay:
     capture_file: /path/to/file.scap
-  gvisor:
-    config: /path/to/gvisor_config.yaml
-    root: ""

unit_tests/falco/test_configs/engine_modern_config.yaml

@@ -31,6 +31,3 @@ engine:
     drop_failed_exit: true
   replay:
     capture_file: /path/to/file.scap
-  gvisor:
-    config: /path/to/gvisor_config.yaml
-    root: ""

userspace/falco/CMakeLists.txt

@@ -34,7 +34,6 @@ add_library(
 	app/actions/load_plugins.cpp
 	app/actions/load_rules_files.cpp
 	app/actions/process_events.cpp
-	app/actions/print_generated_gvisor_config.cpp
 	app/actions/print_help.cpp
 	app/actions/print_ignored_events.cpp
 	app/actions/print_kernel_version.cpp

userspace/falco/app/actions/actions.h

@@ -39,7 +39,6 @@ falco::app::run_result load_config(const falco::app::state& s);
 falco::app::run_result load_plugins(falco::app::state& s);
 falco::app::run_result load_rules_files(falco::app::state& s);
 falco::app::run_result print_config_schema(falco::app::state& s);
-falco::app::run_result print_generated_gvisor_config(falco::app::state& s);
 falco::app::run_result print_help(falco::app::state& s);
 falco::app::run_result print_ignored_events(const falco::app::state& s);
 falco::app::run_result print_kernel_version(const falco::app::state& s);

userspace/falco/app/actions/create_requested_paths.cpp

@@ -26,36 +26,6 @@ using namespace falco::app::actions;
 static int create_dir(const std::string &path);
 
 falco::app::run_result falco::app::actions::create_requested_paths(falco::app::state &s) {
-	if(s.is_gvisor()) {
-		// This is bad: parsing gvisor config to get endpoint
-		// to be able to auto-create the path to the file for the user.
-		std::ifstream reader(s.config->m_gvisor.m_config);
-		if(reader.fail()) {
-			return run_result::fatal(s.config->m_gvisor.m_config + ": cannot open file");
-		}
-
-		nlohmann::json parsed_json;
-		std::string gvisor_socket;
-		try {
-			parsed_json = nlohmann::json::parse(reader);
-		} catch(const std::exception &e) {
-			return run_result::fatal(s.config->m_gvisor.m_config +
-			                         ": cannot parse JSON: " + e.what());
-		}
-
-		try {
-			gvisor_socket = parsed_json["trace_session"]["sinks"][0]["config"]["endpoint"];
-		} catch(const std::exception &e) {
-			return run_result::fatal(s.config->m_gvisor.m_config +
-			                         ": failed to fetch config.endpoint: " + e.what());
-		}
-
-		int ret = create_dir(gvisor_socket);
-		if(ret != 0) {
-			return run_result::fatal(gvisor_socket + ": " + strerror(errno));
-		}
-	}
-
 	if(s.config->m_grpc_enabled && !s.config->m_grpc_bind_address.empty()) {
 		if(falco::utils::network::is_unix_scheme(s.config->m_grpc_bind_address)) {
 			auto server_path = s.config->m_grpc_bind_address.substr(

userspace/falco/app/actions/helpers_inspector.cpp

@@ -97,12 +97,6 @@ falco::app::run_result falco::app::actions::open_live_inspector(falco::app::stat
 			falco_logger::log(falco_logger::level::INFO,
 			                  "Opening '" + source + "' source with no driver\n");
 			inspector->open_nodriver();
-		} else if(s.is_gvisor()) /* gvisor engine. */
-		{
-			falco_logger::log(falco_logger::level::INFO,
-			                  "Opening '" + source + "' source with gVisor. Configuration path: " +
-			                          s.config->m_gvisor.m_config);
-			inspector->open_gvisor(s.config->m_gvisor.m_config, s.config->m_gvisor.m_root);
 		} else if(s.is_modern_ebpf()) /* modern BPF engine. */
 		{
 			falco_logger::log(falco_logger::level::INFO,

userspace/falco/app/actions/init_falco_engine.cpp

@@ -88,9 +88,6 @@ void configure_output_format(falco::app::state& s) {
 		}
 	}
 
-	// See https://falco.org/docs/rules/style-guide/
-	const std::string gvisor_info = "vpid=%proc.vpid vtid=%thread.vtid";
-
 	if(!s.options.print_additional.empty()) {
 		falco_logger::log(falco_logger::level::WARNING,
 		                  "The -p/--print option is deprecated and will be removed. Use -o "
@@ -100,11 +97,6 @@ void configure_output_format(falco::app::state& s) {
 		   s.options.print_additional == "k" || s.options.print_additional == "kubernetes") {
 			// Don't do anything, we don't need these anymore
 			// since container plugin takes care of suggesting the output format fields itself.
-		} else if(s.options.print_additional == "cg" ||
-		          s.options.print_additional == "container-gvisor" ||
-		          s.options.print_additional == "kg" ||
-		          s.options.print_additional == "kubernetes-gvisor") {
-			s.engine->add_extra_output_format(gvisor_info, falco_common::syscall_source, {}, "");
 		} else {
 			s.engine->add_extra_output_format(s.options.print_additional, "", {}, "");
 		}

userspace/falco/app/actions/print_generated_gvisor_config.cpp

@@ -1,39 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-/*
-Copyright (C) 2023 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include "config_falco.h"
-#include "actions.h"
-#include "logger.h"
-
-using namespace falco::app;
-using namespace falco::app::actions;
-
-falco::app::run_result falco::app::actions::print_generated_gvisor_config(falco::app::state& s) {
-	if(s.options.gvisor_generate_config_with_socket.empty()) {
-		return run_result::ok();
-	}
-
-	falco_logger::log(falco_logger::level::WARNING,
-	                  "Using feature for deprecated gVisor engine. Please consider switching to "
-	                  "another engine.");
-
-	sinsp i;
-	std::string gvisor_config =
-	        i.generate_gvisor_config(s.options.gvisor_generate_config_with_socket);
-	printf("%s\n", gvisor_config.c_str());
-	return run_result::exit();
-}

userspace/falco/app/actions/process_events.cpp

@@ -379,8 +379,7 @@ static void process_inspector_events(
 		uint64_t num_evts = 0;
 		syscall_evt_drop_mgr sdropmgr;
 		bool is_capture_mode = source.empty();
-		bool check_drops_timeouts =
-		        is_capture_mode || (source == falco_common::syscall_source && !s.is_gvisor());
+		bool check_drops_timeouts = is_capture_mode || source == falco_common::syscall_source;
 
 		duration = ((double)clock()) / CLOCKS_PER_SEC;
 

userspace/falco/app/app.cpp

@@ -57,7 +57,6 @@ bool falco::app::run(falco::app::state& s, bool& restart, std::string& errstr) {
 	        falco::app::actions::print_help,
 	        falco::app::actions::print_config_schema,
 	        falco::app::actions::print_rule_schema,
-	        falco::app::actions::print_generated_gvisor_config,
 	        falco::app::actions::print_ignored_events,
 	        falco::app::actions::print_syscall_events,
 	        falco::app::actions::load_config,

userspace/falco/app/options.cpp

@@ -103,9 +103,6 @@ void options::define(cxxopts::Options& opts)
 		("disable-source",           "Turn off a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "<event_source>")
 		("dry-run",                  "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false"))
 		("enable-source",            "Enable a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. When using this option, only the event sources specified by it will be enabled. This option can not be mixed with --disable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(enable_sources), "<event_source>")
-#ifdef HAS_GVISOR
-		("gvisor-generate-config",   "DEPRECATED: Generate a configuration file that can be used for gVisor and exit.", cxxopts::value<std::string>(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "<socket_path>")
-#endif
 		("i",                        "Print those events that are ignored by default for performance reasons and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
 		("L",                        "Show the name and description of all rules and exit. If json_output is set to true, it prints details about all rules, macros, and lists in JSON format.", cxxopts::value(describe_all_rules)->default_value("false"))
 		("l",                        "Show the name and description of the rule specified <rule> and exit. If json_output is set to true, it prints details about the rule in JSON format.", cxxopts::value(describe_rule), "<rule>")

userspace/falco/app/options.h

@@ -48,7 +48,6 @@ public:
 	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
 	std::vector<std::string> disable_sources;
 	std::vector<std::string> enable_sources;
-	std::string gvisor_generate_config_with_socket;
 	bool describe_all_rules = false;
 	std::string describe_rule;
 	bool print_ignored_events = false;

userspace/falco/app/state.h

@@ -122,8 +122,6 @@ struct state {
 
 	inline bool is_capture_mode() const { return config->m_engine_mode == engine_kind_t::REPLAY; }
 
-	inline bool is_gvisor() const { return config->m_engine_mode == engine_kind_t::GVISOR; }
-
 	inline bool is_kmod() const { return config->m_engine_mode == engine_kind_t::KMOD; }
 
 	inline bool is_modern_ebpf() const {

userspace/falco/config_json_schema.h

@@ -372,9 +372,6 @@ const char config_schema_string[] = LONG_STRING_CONST(
                 },
                 "replay": {
                     "$ref": "#/definitions/Replay"
-                },
-                "gvisor": {
-                    "$ref": "#/definitions/Gvisor"
                 }
             },
             "required": [
@@ -382,23 +379,6 @@ const char config_schema_string[] = LONG_STRING_CONST(
             ],
             "title": "Engine"
         },
-        "Gvisor": {
-            "type": "object",
-            "additionalProperties": false,
-            "properties": {
-                "config": {
-                    "type": "string"
-                },
-                "root": {
-                    "type": "string"
-                }
-            },
-            "required": [
-                "config",
-                "root"
-            ],
-            "title": "Gvisor"
-        },
         "Kmod": {
             "type": "object",
             "additionalProperties": false,

userspace/falco/configuration.cpp

@@ -238,7 +238,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) {
 	        {"kmod", engine_kind_t::KMOD},
 	        {"modern_ebpf", engine_kind_t::MODERN_EBPF},
 	        {"replay", engine_kind_t::REPLAY},
-	        {"gvisor", engine_kind_t::GVISOR},
 	        {"nodriver", engine_kind_t::NODRIVER},
 	};
 
@@ -250,12 +249,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) {
 		                       driver_mode_str + "' is not a valid kind.");
 	}
 
-	if(m_engine_mode == engine_kind_t::GVISOR) {
-		falco_logger::log(falco_logger::level::WARNING,
-		                  "Using deprecated engine '" + driver_mode_str +
-		                          "'. Please consider switching to another engine.");
-	}
-
 	switch(m_engine_mode) {
 	case engine_kind_t::KMOD:
 		m_kmod.m_buf_size_preset = m_config.get_scalar<int16_t>("engine.kmod.buf_size_preset",
@@ -283,15 +276,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) {
 			        "): engine.kind is 'replay' but no engine.replay.capture_file specified.");
 		}
 		break;
-	case engine_kind_t::GVISOR:
-		m_gvisor.m_config = m_config.get_scalar<std::string>("engine.gvisor.config", "");
-		if(m_gvisor.m_config.empty()) {
-			throw std::logic_error(
-			        "Error reading config file (" + config_name +
-			        "): engine.kind is 'gvisor' but no engine.gvisor.config specified.");
-		}
-		m_gvisor.m_root = m_config.get_scalar<std::string>("engine.gvisor.root", "");
-		break;
 	case engine_kind_t::NODRIVER:
 	default:
 		break;

userspace/falco/configuration.h

@@ -40,7 +40,7 @@ limitations under the License.
 // Falco only metric
 #define METRICS_V2_JEMALLOC_STATS 1 << 31
 
-enum class engine_kind_t : uint8_t { KMOD, MODERN_EBPF, REPLAY, GVISOR, NODRIVER };
+enum class engine_kind_t : uint8_t { KMOD, MODERN_EBPF, REPLAY, NODRIVER };
 
 enum class capture_mode_t : uint8_t { RULES, ALL_RULES };
 
@@ -76,11 +76,6 @@ public:
 		std::string m_capture_file;
 	};
 
-	struct gvisor_config {
-		std::string m_config;
-		std::string m_root;
-	};
-
 	struct webserver_config {
 		uint32_t m_threadiness = 0;
 		uint32_t m_listen_port = 8765;
@@ -216,7 +211,6 @@ public:
 	kmod_config m_kmod = {};
 	modern_ebpf_config m_modern_ebpf = {};
 	replay_config m_replay = {};
-	gvisor_config m_gvisor = {};
 
 	yaml_helper m_config;
 

userspace/falco/falco_metrics.cpp

@@ -261,8 +261,7 @@ std::string falco_metrics::sources_to_text_prometheus(
 	static const char* all_driver_engines[] = {KMOD_ENGINE,
 	                                           MODERN_BPF_ENGINE,
 	                                           SOURCE_PLUGIN_ENGINE,
-	                                           NODRIVER_ENGINE,
-	                                           GVISOR_ENGINE};
+	                                           NODRIVER_ENGINE};
 	static re2::RE2 drops_buffer_pattern("n_drops_buffer_([^_]+(?:_[^_]+)*)_exit$");
 	static re2::RE2 cpu_pattern("(\\d+)");
 

userspace/falco/stats_writer.cpp

@@ -338,8 +338,7 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 	static const char* all_driver_engines[] = {KMOD_ENGINE,
 	                                           MODERN_BPF_ENGINE,
 	                                           SOURCE_PLUGIN_ENGINE,
-	                                           NODRIVER_ENGINE,
-	                                           GVISOR_ENGINE};
+	                                           NODRIVER_ENGINE};
 	const scap_agent_info* agent_info = inspector->get_agent_info();
 	const scap_machine_info* machine_info = inspector->get_machine_info();