diff --git a/CMakeLists.txt b/CMakeLists.txt index dcf15370..0d7d838b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -70,17 +70,6 @@ elseif(EMSCRIPTEN) ) endif() -# gVisor is currently only supported on Linux x86_64 -if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" - AND CMAKE_SYSTEM_NAME MATCHES "Linux" - AND NOT MINIMAL_BUILD -) - option(BUILD_FALCO_GVISOR "Build gVisor support for Falco" ON) - if(BUILD_FALCO_GVISOR) - add_definitions(-DHAS_GVISOR) - endif() -endif() - # Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD) option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" ON) diff --git a/README.md b/README.md index 11d211d8..71e7fb3c 100644 --- a/README.md +++ b/README.md @@ -74,7 +74,6 @@ Here's an example of a `cmake` command that will enable everything you need for ```bash cmake \ -DUSE_BUNDLED_DEPS=ON \ --DBUILD_LIBSCAP_GVISOR=ON \ -DBUILD_DRIVER=ON \ -DBUILD_FALCO_MODERN_BPF=ON \ -DCREATE_TEST_TARGETS=ON \ diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake index 1ead76fd..4941587e 100644 --- a/cmake/modules/falcosecurity-libs.cmake +++ b/cmake/modules/falcosecurity-libs.cmake @@ -87,11 +87,8 @@ if(NOT LIBS_DIR) set(LIBS_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}") endif() -# configure gVisor support -set(BUILD_LIBSCAP_GVISOR - ${BUILD_FALCO_GVISOR} - CACHE BOOL "" -) +# todo(ekoops): remove this once we remove gvisor from libs +option(BUILD_LIBSCAP_GVISOR OFF) # configure modern BPF support set(BUILD_LIBSCAP_MODERN_BPF diff --git a/falco.yaml b/falco.yaml index 071f6e1e..c82c13cb 100644 --- a/falco.yaml +++ b/falco.yaml 
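Review bot: The replacement `option(BUILD_LIBSCAP_GVISOR OFF)` in cmake/modules/falcosecurity-libs.cmake passes the string OFF as the option's help text rather than as its value, since CMake's signature is `option(<variable> "<help_text>" [value])`; the option ends up OFF only because an omitted value defaults to OFF. Write it as `option(BUILD_LIBSCAP_GVISOR "Build gVisor support in libscap" OFF)` so the cache entry carries a meaningful description and the intent is explicit. Note that neither `option()` nor the removed non-FORCE `set(... CACHE BOOL "")` overrides an entry already present in the cache, so a build directory configured earlier with `BUILD_LIBSCAP_GVISOR=ON` keeps gVisor enabled in libs; if the goal is to hard-disable it until libs drops gVisor, `set(BUILD_LIBSCAP_GVISOR OFF CACHE BOOL "..." FORCE)` is the form that does that.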
@@ -282,12 +282,10 @@ rules_files: # # -- Falco supports different engines to generate events. # Choose the appropriate engine kind based on your system's configuration and requirements. -# DEPRECATION NOTICE: the gVisor engine are currently deprecated. Consider using other engines. # # Available engines: # - `kmod`: Kernel Module # - `modern_ebpf`: Modern eBPF (CO-RE eBPF probe) -# - `gvisor`: gVisor sandbox (deprecated) # - `replay`: Replay a scap trace file # - `nodriver`: No driver is injected into the system. # This is useful to debug and to run plugins with 'syscall' source. @@ -446,15 +444,6 @@ engine: replay: # -- Path to the capture file to replay (eg: /path/to/file.scap) capture_file: "" - # -- Engine-specific configuration for gVisor (gvisor) engine. DEPRECATION NOTICE: the gVisor engine is deprecated. - gvisor: - # -- A Falco-compatible configuration file can be generated with - # '--gvisor-generate-config' and utilized for both runsc and Falco. - config: "" - # -- Set gVisor root directory for storage of container state when used - # in conjunction with 'gvisor.config'. The 'gvisor.root' to be passed - # is the one usually passed to 'runsc --root' flag. - root: "" ################## # Falco captures # diff --git a/unit_tests/falco/app/actions/test_load_config.cpp b/unit_tests/falco/app/actions/test_load_config.cpp index 7cb7ad3e..7b6020aa 100644 --- a/unit_tests/falco/app/actions/test_load_config.cpp +++ b/unit_tests/falco/app/actions/test_load_config.cpp @@ -36,9 +36,6 @@ TEST(ActionLoadConfig, check_kmod_engine_config) { EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit); EXPECT_TRUE(s.config->m_replay.m_capture_file.empty()); - - EXPECT_TRUE(s.config->m_gvisor.m_config.empty()); - EXPECT_TRUE(s.config->m_gvisor.m_root.empty()); } TEST(ActionLoadConfig, check_modern_engine_config) { 
@@ -59,9 +56,6 @@ TEST(ActionLoadConfig, check_modern_engine_config) { EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit); EXPECT_TRUE(s.config->m_replay.m_capture_file.empty()); - - EXPECT_TRUE(s.config->m_gvisor.m_config.empty()); - EXPECT_TRUE(s.config->m_gvisor.m_root.empty()); } #endif diff --git a/unit_tests/falco/test_configs/engine_kmod_config.yaml b/unit_tests/falco/test_configs/engine_kmod_config.yaml index 77ad9430..42f51d2d 100644 --- a/unit_tests/falco/test_configs/engine_kmod_config.yaml +++ b/unit_tests/falco/test_configs/engine_kmod_config.yaml @@ -31,6 +31,3 @@ engine: drop_failed_exit: false replay: capture_file: /path/to/file.scap - gvisor: - config: /path/to/gvisor_config.yaml - root: "" diff --git a/unit_tests/falco/test_configs/engine_modern_config.yaml b/unit_tests/falco/test_configs/engine_modern_config.yaml index 4ea2f4f0..b1343c4d 100644 --- a/unit_tests/falco/test_configs/engine_modern_config.yaml +++ b/unit_tests/falco/test_configs/engine_modern_config.yaml @@ -31,6 +31,3 @@ engine: drop_failed_exit: true replay: capture_file: /path/to/file.scap - gvisor: - config: /path/to/gvisor_config.yaml - root: "" diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt index 5ae5b836..e6afd96f 100644 --- a/userspace/falco/CMakeLists.txt +++ b/userspace/falco/CMakeLists.txt @@ -34,7 +34,6 @@ add_library( app/actions/load_plugins.cpp app/actions/load_rules_files.cpp app/actions/process_events.cpp - app/actions/print_generated_gvisor_config.cpp app/actions/print_help.cpp app/actions/print_ignored_events.cpp app/actions/print_kernel_version.cpp diff --git a/userspace/falco/app/actions/actions.h b/userspace/falco/app/actions/actions.h index d0376a13..0428be72 100644 --- a/userspace/falco/app/actions/actions.h +++ b/userspace/falco/app/actions/actions.h 
@@ -39,7 +39,6 @@ falco::app::run_result load_config(const falco::app::state& s); falco::app::run_result load_plugins(falco::app::state& s); falco::app::run_result load_rules_files(falco::app::state& s); falco::app::run_result print_config_schema(falco::app::state& s); -falco::app::run_result print_generated_gvisor_config(falco::app::state& s); falco::app::run_result print_help(falco::app::state& s); falco::app::run_result print_ignored_events(const falco::app::state& s); falco::app::run_result print_kernel_version(const falco::app::state& s); diff --git a/userspace/falco/app/actions/create_requested_paths.cpp b/userspace/falco/app/actions/create_requested_paths.cpp index b64168a1..089db388 100644 --- a/userspace/falco/app/actions/create_requested_paths.cpp +++ b/userspace/falco/app/actions/create_requested_paths.cpp 
@@ -26,36 +26,6 @@ using namespace falco::app::actions; static int create_dir(const std::string &path); falco::app::run_result falco::app::actions::create_requested_paths(falco::app::state &s) { - if(s.is_gvisor()) { - // This is bad: parsing gvisor config to get endpoint - // to be able to auto-create the path to the file for the user. - std::ifstream reader(s.config->m_gvisor.m_config); - if(reader.fail()) { - return run_result::fatal(s.config->m_gvisor.m_config + ": cannot open file"); - } - - nlohmann::json parsed_json; - std::string gvisor_socket; - try { - parsed_json = nlohmann::json::parse(reader); - } catch(const std::exception &e) { - return run_result::fatal(s.config->m_gvisor.m_config + - ": cannot parse JSON: " + e.what()); - } - - try { - gvisor_socket = parsed_json["trace_session"]["sinks"][0]["config"]["endpoint"]; - } catch(const std::exception &e) { - return run_result::fatal(s.config->m_gvisor.m_config + - ": failed to fetch config.endpoint: " + e.what()); - } - - int ret = create_dir(gvisor_socket); - if(ret != 0) { - return run_result::fatal(gvisor_socket + ": " + strerror(errno)); - } - } - if(s.config->m_grpc_enabled && !s.config->m_grpc_bind_address.empty()) { if(falco::utils::network::is_unix_scheme(s.config->m_grpc_bind_address)) { auto server_path = s.config->m_grpc_bind_address.substr( diff --git a/userspace/falco/app/actions/helpers_inspector.cpp b/userspace/falco/app/actions/helpers_inspector.cpp index 1661f462..c809dcd8 100644 --- a/userspace/falco/app/actions/helpers_inspector.cpp +++ b/userspace/falco/app/actions/helpers_inspector.cpp 
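Review bot: The block removed from create_requested_paths was, as far as this hunk shows, the only code in the function using `std::ifstream`, `nlohmann::json` and `strerror`/`errno`; if the file's `<fstream>`, nlohmann/json and `<cstring>` includes were added for it, they should be dropped in the same commit, otherwise this translation unit keeps a JSON-library dependency it no longer needs. The `create_dir` declaration left above the hunk is presumably still used by the gRPC unix-socket branch that follows, so that stays. create_requested_paths continues past the end of the hunk.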
@@ -97,12 +97,6 @@ falco::app::run_result falco::app::actions::open_live_inspector(falco::app::stat falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with no driver\n"); inspector->open_nodriver(); - } else if(s.is_gvisor()) /* gvisor engine. */ - { - falco_logger::log(falco_logger::level::INFO, - "Opening '" + source + "' source with gVisor. Configuration path: " + - s.config->m_gvisor.m_config); - inspector->open_gvisor(s.config->m_gvisor.m_config, s.config->m_gvisor.m_root); } else if(s.is_modern_ebpf()) /* modern BPF engine. */ { falco_logger::log(falco_logger::level::INFO, diff --git a/userspace/falco/app/actions/init_falco_engine.cpp b/userspace/falco/app/actions/init_falco_engine.cpp index 96d6bfe8..4449cfef 100644 --- a/userspace/falco/app/actions/init_falco_engine.cpp +++ b/userspace/falco/app/actions/init_falco_engine.cpp @@ -88,9 +88,6 @@ void configure_output_format(falco::app::state& s) { } } - // See https://falco.org/docs/rules/style-guide/ - const std::string gvisor_info = "vpid=%proc.vpid vtid=%thread.vtid"; - if(!s.options.print_additional.empty()) { falco_logger::log(falco_logger::level::WARNING, "The -p/--print option is deprecated and will be removed. Use -o " @@ -100,11 +97,6 @@ void configure_output_format(falco::app::state& s) { s.options.print_additional == "k" || s.options.print_additional == "kubernetes") { // Don't do anything, we don't need these anymore // since container plugin takes care of suggesting the output format fields itself. - } else if(s.options.print_additional == "cg" || - s.options.print_additional == "container-gvisor" || - s.options.print_additional == "kg" || - s.options.print_additional == "kubernetes-gvisor") { - s.engine->add_extra_output_format(gvisor_info, falco_common::syscall_source, {}, ""); } else { s.engine->add_extra_output_format(s.options.print_additional, "", {}, ""); } 
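Review bot: With the `cg`/`container-gvisor`/`kg`/`kubernetes-gvisor` branch removed from configure_output_format in init_falco_engine.cpp, those `-p` values now fall through to the final `else` and are handed verbatim to `add_extra_output_format`, so a user still running `-pcg` gets the literal text `cg` appended to every alert instead of an error or a no-op. Since `c`/`k` are already treated as deliberate no-ops in the branch just above, the four gvisor aliases should be folded into that same condition (or logged as removed) rather than silently interpreted as a format string. configure_output_format starts before this hunk.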
diff --git a/userspace/falco/app/actions/print_generated_gvisor_config.cpp b/userspace/falco/app/actions/print_generated_gvisor_config.cpp index 6adb06bb..e69de29b 100644 --- a/userspace/falco/app/actions/print_generated_gvisor_config.cpp +++ b/userspace/falco/app/actions/print_generated_gvisor_config.cpp @@ -1,39 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -/* -Copyright (C) 2023 The Falco Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -#include "config_falco.h" -#include "actions.h" -#include "logger.h" - -using namespace falco::app; -using namespace falco::app::actions; - -falco::app::run_result falco::app::actions::print_generated_gvisor_config(falco::app::state& s) { - if(s.options.gvisor_generate_config_with_socket.empty()) { - return run_result::ok(); - } - - falco_logger::log(falco_logger::level::WARNING, - "Using feature for deprecated gVisor engine. Please consider switching to " - "another engine."); - - sinsp i; - std::string gvisor_config = - i.generate_gvisor_config(s.options.gvisor_generate_config_with_socket); - printf("%s\n", gvisor_config.c_str()); - return run_result::exit(); -} diff --git a/userspace/falco/app/actions/process_events.cpp b/userspace/falco/app/actions/process_events.cpp index 5cc2dfe6..e69b6b62 100644 --- a/userspace/falco/app/actions/process_events.cpp +++ b/userspace/falco/app/actions/process_events.cpp 
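Review bot: The file header for print_generated_gvisor_config.cpp reads `index 6adb06bb..e69de29b 100644` with no `deleted file mode` line, and e69de29b is git's empty-blob hash, so this commit truncates the file to zero bytes instead of removing it, even though userspace/falco/CMakeLists.txt, actions.h and app.cpp drop every reference to it. Remove it outright with `git rm userspace/falco/app/actions/print_generated_gvisor_config.cpp` so an empty source file is not left in the tree.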
@@ -379,8 +379,7 @@ static void process_inspector_events( uint64_t num_evts = 0; syscall_evt_drop_mgr sdropmgr; bool is_capture_mode = source.empty(); - bool check_drops_timeouts = - is_capture_mode || (source == falco_common::syscall_source && !s.is_gvisor()); + bool check_drops_timeouts = is_capture_mode || source == falco_common::syscall_source; duration = ((double)clock()) / CLOCKS_PER_SEC; diff --git a/userspace/falco/app/app.cpp b/userspace/falco/app/app.cpp index 77035370..6d710291 100644 --- a/userspace/falco/app/app.cpp +++ b/userspace/falco/app/app.cpp @@ -57,7 +57,6 @@ bool falco::app::run(falco::app::state& s, bool& restart, std::string& errstr) { falco::app::actions::print_help, falco::app::actions::print_config_schema, falco::app::actions::print_rule_schema, - falco::app::actions::print_generated_gvisor_config, falco::app::actions::print_ignored_events, falco::app::actions::print_syscall_events, falco::app::actions::load_config, diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp index 25b29d48..d5a35190 100644 --- a/userspace/falco/app/options.cpp +++ b/userspace/falco/app/options.cpp 
@@ -103,9 +103,6 @@ void options::define(cxxopts::Options& opts) ("disable-source", "Turn off a specific . By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "") ("dry-run", "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false")) ("enable-source", "Enable a specific . By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. When using this option, only the event sources specified by it will be enabled. This option can not be mixed with --disable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(enable_sources), "") -#ifdef HAS_GVISOR - ("gvisor-generate-config", "DEPRECATED: Generate a configuration file that can be used for gVisor and exit.", cxxopts::value(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "") -#endif ("i", "Print those events that are ignored by default for performance reasons and exit.", cxxopts::value(print_ignored_events)->default_value("false")) ("L", "Show the name and description of all rules and exit. If json_output is set to true, it prints details about all rules, macros, and lists in JSON format.", cxxopts::value(describe_all_rules)->default_value("false")) ("l", "Show the name and description of the rule specified and exit. If json_output is set to true, it prints details about the rule in JSON format.", cxxopts::value(describe_rule), "") 
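Review bot: The `#ifdef HAS_GVISOR` guard removed here in options.cpp was paired with the `add_definitions(-DHAS_GVISOR)` dropped from the top-level CMakeLists.txt, so any other `#ifdef HAS_GVISOR` region still in the tree now compiles out silently rather than failing; this diff does not show whether any remain, so a grep for `HAS_GVISOR` before merging would confirm the macro has no stragglers. Likewise `gvisor_generate_config_with_socket` is removed from options.h, which will catch any remaining C++ user at compile time, but documentation or scripts that still pass `--gvisor-generate-config` will now be rejected by cxxopts and may need a corresponding update.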
diff --git a/userspace/falco/app/options.h b/userspace/falco/app/options.h index 35430f22..dd5b95db 100644 --- a/userspace/falco/app/options.h +++ b/userspace/falco/app/options.h @@ -48,7 +48,6 @@ public: sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL; std::vector disable_sources; std::vector enable_sources; - std::string gvisor_generate_config_with_socket; bool describe_all_rules = false; std::string describe_rule; bool print_ignored_events = false; diff --git a/userspace/falco/app/state.h b/userspace/falco/app/state.h index 1b01bec9..14be3e87 100644 --- a/userspace/falco/app/state.h +++ b/userspace/falco/app/state.h @@ -122,8 +122,6 @@ struct state { inline bool is_capture_mode() const { return config->m_engine_mode == engine_kind_t::REPLAY; } - inline bool is_gvisor() const { return config->m_engine_mode == engine_kind_t::GVISOR; } - inline bool is_kmod() const { return config->m_engine_mode == engine_kind_t::KMOD; } inline bool is_modern_ebpf() const { diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h index 946d6f5d..d241f025 100644 --- a/userspace/falco/config_json_schema.h +++ b/userspace/falco/config_json_schema.h @@ -372,9 +372,6 @@ const char config_schema_string[] = LONG_STRING_CONST( }, "replay": { "$ref": "#/definitions/Replay" - }, - "gvisor": { - "$ref": "#/definitions/Gvisor" } }, "required": [ @@ -382,23 +379,6 @@ const char config_schema_string[] = LONG_STRING_CONST( ], "title": "Engine" }, - "Gvisor": { - "type": "object", - "additionalProperties": false, - "properties": { - "config": { - "type": "string" - }, - "root": { - "type": "string" - } - }, - "required": [ - "config", - "root" - ], - "title": "Gvisor" - }, "Kmod": { "type": "object", "additionalProperties": false, diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index 21a6b7a7..157c2d8f 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp 
@@ -238,7 +238,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) { {"kmod", engine_kind_t::KMOD}, {"modern_ebpf", engine_kind_t::MODERN_EBPF}, {"replay", engine_kind_t::REPLAY}, - {"gvisor", engine_kind_t::GVISOR}, {"nodriver", engine_kind_t::NODRIVER}, }; @@ -250,12 +249,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) { driver_mode_str + "' is not a valid kind."); } - if(m_engine_mode == engine_kind_t::GVISOR) { - falco_logger::log(falco_logger::level::WARNING, - "Using deprecated engine '" + driver_mode_str + - "'. Please consider switching to another engine."); - } - switch(m_engine_mode) { case engine_kind_t::KMOD: m_kmod.m_buf_size_preset = m_config.get_scalar("engine.kmod.buf_size_preset", @@ -283,15 +276,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) { "): engine.kind is 'replay' but no engine.replay.capture_file specified."); } break; - case engine_kind_t::GVISOR: - m_gvisor.m_config = m_config.get_scalar("engine.gvisor.config", ""); - if(m_gvisor.m_config.empty()) { - throw std::logic_error( - "Error reading config file (" + config_name + - "): engine.kind is 'gvisor' but no engine.gvisor.config specified."); - } - m_gvisor.m_root = m_config.get_scalar("engine.gvisor.root", ""); - break; case engine_kind_t::NODRIVER: default: break; diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h index f4839ff7..a723f8f9 100644 --- a/userspace/falco/configuration.h +++ b/userspace/falco/configuration.h @@ -40,7 +40,7 @@ limitations under the License. // Falco only metric #define METRICS_V2_JEMALLOC_STATS 1 << 31 -enum class engine_kind_t : uint8_t { KMOD, MODERN_EBPF, REPLAY, GVISOR, NODRIVER }; +enum class engine_kind_t : uint8_t { KMOD, MODERN_EBPF, REPLAY, NODRIVER }; enum class capture_mode_t : uint8_t { RULES, ALL_RULES }; 
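Review bot: Removing `{"gvisor", engine_kind_t::GVISOR}` from the kind table in load_engine_config means a falco.yaml that still says `engine.kind: gvisor` now fails with the generic `'gvisor' is not a valid kind.` message built just below, which gives an operator upgrading from the deprecated engine no hint that it was removed rather than mistyped. A dedicated message at the point where the lookup fails, e.g. `"engine.kind 'gvisor' has been removed; use kmod, modern_ebpf, replay or nodriver"`, would make the upgrade failure self-explanatory. The test_load_config.cpp changes only delete the old gvisor assertions; a test that loads a config with `engine.kind: gvisor` and expects the error would pin the new behaviour. load_engine_config starts before this hunk and continues past the end of its first hunk.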
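Review bot: Dropping GVISOR from the middle of `enum class engine_kind_t : uint8_t { KMOD, MODERN_EBPF, REPLAY, NODRIVER }` in configuration.h changes NODRIVER's underlying value from 4 to 3. Every use visible in this diff compares the enumerator symbolically, so this is harmless unless the numeric value is persisted, logged or exposed through metrics somewhere outside the diff; a grep for casts or `to_underlying` applied to engine_kind_t would settle it.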
@@ -76,11 +76,6 @@ public: std::string m_capture_file; }; - struct gvisor_config { - std::string m_config; - std::string m_root; - }; - struct webserver_config { uint32_t m_threadiness = 0; uint32_t m_listen_port = 8765; @@ -216,7 +211,6 @@ public: kmod_config m_kmod = {}; modern_ebpf_config m_modern_ebpf = {}; replay_config m_replay = {}; - gvisor_config m_gvisor = {}; yaml_helper m_config; diff --git a/userspace/falco/falco_metrics.cpp b/userspace/falco/falco_metrics.cpp index e73f2d27..6e55fcb5 100644 --- a/userspace/falco/falco_metrics.cpp +++ b/userspace/falco/falco_metrics.cpp @@ -261,8 +261,7 @@ std::string falco_metrics::sources_to_text_prometheus( static const char* all_driver_engines[] = {KMOD_ENGINE, MODERN_BPF_ENGINE, SOURCE_PLUGIN_ENGINE, - NODRIVER_ENGINE, - GVISOR_ENGINE}; + NODRIVER_ENGINE}; static re2::RE2 drops_buffer_pattern("n_drops_buffer_([^_]+(?:_[^_]+)*)_exit$"); static re2::RE2 cpu_pattern("(\\d+)"); diff --git a/userspace/falco/stats_writer.cpp b/userspace/falco/stats_writer.cpp index 452712df..871cee3e 100644 --- a/userspace/falco/stats_writer.cpp +++ b/userspace/falco/stats_writer.cpp @@ -338,8 +338,7 @@ void stats_writer::collector::get_metrics_output_fields_wrapper( static const char* all_driver_engines[] = {KMOD_ENGINE, MODERN_BPF_ENGINE, SOURCE_PLUGIN_ENGINE, - NODRIVER_ENGINE, - GVISOR_ENGINE}; + NODRIVER_ENGINE}; const scap_agent_info* agent_info = inspector->get_agent_info(); const scap_machine_info* machine_info = inspector->get_machine_info();
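Review bot: The `all_driver_engines[]` table trimmed in falco_metrics.cpp and again in stats_writer.cpp is the same list maintained by hand in two places, which is why this commit has to edit both in lockstep and why they can silently drift the next time an engine is added or removed. Hoisting it into a single shared `inline constexpr` array declared next to the `*_ENGINE` names it is built from would leave one place to update. The functions enclosing both hunks start before them and continue past them.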