From 478514940f7d711024d09f8f7f80733d3d5dc6df Mon Sep 17 00:00:00 2001 From: Luca Guerra Date: Tue, 1 Oct 2024 10:41:33 +0000 Subject: [PATCH] update(falco): deprecated -S --snaplen option Signed-off-by: Luca Guerra --- userspace/falco/app/actions/init_inspectors.cpp | 3 +++ userspace/falco/app/options.cpp | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/userspace/falco/app/actions/init_inspectors.cpp b/userspace/falco/app/actions/init_inspectors.cpp index 04562e8b..2aca8fc2 100644 --- a/userspace/falco/app/actions/init_inspectors.cpp +++ b/userspace/falco/app/actions/init_inspectors.cpp @@ -82,6 +82,9 @@ static void init_syscall_inspector(falco::app::state& s, std::shared_ptr } if(s.options.snaplen != 0) { inspector->set_snaplen(s.options.snaplen); + falco_logger::log(falco_logger::level::WARNING, + "The -S/--snaplen option is deprecated and will be removed. Use -o " + "falco_libs.snaplen= instead."); } if(s.is_driver_drop_failed_exit_enabled()) { diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp index 5572bf34..99b69656 100644 --- a/userspace/falco/app/options.cpp +++ b/userspace/falco/app/options.cpp @@ -123,7 +123,7 @@ void options::define(cxxopts::Options& opts) ("p,print", "Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a syscall rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p for a custom format. In this case, the given will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "") ("P,pidfile", "Write PID to specified path. By default, no PID file is created.", cxxopts::value(pidfilename)->default_value(""), "") ("r", "Rules file or directory to be loaded. This option can be passed multiple times. Falco defaults to the values in the configuration file when this option is not specified.", cxxopts::value>(), "") - ("S,snaplen", "Collect only the first bytes of each I/O buffer for 'syscall' events. By default, the first 80 bytes are collected by the driver and sent to the user space for processing. Use this option with caution since it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "") + ("S,snaplen", "DEPRECATED: use -o falco_libs.snaplen= instead. Collect only the first bytes of each I/O buffer for 'syscall' events. By default, the first 80 bytes are collected by the driver and sent to the user space for processing. Use this option with caution since it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "") ("support", "Print support information, including version, rules files used, loaded configuration, etc., and exit. The output is in JSON format.", cxxopts::value(print_support)->default_value("false")) ("U,unbuffered", "Turn off output buffering for configured outputs. This causes every single line emitted by Falco to be flushed, which generates higher CPU usage but is useful when piping those outputs into another process or a script.", cxxopts::value(unbuffered_outputs)->default_value("false")) ("V,validate", "Read the contents of the specified file(s), validate the loaded rules, and exit. This option can be passed multiple times to validate multiple files.", cxxopts::value(validate_rules_filenames), "")