github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-26 14:52:20 +00:00
Code Issues Projects Releases Wiki Activity

new(ci): build with sanitizers in CI

Browse Source 
Signed-off-by: Luca Guerra <luca@guerra.sh>
This commit is contained in:
Luca Guerra 2024-03-25 16:34:26 +00:00 committed by poiana
parent f895f8fc78
commit b01ef55f6b
4 changed files with 37 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.github/workflows/ci.yml vendored
View File

@ -22,6 +22,8 @@ jobs:
with: with:
arch: x86_64 arch: x86_64
version: ${{ needs.fetch-version.outputs.version }} version: ${{ needs.fetch-version.outputs.version }}
build_type: Debug
sanitizers: true
build-dev-packages-arm64: build-dev-packages-arm64:
needs: [fetch-version] needs: [fetch-version]
@ -29,6 +31,8 @@ jobs:
with: with:
arch: aarch64 arch: aarch64
version: ${{ needs.fetch-version.outputs.version }} version: ${{ needs.fetch-version.outputs.version }}
build_type: Debug
sanitizers: true
test-dev-packages: test-dev-packages:
needs: [fetch-version, build-dev-packages] needs: [fetch-version, build-dev-packages]
@ -82,6 +86,7 @@ jobs:
arch: x86_64 arch: x86_64
git_ref: ${{ github.event.pull_request.head.sha }} git_ref: ${{ github.event.pull_request.head.sha }}
minimal: false minimal: false
sanitizers: true
build_type: Debug build_type: Debug
cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)" cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)"

7
.github/workflows/reusable_build_dev.yaml vendored
View File

@ -14,6 +14,11 @@ on:
description: Minimal build description: Minimal build
required: true required: true
type: boolean type: boolean
sanitizers:
description: Enable sanitizer support
required: false
default: false
type: boolean
build_type: build_type:
description: One of 'Debug' or 'Release' description: One of 'Debug' or 'Release'
required: true required: true
@ -59,6 +64,8 @@ jobs:
-DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \ -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
-DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \ -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
-DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \ -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
-DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
-DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
-DUSE_BUNDLED_DEPS=Off \ -DUSE_BUNDLED_DEPS=Off \
-DUSE_BUNDLED_NLOHMANN_JSON=On \ -DUSE_BUNDLED_NLOHMANN_JSON=On \
-DUSE_BUNDLED_CXXOPTS=On \ -DUSE_BUNDLED_CXXOPTS=On \

27
.github/workflows/reusable_build_packages.yaml vendored
View File

@ -10,6 +10,16 @@ on:
description: The Falco version to use when building packages description: The Falco version to use when building packages
required: true required: true
type: string type: string
build_type:
description: The build type
required: false
type: string
default: 'Release'
sanitizers:
description: enable sanitizer support
required: false
type: boolean
default: false
jobs: jobs:
build-modern-bpf-skeleton: build-modern-bpf-skeleton:
@ -50,7 +60,7 @@ jobs:
yum -y install centos-release-scl yum -y install centos-release-scl
yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++ yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
source /opt/rh/devtoolset-9/enable source /opt/rh/devtoolset-9/enable
yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel
- name: Checkout - name: Checkout
# It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc. # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
@ -71,13 +81,14 @@ jobs:
run: | run: |
source /opt/rh/devtoolset-9/enable source /opt/rh/devtoolset-9/enable
cmake -B build -S . \ cmake -B build -S . \
-DCMAKE_BUILD_TYPE=Release \ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
-DUSE_BUNDLED_DEPS=On \ -DUSE_BUNDLED_DEPS=On \
-DFALCO_ETC_DIR=/etc/falco \ -DFALCO_ETC_DIR=/etc/falco \
-DBUILD_FALCO_MODERN_BPF=ON \ -DBUILD_FALCO_MODERN_BPF=ON \
-DMODERN_BPF_SKEL_DIR=/tmp \ -DMODERN_BPF_SKEL_DIR=/tmp \
-DBUILD_DRIVER=Off \ -DBUILD_DRIVER=Off \
-DBUILD_BPF=Off \ -DBUILD_BPF=Off \
-DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \
-DFALCO_VERSION=${{ inputs.version }} -DFALCO_VERSION=${{ inputs.version }}
- name: Build project - name: Build project
@ -133,7 +144,7 @@ jobs:
- name: Prepare project - name: Prepare project
run: | run: |
cmake -B build -S . \ cmake -B build -S . \
-DCMAKE_BUILD_TYPE=Release \ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
-DCPACK_GENERATOR=TGZ \ -DCPACK_GENERATOR=TGZ \
-DBUILD_BPF=Off -DBUILD_DRIVER=Off \ -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
-DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }} -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }}
@ -184,7 +195,7 @@ jobs:
-DBUILD_BPF=Off \ -DBUILD_BPF=Off \
-DBUILD_DRIVER=Off \ -DBUILD_DRIVER=Off \
-DBUILD_LIBSCAP_MODERN_BPF=OFF \ -DBUILD_LIBSCAP_MODERN_BPF=OFF \
-DCMAKE_BUILD_TYPE=Release \ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
-DUSE_BUNDLED_DEPS=On \ -DUSE_BUNDLED_DEPS=On \
-DFALCO_ETC_DIR=/etc/falco \ -DFALCO_ETC_DIR=/etc/falco \
-DBUILD_FALCO_UNIT_TESTS=On \ -DBUILD_FALCO_UNIT_TESTS=On \
@ -224,15 +235,15 @@ jobs:
# NOTE: Backslash doesn't work as line continuation on Windows. # NOTE: Backslash doesn't work as line continuation on Windows.
- name: Prepare project - name: Prepare project
run: | run: |
cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }} cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
- name: Build project - name: Build project
run: | run: |
cmake --build build --target package --config Release cmake --build build --target package --config ${{ inputs.build_type }}
- name: Run unit Tests - name: Run unit Tests
run: | run: |
build/unit_tests/Release/falco_unit_tests.exe build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe
- name: Upload Falco win32 installer - name: Upload Falco win32 installer
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
@ -245,7 +256,7 @@ jobs:
with: with:
name: falco-${{ inputs.version }}-win32.exe name: falco-${{ inputs.version }}-win32.exe
path: | path: |
${{ github.workspace }}/build/userspace/falco/Release/falco.exe ${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe
build-macos-package: build-macos-package:
if: ${{ inputs.arch == 'x86_64' }} if: ${{ inputs.arch == 'x86_64' }}

6
.github/workflows/reusable_test_packages.yaml vendored
View File

@ -39,6 +39,12 @@ jobs:
run: | run: |
sudo apt update -y sudo apt update -y
sudo apt install -y --no-install-recommends linux-headers-$(uname -r) sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
# Some builds use sanitizers, we always install support for them so they can run
- name: Install sanitizer support
run: |
sudo apt update -y
sudo apt install -y libasan5 libubsan1
- name: Run tests - name: Run tests
uses: falcosecurity/testing@main uses: falcosecurity/testing@main