mirror of
https://github.com/falcosecurity/falco.git
synced 2025-08-23 00:26:22 +00:00
feat(proposal): Adding artifacts scope and proposal
- Highlights scope of Falco - Highlights subprojects and groups evolution - Defines build artifacts - Defines artifact naming convention - Dictates that we take action to make these changes happen Signed-off-by: Kris Nova <kris@nivenly.com>
This commit is contained in:
Kris Nova
poiana
parent
8adcc95bac
commit
b9bf985fae
188
proposals/20200504-falco-artifacts-scope.md
Normal file
188
proposals/20200504-falco-artifacts-scope.md
Normal file
@ -0,0 +1,188 @@
|
||||
# Falco Scope
|
||||
|
||||
As a project we would like to support the following artifacts.
|
||||
|
||||
Everything else will be moved to [contrib](https://github.com/falcosecurity/contrib).
|
||||
|
||||
As a project we will build, change, rename, and move files, documents, scripts, configurations according to this new state of the world.
|
||||
|
||||
## Terms
|
||||
|
||||
**falco**
|
||||
|
||||
*Standalone Falco binary*
|
||||
|
||||
**driver**
|
||||
|
||||
*System call provider from the Linux kernel. Either (`bpf`, `module`, or `ptrace`)*
|
||||
|
||||
**falco-driver-loader-script**
|
||||
|
||||
|
||||
*The bash script found [here](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) that tries to compile else download the kernel module.*
|
||||
|
||||
**package**
|
||||
|
||||
*An installable artifact that is operating system specific. All packages MUST be hosted on bintray for X86_64.*
|
||||
|
||||
**image**
|
||||
|
||||
*OCI compliant container image hosted on dockerhub with tags for every release.*
|
||||
|
||||
|
||||
# Packages
|
||||
|
||||
Official packages for X86_64 only.
|
||||
|
||||
The following convention MUST be used for all packages.
|
||||
|
||||
_If a package installs Falco as a daemon (systemd, init) it MUST contain `daemon`._
|
||||
|
||||
_If a package installs the Falco kernel module it MUST contain `module`._
|
||||
|
||||
_If a package installs the Falco BPF probe it MUST contain `bpf`._
|
||||
|
||||
_If a package installs the Falco kernel module it MUST contain `module`._
|
||||
|
||||
---
|
||||
|
||||
### .deb
|
||||
|
||||
Falco running in debian like systems that will default to the kernel module.
|
||||
|
||||
- falco-x86.deb
|
||||
- `falco` only (default depends on `falco-module`)
|
||||
- falco-daemon-x86.deb
|
||||
- `falco` and script to configure as daemon (default depends on `falco-module`)
|
||||
- falco-module-x86.deb
|
||||
- `module` only
|
||||
- falco-bpf-x86.deb
|
||||
- `bpf` only
|
||||
- falco-ptrace-x86.deb
|
||||
- `ptrace` only
|
||||
|
||||
### .rpm
|
||||
|
||||
Falco running in rpm like systems that will default to the kernel module.
|
||||
|
||||
- falco-x86.deb
|
||||
- `falco` only (default depends on `falco-module`)
|
||||
- falco-daemon-x86.deb
|
||||
- `falco` and script to configure as daemon (default depends on `falco-module`)
|
||||
- falco-module-x86.deb
|
||||
- `module` only
|
||||
- falco-bpf-x86.deb
|
||||
- `bpf` only
|
||||
- falco-ptrace-x86.deb
|
||||
- `ptrace` only
|
||||
|
||||
|
||||
### .tar.gz
|
||||
|
||||
- falco-src-x86.tar.gz
|
||||
- No binaries
|
||||
-
|
||||
- falco-driver-src-x86.tar.gz
|
||||
- `falco` and `/driver` with `Makefile`
|
||||
- `INSTALL` file
|
||||
- falco-driver-download-x86.tar.gz
|
||||
- `falco` and script to download or fail
|
||||
- falco-driver-full-x86.tar.gz
|
||||
- `falco` and script to first try to download then `make install` or fail
|
||||
|
||||
|
||||
# Images
|
||||
|
||||
The following convention MUST be used for all container images.
|
||||
|
||||
_If a container image requires `--privileged` the name MUST have the `priviliged-` prefix._
|
||||
|
||||
_If a container image is for development purproses it MUST have the `dev-` prefix._
|
||||
|
||||
_If a container image is used to install something, then exit it MUST have the `-install` suffix.*_
|
||||
|
||||
---
|
||||
|
||||
- falcosecurity/falco:TAG
|
||||
- Runs `falco` userspace only
|
||||
- falcosecurity/privileged-driver-install:TAG
|
||||
- Runs `falco-driver-loader` and exit
|
||||
- falcosecurity/priviliged-driver-install-falco
|
||||
- first runs `privileged-driver-install` then runs `falco`
|
||||
- falcosecurity/priviliged-host-systemd-driver-falco:TAG
|
||||
- Detects arch and runs new bash script:
|
||||
- Installs Falco with packages (deb, rpm, src)
|
||||
- Configures with systemd and Unix Domain Socket [#858](https://github.com/falcosecurity/falco/issues/858)
|
||||
- falcosecurity/dev-tester:TAG
|
||||
- Runs the falco test suite
|
||||
- falcosecurity/dev-builder:TAG
|
||||
- Contains falco tool chain
|
||||
|
||||
|
||||
# Falco Project Evolution
|
||||
|
||||
We will modeling a loosely defined adoption of the Kubernetes and CNCF incubator efforts.
|
||||
|
||||
The criteria will remain loose, and tighten as needed at the discretion of the Falco open source community.
|
||||
|
||||
### contrib
|
||||
|
||||
Sandbox level
|
||||
|
||||
This new [contrib](https://github.com/falcosecurity/contrib) repository will be equivalent to the `Falco Sandbox` and serves as a place for the community to `test-drive` ideas/projects/code.
|
||||
|
||||
### repository
|
||||
|
||||
Incubating level projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository.
|
||||
|
||||
This is done as needed, and can best be measured by the need to cut a release and use the github release features. Again, this is at the discretion of the Falco open source community.
|
||||
|
||||
### official support
|
||||
|
||||
As the need for a project grows, it can ultimately achieve the highest and most coveted status. Offical support.
|
||||
|
||||
These artifacts will be ammended to the ones listed above, and will become a part of the official Falco release process.
|
||||
|
||||
# Action
|
||||
|
||||
For each item, ask if this already exists. If so we need to rename, and update it to match this new convention.
|
||||
|
||||
|
||||
### Action Items
|
||||
|
||||
Here are SOME of the items that would need to be done for example:
|
||||
|
||||
- Rename `stable` image to `privileged-driver-falco`
|
||||
- Rename `bin` package to `bin-driver-loader`
|
||||
- Rename `slim` image to `falco`
|
||||
- Documentation in `bin-driver-loader` package as INSTALL
|
||||
- Documentation in `src` package as INSTALL
|
||||
- Move everything else to contrib
|
||||
- Move [/integrations](https://github.com/falcosecurity/falco/tree/master/integrations) to contrib
|
||||
- Move [/examples](https://github.com/falcosecurity/falco/tree/master/examples) to contrib
|
||||
|
||||
### Documentation
|
||||
|
||||
Update documentation in [falco-website#184](https://github.com/falcosecurity/falco-website/pull/184)
|
||||
|
||||
### Adjusting projects
|
||||
|
||||
- Helm chart documentation to be moved to `contrib`
|
||||
- YAML manifest documentation to be moved to `contrib`
|
||||
- Minkube, Kind, Puppet, Ansible, etc documentation to be moved to `contrib`
|
||||
|
||||
#### Note:
|
||||
|
||||
This could break the current helm chart, and maybe other dependencies.
|
||||
|
||||
We owe existing users of the Falco project some courtesy if we will break their usage of how Falco has traditionally been advertised.
|
||||
|
||||
Some things we owe the community.
|
||||
|
||||
- Announcement on Falco mailing list
|
||||
- Issues/Pull Request to Helm chart
|
||||
- Note: At the very least open an issue and document how to make the existing helm chart work with the new changes if needed. [Nova Volunteers]
|
||||
- We should at least open a PR and update the helm chart with these new expectations if needed. [Nova Volunteers]
|
||||
- We should revisit the helm chart OWNERS
|
||||
- Twitter
|
||||
- Documentation
|
||||
Loading…
Reference in New Issue
Block a user