Build and package standalone falco kernel module

Start packaging (and building when necessary) a falco-specific kernel module in falco releases. Previously, falco would depend on sysdig and use its kernel module instead. The kernel module was already templated to some degree in various places, so we just had to change the templated name from sysdig/sysdig-probe to falco/falco-probe. In containers, run falco-probe-loader instead of sysdig-probe-loader. This is actually a script in the sysdig repository which is modified in https://github.com/draios/sysdig/pull/789, and uses the filename to indicate what kernel module to build and/or load. For the falco package itself, don't depend on sysdig any longer but instead depend on dkms and its dependencies, using sysdig as a guide on the set of required packages. Additionally, for the package pre-install/post-install scripts start running falco-probe-loader. Finally, add a --version argument to falco so it can pass the desired version string to falco-probe-loader.
2025-05-31 02:35:10 +00:00 · 2017-03-20 15:36:03 -07:00 · 2017-03-20 15:36:03 -07:00 · ec5adfe892
commit ec5adfe892
parent 18900089f3
14 changed files with 100 additions and 34 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -41,8 +41,8 @@ endif()

 set(PACKAGE_NAME "falco")
 set(PROBE_VERSION "${FALCO_VERSION}")
-set(PROBE_NAME "sysdig-probe")
-set(PROBE_DEVICE_NAME "sysdig")
+set(PROBE_NAME "falco-probe")
+set(PROBE_DEVICE_NAME "falco")
 set(CMAKE_INSTALL_PREFIX /usr)

 set(CMD_MAKE make)
@ -415,12 +415,12 @@ set(CPACK_GENERATOR DEB RPM TGZ)
 set(CPACK_DEBIAN_PACKAGE_MAINTAINER "Sysdig <support@sysdig.com>")
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "http://www.sysdig.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "sysdig")
-set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${PROJECT_SOURCE_DIR}/scripts/debian/postinst;${PROJECT_SOURCE_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
+set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm")

 set(CPACK_RPM_PACKAGE_LICENSE "GPLv2")
 set(CPACK_RPM_PACKAGE_URL "http://www.sysdig.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "sysdig")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, gcc, make, kernel-devel, perl")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postuninstall")
--- a/docker/dev/docker-entrypoint.sh
+++ b/docker/dev/docker-entrypoint.sh
@ -11,7 +11,7 @@ if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
    done

-    /usr/bin/sysdig-probe-loader
+    /usr/bin/falco-probe-loader
 fi

 exec "$@"
--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@ -25,7 +25,7 @@ RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources
 	gcc \
 	gcc-5 \
 	gcc-4.9 \
-	sysdig && rm -rf /var/lib/apt/lists/*
+	dkms && rm -rf /var/lib/apt/lists/*

 # Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
 # default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
--- a/docker/local/docker-entrypoint.sh
+++ b/docker/local/docker-entrypoint.sh
@ -11,7 +11,7 @@ if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
    done

-    /usr/bin/sysdig-probe-loader
+    /usr/bin/falco-probe-loader
 fi

 exec "$@"
--- a/docker/stable/docker-entrypoint.sh
+++ b/docker/stable/docker-entrypoint.sh
@ -11,7 +11,7 @@ if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
    done

-    /usr/bin/sysdig-probe-loader
+    /usr/bin/falco-probe-loader
 fi

 exec "$@"
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@ -1,5 +1,12 @@
+configure_file(debian/postinst.in debian/postinst)
+configure_file(debian/prerm.in debian/prerm)
+
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")

 file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
+install(PROGRAMS ${SYSDIG_DIR}/scripts/sysdig-probe-loader
+	DESTINATION bin
+	RENAME falco-probe-loader)
--- a/scripts/debian/postinst
+++ b/scripts/debian/postinst
@ -1,9 +0,0 @@
-#!/bin/sh
-set -e
-
-NAME=falco
-
-if [ -x "/etc/init.d/$NAME" ]; then
-        update-rc.d $NAME defaults >/dev/null
-fi
-
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@ -0,0 +1,32 @@
+#!/bin/sh
+set -e
+
+DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
+DKMS_VERSION="@PROBE_VERSION@"
+NAME="@PACKAGE_NAME@"
+
+postinst_found=0
+
+case "$1" in
+	configure)
+		for DKMS_POSTINST in /usr/lib/dkms/common.postinst /usr/share/$DKMS_PACKAGE_NAME/postinst; do
+			if [ -f $DKMS_POSTINST ]; then
+				$DKMS_POSTINST $DKMS_PACKAGE_NAME $DKMS_VERSION /usr/share/$DKMS_PACKAGE_NAME "" $2
+				postinst_found=1
+				break
+			fi
+		done
+		if [ "$postinst_found" -eq 0 ]; then
+			echo "ERROR: DKMS version is too old and $DKMS_PACKAGE_NAME was not"
+			echo "built with legacy DKMS support."
+			echo "You must either rebuild $DKMS_PACKAGE_NAME with legacy postinst"
+			echo "support or upgrade DKMS to a more current version."
+			exit 1
+		fi
+	;;
+esac
+
+if [ -x "/etc/init.d/$NAME" ]; then
+        update-rc.d $NAME defaults >/dev/null
+fi
+
--- a/scripts/debian/prerm
+++ b/scripts/debian/prerm
@ -1,13 +0,0 @@
-#!/bin/sh
-set -e
-
-NAME=falco
-
-if [ -x "/etc/init.d/$NAME" ]; then
-		if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
-				invoke-rc.d $NAME stop || exit $?
-		else
-				/etc/init.d/$NAME stop || exit $?
-		fi
-fi
-
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+NAME="@PACKAGE_NAME@"
+
+if [ -x "/etc/init.d/$NAME" ]; then
+		if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+				invoke-rc.d $NAME stop || exit $?
+		else
+				/etc/init.d/$NAME stop || exit $?
+		fi
+fi
+
+DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
+DKMS_VERSION="@PROBE_VERSION@"
+
+case "$1" in
+	remove|upgrade|deconfigure)
+		if [  "$(dkms status -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION)" ]; then
+			dkms remove -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION --all
+		fi
+	;;
+esac
--- a/scripts/rpm/postinstall
+++ b/scripts/rpm/postinstall
@ -1 +1,15 @@
+dkms add -m falco -v %{version} --rpm_safe_upgrade
+if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then
+	dkms build -m falco -v %{version}
+	dkms install --force -m falco -v %{version}
+elif [ `uname -r | grep -c "BOOT"` -gt 0 ]; then
+	echo -e ""
+	echo -e "Module build for the currently running kernel was skipped since you"
+	echo -e "are running a BOOT variant of the kernel."
+else
+	echo -e ""
+	echo -e "Module build for the currently running kernel was skipped since the"
+	echo -e "kernel source for this kernel does not seem to be installed."
+fi
+
 /sbin/chkconfig --add falco
--- a/scripts/rpm/preuninstall
+++ b/scripts/rpm/preuninstall
@ -2,3 +2,5 @@ if [ $1 = 0 ]; then
 	/sbin/service falco stop > /dev/null 2>&1
 	/sbin/chkconfig --del falco
 fi
+
+dkms remove -m falco -v %{version} --all --rpm_safe_upgrade
--- a/test/falco_test.py
+++ b/test/falco_test.py
@ -93,9 +93,9 @@ class FalcoTest(Test):
        # module_is_loaded to avoid logging lsmod output to the log.
        lsmod_output = process.system_output("lsmod", verbose=False)

-        if linux_modules.parse_lsmod_for_module(lsmod_output, 'sysdig_probe') == {}:
-            self.log.debug("Loading sysdig kernel module")
-            process.run('sudo insmod {}/driver/sysdig-probe.ko'.format(self.falcodir))
+        if linux_modules.parse_lsmod_for_module(lsmod_output, 'falco_probe') == {}:
+            self.log.debug("Loading falco kernel module")
+            process.run('sudo insmod {}/driver/falco-probe.ko'.format(self.falcodir))

        self.str_variant = self.trace_file

--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@ -53,6 +53,7 @@ static void signal_callback(int signal)
 static void usage()
 {
    printf(
+	   "falco version " FALCO_VERSION "\n"
 	   "Usage: falco [options]\n\n"
 	   "Options:\n"
 	   " -h, --help                    Print this page\n"
@ -106,6 +107,7 @@ static void usage()
 	   " -t <tag>                      Only run those rules with a tag=<tag>. Can be specified multiple times.\n"
 	   "                               Can not be specified with -T/-D.\n"
 	   " -v                            Verbose output.\n"
+           " --version                     Print version number.\n"
 	   "\n"
    );
 }
@ -255,6 +257,7 @@ int falco_init(int argc, char **argv)
 		{"option", required_argument, 0, 'o'},
 		{"print", required_argument, 0, 'p' },
 		{"pidfile", required_argument, 0, 'P' },
+		{"version", no_argument, 0, 0 },
 		{"writefile", required_argument, 0, 'w' },

 		{0, 0, 0, 0}
@ -368,6 +371,13 @@ int falco_init(int argc, char **argv)

 		}

+		if(string(long_options[long_index].name) == "version")
+		{
+			printf("falco version %s\n", FALCO_VERSION);
+			return EXIT_SUCCESS;
+		}
+
+
 		inspector = new sinsp();
 		engine = new falco_engine();
 		engine->set_inspector(inspector);