Based on the Dockerfiles from the sysdig repository. The only change
from the sysdig versions is to use environment variable FALCO_REPOSITORY
and to install falco instead of sysdig.
Note that the entrypoint still uses sysdig-probe-loader and
SYSDIG_HOST_ROOT, as it's building the kernel module for sysdig.
I verified I could create and run an image using the dev version using
"docker build ." from docker/dev, and run it using:
docker run -i -t --name falco --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:r\o sysdig/falco falco -r /etc/falco_rules.conf
I still need to update jenkins to create a release build.
Instead of suggesting using a kernel module from an installed version of
sysdig, always recommend unloading any existing module and using the
locally built one.
While building falco from source, I found a couple of problems related
to use of kernel modules:
1. The falco build needs driver_config.h from the sysdig repo, but it
isn't created by default.
[ 50%] Building C object userspace/libscap/CMakeFiles/scap.dir/scap.c.o
/mnt/sf_stemm/work/src/sysdig/userspace/libscap/scap.c:34:40: fatal error: ../../driver/driver_config.h: No such file or directory
compilation terminated.c
Fixed by adding ${SYSDIG_DIR}/driver to CMakeLists.txt. I did notice
that after doing this the object files were in the sysdig/driver
directory, but I don't think this is related to the Makefiles/CMakeFiles
in the sysdig/driver directory?
2. Falco needs the sysdig kernel module, but it may not be loaded if no
other sysdig is installed.
Added notes to the README that discuss loading the kernel module by hand
if no binary sysdig is installed.
