This fixes a segmentation fault that occurs when /metrics endpoint is accessed during Falco shutdown. The crash happens as the webserver continues serving /metrics requests after outputs and inspectors have been destroyed.
Changes:
- Create cleanup_outputs action to handle outputs destruction
- Create print_stats action for stats printing
- Reorder teardown steps to stop webserver before destroying outputs
- Move outputs.reset() from process_events to cleanup_outputs()
This eliminates the race condition by ensuring the webserver stops accepting requests before any subsystems are destroyed. The synchronisation behaviour of outputs.reset(), which blocks until the queue is flushed, is preserved.
Signed-off-by: Adnan Ali <adduali1310@hotmail.com>
The watchdog thread and stop() consume the timeout pointer with
m_timeout.exchange(nullptr, ...). That exchange was using
memory_order_release. The load part of the RMW needs acquire
semantics so it synchronizes-with the release store in
set_timeout()/cancel_timeout(); otherwise the consumer can see
the pointer value without seeing the writes that initialized
the timeout_data and payload (data race).
Use memory_order_acq_rel on the consumer exchanges so the load
synchronizes-with the producer and the pointed-to memory is
visible before use.
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
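The acquire/release reasoning in the commit above, shown as an added example that is not Falco's code: a producer fully initialises a `timeout_data` record and publishes its pointer; the consumer takes the pointer with `exchange(nullptr, memory_order_acq_rel)`, whose acquire half synchronizes-with the producer's release so the record's fields are visible before they are read. The struct fields, the class name `timeout_slot`, and the use of `exchange` on the producer side (so an unconsumed previous record can be reclaimed) are assumptions made for this example; the test harness publishes records whose two fields are kept in lock-step and checks that no consumer ever sees a torn record.

```cpp
#include <atomic>
#include <chrono>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <thread>

// Assumed layout of the record set_timeout() hands to the watchdog. The two
// fields are kept equal by the producer so a consumer can detect a torn read.
struct timeout_data {
    std::chrono::milliseconds deadline;
    uint64_t payload;
};

class timeout_slot {
public:
    // Producer side. The record is fully written before the exchange; the
    // release half of acq_rel orders those writes before the pointer becomes
    // visible. Using exchange instead of a plain release store is an assumption
    // of this example so an unconsumed previous record can be reclaimed.
    void set_timeout(std::chrono::milliseconds deadline, uint64_t payload) {
        auto* td = new timeout_data{deadline, payload};
        delete m_timeout.exchange(td, std::memory_order_acq_rel);
    }

    // Consumer side (watchdog thread or stop()). The acquire half of acq_rel
    // makes this load synchronize-with the producer's release, so *td is
    // visible before it is read. With memory_order_release alone the load half
    // is relaxed and the consumer may read uninitialised fields (data race).
    std::unique_ptr<timeout_data> consume() {
        return std::unique_ptr<timeout_data>(
            m_timeout.exchange(nullptr, std::memory_order_acq_rel));
    }

    ~timeout_slot() { delete m_timeout.load(std::memory_order_acquire); }

private:
    std::atomic<timeout_data*> m_timeout{nullptr};
};

struct run_result {
    uint64_t consumed = 0;      // records the consumer took ownership of
    bool all_consistent = true; // deadline == payload for every one of them
};

// Publishes `iterations` records from one thread while another thread
// consumes them, checking that every consumed record is internally consistent.
run_result run_publish_consume(uint64_t iterations) {
    timeout_slot slot;
    std::atomic<bool> producer_done{false};
    run_result result;

    std::thread producer([&] {
        for (uint64_t i = 1; i <= iterations; ++i) {
            slot.set_timeout(std::chrono::milliseconds(i), i);
        }
        producer_done.store(true, std::memory_order_release);
    });

    // Only the consumer thread touches `result`.
    auto check = [&](std::unique_ptr<timeout_data> td) {
        if (!td) return;
        ++result.consumed;
        if (static_cast<uint64_t>(td->deadline.count()) != td->payload) {
            result.all_consistent = false;
        }
    };

    std::thread consumer([&] {
        while (!producer_done.load(std::memory_order_acquire)) {
            check(slot.consume());
        }
        check(slot.consume()); // drain the record the producer left last
    });

    producer.join();
    consumer.join();
    return result;
}

// True when every consumed record was consistent and at least one record was
// consumed: the final record is either taken in the loop or by the drain.
bool publish_consume_ok(uint64_t iterations) {
    run_result r = run_publish_consume(iterations);
    return r.all_consistent && r.consumed >= 1 && r.consumed <= iterations;
}

int main() {
    run_result r = run_publish_consume(20000);
    std::printf("consumed=%llu consistent=%s\n",
                static_cast<unsigned long long>(r.consumed),
                r.all_consistent ? "yes" : "no");
    return r.all_consistent ? 0 : 1;
}
```

Every pointer value is returned by exactly one `exchange`, so the producer's reclaim and the consumer's ownership never collide; the ordering guarantee, not the atomicity, is what the commit fixed, and a torn record would only show up on hardware or compilers that actually reorder the relaxed load ahead of the field reads.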
- Bump default falcosecurity/libs to latest main (8f6b914) with
transformer_list_expr and field_transformer_expr (values) support
- Add visit(transformer_list_expr*) to filter_details_resolver and
filter_macro_resolver visitors
- Fix field_transformer_expr handling to use e->values instead of e->value
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
Add comprehensive support for gperftools CPU profiler to enable performance
profiling of Falco. This commit introduces:
- New CMake options:
* USE_GPERFTOOLS: Enable gperftools CPU profiler support (default: OFF)
* USE_FRAME_POINTER: Enable frame pointers for accurate profiling (default: OFF)
- Automatic frame pointer enabling: When USE_GPERFTOOLS is enabled, frame
pointers are automatically enabled to ensure accurate stack traces in
profiling output.
- Support for both system and bundled gperftools:
* System gperftools: Automatically detected via find_path/find_library
* Bundled gperftools: Built from source (version 2.15) when
USE_BUNDLED_GPERFTOOLS is enabled
- Enhanced stack trace support: Automatically detects and enables libunwind
when available for better stack traces, falling back to frame pointers
otherwise.
- Proper library linking: Uses --whole-archive linker flags to ensure
profiler initialization code is linked even when ProfilerStart() is not
called directly, enabling CPUPROFILE environment variable support.
- Compile-time detection: Adds HAS_GPERFTOOLS preprocessor definition
for conditional compilation.
The profiler can be activated at runtime by setting the CPUPROFILE
environment variable to a file path where profiling data should be written.
Usage:
cmake -DUSE_GPERFTOOLS=ON ..
make
CPUPROFILE=/tmp/falco.prof ./falco
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
Falco 0.43.0 deprecated gRPC output and server support. Drop that
support as well as any reference to it.
BREAKING CHANGE: drop gRPC output and server support
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Falco 0.43.0 deprecated gVisor engine support. Drop it as well as any
reference to it.
BREAKING CHANGE: drop gVisor engine support
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Falco 0.43.0 deprecated the legacy eBPF probe. Drop it as well as any
reference to it.
BREAKING CHANGE: drop legacy eBPF probe
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Starting from Falco 0.40, the `falco --help` output incorrectly showed
the source config path (e.g., /home/runner/work/falco/falco/falco.yaml)
in release packages. This path was intended only for local development.
The issue was introduced when RelWithDebInfo build type support was
added (commit 6bf33ffd). The existing code checked for BUILD_TYPE_RELEASE
to determine release behavior, but RelWithDebInfo builds defined
BUILD_TYPE_RELWITHDEBINFO instead, causing them to fall into the
debug code path.
This fix introduces BUILD_TYPE_DEBUG and changes the conditionals to
enable dev features only when CMAKE_BUILD_TYPE is explicitly "debug".
Both Release and RelWithDebInfo builds now correctly show only
/etc/falco/falco.yaml.
Fixes the regression introduced in 0.40.0
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
This change adds a defensive null check before accessing state.outputs->get_outputs_queue_num_drops() to prevent segfaults if outputs is destroyed while metrics are being collected.
Signed-off-by: Adnan Ali <adduali1310@hotmail.com>
Emit a warning when a rule with a condition using "evt.dir" field is
encountered.
The direction field has been deprecated in the scope of the enter event
suppression initiative.
Signed-off-by: Iacopo Rozzo <iacopo.rozzo@iacopo.rozzo>
Users can configure a list of actions that are taken when Falco
detects a threshold-exceeding value in drop statistics.
However, the logic that handles the list of configured actions
is designed to process only a single action; it takes only the
first action of the list. This approach has the problem that the
order of the actions becomes the deciding factor in choosing
which action is taken when there is more than one action.
This fix enables Falco to process all actions on the list.
Signed-off-by: Tero Kauppinen <tero.kauppinen@est.tech>
Enter events are no longer tracked by the Falco libs; this change
deprecates the Prometheus metrics related to enter event drops.
Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com>
Make Falco's libs internal auto thread purging interval and timeout
configurable and set their default values to 5 minutes. This helps
control the memory impact of process exit event drops and
event re-ordering.
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>