From 2e35c2c6197a47c237858ea3f6a16bb76ef605fc Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Mon, 20 May 2024 14:21:38 +0200 Subject: [PATCH 01/11] new(docker): initial work towards new docker images. Signed-off-by: Federico Di Pierro --- docker/driver-loader-legacy/Dockerfile | 3 + .../driver-loader-legacy/docker-entrypoint.sh | 2 + docker/driver-loader/Dockerfile | 38 ++++- docker/driver-loader/docker-entrypoint.sh | 2 + docker/falco-debian/Dockerfile | 34 +++++ docker/falco/Dockerfile | 82 ++++------- docker/falco/docker-entrypoint.sh | 136 ------------------ docker/no-driver/Dockerfile | 39 ----- docker/no-driver/Dockerfile.distroless | 40 ------ 9 files changed, 107 insertions(+), 269 deletions(-) create mode 100644 docker/falco-debian/Dockerfile delete mode 100755 docker/falco/docker-entrypoint.sh delete mode 100644 docker/no-driver/Dockerfile delete mode 100644 docker/no-driver/Dockerfile.distroless diff --git a/docker/driver-loader-legacy/Dockerfile b/docker/driver-loader-legacy/Dockerfile index 83acaefe18e..156d9522e96 100644 --- a/docker/driver-loader-legacy/Dockerfile +++ b/docker/driver-loader-legacy/Dockerfile @@ -123,6 +123,9 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep && curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \ && dpkg -i *binutils*.deb \ && rm -f *binutils*.deb + +# Install latest falcoctl +RUN curl -L -o falcoct.tar.gz $(curl -s "https://api.github.com/repos/falcosecurity/falcoctl/releases/latest" | jq -r '.assets[] | select(.name|test(".linux_$TARGETARCH.tar.gz")) | .browser_download_url') && tar -xvf falcoctl.tar.gz && mv falcoctl /usr/bin COPY ./docker-entrypoint.sh / diff --git a/docker/driver-loader-legacy/docker-entrypoint.sh b/docker/driver-loader-legacy/docker-entrypoint.sh index 3b47f75cc86..6ac26b7616f 100755 --- a/docker/driver-loader-legacy/docker-entrypoint.sh 
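Review bot: The added falcoctl download line saves the archive as `falcoct.tar.gz` but then runs `tar -xvf falcoctl.tar.gz`, so the extraction cannot find its input; the identical line is added to docker/driver-loader/Dockerfile further down in this patch. The jq filter is single-quoted, so the shell never expands `$TARGETARCH` and jq receives the literal regex `.linux_$TARGETARCH.tar.gz`, whose `$` anchor means no asset ever matches and curl is invoked without a URL. Pulling the `latest` release at build time with `curl -s` (no `-f`) also makes the image non-reproducible and would silently hand an error body to tar. A working shape is `RUN curl -fsSL -o falcoctl.tar.gz "$(curl -fsSL https://api.github.com/repos/falcosecurity/falcoctl/releases/latest | jq -r --arg arch "$TARGETARCH" '.assets[] | select(.name | endswith("linux_" + $arch + ".tar.gz")) | .browser_download_url')" && tar -xf falcoctl.tar.gz && mv falcoctl /usr/bin && rm -f falcoctl.tar.gz`, ideally with a pinned falcoctl version and a checksum comparison against the release's published checksum file.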
+++ b/docker/driver-loader-legacy/docker-entrypoint.sh @@ -124,3 +124,5 @@ else fi /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" + +exec /usr/bin/falco diff --git a/docker/driver-loader/Dockerfile b/docker/driver-loader/Dockerfile index 0e45726f4b6..f986f5a9f7e 100644 --- a/docker/driver-loader/Dockerfile +++ b/docker/driver-loader/Dockerfile @@ -1,5 +1,5 @@ ARG FALCO_IMAGE_TAG=latest -FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG} +FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" @@ -9,6 +9,42 @@ LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc ENV HOST_ROOT /host ENV HOME /root +RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root + +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + bc \ + bison \ + ca-certificates \ + clang \ + curl \ + dkms \ + dwarves \ + flex \ + gcc \ + gcc-11 \ + gnupg2 \ + jq \ + libc6-dev \ + libelf-dev \ + libssl-dev \ + llvm \ + make \ + netcat-openbsd \ + patchelf \ + xz-utils \ + zstd \ + && rm -rf /var/lib/apt/lists/* + +# Install latest falcoctl +RUN curl -L -o falcoct.tar.gz $(curl -s "https://api.github.com/repos/falcosecurity/falcoctl/releases/latest" | jq -r '.assets[] | select(.name|test(".linux_$TARGETARCH.tar.gz")) | .browser_download_url') && tar -xvf falcoctl.tar.gz && mv falcoctl /usr/bin + +# Some base images have an empty /lib/modules by default +# If it's not empty, docker build will fail instead of +# silently overwriting the existing directory +RUN rm -df /lib/modules \ + && ln -s $HOST_ROOT/lib/modules /lib/modules + COPY ./docker-entrypoint.sh / ENTRYPOINT ["/docker-entrypoint.sh"] 
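Review bot: The new trailing `exec /usr/bin/falco` discards any arguments the container was started with, so a `CMD` or a `docker run … -o key=value` override can no longer reach Falco; the same line is added in docker/driver-loader/docker-entrypoint.sh in this patch. If Falco is always meant to start after the driver step, `exec /usr/bin/falco "$@"` keeps argument pass-through. The exit status of the preceding `falcoctl driver install` is also ignored, so Falco is started even when the driver could not be installed; `set -e` near the top of the script, or `|| exit $?` on that line, would surface the failure at the point it happens. The control flow the closing `fi` belongs to starts outside the hunk.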
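Review bot: `$TARGETARCH` is used in the new falcoctl download line, but no `ARG TARGETARCH` is declared in this file as far as the visible lines show (lines 1-5 and 9 onward), so inside this stage it expands to an empty string even when the CI passes `--build-arg TARGETARCH=…`; add `ARG TARGETARCH` after the `FROM` line. The download line itself has the same filename and quoting problems as its twin in docker/driver-loader-legacy/Dockerfile in this patch. The toolchain `apt-get install` and the `/lib/modules` symlink block are moved here verbatim from docker/falco/Dockerfile; if the intent is that only this image carries the build toolchain, a comment such as `# Build toolchain needed by 'falcoctl driver install --compile'; deliberately absent from the base falco images` would make that explicit.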
diff --git a/docker/driver-loader/docker-entrypoint.sh b/docker/driver-loader/docker-entrypoint.sh index 52df15f3111..3002361b59d 100755 --- a/docker/driver-loader/docker-entrypoint.sh +++ b/docker/driver-loader/docker-entrypoint.sh @@ -136,3 +136,5 @@ else fi /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args + +exec /usr/bin/falco diff --git a/docker/falco-debian/Dockerfile b/docker/falco-debian/Dockerfile new file mode 100644 index 00000000000..1f7c2e3a23e --- /dev/null +++ b/docker/falco-debian/Dockerfile 
@@ -0,0 +1,34 @@
+FROM debian:12-slim
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco/docker/falco-debian"
+
+LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
+
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=deb
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 ca-certificates \
+ && apt clean -y && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
+
+RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
+ && echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+ && apt-get update -y \
+ && if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+# Falcoctl is not included here.
+RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/
+
+RUN sed -e -i 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml
+
+CMD ["/usr/bin/falco"]
diff --git a/docker/falco/Dockerfile b/docker/falco/Dockerfile
index 7bf509d6bdc..d50968da7ba 100644
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
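Review bot: The line `RUN sed -e -i 's/…/' < /etc/falco/falco.yaml` does not do what it intends: with `-e` present, sed takes `-i` as the script to execute and fails on it, and even with the flags reordered the `<` redirection makes sed read stdin, so in-place editing never touches the file and the ISO 8601 switch is silently lost. Replace it with `RUN sed -i 's/time_format_iso_8601: false/time_format_iso_8601: true/' /etc/falco/falco.yaml` (the same line reappears as context in PATCH 02's hunk for this file). `curl -s … | apt-key add -` should be `curl -fsSL` so a failed key download aborts the build instead of feeding an error body to apt-key, and `apt-key` is deprecated on bookworm; a dearmored key under `/etc/apt/keyrings/` referenced by `signed-by=` in the sources entry is the supported form. Minor: `ca-certificates` is listed twice in the first `apt-get install`, and `apt clean` should be `apt-get clean` for consistency with the rest of the file.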
@@ -1,67 +1,43 @@ -FROM debian:bookworm +FROM cgr.dev/chainguard/wolfi-base as builder -LABEL maintainer="cncf-falco-dev@lists.cncf.io" -LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" +ARG FALCO_VERSION +ARG VERSION_BUCKET=bin -LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE" +ENV FALCO_VERSION=${FALCO_VERSION} +ENV VERSION_BUCKET=${VERSION_BUCKET} -ARG TARGETARCH +RUN apk update && apk add curl ca-certificates jq libelf -ARG FALCO_VERSION=latest -ARG VERSION_BUCKET=deb -ENV VERSION_BUCKET=${VERSION_BUCKET} +WORKDIR / -ENV FALCO_VERSION=${FALCO_VERSION} -ENV HOST_ROOT /host -ENV HOME /root +RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \ + curl -L -o falco.tar.gz \ + https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \ + tar -xvf falco.tar.gz && \ + rm -f falco.tar.gz && \ + mv falco-${FALCO_VERSION}-$(uname -m) falco && \ + rm -rf /falco/usr/src/falco-* + +RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \ + && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml -RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root +# Falcoctl is not included here. 
+RUN rm -rf /falco/usr/bin/falcoctl /falco/etc/falcoctl/ -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - bc \ - bison \ - ca-certificates \ - clang \ - curl \ - dkms \ - dwarves \ - flex \ - gcc \ - gcc-11 \ - gnupg2 \ - jq \ - libc6-dev \ - libelf-dev \ - libssl-dev \ - llvm \ - make \ - netcat-openbsd \ - patchelf \ - xz-utils \ - zstd \ - && rm -rf /var/lib/apt/lists/* +FROM cgr.dev/chainguard/wolfi-base -RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \ - && echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \ - && apt-get update -y \ - && if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* +LABEL maintainer="cncf-falco-dev@lists.cncf.io" +LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" -# Change the falco config within the container to enable ISO 8601 -# output. 
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \ - && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml +LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" +# NOTE: for the "least privileged" use case, please refer to the official documentation -# Some base images have an empty /lib/modules by default -# If it's not empty, docker build will fail instead of -# silently overwriting the existing directory -RUN rm -df /lib/modules \ - && ln -s $HOST_ROOT/lib/modules /lib/modules +RUN apk update && apk add curl ca-certificates jq libelf -COPY ./docker-entrypoint.sh / +ENV HOST_ROOT /host +ENV HOME /root -ENTRYPOINT ["/docker-entrypoint.sh"] +USER root +COPY --from=builder /falco / CMD ["/usr/bin/falco"] diff --git a/docker/falco/docker-entrypoint.sh b/docker/falco/docker-entrypoint.sh deleted file mode 100755 index 809069a9cf9..00000000000 --- a/docker/falco/docker-entrypoint.sh +++ /dev/null 
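Review bot: The runtime stage's `RUN apk update && apk add curl ca-certificates jq libelf` drops `libstdc++`, which the deleted docker/no-driver/Dockerfile.distroless installed for the same wolfi-base runtime (`apk add libelf libstdc++` in the removed hunk below); unless the tarball's falco binary links libstdc++ statically, the image will fail to start, so a smoke run of the built image should confirm this. It also adds `curl` and `jq` to the final image although the README updated in PATCH 02 describes this image as shipping no tools; they are only needed in the `builder` stage, so either drop them here or correct the README. Both `FROM cgr.dev/chainguard/wolfi-base` lines are untagged, i.e. implicitly `:latest`, so builds are not reproducible — pin a tag or digest, and prefer `apk add --no-cache` over `apk update && apk add` so the package index is not left in the layer. `USER root` before the final `COPY` appears redundant since this stage never switched user, but it is harmless.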
@@ -1,136 +0,0 @@ -#!/usr/bin/env bash -# SPDX-License-Identifier: Apache-2.0 -# -# Copyright (C) 2023 The Falco Authors. -# -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - - -print_usage() { - echo "" - echo "Usage:" - echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest" - echo "" - echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:" - echo " auto leverage automatic driver selection logic (default)" - echo " modern_ebpf modern eBPF CORE probe" - echo " kmod kernel module" - echo " ebpf eBPF probe" - echo "" - echo "FALCO_DRIVER_LOADER_OPTIONS options:" - echo " --help show this help message" - echo " --clean try to remove an already present driver installation" - echo " --compile try to compile the driver locally (default true)" - echo " --download try to download a prebuilt driver (default true)" - echo " --http-insecure enable insecure downloads" - echo " --print-env skip execution and print env variables for other tools to consume" - echo "" - echo "Environment variables:" - echo " FALCOCTL_DRIVER_REPOS specify different URL(s) where to look for prebuilt Falco drivers (comma separated)" - echo " FALCOCTL_DRIVER_NAME specify a different name for the driver" - echo " FALCOCTL_DRIVER_HTTP_HEADERS specify comma separated list of http headers for 
driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')" - echo "" -} - -# Set the SKIP_DRIVER_LOADER variable to skip loading the driver - -if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then - echo "* Setting up /usr/src links from host" - - for i in "$HOST_ROOT/usr/src"/* - do - base=$(basename "$i") - ln -s "$i" "/usr/src/$base" - done - - # convert the optional space-separated env variable FALCO_DRIVER_LOADER_OPTIONS to array, prevent - # shell expansion and use it as argument list for falcoctl - read -a falco_driver_loader_option_arr <<< $FALCO_DRIVER_LOADER_OPTIONS - - ENABLE_COMPILE="false" - ENABLE_DOWNLOAD="false" - HTTP_INSECURE="false" - driver= - has_opts= - for opt in "${falco_driver_loader_option_arr[@]}" - do - case "$opt" in - auto|kmod|ebpf|modern_ebpf) - if [ -n "$driver" ]; then - >&2 echo "Only one driver per invocation" - print_usage - exit 1 - else - driver=$opt - fi - ;; - -h|--help) - print_usage - exit 0 - ;; - --clean) - /usr/bin/falcoctl driver cleanup - exit 0 - ;; - --compile) - ENABLE_COMPILE="true" - has_opts="true" - ;; - --download) - ENABLE_DOWNLOAD="true" - has_opts="true" - ;; - --http-insecure) - HTTP_INSECURE="true" - ;; - --print-env) - /usr/bin/falcoctl driver printenv - exit 0 - ;; - --*) - >&2 echo "Unknown option: $opt" - print_usage - exit 1 - ;; - *) - >&2 echo "Unknown driver: $opt" - print_usage - exit 1 - ;; - esac - done - - # No opts passed, enable both compile and download - if [ -z "$has_opts" ]; then - ENABLE_COMPILE="true" - ENABLE_DOWNLOAD="true" - fi - - # Default value: auto - if [ -z "$driver" ]; then - driver="auto" - fi - - if [ "$driver" != "auto" ]; then - /usr/bin/falcoctl driver config --type $driver - else - # Needed because we need to configure Falco to start with correct driver - /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf - fi - /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE 
--http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" - -fi - -exec "$@" diff --git a/docker/no-driver/Dockerfile b/docker/no-driver/Dockerfile deleted file mode 100644 index e3fa571b92a..00000000000 --- a/docker/no-driver/Dockerfile +++ /dev/null @@ -1,39 +0,0 @@ -FROM debian:12 as builder - -ARG FALCO_VERSION -ARG VERSION_BUCKET=bin - -ENV FALCO_VERSION=${FALCO_VERSION} -ENV VERSION_BUCKET=${VERSION_BUCKET} - -RUN apt-get -y update && apt-get -y install gridsite-clients curl ca-certificates - -WORKDIR / - -RUN curl -L -o falco.tar.gz \ - https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-$(urlencode ${FALCO_VERSION})-$(uname -m).tar.gz && \ - tar -xvf falco.tar.gz && \ - rm -f falco.tar.gz && \ - mv falco-${FALCO_VERSION}-$(uname -m) falco && \ - rm -rf /falco/usr/src/falco-* - -RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \ - && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml - -FROM debian:12-slim - -LABEL maintainer="cncf-falco-dev@lists.cncf.io" -LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" - -LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" -# NOTE: for the "least privileged" use case, please refer to the official documentation - -RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \ - && apt clean -y && rm -rf /var/lib/apt/lists/* - -ENV HOST_ROOT /host -ENV HOME /root - -COPY --from=builder /falco / - -CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"] diff --git a/docker/no-driver/Dockerfile.distroless b/docker/no-driver/Dockerfile.distroless deleted file mode 100644 index b6ee2042f84..00000000000 --- a/docker/no-driver/Dockerfile.distroless +++ /dev/null 
@@ -1,40 +0,0 @@ -FROM cgr.dev/chainguard/wolfi-base as builder - -ARG FALCO_VERSION -ARG VERSION_BUCKET=bin - -ENV FALCO_VERSION=${FALCO_VERSION} -ENV VERSION_BUCKET=${VERSION_BUCKET} - -RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils - -WORKDIR / - -RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \ - curl -L -o falco.tar.gz \ - https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \ - tar -xvf falco.tar.gz && \ - rm -f falco.tar.gz && \ - mv falco-${FALCO_VERSION}-$(uname -m) falco && \ - rm -rf /falco/usr/src/falco-* - -RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \ - && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml - -FROM cgr.dev/chainguard/wolfi-base - -LABEL maintainer="cncf-falco-dev@lists.cncf.io" -LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" - -LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" -# NOTE: for the "least privileged" use case, please refer to the official documentation - -RUN apk update && apk add libelf libstdc++ - -ENV HOST_ROOT /host -ENV HOME /root - -USER root -COPY --from=builder /falco / - -CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"] From 310d2775782c6930d5c3ceee06bd5575c59cde19 Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Tue, 21 May 2024 09:05:54 +0200 Subject: [PATCH 02/11] chore(docker): updated README. Signed-off-by: Federico Di Pierro --- docker/README.md | 18 ++++++------------ docker/falco-debian/Dockerfile | 2 +- docker/falco/Dockerfile | 2 +- 3 files changed, 8 insertions(+), 14 deletions(-) diff --git a/docker/README.md b/docker/README.md index cd51039c89f..c34f09bb628 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -4,15 +4,9 @@ This directory contains various ways to package Falco as a container and related ## Currently Supported Images -| Name | Directory | Description | -|---|---|---| -| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. | -| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | -| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. | -| [falcosecurity/falco-driver-loader-legacy:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy), [falcosecurity/falco-driver-loader-legacy:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy) | docker/driver-loader-legacy | `falco-driver-loader` as entrypoint with the legacy building toolchain. 
Recommended for kernels < 4.0 | - -## Experimental Images - -| Name | Directory | Description | -|---|---|---| -| [falcosecurity/falco-distroless:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless), [falcosecurity/falco-distroless:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless),[falcosecurity/falco-distroless:master](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless) | docker/no-driver/Dockerfile.distroless | Falco without the building toolchain built from a distroless base image. This results in a smaller image that has less potentially vulnerable components. | +| Name | Directory | Description | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Distroless image without driver building toolchain support, based on the latest released tar.gz of Falco. No tools or falcoctl not included. 
| +| [falcosecurity/falco:latest-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco-debian | Debian-based image without driver building toolchain support, based on the latest released Deb of Falco (similar to the old falcosecurity/falco-no-driver image). May include some tools (ie. jq, curl), but not falcoctl. | +| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | Based on falcosecurity/falco:x.y.z-debian (see above) plus the driver building toolchain support and also shipping the latest version of falcoctl. Recommended only when modern eBPF is not supported. | +| [falcosecurity/falco-driver-loader:latest-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader-buster | Similar to falcosecurity/falco-driver-loader (see above) but based on a legacy Debian image (i.e. buster ). Recommended only for old kernel versions. | \ No newline at end of file diff --git a/docker/falco-debian/Dockerfile b/docker/falco-debian/Dockerfile index 1f7c2e3a23e..b1f7cd63134 100644 --- a/docker/falco-debian/Dockerfile +++ b/docker/falco-debian/Dockerfile 
@@ -31,4 +31,4 @@ RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/ RUN sed -e -i 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml -CMD ["/usr/bin/falco"] +CMD ["/usr/bin/falco"] \ No newline at end of file diff --git a/docker/falco/Dockerfile b/docker/falco/Dockerfile index d50968da7ba..d08d76a4dbe 100644 --- a/docker/falco/Dockerfile +++ b/docker/falco/Dockerfile @@ -40,4 +40,4 @@ ENV HOME /root USER root COPY --from=builder /falco / -CMD ["/usr/bin/falco"] +CMD ["/usr/bin/falco"] \ No newline at end of file From 2cfb331c25c8584ef201158d3bd2b231d1b68814 Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Tue, 21 May 2024 09:17:46 +0200 Subject: [PATCH 03/11] new(ci,docker): renamed driver-loader-legacy to driver-loader-buster. Moreover, ported docker images CI to new images. Signed-off-by: Federico Di Pierro --- .github/release_template.md | 15 ++-- .github/workflows/reusable_build_docker.yaml | 34 +++------ .../workflows/reusable_publish_docker.yaml | 76 ++++++++----------- .../Dockerfile | 0 .../docker-entrypoint.sh | 2 +- 5 files changed, 50 insertions(+), 77 deletions(-) rename docker/{driver-loader-legacy => driver-loader-buster}/Dockerfile (100%) rename docker/{driver-loader-legacy => driver-loader-buster}/docker-entrypoint.sh (98%) diff --git a/.github/release_template.md b/.github/release_template.md index e4dc3e43cb5..b69c6c7b5ed 100644 --- a/.github/release_template.md +++ b/.github/release_template.md 
@@ -10,12 +10,11 @@ | deb-aarch64 | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) | | tgz-aarch64 | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) | -| Images | -| --------------------------------------------------------------------------- | -| `docker pull docker.io/falcosecurity/falco:FALCOVER` | -| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER` | -| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER` | -| `docker pull docker.io/falcosecurity/falco-driver-loader-legacy:FALCOVER` | -| `docker pull docker.io/falcosecurity/falco-no-driver:FALCOVER` | -| `docker pull docker.io/falcosecurity/falco-distroless:FALCOVER` | +| Images | +|---------------------------------------------------------------------------| +| `docker pull docker.io/falcosecurity/falco:FALCOVER` | +| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER` | +| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER` | +| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER-buster` | +| `docker pull docker.io/falcosecurity/falco:FALCOVER-debian` | diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml index ff7c4736481..df153f2b2fe 100644 --- a/.github/workflows/reusable_build_docker.yaml +++ b/.github/workflows/reusable_build_docker.yaml 
@@ -41,35 +41,25 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - name: Build no-driver image + - name: Build falco image run: | - cd ${{ github.workspace }}/docker/no-driver/ - docker build -t docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} \ + cd ${{ github.workspace }}/docker/falco/ + docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \ --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \ --build-arg FALCO_VERSION=${{ inputs.version }} \ --build-arg TARGETARCH=${TARGETARCH} \ . - docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-no-driver-${{ inputs.arch }}.tar + docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar - - name: Build distroless image + - name: Build falco-debian image run: | - cd ${{ github.workspace }}/docker/no-driver/ - docker build -f Dockerfile.distroless -t docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} \ - --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \ - --build-arg FALCO_VERSION=${{ inputs.version }} \ - --build-arg TARGETARCH=${TARGETARCH} \ - . - docker save docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-distroless-${{ inputs.arch }}.tar - - - name: Build falco image - run: | - cd ${{ github.workspace }}/docker/falco/ - docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \ + cd ${{ github.workspace }}/docker/falco-debian/ + docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \ --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \ --build-arg FALCO_VERSION=${{ inputs.version }} \ --build-arg TARGETARCH=${TARGETARCH} \ . 
- docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar + docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian --output /tmp/falco-${{ inputs.arch }}-debian.tar - name: Build falco-driver-loader image run: | @@ -80,15 +70,15 @@ jobs: . docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar - - name: Build falco-driver-loader-legacy image + - name: Build falco-driver-loader-buster image run: | - cd ${{ github.workspace }}/docker/driver-loader-legacy/ - docker build -t docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} \ + cd ${{ github.workspace }}/docker/driver-loader-buster/ + docker build -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \ --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \ --build-arg FALCO_VERSION=${{ inputs.version }} \ --build-arg TARGETARCH=${TARGETARCH} \ . - docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar + docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster --output /tmp/falco-driver-loader-${{ inputs.arch }}-buster.tar - name: Upload images tarballs uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml index 47418527417..1ba7767b2f1 100644 --- a/.github/workflows/reusable_publish_docker.yaml +++ b/.github/workflows/reusable_publish_docker.yaml 
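Review bot: In the renamed `Build falco image` step the `docker save` line still references `docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }}`, an image this step no longer builds, so the save fails and the job stops before the artifact upload. It should read `docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar`. Note also that `--build-arg TARGETARCH=${TARGETARCH}` is still passed to docker/falco/Dockerfile, which in this series removes its `ARG TARGETARCH`; BuildKit only warns about the unused build arg, but the flag can be dropped for that image.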
@@ -64,40 +64,31 @@ jobs: # We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later - name: Push arch-specific images to Docker Hub run: | - docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }} - docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }} - docker push docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }} - docker push docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }} docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }} docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }} + docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian + docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }} docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }} - docker push docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }} - docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }} + docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster + docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster - - name: Create no-driver manifest on Docker Hub + - name: Create Falco manifest on Docker Hub uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0 with: - inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} - images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }} - push: true - - - name: Create distroless manifest on Docker Hub - uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0 - with: - inputs: docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} - images: 
docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }} + inputs: docker.io/falcosecurity/falco:${{ inputs.tag }} + images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }} push: true - name: Tag slim manifest on Docker Hub run: | - crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim + crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim - - name: Create falco manifest on Docker Hub + - name: Create falco-debian manifest on Docker Hub uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0 with: - inputs: docker.io/falcosecurity/falco:${{ inputs.tag }} - images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }} + inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian + images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian push: true - name: Create falco-driver-loader manifest on Docker Hub 
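Review bot: The `Tag slim manifest on Docker Hub` step now runs `crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim`, which makes `-slim` an exact alias of the default tag rather than a distinct image. If that is intended, a comment in the step such as `# -slim is kept only as a backwards-compatible alias of the default (distroless) falco image` and a matching row in docker/README.md (which the PATCH 02 table does not list) would save readers from looking for a separate Dockerfile.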
@@ -107,47 +98,42 @@ jobs: images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }} push: true - - name: Create falco-driver-loader-legacy manifest on Docker Hub + - name: Create falco-driver-loader-buster manifest on Docker Hub uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0 with: - inputs: docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} - images: docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }} + inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster + images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster,docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster push: true - name: Get Digests for images id: digests # We could probably use the docker-manifest-action output instead of recomputing those with crane run: | - echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT - echo "falco-distroless=$(crane digest docker.io/falcosecurity/falco-distroless:${{ inputs.tag }})" >> $GITHUB_OUTPUT echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT + echo "falco-debian=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }}-debian)" >> $GITHUB_OUTPUT echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT - echo "falco-driver-loader-legacy=$(crane digest docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }})" >> $GITHUB_OUTPUT + echo "falco-driver-loader-buster=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster)" >> $GITHUB_OUTPUT - name: Publish images to ECR run: | - crane copy docker.io/falcosecurity/falco-no-driver:${{ 
inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} - crane copy docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }} crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} + crane copy docker.io/falcosecurity/falco:${{ inputs.tag }}-debian public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} - crane copy docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} - crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim + crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster - name: Tag latest on Docker Hub and ECR if: inputs.is_latest run: | - crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest - crane tag docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} latest crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest + crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest - crane tag docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest + crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim - crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest - crane tag public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }} latest crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest + crane tag 
public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest - crane tag public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest + crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim - name: Setup Cosign 
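Review bot: The "Publish images to ECR" step copies by tag (`crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} …`) while the digests that are later signed were resolved from those same tags in the preceding "Get Digests" step, so the only thing tying the ECR copy to the signed artifact is the assumption that the Hub tag did not move in between. Copying by the digest already captured removes that assumption, e.g. `crane copy docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}` and likewise for the `-debian`, driver-loader and `-buster` lines. It also makes the "crane copy preserves the manifest digest" property, which the ECR signing in the next hunk depends on, explicit rather than implied.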
@@ -160,14 +146,12 @@ jobs: COSIGN_EXPERIMENTAL: "true" COSIGN_YES: "true" run: | - cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }} - cosign sign docker.io/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }} - cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }} - cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }} - cosign sign docker.io/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }} + cosign sign docker.io/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }} + cosign sign docker.io/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }} + cosign sign docker.io/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }} + cosign sign docker.io/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }} - cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }} - cosign sign public.ecr.aws/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }} - cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }} - cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }} - cosign sign public.ecr.aws/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }} + cosign sign public.ecr.aws/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }} + cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }} + cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }} + cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }} 
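Review bot: The rewritten `cosign sign` lines name the `latest`, `latest-debian` and `latest-buster` tags next to the digest, but this step is not gated on `inputs.is_latest`, and as far as I can tell cosign signs the digest and ignores the tag in a `repo:tag@sha256:…` reference, so the tag is cosmetic and suggests to a reader that `latest` was signed (or must exist) when it may not have been tagged at all. Using the tag whose digest was just computed keeps the reference truthful: `cosign sign docker.io/falcosecurity/falco:${{ inputs.tag }}@${{ steps.digests.outputs.falco }}` and `cosign sign docker.io/falcosecurity/falco:${{ inputs.tag }}-debian@${{ steps.digests.outputs.falco-debian }}`, with the same substitution on the driver-loader and `public.ecr.aws` lines. The previous form (`repo@digest` with no tag) was equally valid, so there is no functional need for the tag here.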
diff --git a/docker/driver-loader-legacy/Dockerfile b/docker/driver-loader-buster/Dockerfile similarity index 100% rename from docker/driver-loader-legacy/Dockerfile rename to docker/driver-loader-buster/Dockerfile diff --git a/docker/driver-loader-legacy/docker-entrypoint.sh b/docker/driver-loader-buster/docker-entrypoint.sh similarity index 98% rename from docker/driver-loader-legacy/docker-entrypoint.sh rename to docker/driver-loader-buster/docker-entrypoint.sh index 6ac26b7616f..72502b66cfb 100755 --- a/docker/driver-loader-legacy/docker-entrypoint.sh +++ b/docker/driver-loader-buster/docker-entrypoint.sh @@ -21,7 +21,7 @@ print_usage() { echo "" echo "Usage:" - echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader-legacy:latest [driver] [options]" + echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]" echo "" echo "Available drivers:" echo " auto leverage automatic driver selection logic (default)" From bdabae3ff18ab47aa75c5ee7c825c6ed91639e1c Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Tue, 21 May 2024 11:46:57 +0200 Subject: [PATCH 04/11] cleanup(ci): drop `-slim` tag. Signed-off-by: Federico Di Pierro --- .github/workflows/reusable_publish_docker.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml index 1ba7767b2f1..85ff441c2fb 100644 --- a/.github/workflows/reusable_publish_docker.yaml +++ b/.github/workflows/reusable_publish_docker.yaml 
@@ -79,10 +79,6 @@ jobs: inputs: docker.io/falcosecurity/falco:${{ inputs.tag }} images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }} push: true - - - name: Tag slim manifest on Docker Hub - run: | - crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim - name: Create falco-debian manifest on Docker Hub uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0 @@ -128,13 +124,11 @@ jobs: crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster - crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster - crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim - name: Setup Cosign if: inputs.sign From a5af8f575ab9de593b8cc57bdcec0bba15f83df1 Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Thu, 4 Jul 2024 09:18:31 +0200 Subject: [PATCH 05/11] fix(docker): fixed small issues in the new images. Signed-off-by: Federico Di Pierro --- docker/falco-debian/Dockerfile | 6 +++--- docker/falco/Dockerfile | 39 ++++++++++++++-------------------- 2 files changed, 19 insertions(+), 26 deletions(-) diff --git a/docker/falco-debian/Dockerfile b/docker/falco-debian/Dockerfile index b1f7cd63134..ffa92604911 100644 --- a/docker/falco-debian/Dockerfile +++ b/docker/falco-debian/Dockerfile 
@@ -14,7 +14,7 @@ ENV VERSION_BUCKET=${VERSION_BUCKET} ENV HOST_ROOT /host ENV HOME /root -RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 ca-certificates \ +RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 ca-certificates gnupg2 \ && apt clean -y && rm -rf /var/lib/apt/lists/* WORKDIR / @@ -29,6 +29,6 @@ RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \ # Falcoctl is not included here. RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/ -RUN sed -e -i 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml +RUN sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' /etc/falco/falco.yaml -CMD ["/usr/bin/falco"] \ No newline at end of file +CMD ["/usr/bin/falco"] diff --git a/docker/falco/Dockerfile b/docker/falco/Dockerfile index d08d76a4dbe..0e292f94c36 100644 --- a/docker/falco/Dockerfile +++ b/docker/falco/Dockerfile @@ -1,12 +1,20 @@ -FROM cgr.dev/chainguard/wolfi-base as builder +FROM cgr.dev/chainguard/wolfi-base + +LABEL maintainer="cncf-falco-dev@lists.cncf.io" +LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" + +LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" +# NOTE: for the "least privileged" use case, please refer to the official documentation ARG FALCO_VERSION ARG VERSION_BUCKET=bin ENV FALCO_VERSION=${FALCO_VERSION} ENV VERSION_BUCKET=${VERSION_BUCKET} +ENV HOST_ROOT /host +ENV HOME /root -RUN apk update && apk add curl ca-certificates jq libelf +RUN apk update && apk add curl ca-certificates jq libelf libstdc++ WORKDIR / 
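Review bot: `ca-certificates` appears twice in the changed `apt-get -y install` line, and unlike the `falco` install further down in this file (which uses `--no-install-recommends`) this one installs recommended packages into the runtime image. `RUN apt-get -y update && apt-get -y install --no-install-recommends ca-certificates curl gnupg2 jq libelf1 \` followed by `&& apt-get clean && rm -rf /var/lib/apt/lists/*` keeps the layer minimal and uses `apt-get` consistently (hadolint flags `apt` in scripts). The line this hunk's second part starts on, `curl -s … | apt-key add -`, is the deprecated key-import path on Debian 12; if the repository is added via a sources entry elsewhere in this file, a keyring under `/etc/apt/keyrings` referenced with `signed-by=` is the supported form and scopes the key to that repository only.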
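Review bot: `FROM cgr.dev/chainguard/wolfi-base` carries no tag or digest, so the image published as `falcosecurity/falco:<release>` is built on whatever wolfi-base resolves to on the day of the build and two builds of the same release can differ. Since a version tag may not be offered for this image, a digest pin such as `FROM cgr.dev/chainguard/wolfi-base@sha256:<digest-placeholder>` refreshed by an automated bump is the practical way to make a release reproducible and auditable; the same applies to the `debian:buster` and `debian:12-slim` bases of the sibling images. In the same hunk, `RUN apk update && apk add curl ca-certificates jq libelf libstdc++` leaves the apk index in the layer; `RUN apk add --no-cache ca-certificates curl jq libelf libstdc++` is the equivalent without it. `ENV HOST_ROOT /host` and `ENV HOME /root` use the legacy space-separated form that current BuildKit warns about; `ENV HOST_ROOT=/host HOME=/root` is the same thing in the supported syntax.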
@@ -16,28 +24,13 @@ RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \ tar -xvf falco.tar.gz && \ rm -f falco.tar.gz && \ mv falco-${FALCO_VERSION}-$(uname -m) falco && \ - rm -rf /falco/usr/src/falco-* + rm -rf /falco/usr/src/falco-* && \ + cp -r /falco/* / && \ + rm -rf /falco -RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \ - && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml +RUN sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' /etc/falco/falco.yaml # Falcoctl is not included here. -RUN rm -rf /falco/usr/bin/falcoctl /falco/etc/falcoctl/ - -FROM cgr.dev/chainguard/wolfi-base - -LABEL maintainer="cncf-falco-dev@lists.cncf.io" -LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" - -LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" -# NOTE: for the "least privileged" use case, please refer to the official documentation - -RUN apk update && apk add curl ca-certificates jq libelf - -ENV HOST_ROOT /host -ENV HOME /root - -USER root -COPY --from=builder /falco / +RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/ -CMD ["/usr/bin/falco"] \ No newline at end of file +CMD ["/usr/bin/falco"] From 29a5bea0ed3242ca737bce5a7569ccb76f4b3f0e Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Thu, 29 Aug 2024 10:34:37 +0200 Subject: [PATCH 06/11] chore(docker): apply some review suggestions. Signed-off-by: Federico Di Pierro Co-authored-by: Leonardo Grasso --- docker/driver-loader-buster/Dockerfile | 4 +++- docker/driver-loader-buster/docker-entrypoint.sh | 2 +- docker/driver-loader/Dockerfile | 4 +++- docker/driver-loader/docker-entrypoint.sh | 2 +- docker/falco-debian/Dockerfile | 2 +- docker/falco/Dockerfile | 2 +- 6 files changed, 10 insertions(+), 6 deletions(-) 
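Review bot: Folding the builder into the final stage leaves `curl` and `jq` from the separate `apk add` layer permanently in the runtime image, while the README row added later in this series describes this image as "No tools are included in the image"; one of the two should change. If the tools are only needed to fetch and unpack the release tarball, installing them as a virtual package inside the download `RUN` (`apk add --no-cache --virtual .fetch curl jq` at its start, `apk del .fetch` after the `rm -rf /falco`) keeps the published image tool-free without bringing back the second stage; note that this `RUN` begins above the hunk. Nothing visible here verifies `falco.tar.gz` against a checksum or signature before `tar -xvf`; if the release publishes one, checking it in the download step would close the gap between what was fetched and what was released.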
diff --git a/docker/driver-loader-buster/Dockerfile b/docker/driver-loader-buster/Dockerfile index 156d9522e96..679ef9c4ebf 100644 --- a/docker/driver-loader-buster/Dockerfile +++ b/docker/driver-loader-buster/Dockerfile @@ -3,7 +3,7 @@ FROM debian:buster LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" -LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE" +LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc falcosecurity/falco-driver-loader:latest-buster" ARG TARGETARCH @@ -130,3 +130,5 @@ RUN curl -L -o falcoct.tar.gz $(curl -s "https://api.github.com/repos/falcosecur COPY ./docker-entrypoint.sh / ENTRYPOINT ["/docker-entrypoint.sh"] + +CMD ["/usr/bin/falco"] \ No newline at end of file diff --git a/docker/driver-loader-buster/docker-entrypoint.sh b/docker/driver-loader-buster/docker-entrypoint.sh index 72502b66cfb..bf17c700152 100755 --- a/docker/driver-loader-buster/docker-entrypoint.sh +++ b/docker/driver-loader-buster/docker-entrypoint.sh @@ -125,4 +125,4 @@ fi /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" -exec /usr/bin/falco +exec "$@" diff --git a/docker/driver-loader/Dockerfile b/docker/driver-loader/Dockerfile index f986f5a9f7e..ed333b0fe5b 100644 --- a/docker/driver-loader/Dockerfile +++ b/docker/driver-loader/Dockerfile 
@@ -4,7 +4,7 @@ FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" -LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE" +LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest" ENV HOST_ROOT /host ENV HOME /root @@ -48,3 +48,5 @@ RUN rm -df /lib/modules \ COPY ./docker-entrypoint.sh / ENTRYPOINT ["/docker-entrypoint.sh"] + +CMD ["/usr/bin/falco"] diff --git a/docker/driver-loader/docker-entrypoint.sh b/docker/driver-loader/docker-entrypoint.sh index 3002361b59d..acd6e0a2475 100755 --- a/docker/driver-loader/docker-entrypoint.sh +++ b/docker/driver-loader/docker-entrypoint.sh @@ -137,4 +137,4 @@ fi /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args -exec /usr/bin/falco +exec "$@" diff --git a/docker/falco-debian/Dockerfile b/docker/falco-debian/Dockerfile index ffa92604911..53d41821099 100644 --- a/docker/falco-debian/Dockerfile +++ b/docker/falco-debian/Dockerfile 
@@ -3,7 +3,7 @@ FROM debian:12-slim LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco/docker/falco-debian" -LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" +LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro falcosecurity/falco:latest-debian" ARG FALCO_VERSION ARG VERSION_BUCKET=deb diff --git a/docker/falco/Dockerfile b/docker/falco/Dockerfile index 0e292f94c36..48a16c0fc50 100644 --- a/docker/falco/Dockerfile +++ b/docker/falco/Dockerfile @@ -3,7 +3,7 @@ FROM cgr.dev/chainguard/wolfi-base LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" -LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" +LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest" # NOTE: for the "least privileged" use case, please refer to the official documentation ARG FALCO_VERSION From 3d8b427a2c3163bf11391d3bc7fdd062470002ed Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Wed, 30 Oct 2024 10:17:20 +0100 Subject: [PATCH 07/11] chore(ci,docker): more fixes. Signed-off-by: Federico Di Pierro Co-authored-by: Leonardo Grasso --- .github/workflows/reusable_build_docker.yaml | 2 +- docker/driver-loader-buster/Dockerfile | 3 --- docker/driver-loader/Dockerfile | 3 --- docker/falco-debian/Dockerfile | 3 --- 4 files changed, 1 insertion(+), 10 deletions(-) diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml index df153f2b2fe..d15382af791 100644 --- a/.github/workflows/reusable_build_docker.yaml 
+++ b/.github/workflows/reusable_build_docker.yaml @@ -49,7 +49,7 @@ jobs: --build-arg FALCO_VERSION=${{ inputs.version }} \ --build-arg TARGETARCH=${TARGETARCH} \ . - docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar + docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar - name: Build falco-debian image run: | diff --git a/docker/driver-loader-buster/Dockerfile b/docker/driver-loader-buster/Dockerfile index 679ef9c4ebf..60b76acd990 100644 --- a/docker/driver-loader-buster/Dockerfile +++ b/docker/driver-loader-buster/Dockerfile @@ -123,9 +123,6 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep && curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \ && dpkg -i *binutils*.deb \ && rm -f *binutils*.deb - -# Install latest falcoctl -RUN curl -L -o falcoct.tar.gz $(curl -s "https://api.github.com/repos/falcosecurity/falcoctl/releases/latest" | jq -r '.assets[] | select(.name|test(".linux_$TARGETARCH.tar.gz")) | .browser_download_url') && tar -xvf falcoctl.tar.gz && mv falcoctl /usr/bin COPY ./docker-entrypoint.sh / diff --git a/docker/driver-loader/Dockerfile b/docker/driver-loader/Dockerfile index ed333b0fe5b..f746a9ef26d 100644 --- a/docker/driver-loader/Dockerfile +++ b/docker/driver-loader/Dockerfile @@ -35,9 +35,6 @@ RUN apt-get update \ xz-utils \ zstd \ && rm -rf /var/lib/apt/lists/* - -# Install latest falcoctl -RUN curl -L -o falcoct.tar.gz $(curl -s "https://api.github.com/repos/falcosecurity/falcoctl/releases/latest" | jq -r '.assets[] | select(.name|test(".linux_$TARGETARCH.tar.gz")) | .browser_download_url') && tar -xvf falcoctl.tar.gz && mv falcoctl /usr/bin # Some base images have an empty /lib/modules by default # If it's not empty, docker build will fail instead of 
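Review bot: Dropping the falcoctl download leaves no visible source of `/usr/bin/falcoctl` in the `driver-loader-buster` image: its base is `debian:buster` rather than the `-debian` Falco image that the other loader inherits falcoctl from, and its entrypoint (changed elsewhere in this series) still runs `/usr/bin/falcoctl driver install`. If the Falco binaries are brought in earlier in this Dockerfile (its first lines are outside the hunk) this is fine; otherwise the container fails at the first falcoctl call. Either way a one-line comment at this spot, e.g. `# falcoctl is provided by the Falco package installed above`, would record where the binary comes from. The same removal in `docker/driver-loader/Dockerfile` is covered by the base image change in the next patch.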
diff --git a/docker/falco-debian/Dockerfile b/docker/falco-debian/Dockerfile index 53d41821099..115d8db2368 100644 --- a/docker/falco-debian/Dockerfile +++ b/docker/falco-debian/Dockerfile @@ -25,9 +25,6 @@ RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \ && if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* - -# Falcoctl is not included here. -RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/ RUN sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' /etc/falco/falco.yaml From f6f9e5907ad6f5d819868e7a169e996c69c1c1c5 Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Wed, 30 Oct 2024 10:18:58 +0100 Subject: [PATCH 08/11] fix(docker): fix docker-compose with correct image name for Falco. Signed-off-by: Federico Di Pierro --- docker/docker-compose/docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/docker-compose/docker-compose.yaml b/docker/docker-compose/docker-compose.yaml index 1b6329626dd..fef6f9be5b0 100644 --- a/docker/docker-compose/docker-compose.yaml +++ b/docker/docker-compose/docker-compose.yaml @@ -13,7 +13,7 @@ services: - /proc:/host/proc:ro - /etc:/host/etc:ro - ./config/http_output.yml:/etc/falco/config.d/http_output.yml - image: falcosecurity/falco-no-driver:latest + image: falcosecurity/falco:latest sidekick: container_name: falco-sidekick From 25b800bbf96dfd03ae072ebd9cfa8ca5ad0f4ae7 Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Wed, 30 Oct 2024 17:07:53 +0100 Subject: [PATCH 09/11] update(docker): no CMD for falco-driver-loader images Co-authored-by: Federico Di Pierro 
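Review bot: With the `rm -rf /usr/bin/falcoctl /etc/falcoctl/` step removed, the `-debian` image now ships falcoctl and its default configuration, which neither the usage label nor the README row for this image (later in this series) mentions. A comment here such as `# falcoctl and /etc/falcoctl are kept on purpose: falco-driver-loader builds on this image and runs falcoctl driver install` records the reason, and the README entry should list falcoctl alongside jq and curl so operators know what is in the image they run.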
Signed-off-by: Leonardo Grasso --- docker/driver-loader-buster/Dockerfile | 28 +++++++++---------- .../driver-loader-buster/docker-entrypoint.sh | 2 -- docker/driver-loader/Dockerfile | 4 +-- docker/driver-loader/docker-entrypoint.sh | 2 -- 4 files changed, 14 insertions(+), 22 deletions(-) diff --git a/docker/driver-loader-buster/Dockerfile b/docker/driver-loader-buster/Dockerfile index 60b76acd990..fb14f7f4407 100644 --- a/docker/driver-loader-buster/Dockerfile +++ b/docker/driver-loader-buster/Dockerfile @@ -3,7 +3,7 @@ FROM debian:buster LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" -LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc falcosecurity/falco-driver-loader:latest-buster" +LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]" ARG TARGETARCH @@ -41,8 +41,8 @@ RUN apt-get update \ && rm -rf /var/lib/apt/lists/* RUN if [ "$TARGETARCH" = "amd64" ]; \ - then apt-get install -y --no-install-recommends libmpx2; \ - fi + then apt-get install -y --no-install-recommends libmpx2; \ + fi # gcc 6 is no longer included in debian stable, but we need it to # build kernel modules on the default debian-based ami used by 
@@ -51,7 +51,7 @@ RUN if [ "$TARGETARCH" = "amd64" ]; \ # or so. RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \ - curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \ + curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \ && curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \ && curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \ && curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \ 
@@ -60,8 +60,8 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGE && curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \ && curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \ && dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \ - if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \ - dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \ + if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \ + dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \ && rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb # gcc 5 is no longer included in debian stable, but we need it to 
@@ -70,15 +70,15 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGE # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z. RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \ - curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \ + curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \ && curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \ && curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \ && curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \ && curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \ && curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \ && dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \ - if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \ - dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \ + if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \ + dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \ && rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb 
libmpx0_5.5.0-12_${TARGETARCH}.deb # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the @@ -113,10 +113,10 @@ RUN rm -df /lib/modules \ # forcibly install binutils 2.30-22 instead. RUN if [ "$TARGETARCH" = "amd64" ] ; then \ - curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \ - else \ - curl -L -o binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \ - fi + curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \ + else \ + curl -L -o binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \ + fi RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \ && curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \ @@ -127,5 +127,3 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep COPY ./docker-entrypoint.sh / ENTRYPOINT ["/docker-entrypoint.sh"] - -CMD ["/usr/bin/falco"] \ No newline at end of file diff --git a/docker/driver-loader-buster/docker-entrypoint.sh b/docker/driver-loader-buster/docker-entrypoint.sh index bf17c700152..185e4e1f1d1 100755 --- a/docker/driver-loader-buster/docker-entrypoint.sh +++ b/docker/driver-loader-buster/docker-entrypoint.sh @@ -124,5 +124,3 @@ else fi /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" - -exec "$@" diff --git a/docker/driver-loader/Dockerfile b/docker/driver-loader/Dockerfile index f746a9ef26d..75eb18f1a7d 100644 
--- a/docker/driver-loader/Dockerfile +++ b/docker/driver-loader/Dockerfile @@ -4,7 +4,7 @@ FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco" -LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest" +LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]" ENV HOST_ROOT /host ENV HOME /root @@ -45,5 +45,3 @@ RUN rm -df /lib/modules \ COPY ./docker-entrypoint.sh / ENTRYPOINT ["/docker-entrypoint.sh"] - -CMD ["/usr/bin/falco"] diff --git a/docker/driver-loader/docker-entrypoint.sh b/docker/driver-loader/docker-entrypoint.sh index acd6e0a2475..52df15f3111 100755 --- a/docker/driver-loader/docker-entrypoint.sh +++ b/docker/driver-loader/docker-entrypoint.sh @@ -136,5 +136,3 @@ else fi /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args - -exec "$@" From 245aa2e01a60a19ebb86df9d457554ff7c3d44ea Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Wed, 30 Oct 2024 17:09:30 +0100 Subject: [PATCH 10/11] docs(docker): update images description Co-authored-by: Leonardo Di Giovanna Signed-off-by: Leonardo Grasso --- docker/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/README.md b/docker/README.md index c34f09bb628..5e01163ee6f 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -6,7 +6,7 @@ This directory contains various ways to package Falco as a container and related | Name | Directory | Description | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Distroless image without driver building toolchain support, based on the latest released tar.gz of Falco. No tools or falcoctl not included. | -| [falcosecurity/falco:latest-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco-debian | Debian-based image without driver building toolchain support, based on the latest released Deb of Falco (similar to the old falcosecurity/falco-no-driver image). May include some tools (ie. jq, curl), but not falcoctl. 
| -| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | Based on falcosecurity/falco:x.y.z-debian (see above) plus the driver building toolchain support and also shipping the latest version of falcoctl. Recommended only when modern eBPF is not supported. | +| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Distroless image based on the latest released tar.gz of Falco. No tools are included in the image. | +| [falcosecurity/falco:latest-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco-debian | Debian-based image. Include some tools (i.e. jq, curl). No driver-building toolchain support. | +| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | Based on falcosecurity/falco:x.y.z-debian (see above) plus the driver building toolchain support and falcoctl. This is intended to be used as an installer or an init container when modern eBPF cannot be used. 
| | [falcosecurity/falco-driver-loader:latest-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader-buster | Similar to falcosecurity/falco-driver-loader (see above) but based on a legacy Debian image (i.e. buster ). Recommended only for old kernel versions. | \ No newline at end of file From 583f50e039a921b1fdb6494c9faa0fc3c0ec7ba5 Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Tue, 5 Nov 2024 17:03:13 +0100 Subject: [PATCH 11/11] fix(docker/falco-debian): usage label Co-authored-by: Leonardo Di Giovanna Signed-off-by: Leonardo Grasso --- docker/falco-debian/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/falco-debian/Dockerfile b/docker/falco-debian/Dockerfile index 115d8db2368..82397f6319b 100644 --- a/docker/falco-debian/Dockerfile +++ b/docker/falco-debian/Dockerfile @@ -3,7 +3,7 @@ FROM debian:12-slim LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco/docker/falco-debian" -LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro falcosecurity/falco:latest-debian" +LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest-debian" ARG FALCO_VERSION ARG VERSION_BUCKET=deb @@ -15,7 +15,7 @@ ENV HOST_ROOT /host ENV HOME /root RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 ca-certificates gnupg2 \ - && apt clean -y && rm -rf /var/lib/apt/lists/* + && apt clean -y && rm -rf /var/lib/apt/lists/* WORKDIR /
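Review bot: The corrected `usage` label now adds `--privileged`, which the previous label did not ask for, but nothing in the Dockerfile records why a fully privileged container is required rather than a narrower `--cap-add` set, so readers cannot tell whether the flag is a real requirement or a convenience. A short comment above the label, e.g. `# --privileged: required for <TODO: confirm which capabilities/device access falco needs in this no-toolchain image>`, would document the least-privilege trade-off; presumably this is for the driver Falco loads at runtime, but that is not visible in the hunk. The second hunk of this file is whitespace-only and needs no change.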