Updates Falco to upstream 0.15.0 tag (#1608)

Some minor changes are included in Collector, where APIs or type have changed between versions.
stackrox · Apr 16, 2024 · ddcf390 · ddcf390
1 parent f14877b
commit ddcf390
Show file tree

Hide file tree

Showing 22 changed files with 236 additions and 119 deletions.
diff --git a/.github/workflows/collector-builder.yml b/.github/workflows/collector-builder.yml
@@ -126,7 +126,6 @@ jobs:
             echo "rhacs_eng_username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}"
             echo "rhacs_eng_password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}"
             echo "collector_git_ref: ${{ github.ref }}"
-            echo "collector_git_sha: ${{ github.sha }}"
             echo "collector_builder_tag: ${{ env.COLLECTOR_BUILDER_TAG }}"
           } > ${{ github.workspace }}/ansible/secrets.yml
 

diff --git a/.github/workflows/collector-slim.yml b/.github/workflows/collector-slim.yml
@@ -60,7 +60,6 @@ jobs:
           rhacs_eng_username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
           rhacs_eng_password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
           collector_git_ref: ${{ github.ref }}
-          collector_git_sha: ${{ github.sha }}
           collector_builder_tag: ${{ env.COLLECTOR_BUILDER_TAG }}
           disable_profiling: ${{ matrix.arch != 'amd64' && matrix.arch != 'arm64' }}
           rhacs_eng_image: ${{ env.RHACS_ENG_IMAGE }}

diff --git a/.gitmodules b/.gitmodules
@@ -56,7 +56,7 @@
 [submodule "third_party/libbpf"]
 	path = builder/third_party/libbpf
 	url = https://github.com/libbpf/libbpf
-	branch = v1.1.0
+	branch = v1.3.0
 [submodule "builder/third_party/gperftools"]
 	path = builder/third_party/gperftools
 	url = https://github.com/gperftools/gperftools.git

diff --git a/Makefile b/Makefile
@@ -34,8 +34,6 @@ ifneq ($(BUILD_BUILDER_IMAGE), false)
 		-t quay.io/stackrox-io/collector-builder:$(COLLECTOR_BUILDER_TAG) \
 		-f "$(CURDIR)/builder/Dockerfile" \
 		"$(CURDIR)/builder"
-else
-	docker pull --platform ${PLATFORM} quay.io/stackrox-io/collector-builder:$(COLLECTOR_BUILDER_TAG)
 endif
 
 collector: check-builder
@@ -111,6 +109,8 @@ endif
 start-builder: builder teardown-builder
 	docker run -d \
 		--name $(COLLECTOR_BUILDER_NAME) \
+		--pull missing \
+		--platform ${PLATFORM} \
 		-v $(CURDIR):$(CURDIR) \
 		$(if $(LOCAL_SSH_PORT),-p $(LOCAL_SSH_PORT):22 )\
 		-w $(CURDIR) \

diff --git a/ansible/ci-build-builder.yml b/ansible/ci-build-builder.yml
@@ -9,14 +9,18 @@
 
   vars:
     collector_root: "{{ ansible_env.HOME }}/collector"
+    local_branch: local
 
   tasks:
     - name: Clone repository
       ansible.builtin.git:
         repo: https://github.com/stackrox/collector
         dest: "{{ collector_root }}"
-        version: "{{ collector_git_sha }}"
-        refspec: "+{{ collector_git_ref | replace('refs/', '') }}"
+        # We fetch the ref (either master, or pull/<ID>/merge) and then
+        # create a local branch based on that. Doing it this way, rather
+        # than with commit hashes, prevents "reference is not a tree" errors
+        version: "{{ local_branch }}"
+        refspec: "+{{ collector_git_ref | replace('refs/', '') }}:{{ local_branch }}"
         recursive: true
       when: arch == "s390x"
 

diff --git a/ansible/ci-build-collector.yml b/ansible/ci-build-collector.yml
@@ -11,15 +11,19 @@
 
   vars:
     collector_root: "{{ ansible_env.HOME }}/collector"
+    local_branch: local
 
   tasks:
     - debug: var=collector_root
     - name: Clone repository
       ansible.builtin.git:
         repo: https://github.com/stackrox/collector
         dest: "{{ collector_root }}"
-        version: "{{ collector_git_sha }}"
-        refspec: "+{{ collector_git_ref | replace('refs/', '') }}"
+        # We fetch the ref (either master, or pull/<ID>/merge) and then
+        # create a local branch based on that. Doing it this way, rather
+        # than with commit hashes, prevents "reference is not a tree" errors
+        version: "{{ local_branch }}"
+        refspec: "+{{ collector_git_ref | replace('refs/', '') }}:{{ local_branch }}"
         recursive: true
       when: arch == "s390x"
 

diff --git a/builder/third_party/libbpf b/builder/third_party/libbpf
diff --git a/collector/lib/ContainerMetadata.h b/collector/lib/ContainerMetadata.h
@@ -21,7 +21,7 @@ class ContainerMetadata {
   }
 
   inline std::string GetContainerLabel(const std::string& container_id, const std::string& label) {
-    const auto containers = inspector_->m_container_manager.get_containers();
+    auto containers = inspector_->m_container_manager.get_containers();
     const auto& container = containers->find(container_id);
     if (container == containers->end()) {
       return "";

diff --git a/collector/lib/system-inspector/EventExtractor.cpp b/collector/lib/system-inspector/EventExtractor.cpp
@@ -4,9 +4,9 @@ namespace collector::system_inspector {
 
 void EventExtractor::Init(sinsp* inspector) {
   for (auto* wrapper : wrappers_) {
-    sinsp_filter_check* check = g_filterlist.new_filter_check_from_fldname(wrapper->event_name, inspector, true);
+    std::unique_ptr<sinsp_filter_check> check = FilterList().new_filter_check_from_fldname(wrapper->event_name, inspector, true);
     check->parse_field_name(wrapper->event_name, true, false);
-    wrapper->filter_check.reset(check);
+    wrapper->filter_check.reset(check.release());
   }
 }
 

diff --git a/collector/lib/system-inspector/EventExtractor.h b/collector/lib/system-inspector/EventExtractor.h
@@ -17,6 +17,11 @@ class EventExtractor {
   void Init(sinsp* inspector);
   void ClearWrappers();
 
+  static sinsp_filter_check_list& FilterList() {
+    static sinsp_filter_check_list filterlist;
+    return filterlist;
+  }
+
  private:
   struct FilterCheckWrapper {
     FilterCheckWrapper(EventExtractor* extractor, const char* event_name) : event_name(event_name) {

diff --git a/collector/lib/system-inspector/Service.cpp b/collector/lib/system-inspector/Service.cpp
@@ -80,7 +80,7 @@ bool Service::InitKernel(const CollectorConfig& config, const DriverCandidate& c
 
     inspector_->set_import_users(config.ImportUsers());
     inspector_->set_thread_timeout_s(30);
-    inspector_->set_thread_purge_interval_s(60);
+    inspector_->set_auto_threads_purging_interval_s(60);
     inspector_->m_thread_manager->set_max_thread_table_size(config.GetSinspThreadCacheSize());
 
     // Connection status tracking is used in NetworkSignalHandler,
@@ -119,7 +119,8 @@ bool Service::InitKernel(const CollectorConfig& config, const DriverCandidate& c
     inspector_->set_filter("container.id != 'host'");
 
     default_formatter_.reset(new sinsp_evt_formatter(inspector_.get(),
-                                                     DEFAULT_OUTPUT_STR));
+                                                     DEFAULT_OUTPUT_STR,
+                                                     EventExtractor::FilterList()));
   }
 
   std::unique_ptr<IKernelDriver> driver;