The Falco Artifact Scope proposal is divided into two parts:
- Part 1: the state of the art of Falco artifacts
- Part 2 (this document): the intended state moving forward
See Part 1.
Official packages are provided for x86 64-bit only.
The following convention MUST be used for all packages.
All package names MUST contain a version.
If a package installs the Falco kernel module, its name MUST contain `module`.
If a package installs the Falco BPF probe, its name MUST contain `bpf`.
In general, if a package installs a Falco driver it MUST contain the driver name.
Falco packages for Debian-like systems, which default to the kernel module.
- `falco-x.y.z-amd64.deb`
  - alias to falco-*x.y.z*-module-amd64.deb
- `falco-x.y.z-module-amd64.deb`
  - `falco` and `module`
- `falco-x.y.z-bpf-amd64.deb`
  - `falco` and `bpf`
We reserve the right to change the naming convention of deb packages according to deb conventions.
Falco packages for rpm-like systems, which default to the kernel module.
- `falco-x.y.z-x86_64.rpm`
  - alias to falco-*x.y.z*-module-x86_64.rpm
- `falco-x.y.z-module-x86_64.rpm`
  - `falco` and `module`
- `falco-x.y.z-bpf-x86_64.rpm`
  - `falco` and `bpf`
We reserve the right to change the naming convention of rpm packages according to rpm conventions.
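A release-time check for the deb and rpm naming rules above, as an added example that is not part of the proposal or of Falco's own tooling. The function names, the regular expression, and the assumption that versions are plain `x.y.z` are illustrative.

```python
import re

# Architecture suffix per package format, as listed in the proposal.
ARCH = {"deb": "amd64", "rpm": "x86_64"}
DRIVERS = ("module", "bpf")

# falco-<x.y.z>[-<driver>]-<arch>.<ext>; plain x.y.z versions are an assumption.
NAME_RE = re.compile(
    r"^falco-(?P<version>\d+\.\d+\.\d+)"
    r"(?:-(?P<driver>[a-z]+))?"
    r"-(?P<arch>amd64|x86_64)\.(?P<ext>deb|rpm)$"
)


def parse_package(name):
    """Return the parsed fields of a deb/rpm package name, or raise ValueError."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"{name!r}: does not match falco-x.y.z[-driver]-arch.ext")
    f = m.groupdict()
    if f["arch"] != ARCH[f["ext"]]:
        raise ValueError(f"{name!r}: {f['ext']} packages use {ARCH[f['ext']]}")
    if f["driver"] is not None and f["driver"] not in DRIVERS:
        raise ValueError(f"{name!r}: unknown driver {f['driver']!r}")
    # A name without a driver is an alias to the kernel module package.
    f["alias"] = f["driver"] is None
    f["driver"] = f["driver"] or "module"
    return f


def canonical_name(name):
    """Resolve an alias to the package name that states its driver."""
    f = parse_package(name)
    return f"falco-{f['version']}-{f['driver']}-{f['arch']}.{f['ext']}"


def check_release(names):
    """Map each rejected name to the reason; an empty dict means all conform."""
    errors = {}
    for name in names:
        try:
            parse_package(name)
        except ValueError as exc:
            errors[name] = str(exc)
    return errors

# Constructed sample names (version 0.23.0 is illustrative only).
SAMPLE = ["falco-0.23.0-amd64.deb", "falco-0.23.0-bpf-x86_64.rpm",
          "falco-bpf-amd64.deb", "falco-0.23.0-module-x86_64.deb"]
```

Running `check_release` over the file list of a release candidate rejects names with no version, an unknown driver, or an architecture suffix that belongs to the other package format.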
- `falco-bin-x86.tar.gz`
  - `falco` binary, `falco-loader-script`, drivers source, and related dependencies
  - `INSTALL` file
  - `Makefile` file
- `falco-src-x86.tar.gz`
  - No binaries
  - `INSTALL` file
- `falco-module-src-x86.tar.gz`
  - `module` sources with `Makefile`
  - `INSTALL` file
- `falco-bpf-src-x86.tar.gz`
  - `bpf` sources with `Makefile`
  - `INSTALL` file
The following convention MUST be used for all container images.
- `falcosecurity/falco:TAG`
  - First runs `falco-driver-loader` and then runs `falco`
  - Can be run with `--privileged`
  - Can be run with `-e SKIP_DRIVER_LOADER=true` to skip the execution of `falco-driver-loader`
  - TAG can be `latest` to refer to the latest release
  - TAG can be `master` to refer to the latest master
  - TAG can be `x.y.z` to refer to a specific release
- `falcosecurity/falco-driver-loader:TAG`
  - Runs `falco-driver-loader` and exits
  - Needs to be run with `--privileged`
- `falcosecurity/falco-no-driver`
  - Runs `falco` (only userspace)
- `falcosecurity/falco-tester:TAG`
  - Runs the Falco integration test suite
- `falcosecurity/falco-builder:TAG`
  - Contains the Falco tool chain for development
The image usage MUST be documented in the Dockerfile and on the website. If an image does not take any action by default, a command usage MUST be printed out. We reserve the right to add image aliases if needed.
These artifacts will be amended to the ones listed above, and will become a part of the official Falco release process.
For each item, ask if this already exists. If so, we need to rename and update it to match this new convention. If it does not exist, add it.
Here are SOME of the items that would need to be done, for example:
- Rename package accordingly
- Rename docker images accordingly
  - Evaluate how to call what's currently called `falcosecurity/falco:latest-slim`
- Documentation in all packages with `INSTALL` file
- Add `Makefile` where needed
- Implement missing packages
  - Rename `SKIP_MODULE_LOAD` environment variable of docker images to `SKIP_DRIVER_LOADER`
  - Create `usage` commands for every docker image
Update documentation in falco-website
This could break the current helm chart, and maybe other dependencies.
We owe existing users of the Falco project some courtesy if we break their usage of how Falco has traditionally been advertised.
Some things we owe the community:
- Announcement on Falco mailing list
- Issues/Pull Request to Helm chart
- Note: At the very least open an issue and document how to make the existing helm chart work with the new changes if needed. [Nova Volunteers]
- We should at least open a PR and update the helm chart with these new expectations if needed. [Nova Volunteers]
- We should revisit the helm chart OWNERS
- Documentation