Bake Sysdig/CNCF Falco

README.md

@@ -85,6 +85,7 @@ For extensions that are not part of the GitHub Release or which you want to cust
 | `kubernetes` | released |
 | `docker` | released (includes containerd) |
 | `docker_compose` | released |
+| `falco`          | released |
 | `nvidia-runtime` | released |
 | `wasmtime` | released |
 | `wasmcloud` | released |
@@ -200,6 +201,28 @@ In the [Flatcar docs](https://www.flatcar.org/docs/latest/provisioning/sysext/)
 
 The updates works by [`systemd-sysupdate`](https://www.freedesktop.org/software/systemd/man/sysupdate.d.html) fetching the `SHA256SUMS` file of the generated artifacts, which holds the list of built images with their respective SHA256 digest.
 
+#### Falco
+
+To setup [Falco](https://falco.org/docs/getting-started/) we need the sysext plus the configuration files and the systemd unit.
+
+By default, the falcon daemon systemd unit shipped is the [Falco Modern EBPF](https://github.com/falcosecurity/falco/blob/master/scripts/systemd/falco-modern-bpf.service). Create systemd drop-ins or replace the service to suit your needs if necessary. 
+
+The default falco config and rules files are shipped, but you can overwrite it. The example bellow shows how to override the default files:
+
+```yaml
+storage:
+  files:
+    - path: /etc/falco/falco_rules.local.yaml
+      contents:
+        source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/refs/heads/master/falco_rules.local.yaml"
+    - path: /etc/extensions/falco.raw
+      contents:
+        source: https://github.com/flatcar/sysext-bakery/releases/download/latest/falco-0.39.1-x86-64.raw
+```
+
+Of course its also possible to use the 
+[artifact-follower](https://falco.org/blog/falcoctl-install-manage-rules-plugins/#follow-artifacts) to download falco artifacts automatically.
+
 #### Kubernetes
 
 The [Flatcar Kubernetes docs](https://www.flatcar.org/docs/latest/container-runtimes/getting-started-with-kubernetes/) show how to use the extension provided here for controllers and workers.

create_falco_sysext.sh

@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export ARCH="${ARCH-x86-64}"
+SCRIPTFOLDER="$(dirname "$(readlink -f "$0")")"
+
+if [ $# -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+  echo "Usage: $0 VERSION SYSEXTNAME"
+  echo "The script will download the sysdig falco binary (e.g., for 0.38.0) and create a sysext squashfs image with the name falco.raw in the current folder."
+  echo "A temporary directory named SYSEXTNAME in the current folder will be created and deleted again."
+  echo "All files in the sysext image will be owned by root."
+  echo "To use arm64 pass 'ARCH=arm64' as environment variable (current value is '${ARCH}')."
+  "${SCRIPTFOLDER}"/bake.sh --help
+  exit 1
+fi
+
+VERSION="$1"
+SYSEXTNAME="$2"
+
+# The github release uses different arch identifiers, we map them here
+# and rely on bake.sh to map them back to what systemd expects
+if [ "${ARCH}" = "amd64" ] || [ "${ARCH}" = "x86-64" ]; then
+  URL="https://download.falco.org/packages/bin/x86_64/falco-${VERSION}-x86_64.tar.gz"
+elif [ "${ARCH}" = "arm64" ] || [ "${ARCH}" = "aarch64" ]; then
+  URL="https://download.falco.org/packages/bin/aarch64/falco-${VERSION}-aarch64.tar.gz"
+fi
+
+rm -rf "${SYSEXTNAME}"
+mkdir -p "${SYSEXTNAME}"{/usr/share/falco/etc/,/usr/lib/tmpfiles.d,/usr/local/lib/systemd/system/}
+
+cat <<EOF >"${SYSEXTNAME}"/usr/lib/tmpfiles.d/10-falco.conf
+C+ /etc/falco - - - - /usr/share/falco/etc/falco
+EOF
+
+curl -o - -fsSL "${URL}" | tar --strip-components 1 -xzvf - -C "${SYSEXTNAME}/"
+mv "${SYSEXTNAME}"{/etc/{falco,falcoctl},/usr/share/falco/etc/}
+
+cat > "${SYSEXTNAME}"/usr/local/lib/systemd/system/falco-modern-bpf.service <<'EOF'
+[Unit]
+Description=Falco: Container Native Runtime Security with modern ebpf
+Documentation=https://falco.org/docs/
+Before=falcoctl-artifact-follow.service
+Wants=falcoctl-artifact-follow.service
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falco -o engine.kind=modern_ebpf
+ExecReload=kill -1 $MAINPID
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > "${SYSEXTNAME}"/usr/local/lib/systemd/system/falcoctl-artifact-follow.service << EOF
+[Unit]
+Description=Falcoctl Artifact Follow: automatic artifacts update service
+Documentation=https://falco.org/docs/
+PartOf=falco-bpf.service falco-kmod.service falco-modern-bpf.service falco-custom.service
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falcoctl artifact follow --allowed-types=rulesfile
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectSystem=true
+ReadWriteDirectories=/usr/share/falco
+ProtectKernelTunables=true
+RestrictRealtime=true
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+RELOAD=1 "${SCRIPTFOLDER}"/bake.sh "${SYSEXTNAME}"
+rm -rf "${SYSEXTNAME}"

release_build_versions.txt

@@ -13,6 +13,8 @@ docker-25.0.3
 docker_compose-2.22.0
 docker_compose-2.24.5
 
+falco-0.39.1
+
 wasmtime-12.0.0
 wasmtime-13.0.0 # Used in Flatcar wasm OS demo
 wasmtime-24.0.0 # Used in README.md. Update readme when version changes.