From 69b3df1fd5f472c07cb998b6eae50779176e5d72 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Mon, 30 Sep 2024 15:58:26 +0000
Subject: [PATCH 1/2] new(falco): add buffer_format_base64
Signed-off-by: Luca Guerra
---
 falco.yaml | 7 +++++++
 userspace/falco/app/actions/init_inspectors.cpp | 7 ++++++-
 userspace/falco/app/options.cpp | 2 +-
 userspace/falco/app/options.h | 2 +-
 userspace/falco/config_json_schema.h | 3 +++
 userspace/falco/configuration.cpp | 2 ++
 userspace/falco/configuration.h | 1 +
 7 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/falco.yaml b/falco.yaml
index e052a441109..9ab4a9dd17f 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -492,6 +492,13 @@ plugins:
 # the /etc/localtime configuration.
 time_format_iso_8601: false
+# [Incubating] `buffer_format_base64`
+#
+# When enabled, Falco will output data buffer with base64 encoding. This is useful
+# for encoding binary data that needs to be used over media designed to consume
+# this format.
+buffer_format_base64: false
+
 # [Stable] `priority`
 #
 # Any rule with a priority level more severe than or equal to the specified
diff --git a/userspace/falco/app/actions/init_inspectors.cpp b/userspace/falco/app/actions/init_inspectors.cpp
index cf3e3849d6c..0365817fba9 100644
--- a/userspace/falco/app/actions/init_inspectors.cpp
+++ b/userspace/falco/app/actions/init_inspectors.cpp
@@ -26,7 +26,12 @@ using namespace falco::app;
 using namespace falco::app::actions;
 static void init_syscall_inspector(falco::app::state& s, std::shared_ptr inspector) {
- inspector->set_buffer_format(s.options.event_buffer_format);
+ sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+ if(s.options.print_base64 || s.config->m_buffer_format_base64) {
+ event_buffer_format = sinsp_evt::PF_BASE64;
+ }
+
+ inspector->set_buffer_format(event_buffer_format);
 //
 // Container engines
diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp
index cf651ff27f9..8925b7672cf 100644
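Review bot: The comment added for `buffer_format_base64` in falco.yaml does not say which output it affects or how it relates to the existing `-b` flag. In init_inspectors.cpp of this same patch the key is OR-ed with `s.options.print_base64`, so setting it to `false` does not switch base64 off when `-b` is passed; a line such as `# Equivalent to the -b/--print-base64 command-line flag; either one enables base64.` would make that explicit. It is also worth one sentence saying that base64 only changes how data buffers are encoded: whatever the captured buffers contain is still present in the output, and downstream consumers have to decode it before matching on content.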
--- a/userspace/falco/app/options.cpp
+++ b/userspace/falco/app/options.cpp
@@ -71,7 +71,7 @@ bool options::parse(int argc, char **argv, std::string &errstr) {
 }
 if(m_cmdline_parsed.count("b") > 0) {
- event_buffer_format = sinsp_evt::PF_BASE64;
+ print_base64 = true;
 }
 if(m_cmdline_parsed.count("r") > 0) {
diff --git a/userspace/falco/app/options.h b/userspace/falco/app/options.h
index da35d76ed74..d71f90b6e39 100644
--- a/userspace/falco/app/options.h
+++ b/userspace/falco/app/options.h
@@ -46,7 +46,7 @@ class options {
 bool print_rule_schema = false;
 std::string conf_filename;
 bool all_events = false;
- sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+ bool print_base64 = false;
 std::vector cri_socket_paths;
 bool disable_cri_async = false;
 std::vector disable_sources;
diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h
index ba6419e72b3..35357e43bfc 100644
--- a/userspace/falco/config_json_schema.h
+++ b/userspace/falco/config_json_schema.h
@@ -80,6 +80,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
 "time_format_iso_8601": {
 "type": "boolean"
 },
+ "buffer_format_base64": {
+ "type": "boolean"
+ },
 "priority": {
 "type": "string"
 },
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index 8673f37924a..7e44253298b 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -74,6 +74,7 @@ falco_configuration::falco_configuration():
 m_buffered_outputs(false),
 m_outputs_queue_capacity(DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE),
 m_time_format_iso_8601(false),
+ m_buffer_format_base64(false),
 m_output_timeout(2000),
 m_grpc_enabled(false),
 m_grpc_threadiness(0),
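Review bot: In the options.cpp hunk of patch 1/2, `print_base64` is still set by hand from `m_cmdline_parsed.count("b")`, while the other boolean flags visible in `options::define` (for example `all_events`) are bound with `cxxopts::value(...)->default_value("false")`. Binding this flag the same way, `("b,print-base64", "...", cxxopts::value(print_base64)->default_value("false"))`, would let this `if` block go and keep one pattern for boolean options. `options::parse` starts and ends outside the hunk, so whether anything else depends on the manual check cannot be seen here.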
@@ -489,6 +490,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 }
 m_time_format_iso_8601 = m_config.get_scalar("time_format_iso_8601", false);
+ m_buffer_format_base64 = m_config.get_scalar("buffer_format_base64", false);
 m_webserver_enabled = m_config.get_scalar("webserver.enabled", false);
 m_webserver_config.m_threadiness = m_config.get_scalar("webserver.threadiness", 0);
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index d0b9e4a6018..88c9c5e562b 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -153,6 +153,7 @@ class falco_configuration {
 bool m_buffered_outputs;
 size_t m_outputs_queue_capacity;
 bool m_time_format_iso_8601;
+ bool m_buffer_format_base64;
 uint32_t m_output_timeout;
 bool m_grpc_enabled;
From 3f0e1bcf67174c7463e1edbc0d67f15460085830 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Mon, 30 Sep 2024 16:03:33 +0000
Subject: [PATCH 2/2] cleanup(falco): deprecate -b --print-base64
Signed-off-by: Luca Guerra
---
 userspace/falco/app/actions/init_inspectors.cpp | 8 +++++++-
 userspace/falco/app/options.cpp | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/userspace/falco/app/actions/init_inspectors.cpp b/userspace/falco/app/actions/init_inspectors.cpp
index 0365817fba9..41fca8415c6 100644
--- a/userspace/falco/app/actions/init_inspectors.cpp
+++ b/userspace/falco/app/actions/init_inspectors.cpp
@@ -27,7 +27,13 @@ using namespace falco::app::actions;
 static void init_syscall_inspector(falco::app::state& s, std::shared_ptr inspector) {
 sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
- if(s.options.print_base64 || s.config->m_buffer_format_base64) {
+ if(s.options.print_base64) {
+ falco_logger::log(falco_logger::level::WARNING,
+ "The -b/--print-base64 option is deprecated and will be removed. Use -o "
+ "buffer_format_base64=true instead.");
+ event_buffer_format = sinsp_evt::PF_BASE64;
+ }
+ if(s.config->m_buffer_format_base64) {
 event_buffer_format = sinsp_evt::PF_BASE64;
 }
diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp
index 8925b7672cf..acf015a5b01 100644
--- a/userspace/falco/app/options.cpp
+++ b/userspace/falco/app/options.cpp
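Review bot: In the init_inspectors.cpp hunk of patch 2/2, the deprecation warning is logged from inside `init_syscall_inspector`, so it is tied to inspector setup rather than to option parsing; if this function runs more than once per start (not visible in the hunk), the warning is repeated. The two `if` branches also assign the same value: keeping the warning in its own `if(s.options.print_base64)` block and selecting the format with `if(s.options.print_base64 || s.config->m_buffer_format_base64) {`, as patch 1/2 did, leaves a single assignment of `sinsp_evt::PF_BASE64`. The function body continues past the end of the hunk.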
@@ -114,7 +114,7 @@ void options::define(cxxopts::Options& opts)
 ("config-schema", "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false"))
 ("rule-schema", "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false"))
 ("A", "Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
- ("b,print-base64", "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
+ ("b,print-base64", "DEPRECATED: use -o buffer_format_base64=true. Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
 ("cri", "DEPRECATED: use -o container_engines.cri.sockets[]= instead. Path to CRI socket for container metadata. Use the specified to fetch data from a CRI-compatible runtime. If not specified, built-in defaults for commonly known paths are used. This option can be passed multiple times to specify a list of sockets to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "")
 ("disable-cri-async", "DEPRECATED: use -o container_engines.cri.disable_async=true instead. Turn off asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously.
This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false"))
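Review bot: The new help text for `-b` in options.cpp reads `DEPRECATED: use -o buffer_format_base64=true.`, while the `cri` and `disable-cri-async` entries just below it use the form `DEPRECATED: use -o ... instead.`, and the log message added in init_inspectors.cpp also ends with `instead`. Writing `"DEPRECATED: use -o buffer_format_base64=true instead. Print data buffers in base64. ..."` keeps the deprecation notices uniform. The chain of option definitions in `options::define` starts and ends outside the hunk.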