new(falco): add buffer_format_base64 option, deprecate -b

falco.yaml

@@ -492,6 +492,13 @@ plugins:
 # the /etc/localtime configuration.
 time_format_iso_8601: false
 
+# [Incubating] `buffer_format_base64`
+#
+# When enabled, Falco will output data buffer with base64 encoding. This is useful
+# for encoding binary data that needs to be used over media designed to consume
+# this format.
+buffer_format_base64: false
+
 # [Stable] `priority`
 #
 # Any rule with a priority level more severe than or equal to the specified

userspace/falco/app/actions/init_inspectors.cpp

@@ -26,7 +26,18 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 static void init_syscall_inspector(falco::app::state& s, std::shared_ptr<sinsp> inspector) {
- inspector->set_buffer_format(s.options.event_buffer_format);
+ sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+ if(s.options.print_base64) {
+ falco_logger::log(falco_logger::level::WARNING,
+ "The -b/--print-base64 option is deprecated and will be removed. Use -o "
+ "buffer_format_base64=true instead.");
+ event_buffer_format = sinsp_evt::PF_BASE64;
+ }
+ if(s.config->m_buffer_format_base64) {
+ event_buffer_format = sinsp_evt::PF_BASE64;
+ }
+
+ inspector->set_buffer_format(event_buffer_format);
 
  //
  // Container engines

userspace/falco/app/options.cpp

@@ -71,7 +71,7 @@ bool options::parse(int argc, char **argv, std::string &errstr) {
  }
 
  if(m_cmdline_parsed.count("b") > 0) {
- event_buffer_format = sinsp_evt::PF_BASE64;
+ print_base64 = true;
  }
 
  if(m_cmdline_parsed.count("r") > 0) {
@@ -114,7 +114,7 @@ void options::define(cxxopts::Options& opts)
  ("config-schema", "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false"))
  ("rule-schema", "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false"))
  ("A", "Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
- ("b,print-base64", "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
+ ("b,print-base64", "DEPRECATED: use -o buffer_format_base64=true. Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
  ("cri", "DEPRECATED: use -o container_engines.cri.sockets[]=<socket_path> instead. Path to CRI socket for container metadata. Use the specified <path> to fetch data from a CRI-compatible runtime. If not specified, built-in defaults for commonly known paths are used. This option can be passed multiple times to specify a list of sockets to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "<path>")
  ("disable-cri-async", "DEPRECATED: use -o container_engines.cri.disable_async=true instead. Turn off asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false"))

userspace/falco/app/options.h

@@ -46,7 +46,7 @@ class options {
  bool print_rule_schema = false;
  std::string conf_filename;
  bool all_events = false;
- sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+ bool print_base64 = false;
  std::vector<std::string> cri_socket_paths;
  bool disable_cri_async = false;
  std::vector<std::string> disable_sources;

userspace/falco/config_json_schema.h

@@ -80,6 +80,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
  "time_format_iso_8601": {
  "type": "boolean"
  },
+ "buffer_format_base64": {
+ "type": "boolean"
+ },
  "priority": {
  "type": "string"
  },

userspace/falco/configuration.cpp

@@ -74,6 +74,7 @@ falco_configuration::falco_configuration():
  m_buffered_outputs(false),
  m_outputs_queue_capacity(DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE),
  m_time_format_iso_8601(false),
+ m_buffer_format_base64(false),
  m_output_timeout(2000),
  m_grpc_enabled(false),
  m_grpc_threadiness(0),
@@ -489,6 +490,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
  }
 
  m_time_format_iso_8601 = m_config.get_scalar<bool>("time_format_iso_8601", false);
+ m_buffer_format_base64 = m_config.get_scalar<bool>("buffer_format_base64", false);
 
  m_webserver_enabled = m_config.get_scalar<bool>("webserver.enabled", false);
  m_webserver_config.m_threadiness = m_config.get_scalar<uint32_t>("webserver.threadiness", 0);

userspace/falco/configuration.h

@@ -153,6 +153,7 @@ class falco_configuration {
  bool m_buffered_outputs;
  size_t m_outputs_queue_capacity;
  bool m_time_format_iso_8601;
+ bool m_buffer_format_base64;
  uint32_t m_output_timeout;
 
  bool m_grpc_enabled;