8000 Do not build eBPF non CO-RE object during tracee-ebpf execution by rafaeldtinoco · Pull Request #1273 · aquasecurity/tracee · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Do not build eBPF non CO-RE object during tracee-ebpf execution #1273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Jan 17, 2022
Merged

Do not build eBPF non CO-RE object during tracee-ebpf execution #1273

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
d3d867f
tracee-ebpf: remove run-time non CO-RE eBPF obj build logic
rafaeldtinoco Dec 16, 2021
d01edc4
builder: Dockerfile for tracee-{core,nocore}
rafaeldtinoco Dec 20, 2021
88f67e5
builder: Rename Makefile.docker to Makefile.tracee-make
rafaeldtinoco Dec 21, 2021
8449134
builder: fix Makefile.{mkdocs,tracee-make} help examples
rafaeldtinoco Dec 21, 2021
7292461
builder: create Makefile.tracee
rafaeldtinoco Dec 21, 2021
dc1e029
builder/Makefile.tracee-make: pass BTFHUB environment var through
rafaeldtinoco Jan 10, 2022
c238736
builder/Dockerfile.ubuntu-tracee-make: upgrade to impish
rafaeldtinoco Jan 14, 2022
04ce772
3rdparty/btfhub.sh: remove amzn2 kernels from btfhub build
rafaeldtinoco Jan 14, 2022
cdd0ecc
Makefile.tracee: to have official 3 container flavors
rafaeldtinoco Jan 14, 2022
faf2df0
Makefile.one: fix test-tracee-rules checkver dependency
rafaeldtinoco Jan 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion .dockerignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
./dist/*
./tracee-ebpf/dist/*
./tracee-rules/dist/*
./tracee-rules/dist/*
./3rdparty/btfhub
./3rdparty/btfhub/*
./3rdparty/btfhub-archive
./3rdparty/btfhub-archive/*
2 changes: 2 additions & 0 deletions 3rdparty/btfhub.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ cd ${BTFHUB_DIR}
# remove BTFs for:
# - centos7 & v4.15 kernels: unsupported eBPF features
# - fedora 29 & 30 (from 5.3 and on) and newer: already have BTF embedded
# - amzn2: older than 4.19
#

rsync -avz \
Expand All @@ -91,6 +92,7 @@ rsync -avz \
--exclude="fedora/33*" \
--exclude="fedora/34*" \
--exclude="4.15*" \
--exclude="amzn*" \
./archive/

# cleanup unneeded architectures
Expand Down
30 changes: 27 additions & 3 deletions Makefile.one
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,6 +213,11 @@ help:
@echo "$ make tracee-rules # build ./dist/tracee-rules"
@echo "$ make rules # build ./dist/rules"
@echo ""
@echo "# install"
@echo ""
@echo "$ make install-bpf-nocore # install BPF no CO-RE obj into /tmp/tracee"
@echo "$ make uninstall-bpf-nocore # uninstall BPF no CO-RE obj from /tmp/tracee"
@echo ""
@echo "# clean"
@echo ""
@echo "$ make clean # wipe ./dist/"
Expand Down Expand Up @@ -284,10 +289,9 @@ LIBBPF_LDLAGS =
LIBBPF_SRC = ./3rdparty/libbpf/src

$(OUTPUT_DIR)/libbpf/libbpf.a: \
.checkver_$(CMD_CLANG) \
$(LIBBPF_SRC) \
$(wildcard $(LIBBPF_SRC)/*.[ch]) \
| $(OUTPUT_DIR)
| .checkver_$(CMD_CLANG) $(OUTPUT_DIR)
#
CC="$(CMD_CLANG)" \
CFLAGS="$(LIBBPF_CFLAGS)" \
Expand Down Expand Up @@ -372,6 +376,26 @@ clean-bpf-nocore:
#
$(CMD_RM) -rf $(OUTPUT_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o

TMP_DIR = /tmp/tracee

.PHONY: install-bpf-nocore
.ONESHELL:
install-bpf-nocore: \
$(OUTPUT_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o \
| .check_$(CMD_INSTALL) \
.check_$(CMD_RM) \
.check_$(CMD_MKDIR) \
#
@$(CMD_MKDIR) -p $(TMP_DIR)
$(CMD_RM) -f $(TMP_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o
$(CMD_INSTALL) -m 0640 $(OUTPUT_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o $(TMP_DIR)

.PHONY: uninstall-bpf-nocore
uninstall-bpf-nocore: \
| .check_$(CMD_RM)
#
$(CMD_RM) -f $(TMP_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o

#
# co-re ebpf
#
Expand Down Expand Up @@ -540,7 +564,7 @@ clean-tracee-rules:
$(CMD_RM) -rf $(OUTPUT_DIR)/tracee-rules

.PHONY: test-tracee-rules
test-tracee-rules:
test-tracee-rules: \
.checkver_$(CMD_GO)
#
$(GO_ENV_RULES) $(CMD_GO) test \
Expand Down
145 changes: 145 additions & 0 deletions builder/Dockerfile.alpine-tracee
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,145 @@
################################################################################
# INSTRUCTIONS
################################################################################
#
# This Dockerfile is meant to build the official tracee containers.
#
# 1. BUILDING tracee container:
#
# $ docker build -f builder/Dockerfile.alpine-tracee \
# --build-arg=BTFHUB=[0|1] \
# --build-arg=FLAVOR=[tracee-core|tracee-nocore] \
# -t alpine-tracee:latest \
# .
#
# 2. RUNNING tracee container:
#
# 2.1 tracee-core:
#
# $ docker run --privileged --pid=host \
# -v /etc/os-release:/etc/os-release-host:ro \
# -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
# -e TRACEE_EBPF_ONLY=0 \
# --rm -it alpine-tracee [arguments | --help]
#
# 2.2 tracee-nocore:
#
# $ docker run --privileged --pid=host \
# -v /etc/os-release:/etc/os-release-host:ro \
# -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
# -v /usr/src:/usr/src:ro \
# -v /lib/modules:/lib/modules:ro \
# -e TRACEE_EBPF_ONLY=0 \
# -e FORCE_CORE=0 \
# --rm -it alpine-tracee [arguments | --help]
#
# Notes:
#
# - TRACEE_EBPF_ONLY=1 will execute "tracee-ebpf" instead of "tracee".
# - FORCE_CORE=1 will force CORE obj loading in a tracee-nocore container.
#
################################################################################

# FLAVOR(s):
#
# tracee-core entrypoint: tracee-ebpf + tracee-rules
# tracee-nocore entrypoint: install-bpf-nocore + tracee-ebpf + tracee-rules

ARG BTFHUB=0
ARG FLAVOR=tracee-ebpf-core

#
# tracee-base
#

FROM alpine:3.15 as tracee-base
USER root

# install base environment

RUN apk --no-cache update && \
apk --no-cache add sudo curl && \
apk --no-cache add libelf zlib && \
apk --no-cache add libc6-compat && \
curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.33.1/opa_linux_amd64_static && \
chmod 755 /usr/bin/opa

#
# tracee-make-base
#

FROM tracee-base as tracee-make-base
USER root

# install needed environment

RUN apk --no-cache update && \
apk --no-cache add bash git rsync && \
apk --no-cache add coreutils findutils && \
apk --no-cache add llvm clang go make gcc && \
apk --no-cache add musl-dev && \
apk --no-cache add linux-headers && \
apk --no-cache add elfutils-dev && \
apk --no-cache add libelf-static && \
apk --no-cache add zlib-static

#
# tracee-make
#

FROM tracee-make-base as tracee-make
ARG BTFHUB
USER root
ENV HOME /tracee
WORKDIR /tracee

COPY . /tracee

RUN make -f Makefile.one clean && \
BTFHUB=$BTFHUB make -f Makefile.one tracee-ebpf && \
make -f Makefile.one tracee-rules && \
make -f Makefile.one rules

#
# tracee-core (tracee-base as base)
#

FROM tracee-base as tracee-core
USER root
ENV HOME /tracee
WORKDIR /tracee

COPY --from=tracee-make /tracee/dist/tracee-ebpf /tracee
COPY --from=tracee-make /tracee/dist/tracee-rules /tracee
COPY --from=tracee-make /tracee/dist/rules/ /tracee/rules/
COPY --from=tracee-make /tracee/builder/tracee.sh /tracee/entrypoint.sh

ENTRYPOINT ["/tracee/entrypoint.sh"]

#
# tracee-nocore (tracee-make as base)
#

FROM tracee-make-base as tracee-nocore
USER root
ENV HOME /tracee
WORKDIR /tracee

COPY --from=tracee-make /tracee /tracee/src
COPY --from=tracee-make /tracee/dist/tracee-ebpf /tracee
COPY --from=tracee-make /tracee/dist/tracee-rules /tracee
COPY --from=tracee-make /tracee/dist/rules/ /tracee/rules
COPY --from=tracee-make /tracee/builder/tracee.sh /tracee/entrypoint.sh

ENTRYPOINT ["/tracee/entrypoint.sh"]

#
# tracee
#

FROM $FLAVOR
USER root
ENV HOME /tracee
WORKDIR /tracee

# vi:syntax=dockerfile:expandtab:tabstop=4:shiftwidth=4:softtabstop=4
8 changes: 8 additions & 0 deletions builder/Dockerfile.alpine-tracee-make
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,11 @@
################################################################################
# INSTRUCTIONS
################################################################################
#
# This Dockerfile is meant to create a building/exec environment for tracee.
#
################################################################################

FROM alpine:3.15

ARG uid=1000
Expand Down
10 changes: 9 additions & 1 deletion builder/Dockerfile.ubuntu-tracee-make
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,12 @@
FROM ubuntu:hirsute
################################################################################
# INSTRUCTIONS
################################################################################
#
# This Dockerfile is meant to create a building/exec environment for tracee.
#
################################################################################

FROM ubuntu:impish

ARG uid=1000
ARG gid=1000
Expand Down
6 changes: 3 additions & 3 deletions builder/Makefile.mkdocs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,15 +36,15 @@ help:
@echo ""
@echo "To build the mkdocs docker container:"
@echo ""
@echo " $ make -f builder/Makefile.mkdocs mkdocs-build"
@echo " $$ make -f builder/Makefile.mkdocs mkdocs-build"
@echo ""
@echo "To serve mkdocs through mkdocks container:"
@echo ""
@echo " $ make -f builder/Makefile.mkdocs mkdocs-serve"
@echo " $$ make -f builder/Makefile.mkdocs mkdocs-serve"
@echo ""
@echo "Or simply:"
@echo ""
@echo " $ make -f builder/Makefile.mkdocs"
@echo " $$ make -f builder/Makefile.mkdocs"
@echo ""

#
Expand Down
Loading
0