同步操作将从 Gitee 极速下载/falco 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
This document provides the process to create a new Falco release. In addition, it provides information about the versioning of the Falco components. At a high level each Falco release consists of the following main components:
.ko
files).o
files).yaml
files (userspace)One nice trait about releasing separate artifacts for userspace and kernel space is that Falco is amenable to supporting a large array of environments, that is, multiple kernel versions, distros and architectures (see libs
driver - kernel version support matrix). The Falco project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the test-infra repo. The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere.
The Falco project also publishes all sources for each component. In fact, sources are included in the Falco release in the same way as some plugins (k8saudit and cloudtrail) as well as the rules that are shipped together with Falco. This empowers the end user to audit the integrity of the project as well as build kernel drivers for custom kernels or not officially supported kernels / distros (see driverkit for more information). While the Falco project is deeply embedded into an ecosystem of supporting Falco sub-projects that aim to make the deployment of Falco easy, user-friendly, extendible and cloud-native, core Falco is split across two repos, falco (this repo) and libs. The libs
repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines. More details are provided in the Falco Components Versioning section.
Finally, the release process follows a transparent process described in more detail in the following sections and the official Falco docs contain rich information around building, installing and using Falco.
The Falco project publishes all sources and the Falco userspace binaries as GitHub releases.
tgz
, rpm
and deb
Falco binary packages (contains sources, including driver sources, Falco rules as well as k8saudit and cloudtrail plugins)tgz
, zip
source codetgz
, zip
source code+driver
build metadata.
tgz
, zip
source codetgz
, zip
source code, each ruleset is tagged separately in a mono-repo fashion, see the rules release guidelines
Alternatively Falco binaries or plugins can be downloaded from the Falco Artifacts repo.
The Falco project publishes all drivers for each release for all popular kernel versions / distros and x86_64
and aarch64
architectures to the Falco project managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - $(uname -r)
. Pre-compiled drivers are released with a best effort notice. This is because gcc (kmod
) and clang (bpf
) compilers or for example the eBPF verifier are not perfect. More details around driver versioning and driver compatibility are provided in the Falco Components Versioning section. Short preview: If you use the standard Falco setup leveraging driver-loader, driver-loader script will fetch the kernel space artifact (object file) corresponding to the default DRIVER_VERSION
Falco was shipped with.
.ko
files) - all under same driver version directory.o
files) - all under same driver version directoryFalco releases are due to happen 3 times per year. Our current schedule sees a new release by the end of January, May, and September each year. Hotfix releases can happen whenever it's needed.
Changes and new features are grouped in milestones, the milestone with the next version represents what is going to be released.
The release process is mostly automated requiring only a few manual steps to initiate and complete it.
Moreover, we need to assign owners for each release (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the weekly community call.
At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:
libs
(+ driver
) and plugins
components releasesFinally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
Prior to cutting a release the following preparatory steps should take 5 minutes using the GitHub UI.
YYYY-MM-DD
) by looking at the Falco releases
is:pr is:merged closed:>YYYY-MM-DD
filter
is:pr is:merged no:milestone closed:>YYYY-MM-DD
filter ) and add them to the milestone currently undergoing releaseis:pr is:merged no:milestone closed:>YYYY-MM-DD
filter, if any, update those missingAssuming we are releasing a non-patch version (like: Falco 0.34.0), a new release branch needs to be created.
Its naming will be release/M.m.x
; for example: release/0.34.x
.
The same branch will then be used for any eventual cherry pick for patch releases.
For patch releases, instead, the release/M.m.x
branch should already be in place; no more steps are needed.
Double check that any PR that should be part of the tag has been cherry-picked from master!
The release PR is meant to be made against the respective release/M.m.x
branch, then cherry-picked on master.
README.md
updates itself automaticallyrn2md -o falcosecurity -m <version> -r falco
rn2md
emits error try to generate an GitHub OAuth access token and provide it with the -t
flagCHANGELOG.md
Assume M.m.p
is the new version.
Once the release PR has got merged both on the release branch and on master, and the master CI has done its job, git tag the new release on the release branch:
git pull
git checkout release/M.m.x
git tag M.m.p
git push origin M.m.p
N.B.: do NOT use an annotated tag. For reference https://git-scm.com/book/en/v2/Git-Basics-Tagging
Use M.m.p
both as tag version and release title
Use the following template to fill the release description:
<!-- Substitute M.m.p with the current release version -->
| Packages | Download |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| rpm-x86_64 | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-x86_64.rpm) |
| deb-x86_64 | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-x86_64.deb) |
| tgz-x86_64 | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-M.m.p-x86_64.tar.gz) |
| rpm-aarch64 | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-aarch64.rpm) |
| deb-aarch64 | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-aarch64.deb) |
| tgz-aarch64 | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-M.m.p-aarch64.tar.gz) |
| Images |
| --------------------------------------------------------------------------- |
| `docker pull docker.io/falcosecurity/falco:M.m.p` |
| `docker pull public.ecr.aws/falcosecurity/falco:M.m.p` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:M.m.p` |
| `docker pull docker.io/falcosecurity/falco-no-driver:M.m.p` |
<changelog>
<!-- Substitute <changelog> with the one generated by [rn2md](https://github.com/leodido/rn2md) -->
### Statistics
| Merged PRs | Number |
| --------------- | ------ |
| Not user-facing | x |
| Release note | x |
| Total | x |
<!-- Calculate stats and fill the above table -->
#### Release Manager <github handle>
<!-- Substitute GitHub handle with the release manager's one -->
Finally, publish the release!
For each release we archive the meeting notes in git for historical purposes.
release-M.m.p.md
Announce the new release to the world!
This section provides more details around the versioning of all components that make up core Falco. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because the libs
repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines, the libs release doc is an excellent additional resource. In addition, the plugins release doc provides similar details around Falco's plugins. SHA256
checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages.
x.y.z
), see Procedures section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.falco --list -N | sha256sum
has changed. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The primary idea behind the hash is that when new filter / display fields (see currently supported Falco fields) are introduced a version bump indicates that this field was not available in previous engine versions. See the rules release guidelines to understand how this affects the versioning of Falco rules.libs
commit. However, for the official Falco build FALCOSECURITY_LIBS_VERSION
flag that references the stable Libs version is used (read below).DRIVER_VERSION
Falco was shipped with (read more below under Libs).Falco version: x.y.z (sem-ver like)
Libs version: x.y.z (sem-ver like)
Plugin API: x.y.z (sem-ver like)
Engine: x
Driver:
API version: x.y.z (sem-ver)
Schema version: x.y.z (sem-ver)
Default driver: x.y.z+driver (sem-ver like, indirectly encodes compatibility range in addition to default version Falco is shipped with)
x.y.z
) and when building Falco the libs version is set via the FALCOSECURITY_LIBS_VERSION
flag (see above).Default driver
has been introduced to still implicitly declare the compatible driver versions. For example, if the default driver version is 2.0.0+driver
, Falco works with all driver versions >= 2.0.0 and < 3.0.0. This is a consequence of how the driver version is constructed starting from the Driver API version
and Driver Schema version
. Driver API and Schema versions are explained in the respective libs driver doc -> Falco's driver-loader
will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver.x.y.z
)此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。