
Falco in 2020
The scope of this post is to review the progress of Falco and its community during the pandemic year. A year will never forget.
I will try to keep it compact, but Falco, and its community, grown so much this year that I feel like this could be a blog posts series.
2020 was the year we completely and finally put the Falco release process in the open! ๐
When Lorenzo and I joined Sysdig in 2019 it was not.
This was a mandatory requirement that came out from the process to move Falco into the CNCF incubation level.
So yes, 2020 is also the year Falco got accepted as an incubation-level hosted project by the Cloud Native Computing Foundation!
The Falco release process is now open, some Falco maintainers propose themselves during our Community Calls, and they lead the next Falco release, which happens every 2 months. ๐
While moving the release process in the open, we also took the chance to:
- give Falco a clearer and coherent SemVer 2.0 versioning scheme
- separate the Falco drivers version from the Falco version
- rename the drivers in a more coherent way
- reorganize its artifacts
- every merge on the master branch and every new release create Falco packages automatically now and push them to package repositories (tarball, DEB, and RPM) on download.falco.org ๐ฆ
- reorganize its container images
- every merge on the master branch and every new release, automatically build and publish container images on the DockerHub ๐ณ
- soon on the AWS ECR Gallery, too (1512 soon to be merged in!)
- set-up a process to evolve and incubate new Falco projects and community resources in the falcosecurity GitHub organization โ
In case you wanna know more on these topics this and this are the Falco blog posts you need to read.
In the meantime, we built driverkit ๐ to let our users manually prebuild the Falco drivers for their hosts. And we created a Drivers Build Grid using this tool, making it able to run initially on CircleCI, now on our Falco Infra backed by Prow and Kubernetes on AWS.
We finally re-organized the way we store the prebuilt Falco drivers. Take a look at download.falco.org.
Would you rather take a look at the Falco Infra that I mentioned? ๐
Take a look at prow.falco.org. What an awesome outcome!
In case this topic really got you, well you can read all the details in ๐ this blog post I co-authored with Jonah on the AWS Open Source blog.
I want to publicly thank all the Falco Infra WG participants (Spencer, Massimiliano, Lorenzo, Grasso, Umang), especially Jonah from Amazon for all the help he gave and continues to give us as a new maintainer!
Another area that had a huge role in the Falco adoption is the Falco Helm chart. ๐
We internalized, fixed, and constantly improved them. Our community loves them so much that external contributors - like Spencer - help us keep the charts healthy daily.
To not mention falcosidekick. ๐ซ
What Thomas did here to enhance Falco output alerts is just awesome. Listing here all the tools he integrated with the Falco outputs alerts would make this post even longer.
So, please go read this blog post (part #4 ๐) by POP to know more about them.
Since I just mentioned him, and in case you still don't know: POP, my big ItaloAmericano friend, joined us with the intent to help the Falco community and ecosystem shine to unprecedented levels. Make no mistake: he's a great addition to the Falco community.
I presume it's clear now that 2020 was the year the Falco community took off definitely! Innit?
Look how many maintainers we have now by taking a look at this beautiful maintainers.yaml I instructed our Falco Infra to generate. ๐ฅ
We took on board a lot of new external contributors from different companies (IBM, Amazon, Mercari, Hetzner Cloud, DeltaTre, etc.) and they made the difference.
This is the Open Source power, this is what happens when people come together. ๐ค
From a technical point of view, the toughest and most important (IMHO) contribution to Falco was the fix of the Falco eBPF driver back in March developed by Lorenzo and me. ๐ฌ
In fact, as I said, the real issue was in the eBPF VM: it would have impacted many other eBPF programs potentially leading to tedious and dangerous situations.
Anyway, a lot has been done over the past year to improve the Falco core tech too.
The top things (in no particular order) that I can recall right now are (forgive me in case I forget something):
- Fixing the presence of <NA>values in the Falco alerts (1133, 1138, 1140, 1492) ๐ฉบ
- Playing with valgrind to fix various memory leaks ๐ฉ
- Improving the performances of the gRPC Falco Outputs API and making it bi-directional (1241) ๐๐
- The port of the Falco outputs mechanism from Lua to C++ (thanks Grasso for 1412) ๐ง
- Adding other gRPC APIs to the Falco core- Version API
- Stream the drop alerts too with the gRPC Falco Outputs API
 
- Investigating the drops
- 100% statically-linked version of Falco (thanks Lorenzo!) โ
- Build Falco on aarch64 (many thanks to Lorenzo again: 1442) โ
- Userspace instrumentation, making Falco able to run without the kernel module or the eBPF probe- And the first userspace Falco driver - ie., pdig - thanks to Loris and Grzegorz
 
I'm 100% sure I forgot something important. But, given the quantity of Panettone I have eaten today ๐, I consider what I remembered and written here a damn good result for my brain.
A glimpse of 2021
Stay tuned, because 2021 is the year we plan to make Falco programmable by our users. ๐ป
We're writing a real Falco rules language - ie., with a compiler and everything. โ
We're prepping a set of cool C APIs (libhawk maybe?) to let you interact with Falco (starting with its rulesets) while it runs. ๐งช
We're revamping the Falco website (watch falco-website#324).
Get ready to also read a cool new developer's documentation (watch 1513) website and contribute to the Falco core! ๐
