From d534324b2379c5de536215068c85135205c8aca6 Mon Sep 17 00:00:00 2001 From: Melissa Kilby Date: Tue, 16 Jan 2024 16:14:22 +0000 Subject: [PATCH 1/3] update!(config): add deprecation notice for syscall_event_drops Signed-off-by: Melissa Kilby --- falco.yaml | 4 ++-- userspace/falco/app/actions/load_config.cpp | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/falco.yaml b/falco.yaml index c66d943d8ee..d1bec1277a0 100644 --- a/falco.yaml +++ b/falco.yaml @@ -61,7 +61,7 @@ # Falco logging / alerting / metrics related to software functioning (advanced) # output_timeout # syscall_event_timeouts -# syscall_event_drops +# syscall_event_drops [DEPRECATED] -> Use `metrics` instead, `syscall_event_drops` will be removed in Falco 0.38! # metrics # Falco performance tuning (advanced) # syscall_buf_size_preset [DEPRECATED] -> Replaced by `engine..buf_size_preset` starting Falco 0.38! @@ -792,7 +792,7 @@ output_timeout: 2000 syscall_event_timeouts: max_consecutives: 1000 -# [Stable] `syscall_event_drops` +# [Stable] `syscall_event_drops` -> Use `metrics` instead, `syscall_event_drops` will be removed in Falco 0.38! # # Generates "Falco internal: syscall event drop" rule output when `priority=debug` at minimum # diff --git a/userspace/falco/app/actions/load_config.cpp b/userspace/falco/app/actions/load_config.cpp index 2433edcb10e..bb840153d2e 100644 --- a/userspace/falco/app/actions/load_config.cpp +++ b/userspace/falco/app/actions/load_config.cpp @@ -41,6 +41,12 @@ static falco::app::run_result apply_deprecated_options(falco::app::state& s) return run_result::fatal("You can not specify more than one of -e, -g (--gvisor-config), --modern-bpf, --nodriver, and the FALCO_BPF_PROBE env var"); } + if(s.config->m_min_priority == falco_common::PRIORITY_DEBUG) + { + falco_logger::log(falco_logger::level::WARNING, + "DEPRECATION NOTICE: 'syscall_event_drops' config is deprecated and will be removed in Falco 0.38! Use 'metrics' config instead. Note that the 'syscall_event_drops' config is enabled by default when the 'priority' is set to 'debug'. You can turn it off by setting the 'priority' to any higher level\n"); + } + // Please note: is not possible to mix command line options and configs to obtain a configuration // we need to use only one method. For example, is not possible to set the gvisor-config through // the command line and the gvisor-root through the config file. For this reason, if we detect From 9223e1dbd6b99a4fd2ed88de5f48224514fd8298 Mon Sep 17 00:00:00 2001 From: Melissa Kilby Date: Tue, 23 Jan 2024 17:45:31 +0000 Subject: [PATCH 2/3] cleanup(configs): adjust old stats deprecation notice Co-authored-by: Andrea Terzolo Signed-off-by: Melissa Kilby --- userspace/falco/app/actions/load_config.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/userspace/falco/app/actions/load_config.cpp b/userspace/falco/app/actions/load_config.cpp index bb840153d2e..0b6f822001a 100644 --- a/userspace/falco/app/actions/load_config.cpp +++ b/userspace/falco/app/actions/load_config.cpp @@ -44,7 +44,7 @@ static falco::app::run_result apply_deprecated_options(falco::app::state& s) if(s.config->m_min_priority == falco_common::PRIORITY_DEBUG) { falco_logger::log(falco_logger::level::WARNING, - "DEPRECATION NOTICE: 'syscall_event_drops' config is deprecated and will be removed in Falco 0.38! Use 'metrics' config instead. Note that the 'syscall_event_drops' config is enabled by default when the 'priority' is set to 'debug'. You can turn it off by setting the 'priority' to any higher level\n"); + "DEPRECATION NOTICE: 'syscall_event_drops' config is deprecated and will be removed in Falco 0.38! If you rely on this config, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' to monitor the number of drops. Note that the 'syscall_event_drops' config is enabled by default when the 'priority' is set to 'debug'. You can turn it off by setting the 'priority' to any higher level\n"); } // Please note: is not possible to mix command line options and configs to obtain a configuration From 0330cee35d9b93c38cd731c45204a7a819d91cf9 Mon Sep 17 00:00:00 2001 From: Melissa Kilby Date: Wed, 24 Jan 2024 16:19:26 +0000 Subject: [PATCH 3/3] update(config): soft deprecation of old stats add CHANGE NOTICE wrt syscall_event_drops Co-authored-by: Leonardo Grasso Signed-off-by: Melissa Kilby --- falco.yaml | 4 ++-- userspace/falco/app/actions/load_config.cpp | 6 ------ 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/falco.yaml b/falco.yaml index d1bec1277a0..9334dfa7c84 100644 --- a/falco.yaml +++ b/falco.yaml @@ -61,7 +61,7 @@ # Falco logging / alerting / metrics related to software functioning (advanced) # output_timeout # syscall_event_timeouts -# syscall_event_drops [DEPRECATED] -> Use `metrics` instead, `syscall_event_drops` will be removed in Falco 0.38! +# syscall_event_drops -> [CHANGE NOTICE] Automatic notifications will be simplified in Falco 0.38! If you depend on the detailed drop counters payload, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' instead # metrics # Falco performance tuning (advanced) # syscall_buf_size_preset [DEPRECATED] -> Replaced by `engine..buf_size_preset` starting Falco 0.38! @@ -792,7 +792,7 @@ output_timeout: 2000 syscall_event_timeouts: max_consecutives: 1000 -# [Stable] `syscall_event_drops` -> Use `metrics` instead, `syscall_event_drops` will be removed in Falco 0.38! +# [Stable] `syscall_event_drops` -> [CHANGE NOTICE] Automatic notifications will be simplified in Falco 0.38! If you depend on the detailed drop counters payload, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' instead # # Generates "Falco internal: syscall event drop" rule output when `priority=debug` at minimum # diff --git a/userspace/falco/app/actions/load_config.cpp b/userspace/falco/app/actions/load_config.cpp index 0b6f822001a..2433edcb10e 100644 --- a/userspace/falco/app/actions/load_config.cpp +++ b/userspace/falco/app/actions/load_config.cpp @@ -41,12 +41,6 @@ static falco::app::run_result apply_deprecated_options(falco::app::state& s) return run_result::fatal("You can not specify more than one of -e, -g (--gvisor-config), --modern-bpf, --nodriver, and the FALCO_BPF_PROBE env var"); } - if(s.config->m_min_priority == falco_common::PRIORITY_DEBUG) - { - falco_logger::log(falco_logger::level::WARNING, - "DEPRECATION NOTICE: 'syscall_event_drops' config is deprecated and will be removed in Falco 0.38! If you rely on this config, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' to monitor the number of drops. Note that the 'syscall_event_drops' config is enabled by default when the 'priority' is set to 'debug'. You can turn it off by setting the 'priority' to any higher level\n"); - } - // Please note: is not possible to mix command line options and configs to obtain a configuration // we need to use only one method. For example, is not possible to set the gvisor-config through // the command line and the gvisor-root through the config file. For this reason, if we detect