new(docker,pkg/driverbuilder): use cmake instead of makefile template to build kmod and bpf
#302
Conversation
poiana
added
kind/feature
| git | ||
|
|
||
| # Install cmake3.x (on centos7 `cmake` package installs cmake2.x) | ||
| RUN curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz; \ |
There was a problem hiding this comment.
We need to manually install a cmake 3.x on centos:7.
|
|
||
| cp /driverkit/module-Makefile {{ .DriverBuildDir }}/Makefile | ||
| bash /driverkit/fill-driver-config.sh {{ .DriverBuildDir }} | ||
| mv /tmp/module-download/*/* {{ .DriverBuildDir }} |
There was a problem hiding this comment.
Scripts are a bit different now:
- we move all the stuff under the download libs repo to
{{ .DriverBuildDir }}now, not only thedriversubfolder - we run
cmakewith lots of things disabled. Unfortunately, given that libs only recently gained the ability to build the bpf probe inMINIMAL_BUILDmode, we need to configure the project in full mode, and this requiresgitbecausegrpcandprotobufdeps need to be fetched/cloned. - Then, building is just a matter of calling
make driverandmake bpfwith the correctCCandKERNELDIR.
There was a problem hiding this comment.
I actually really like how much this all simplifies the code, and I think the trade offs are worth it.
|
cc @falcosecurity/driverkit-maintainers |
|
I think this is awesome! Which would you prefer though - we can put this through now, or do #308 first and then rebase this? |
|
Let's go with #308 first! I will split the docker images |
|
I will also need to update the new |
|
Split #309 out of this ! |
FedeDP
force-pushed
the
new/use_cmake
branch
from
6d65cb8
to
826307a
Compare
|
Need more fixes to the new local (as in "internal to containers") module and probe paths (that will now be |
| @@ -55,6 +43,14 @@ type Config struct { | |||
| *Build | |||
| } | |||
|
|
|||
| func (c Config) ToDriverFullPath() string { | |||
| return path.Join(DriverDirectory, "build", "driver", fmt.Sprintf("%s.ko", c.DriverName)) | |||
There was a problem hiding this comment.
We expect the built kmod with cmake to be under /tmp/driver/build/driver/$drivername.ko.
| return path.Join(DriverDirectory, "build", "driver", fmt.Sprintf("%s.ko", c.DriverName)) | ||
| } | ||
|
|
||
| func (c Config) ToProbeFullPath() string { |
There was a problem hiding this comment.
We expect the built probe with cmake to be under /tmp/driver/build/driver/bpf/probe.o.
| {{ if .BuildModule }} | ||
| # Build the module | ||
| cd {{ .DriverBuildDir }} | ||
| make CC=/usr/bin/gcc-{{ .GCCVersion }} KERNELDIR=/tmp/kernel | ||
| mv {{ .ModuleDriverName }}.ko {{ .ModuleFullPath }} |
There was a problem hiding this comment.
We don't need the mv anymore since ModuleFullPath is already the correct path.
| @@ -102,11 +102,11 @@ func (bp *KubernetesBuildProcessor) buildModule(b *builder.Build) error { | |||
| return err | |||
| } | |||
|
|
|||
| if builder.ModuleFullPath != "" { | |||
| if c.ModuleFilePath != "" { | |||
There was a problem hiding this comment.
The following are small fixes in the kubernetes builder. cc @Lowaiz
| @@ -275,15 +255,15 @@ func (bp *KubernetesBuildProcessor) copyModuleAndProbeFromPodWithUID(ctx context | |||
| } | |||
| if p.Status.Phase == corev1.PodRunning { | |||
| slog.With(falcoBuilderUIDLabel, falcoBuilderUID).Info("start downloading module and probe from pod") | |||
| if builder.ModuleFullPath != "" { | |||
| err = copySingleFileFromPod(build.ModuleFilePath, bp.coreV1Client, bp.clientConfig, p.Namespace, p.Name, builder.ModuleFullPath, moduleLockFile) | |||
| if c.ModuleFilePath != "" { | |||
| if err != nil { | ||
| return err | ||
| } | ||
| slog.Info("Kernel Module extraction successful") | ||
| } | ||
| if builder.ProbeFullPath != "" { | ||
| err = copySingleFileFromPod(build.ProbeFilePath, bp.coreV1Client, bp.clientConfig, p.Namespace, p.Name, builder.ProbeFullPath, probeLockFile) | ||
| if c.ProbeFilePath != "" { |
FedeDP
force-pushed
the
new/use_cmake
branch
from
0ea2552
to
6a7fde7
Compare
|
TODO: i need to also fix the |
FedeDP
force-pushed
the
new/use_cmake
branch
2 times, most recently
from
6306d33
to
33d576c
Compare
|
/hold for review |
|
So my vote here is to merge this, try it downstream, and then report back. I love this change, and we're ready to merge it. If something breaks downstream, we can handle it in a separate MR/release |
|
Nice! I will make sure to rebase asap and let the flow go on :) |
… to build kmod and bpf. Signed-off-by: Federico Di Pierro <[email protected]>
Signed-off-by: Federico Di Pierro <[email protected]>
Signed-off-by: Federico Di Pierro <[email protected]>
…` in template scripts. Signed-off-by: Federico Di Pierro <[email protected]>
…ute existing dir path. Moreover, take into account srcDir in local builder: when src-dir is specified, sources do not need to be configured through cmake. Signed-off-by: Federico Di Pierro <[email protected]>
Signed-off-by: Federico Di Pierro <[email protected]>
…e driverversions. In CI, enable multiple driverversions to test that we do not break against old driver versions. Signed-off-by: Federico Di Pierro <[email protected]>
Moreover, add back some now unused cmake variables, ie: * PROBE_NAME * PROBE_VERSION * PROBE_DEVICE_NAME Signed-off-by: Federico Di Pierro <[email protected]>
FedeDP
force-pushed
the
new/use_cmake
branch
from
33d576c
to
13171b6
Compare
Signed-off-by: Federico Di Pierro <[email protected]>
…l` cmd. Moreover, properly fill CmakeCmd for local target too. Signed-off-by: Federico Di Pierro <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: EXONER4TED, FedeDP The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/unhold |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area pkg
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Docker images changes will be split to their own PR if maintainers agree this is the way to go.
Also: while testing i discovered that recent archlinux kmods fail to build (eg: against
6.6.1.arch1-1) even with master images and code.Will investigate further, but it seems we need a builder image with an updated glibc version.
Opened an issue to track that: #303
Does this PR introduce a user-facing change?: