This repository automatically runs Falco scap-open binary on all supported drivers through Ansible, spawning Firecracker microVMs to test Falco drivers against multiple kernels.
You can find list of machines being used here.
- Install Ansible
- Install Ignite from
therealbobo
fork (usemain
branch): https://github.com/therealbobo/ignite; just issuemake
and thensudo make install
to install everything needed under/usr/local/
. - Install ignite CNI plugins by following this guide: https://ignite.readthedocs.io/en/stable/installation/#cni-plugins:
export CNI_VERSION=v0.9.1
export ARCH=$([ $(uname -m) = "x86_64" ] && echo amd64 || echo arm64)
sudo mkdir -p /opt/cni/bin
curl -sSL https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz | sudo tar -xz -C /opt/cni/bin
It is advised to avoid directly modifying vars.yml
file;
instead one can create a local vars.yml file to override keys from the default vars.
The only mandatory thing to be configured is an ssh key pair:
#Path to the generated SSH private key file
ssh_key_path: "" # <-- Replace here with the key path
ssh_key_name: "" # <-- Replace here with the key name
From the ansible-playbooks
directory you can run tests on all machines by typing:
ansible-playbook main-playbook.yml --ask-become --extra-vars "@/path/to/local/vars.yaml"
To rerun tests:
ansible-playbook scap-open.yml --ask-become --extra-vars "@/path/to/local/vars.yaml"
To cleanup all machines
ansible-playbook clean-up.yml --ask-become --extra-vars "@/path/to/local/vars.yaml"
To better suit the CI usage, a Github composite action has been developed.
Therefore, running kernel-testing in your Github workflow is as easy as adding this step:
- uses: falcosecurity/kernel-testing@main
# Give it an id to be able to later use its outputs
id: kernel_tests
with:
# libs version to be tested, eg: master.
# Default: 'master'
libsversion: master
# libs repo to be tested, eg: falcosecurity/libs.
# Default: 'falcosecurity/libs'
libsrepo: falcosecurity/libs
# Whether to generate matrixes as matrix artifact.
# Default: false
build_matrix: 'true'
Then you can use action outputs to retrieve artifacts:
- uses: actions/upload-artifact@latest
with:
name: ansible_output
path: ${{ steps.kernel_tests.outputs.ansible_output }}
- uses: actions/upload-artifact@latest
with:
name: matrix
path: ${{ steps.kernel_tests.outputs.matrix_output }}
As an example, see libs reusable workflow.
NOTE: Since we don't use annotated tags, one cannot use eg: falcosecurity/kernel-testing@v0, but only either exact tag name or master.
NOTE: Of course, you'll need to run your tests on virtualization-enabled nodes.