This repository automatically runs the Falco scap-open binary on all supported drivers through Ansible, spawning Firecracker microVMs to test Falco drivers against multiple kernels.
You can find the list of machines being used here.
You can find a document explaining the architecture of the solution here. Please read it carefully before deploying it.
The following is the list of main prerequisites, each one annotated with a suggested (tested) version:
- Ansible -> 2.16.3-0ubuntu2
- Firecracker -> 1.13.1
- Docker -> whatever is available
- Golang -> 1.25.4
Example instructions for installing and configuring all needed dependencies, and for configuring host networking, can be found in config_example_amd64.sh. The script is not intended to be run as is: it is only demonstrative, and the user is required to go through it and adapt the different parts to the specific environment.
It is advised to avoid directly modifying the vars.yml file; instead, one can create a local vars.yml file to override keys from the default vars.
The only mandatory thing to be configured is an SSH key pair:

    # Path to the generated SSH private key file
    ssh_key_path: "" # <-- Replace here with the key path
    ssh_key_name: "" # <-- Replace here with the key name

From the ansible-playbooks directory you can run tests on all machines by typing:

    ansible-playbook main-playbook.yml --ask-become --extra-vars "@/path/to/local/vars.yaml"

To rerun tests:

    ansible-playbook scap-open.yml --ask-become --extra-vars "@/path/to/local/vars.yaml"

To clean up all machines:

    ansible-playbook clean-up.yml --ask-become --extra-vars "@/path/to/local/vars.yaml"

To better suit the CI usage, a GitHub composite action has been developed.
Therefore, running kernel-testing in your GitHub workflow is as easy as adding this step:

    - uses: falcosecurity/kernel-testing@main
      # Give it an id to be able to later use its outputs
      id: kernel_tests
      with:
        # libs version to be tested, e.g. master.
        # Default: 'master'
        libsversion: master
        # libs repo to be tested, e.g. falcosecurity/libs.
        # Default: 'falcosecurity/libs'
        libsrepo: falcosecurity/libs
        # Whether to generate matrixes as matrix artifact.
        # Default: false
        build_matrix: 'true'
        # Images tag to be used, in the form vX.Y.Z
        # Required.
        images_tag: 'v0.3.2'

Then you can use action outputs to retrieve artifacts:

    - uses: actions/upload-artifact@latest
      with:
        name: ansible_output
        path: ${{ steps.kernel_tests.outputs.ansible_output }}
    - uses: actions/upload-artifact@latest
      with:
        name: matrix
        path: ${{ steps.kernel_tests.outputs.matrix_output }}

As an example, see the libs reusable workflow.
NOTE: Since we don't use annotated tags, one cannot use e.g. falcosecurity/kernel-testing@v0, but only either an exact tag name or master.
NOTE: Of course, you'll need to run your tests on virtualization-enabled nodes.
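
A preflight check for the prerequisites, the SSH key pair and the virtualization requirement described above, written as an added example that is not part of this repository. The function names, the /dev/kvm device path and the owner-only permission rule for the private key are assumptions of this example.

```shell
#!/bin/sh
# Preflight check (added example, not the repository's own code).
# Usage: . ./preflight.sh && preflight /path/to/private_key

# Print every command from the argument list that is not found on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Succeed only if the path is a character device the current user can read
# and write. Assumption: Firecracker reaches KVM through /dev/kvm.
kvm_usable() {
    [ -c "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# Succeed only if the private key is a regular file with no permission bits
# set for group or other (ssh rejects private keys that others can read).
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1") || return 1
    case "$perms" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: private key path (the ssh_key_path value), $2: KVM device (optional).
preflight() {
    rc=0
    kvm_dev=${2:-/dev/kvm}
    missing=$(missing_tools ansible-playbook firecracker docker go)
    if [ -n "$missing" ]; then
        echo "missing prerequisites:" $missing >&2
        rc=1
    fi
    if ! kvm_usable "$kvm_dev"; then
        echo "KVM device not usable by this user: $kvm_dev" >&2
        rc=1
    fi
    if ! key_is_private "$1"; then
        echo "key missing or accessible to group/other: $1" >&2
        rc=1
    fi
    return $rc
}
```

It only checks that the tools are present; comparing installed versions against the tested versions listed above is left to the operator.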