Implement driver loading capabilities in falcoctl

[LucaGuerra]

What would you like to be added:

According to this proposal: /~https://github.com/falcosecurity/falco/blob/master/proposals/20221129-artifacts-distribution.md#deprecate-falco-driver-loader we need a new home for the Falco driver loader. This issue acts as a basic requirement specification for this and as a place for discussion. The issue will be updated with more details as it's being developed.

This issue covers feature parity with the driver loader script. The main required features are:

• Distribution detection
• Ability to download prebuilts from https://download.falco.org
• Ability to compile with the local toolchain (i.e. the one available in the container image or the one in the host)
• Options to select compilation, download or both with fallback
• Options to select kmod or (classic) bpf probe -- the modern ebpf probe does not need a driver loader
• Support for at least debian, ubuntu, amzn, flatcar, minikube, bottlerocket, talos and generic

In addition, the design should allow for other projects using the Falco libs to use falcoctl or import it into their own Go-based tooling, meaning that their strategy to download and build prebuilt could be a little different and the design should still allow for that to work. In addition, it should be easier for contributors to add support for their own favorite distribution, since it has proven to be a bit hard to do the same in the bash script.

Why is this needed:

/~https://github.com/falcosecurity/falco/blob/master/proposals/20221129-artifacts-distribution.md#deprecate-falco-driver-loader

[leogr]

/assign @FedeDP
/assign @LucaGuerra

[FedeDP]

Still missing:

• tests
• fix up driver type names to match new: driver selection in falco.yaml falco#2413 once it get merged (eg: modern-bpf will become modern-ebpf) and eventually other Falco config changes
• Improvements, eg: use unix.lsmod/insmod etc etc instead of exec.Command to reduce exec.Command usages

[FedeDP]

I'd like to tag a 0.7.0-alpha once falcosecurity/falco#2413 is merged and needed changes land in falcoctl, to be able to test Falco with the new driver-loader.

[leogr]

I'd like to tag a 0.7.0-alpha once falcosecurity/falco#2413 is merged and needed changes land in falcoctl, to be able to test Falco with the new driver-loader.

I'll take a look at falcosecurity/falco#2413 soon 👍

[FedeDP]

IMHO we can close this one; Falco master now ships the new driver loader, and tests are ongoing.
Not much development left (except for fixing bugs if they happen).
/close

[poiana]

@FedeDP: Closing this issue.

In response to this:

IMHO we can close this one; Falco master now ships the new driver loader, and tests are ongoing.
Not much development left (except for fixing bugs if they happen).
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.