You are viewing documentation for Falco version: v0.34.1

Falco v0.34.1 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Featured Image for Falco 0.27.0 a.k.a. "The happy 2021 release"
Lorenzo Fontana

Falco 0.27.0 a.k.a. "The happy 2021 release"

Today we announce the release of Falco 0.27.0 🥳

This is the first release of 2021!

You can take a look at the set of changes here:

As usual, in case you just want to try out the stable Falco 0.27.0, you can install its packages following the process outlined in the docs:

Do you rather prefer using the docker images? No problem!

You can read more about running Falco with Docker in the docs.

Important Falco 0.27.0 is the first release that has the container images released also on Amazon ECR. This is not officially supported yet and we are only releasing the falcosecurity/falco image there right now. Thanks to @leodido and @jonahjon!

What's new?

This is not a complete list, for a complete list visit the changelog.

Breaking changes

Before we dive into anything it's important to notice that this Falco release introduces one BREAKING CHANGE. If you rely on running Falco without any configuration file you can't do that anymore. All the official installation methods ships with a default configuration file with them.

Performance notes

The mechanism that handles Falco outputs has been completely rewritten in C++ (Thanks @leogr). Before this release, Falco relied on a mix of Lua and C++ API calls that led to a lot of crosstalk between the engine and the outputs mechanisms. Having a single C++ implementation helps a lot in reducing the crosstalk issue.

Since Lua is gone for the outputs now, the only reason that prevented us from having multi-threaded outputs is also gone. Outputs in Falco 0.27.0 are able to use multiple threads and also have a mechanism to detect when an output is too slow.

An output is "too slow" when it does not allow to deliver an alert within a given deadline, Falco will give an alert from the "internal" data source complaining about that. The default timeout is 200 milliseconds. It can be configured using the output_timeout configuration in falco.yaml.

Everything else!

New website As you can notice, we have a new website! Raji and Lore are the two behind this new restyle with the help of @leogr and @leodido. This new website features a new design, a search bar and a nice dropdown you can use to navigate old Falco releases (Falco 0.26 and 0.27 are the only ones available now).

gRPC changes The Falco gRPC version service now also exposes the Falco engine version.

Rules changes

We have 15 rules changes in this release! As always, our community values the quality of the rules as their top priority. Keeping a sane set of default rules for everyone to benefit is very important for us!

What's next?

We have a scheduled 0.28.0 release on March 18th 2021!

As always, we are going to have bug fixes and improvements.

A feature that is announced to go to 0.28.0 will be the support for structured rules exceptions, a way to define conditions to exclude certain alerts from happening when the exception happens.

You can read @mstemm's proposal here.

Moreover, we are very close to releasing ARM (armv7 and aarch64 builds) of Falco within the next releases. Lore worked on PR#1442 to port Falco to those architectures and Jonahjon is working to make our infrastructure support for building, testing and releasing for those as well.

Let's meet!

As always, we meet every week in our community calls, if you want to know the latest and the greatest you should join us there!

If you have any questions

Thanks to all the amazing contributors! Keep up the good vibes!

Bye!

Lore