Build Falco from source
Welcome to the guide on how to build Falco yourself! You are very brave! Since you are already doing all this, chances that you are willing to contribute are high! Please read our contributing guide.
- Install the dependencies
CentOS 8 Stream / RHEL 8
dnf install git gcc gcc-c++ git make cmake elfutils-libelf-devel perl-IPC-Cmd
apt update && apt install git cmake clang build-essential linux-tools-common linux-tools-generic libelf-dev
pacman -S git cmake make gcc wget
pacman -S zlib jq yaml-cpp openssl curl c-ares protobuf grpc libyaml bpf
You'll also need kernel headers for building and making binaries properly.
pacman -S linux-headers
You can use uname -r
to determine the kernel version and select the appropriate header.
Since Alpine ships with musl
instead of glibc
, to build on Alpine, we need to pass the -DMUSL_OPTIMIZED_BUILD=On
CMake option.
If that option is used along with the -DUSE_BUNDLED_DEPS=On
option, then the final build will be 100% statically-linked and portable across different Linux distributions.
apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static binutils bpftool clang
zypper -n install git gcc12 gcc12-c++ cmake make libelf-devel gawk
- Build Falco
git clone https://github.com/falcosecurity/falco.git
cd falco
mkdir -p build
cd build
cmake -DUSE_BUNDLED_DEPS=ON ..
make falco
More details here.
git clone https://github.com/falcosecurity/falco.git
cd falco
mkdir -p build
cd build
cmake -DUSE_BUNDLED_DEPS=On ..
make falco
More details here.
git clone https://github.com/falcosecurity/falco.git
cd falco
mkdir -p build
cd build
cmake ..
make falco
More details here.
git clone https://github.com/falcosecurity/falco.git
cd falco
mkdir -p build
cd build
cmake -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On ..
make falco
First, make sure that gcc
and g++
are version 9 or above. If you have multiple versions installed you can set the preferred one.
git clone https://github.com/falcosecurity/falco.git
cd falco
mkdir -p build
cd build
cmake -DUSE_BUNDLED_DEPS=ON ..
make falco
More details here.
- Build kernel module driver
Kernel headers are required to build the driver.
apt install linux-headers-$(uname -r)
In the build directory:
make driver
NO STEP
In the build directory:
zypper -n install kernel-default-devel
make driver
- Build eBPF driver (optional)
If you do not want to use the kernel module driver you can, alternatively, build the eBPF driver as follows.
In the build directory:
dnf install clang llvm
cmake -DBUILD_BPF=ON ..
make bpf
If you do not want to use the kernel module driver you can, alternatively, build the eBPF driver as follows.
In the build directory:
apt install llvm clang
cmake -DBUILD_BPF=ON ..
make bpf
If you do not want to use the kernel module driver you can, alternatively, build the eBPF driver as follows.
In the build directory:
pacman -S llvm clang
cmake -DBUILD_BPF=ON ..
make bpf
NO STEP
If you do not want to use the kernel module driver you can, alternatively, build the eBPF driver as follows.
In the build directory:
zypper -n install clang llvm
cmake -DBUILD_BPF=ON ..
make bpf
Dependencies
By default Falco build bundles most of its runtime dependencies dynamically.
You can notice this observing that the option USE_BUNDLED_DEPS
is OFF
by default. Which means that, whether applicable, Falco build will try to link against libraries already existing into your machine.
Changing such option to ON
causes Falco build to bundle all the dependencies statically.
Build Falco
To build Falco, you will need to create a build
directory.
It's common to have the build
directory in the Falco working copy itself, however it can be
anywhere in your filesystem.
There are three main steps to compile Falco.
- Create the build directory and enter in it
- Use cmake in the build directory to create the build files for Falco.
..
was used because the source directory is a parent of the current directory, you can also use the absolute path for the Falco source code instead - Build using make
Build all
mkdir build
cd build
cmake ..
make
You can also build only specific targets:
Build Falco only
Do the build folder and cmake setup, then:
make falco
Build the Falco engine only
Do the build folder and cmake setup, then:
make falco_engine
Build libscap only
Do the build folder and cmake setup, then:
make scap
Build libsinsp only
Do the build folder and cmake setup, then:
make sinsp
Build the eBPF probe / kernel driver only
Do the build folder and cmake setup, then:
make driver
Build results
Once Falco is built, the three interesting things that you will find in your build
folder are:
userspace/falco/falco
: the actual Falco binarydriver/src/falco.ko
: the Falco kernel driverdriver/bpf/falco.o
: if you built Falco with eBPF support
If you'd like to build a debug version, run cmake as cmake -DCMAKE_BUILD_TYPE=Debug ..
instead, see the CMake Options section for further customizations.
CMake Options
When doing the cmake
command, we can pass additional parameters to change the behavior of the build files.
Here'are some examples, always assuming your build
folder is inside the Falco working copy.
Generate verbose makefiles
-DCMAKE_VERBOSE_MAKEFILE=On
Specify C and CXX compilers
-DCMAKE_C_COMPILER=$(which gcc) -DCMAKE_CXX_COMPILER=$(which g++)
Enforce bundled dependencies
-DUSE_BUNDLED_DEPS=True
Read more about Falco dependencies here.
Treat warnings as errors
-DBUILD_WARNINGS_AS_ERRORS=True
Specify the build type
Debug build type
-DCMAKE_BUILD_TYPE=Debug
Release build type
-DCMAKE_BUILD_TYPE=Release
Notice this variable is case-insensitive and it defaults to release.
Specify the Falco version
Optionally the user can specify the version he wants Falco to have. Eg.,
-DFALCO_VERSION=0.39.2-dirty
When not explicitly specifying it the build system will compute the FALCO_VERSION
value from the git history.
In case the current git revision has a git tag, the Falco version will be equal to it (without the leading "v" character). Otherwise the Falco version will be in the form 0.<commit hash>[.dirty]
.
Enable eBPF support
-DBUILD_BPF=True
When enabling this you will be able to make the bpf
target after:
make bpf
Load latest falco kernel module
If you have a binary version of Falco installed, an older Falco kernel module may already be loaded. To ensure you are using the latest version, you should unload any existing Falco kernel module and load the locally built version.
Unload any existing kernel module via:
rmmod falco
To load the locally built version, assuming you are in the build
dir, use:
insmod driver/falco.ko
Run falco
Once Falco is built and the kernel module is loaded, assuming you are in the build
dir, you can run falco as:
sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.yaml
By default, falco logs events to standard error.
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.