Merge pull request #2 from Issif/workflow

add workflow to publish the plugin and its rules

Author: x-504

.github/workflows/release.yaml

@@ -0,0 +1,96 @@
+name: Release Plugins
+
+on:
+  push:
+    tags:
+      - '*.*.*'
+  
+env:
+  OCI_REGISTRY: ghcr.io
+  PLUGIN_NAME: nomad
+    
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  publish-oci-artifacts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Falcoctl Repo
+        uses: actions/checkout@v3
+        with:
+          repository: falcosecurity/falcoctl
+          ref: v0.5.1
+          path: tools/falcoctl
+      - name: Setup Golang
+        uses: actions/setup-go@v4
+        with:
+          go-version: '^1.20'
+          cache-dependency-path: tools/falcoctl/go.sum
+      - name: Build falcoctl
+        run: make
+        working-directory: tools/falcoctl
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          path: plugin
+      - name: Build the plugin
+        run: make build
+        working-directory: plugin
+      - id: StringRepoName
+        uses: ASzc/change-string-case-action@v5
+        with:
+          string: ${{ github.repository }}
+      - name: Upload OCI artifacts to GitHub packages
+        run: |
+              MAJOR=$(echo ${{ github.ref_name }} | cut -f1 -d".")
+              MINOR=$(echo ${{ github.ref_name }} | cut -f1,2 -d".")
+              DIR=$(pwd)
+
+              cd plugin/
+              $DIR/tools/falcoctl/falcoctl registry push \
+              ${{ env.OCI_REGISTRY }}/${{ steps.StringRepoName.outputs.lowercase }}/plugin/${{ env.PLUGIN_NAME }}:${{ github.ref_name }} \
+              --config /dev/null \
+              --type plugin \
+              --version "${{ github.ref_name }}" \
+              --tag latest --tag $MAJOR --tag $MINOR \
+              --platform linux/amd64 \
+              --requires plugin_api_version:2.0.0 \
+              --depends-on ${{ env.PLUGIN_NAME }}-rules:${{ github.ref_name }} \
+              --name ${{ env.PLUGIN_NAME }} \
+              lib${{ env.PLUGIN_NAME }}.so
+              
+              cd rules/
+              $DIR/tools/falcoctl/falcoctl registry push \
+              ${{ env.OCI_REGISTRY }}/${{ steps.StringRepoName.outputs.lowercase }}/ruleset/${{ env.PLUGIN_NAME }}:${{ github.ref_name }} \
+              --config /dev/null \
+              --type rulesfile \
+              --version "${{ github.ref_name }}" \
+              --tag latest --tag $MAJOR --tag $MINOR \
+              --depends-on ${{ env.PLUGIN_NAME }}:${{ github.ref_name }} \
+              --name ${{ env.PLUGIN_NAME }}-rules \
+              ${{ env.PLUGIN_NAME }}_rules.yaml
+        env:
+          FALCOCTL_REGISTRY_AUTH_BASIC: ${{ env.OCI_REGISTRY }},${{ github.repository_owner }},${{ secrets.GITHUB_TOKEN }}
+
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Setup Golang
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.19'
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          version: latest
+          args: release --clean --timeout 120m
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LDFLAGS: "-buildmode=c-shared"
+          GOPATH: /home/runner/go

.goreleaser.yml

@@ -0,0 +1,12 @@
+builds:
+  - env:
+      - GODEBUG=cgocheck=0
+    main: ./plugin
+    binary: libnomad.so
+    goos:
+      - linux
+    goarch:
+      - amd64
+    flags: -buildmode=c-shared
+checksum:
+  name_template: "checksums.txt"

Makefile

@@ -3,17 +3,21 @@ GO ?= go
 
 NAME := nomad
 OUTPUT := lib$(NAME).so
+DESTDIR := /usr/share/falco/plugins
 
 ifeq ($(DEBUG), 1)
     GODEBUGFLAGS= GODEBUG=cgocheck=2
 else
     GODEBUGFLAGS= GODEBUG=cgocheck=0
 endif
 
-all: $(OUTPUT)
+all: build
 
 clean:
-	@rm -f $(OUTPUT)
+	@rm -f lib$(NAME).so
 
-$(OUTPUT): 
-	@$(GODEBUGFLAGS) $(GO) build -buildmode=c-shared -o $(OUTPUT) ./plugin
+build: clean
+	@$(GODEBUGFLAGS) $(GO) build -buildmode=c-shared -buildvcs=false -o $(OUTPUT) ./plugin
+
+install: build
+	mv $(OUTPUT) $(DESTDIR)/

go.mod

@@ -0,0 +1,22 @@
+module github.com/albertollamaso/nomad-plugin
+
+go 1.20
+
+require (
+	github.com/alecthomas/jsonschema v0.0.0-20220216202328-9eeeec9d044b
+	github.com/falcosecurity/plugin-sdk-go v0.7.1
+	github.com/hashicorp/nomad/api v0.0.0-20230615131811-288ff2f0c437
+)
+
+require (
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/hashicorp/cronexpr v1.1.1 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/iancoleman/orderedmap v0.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
+)

go.sum

@@ -0,0 +1,55 @@
+github.com/alecthomas/jsonschema v0.0.0-20220216202328-9eeeec9d044b h1:doCpXjVwui6HUN+xgNsNS3SZ0/jUZ68Eb+mJRNOZfog=
+github.com/alecthomas/jsonschema v0.0.0-20220216202328-9eeeec9d044b/go.mod h1:/n6+1/DWPltRLWL/VKyUxg6tzsl5kHUCcraimt4vr60=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/falcosecurity/plugin-sdk-go v0.7.1 h1:tVi5MdQ9dq6i5f5R29ufhsgKs0gYOXLZQ4d83gEbanE=
+github.com/falcosecurity/plugin-sdk-go v0.7.1/go.mod h1:NP+y22DYOS+G3GDXIXNmzf0CBL3nfPPMoQuHvAzfitQ=
+github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/hashicorp/cronexpr v1.1.1 h1:NJZDd87hGXjoZBdvyCF9mX4DCq5Wy7+A/w+A7q0wn6c=
+github.com/hashicorp/cronexpr v1.1.1/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/nomad/api v0.0.0-20230615131811-288ff2f0c437 h1:zKGebmv70+p0/vEqhnpCSUvMGgmNvwaeNd8f9ElChIs=
+github.com/hashicorp/nomad/api v0.0.0-20230615131811-288ff2f0c437/go.mod h1:Xjd3OXUTfsWbCCBsQd3EdfPTz5evDi+fxqdvpN+WqQg=
+github.com/iancoleman/orderedmap v0.0.0-20190318233801-ac98e3ecb4b0/go.mod h1:N0Wam8K1arqPXNWjMo21EXnBPOPp36vB07FNRdD2geA=
+github.com/iancoleman/orderedmap v0.2.0 h1:sq1N/TFpYH++aViPcaKjys3bDClUEU7s5B+z6jq8pNA=
+github.com/iancoleman/orderedmap v0.2.0/go.mod h1:N0Wam8K1arqPXNWjMo21EXnBPOPp36vB07FNRdD2geA=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/shoenig/test v0.6.6 h1:Oe8TPH9wAbv++YPNDKJWUnI8Q4PPWCx3UbOfH+FxiMU=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.3.1-0.20190311161405-34c6fa2dc709/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

index.yaml

@@ -0,0 +1,26 @@
+- name: nomad
+  type: plugin
+  registry: ghcr.io
+  repository: albertollamaso/nomad-plugin/plugin/nomad
+  description: Reads events from Nomad
+  home: https://github.com/albertollamaso/nomad-plugin
+  keywords:
+    - nomad
+  license: Apache-2.0
+  maintainers:
+    - name: Alberto Llamas
+  sources:
+    - https://github.com/albertollamaso/nomad-plugin
+- name: nomad-rules
+  type: rulesfile
+  registry: ghcr.io
+  repository: albertollamaso/nomad-plugin/ruleset/nomad
+  description: Rules for the Nomad plugin
+  home: https://github.com/albertollamaso/nomad-plugin/tree/main/rules
+  keywords:
+    - nomad
+  license: Apache-2.0
+  maintainers:
+    - name: Alberto Llamas
+  sources:
+    - https://github.com/albertollamaso/nomad-plugin/tree/main/rules/nomad_rules.yaml

pkg/nomad/plugin.go

@@ -10,11 +10,11 @@ const (
 	// note: 999 is for development only. Once released, plugins need to
 	// get assigned an ID in the public Falcosecurity registry.
 	// See: https://github.com/falcosecurity/plugins#plugin-registry
-	PluginID          uint32 = 999
+	PluginID          uint32 = 10
 	PluginName               = "nomad"
 	PluginDescription        = "Falcosecurity Nomad Plugin"
 	PluginContact            = "github.com/albertollamaso/nomad-plugin"
-	PluginVersion            = "0.1.0"
+	PluginVersion            = "0.2.0"
 	PluginEventSource        = "nomad"
 )
 

rules/nomad_rules.yaml

@@ -3,9 +3,9 @@
 
 - required_plugin_versions:
   - name: nomad
-    version: 0.1.0
-  - name: json
     version: 0.2.0
+  - name: json
+    version: 0.7.0
 
 - macro: nomad_alloc_updated
   condition: nomad.event.topic="Allocation"