Announcing Falco 0.3.0

By on August 8, 2016
On Friday we released Falco 0.3.0. The biggest change in this release is significantly reduced cpu usage, involving changes in falco as well as the underlying sysdig libraries that falco uses:
  • Reordering a rule condition’s operators to put likely-to-fail operators at the beginning and expensive operators at the end. This allows rules to shortcut early when they don’t match.
  • Adding the ability to perform x in (a, b, c, ...) as a single set membership test instead of individual comparisons between x=a, x=b, etc.
  • Avoid unnecessary string manipulations.
  • Using startswith as a string comparison operator when possible.
  • Use is_open_read/is_open_write when possible instead of searching through open flags.
  • Group rules by event type, which allows for an initial filter using event type before going through each rule’s condition.
All of these changes result in dramatically reduced CPU usage. Here are some comparisons between 0.2.0 and 0.3.0 for the following workloads:
  • Phoronix‘s pts/apache and pts/dbench tests.
  • Sysdig Cloud Kubernetes Demo: Starts a kubernetes environment using docker with apache and wordpress instances + synthetic workloads.
  • Juttle-engine examples: Several elasticsearch, node.js, logstash, mysql, postgres, influxdb instances run under docker-compose.

Workload0.2.0 CPU Usage0.3.0 CPU Usage
pts/apache24%7%
pts/dbench70%5%
Kubernetes-Demo (Running)6%2%
Kubernetes-Demo (During Teardown)15%3%
Juttle-examples3%1%
This release also has some other handy changes:
  • Add a new output type "program" that writes a formatted event to a configurable program. Each notification results in one invocation of the program. A common use of this output type would be to send an email for every falco notification.
  • Add the ability to run falco on all events, including events that are flagged with EF_DROP_FALCO. EF_DROP_FALCO events are high-volume, low-value events that are ignored by default to improve performance.
For the full set of changes in this release, you can always look at the changelog at github.

The release is available via the usual channels–rpm/debian packages, docker hub, github.

Finally, if you want the complete story on Falco, head over to the website and read all about it.

Let us know if you have any issues, and enjoy!



Eager to learn more? Join our webinar Container Troubleshooting with Sysdig

Btw, we are running a webinar discussing the challenges of troubleshooting issues and errors in Docker containers and Kubernetes, like pods in CrashLoopBackOff, join this session and learn:

  • How to gain visibility into Docker containers with Sysdig open source and Sysdig Inspect.
  • Demo: troubleshoot a 502 Bad Gateway error on containerized app with HAproxy.
  • Demo: troubleshoot a web application that mysteriously dies after some time.
  • Demo: Nginx Kubernetes pod goes into CrashLoopBackOff, what's you can do? Will show you how to find the error without SSHin into production servers.

Join Container Troubleshooting with Sysdig webinar


Stay up to date!

Get new articles from this blog (weekly)
Or container ecosystem updates (monthly)

Thanks so much for signing up!
Please check your inbox for a confirmation email.