On Friday we released Falco 0.3.0. The biggest change in this release is significantly reduced cpu usage, involving changes in falco as well as the underlying sysdig libraries that falco uses:
* Reordering a rule condition’s operators to put likely-to-fail operators at the beginning and expensive operators at the end. This allows rules to shortcut early when they don’t match. * Adding the ability to perform x in (a, b, c, ...) as a single set membership test instead of individual comparisons between x=a, x=b, etc. * Avoid unnecessary string manipulations. * Using startswith as a string comparison operator when possible. * Use is_open_read/is_open_write when possible instead of searching through open flags. * Group rules by event type, which allows for an initial filter using event type before going through each rule’s condition.All of these changes result in dramatically reduced CPU usage. Here are some comparisons between 0.2.0 and 0.3.0 for the following workloads:
- Phoronix‘s pts/apache and pts/dbench tests.
- Sysdig Cloud Kubernetes Demo: Starts a kubernetes environment using docker with apache and wordpress instances + synthetic workloads.
- Juttle-engine examples: Several elasticsearch, node.js, logstash, mysql, postgres, influxdb instances run under docker-compose.
[table id=1 /]This release also has some other handy changes:
* Add a new output type “program” that writes a formatted event to a configurable program. Each notification results in one invocation of the program. A common use of this output type would be to send an email for every falco notification. * Add the ability to run falco on all events, including events that are flagged with EF_DROP_FALCO. EF_DROP_FALCO events are high-volume, low-value events that are ignored by default to improve performance.For the full set of changes in this release, you can always look at the
Finally, if you want the complete story on Falco, head over to the website and read all about it.
Let us know if you have any issues, and enjoy!