Add guide to disable automatic updates in Falco #1512
youness240 wants to merge 2 commits into falcosecurity:master from
Conversation
This guide explains how to disable automatic updates for the Falco engine and rules, detailing steps for both scenarios: without and with falcoctl. Signed-off-by: Youness Essabri <114389276+youness240@users.noreply.github.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: youness240. The full list of commands accepted by this bot can be found here. Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
Welcome @youness240! It looks like this is your first PR to falcosecurity/falco-website 🎉
Added important note regarding falcoctl and auto-updates. Signed-off-by: Youness Essabri <114389276+youness240@users.noreply.github.com>
Pull request overview
This PR adds comprehensive documentation explaining how to disable automatic updates for both the Falco engine and rules. The guide addresses supply chain security concerns by providing clear instructions for users who want to maintain predictable, pinned configurations.
Key Changes
- Adds new documentation page explaining Falco's default update behavior (no automatic updates)
- Provides instructions for disabling falcoctl automatic updates via configuration files
- Covers scenarios with and without falcoctl tool usage
| @@ -0,0 +1,67 @@ | |||
| # Disabling Automatic Updates in Falco | |||
Missing required Hugo frontmatter. All documentation pages in this repository require YAML frontmatter at the top of the file with fields like title, description, and weight. Without this, the page will not render correctly in the documentation site. Add the frontmatter block before the heading.
| **Important note: When Falco is installed via .deb or .rpm packages, falcoctl is also installed and comes with a systemd service that may have auto-update enabled by default. | ||
| In this scenario, even though Falco itself does not perform any automatic updates, falcoctl may still automatically update rules, plugins, or other artifacts. Therefore, you must ensure that falcoctl auto-update is explicitly disabled.** | ||
|
|
||
| --- |
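Review bot: the note tells the reader to "ensure that falcoctl auto-update is explicitly disabled" but gives no step for the systemd service it mentions; changing `falcoctl.yaml` does not stop a unit that the package already enabled. Add the `systemctl disable --now` step for that unit next to the config change, name the unit so readers can find it, and suggest `systemctl status` on it as the check that the auto-update path is really off.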
Misplaced horizontal rule. The triple dash (---) at line 8 is not valid Markdown separator usage here - it appears to be leftover from where the Hugo frontmatter should be. Since the frontmatter should be added at the top, this line should be removed.
| --- |
|
|
||
| ## If the configuration file already exists : | ||
|
|
||
| 1. Open /etc/falcoctl/falcoctl.yaml (or $HOME/.falcoctl.yaml if using user config). |
Missing backticks for inline code. File paths and environment variables should be formatted with backticks for consistency with documentation conventions. Apply backticks to /etc/falcoctl/falcoctl.yaml and $HOME/.falcoctl.yaml.
| 1. Open /etc/falcoctl/falcoctl.yaml (or $HOME/.falcoctl.yaml if using user config). | |
| 1. Open `/etc/falcoctl/falcoctl.yaml` (or `$HOME/.falcoctl.yaml` if using user config). |
|
|
||
| - artifact.install.enabled: false → prevents falcoctl from **automatically downloading or installing any artifacts** (rules, plugins, drivers) | ||
|
|
||
| - artifact.follow.enabled: false → prevents falcoctl from **tracking or updating any remote artifact indexes** |
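Review bot: please verify that `enabled` is a key falcoctl reads from `falcoctl.yaml`. I believe `artifact.install.enabled` and `artifact.follow.enabled` are values of the Falco Helm chart (they switch the falcoctl init container and sidecar on and off), while in the config file what decides whether anything is fetched is the `refs` list under `artifact.install` and `artifact.follow`. If that is right, a reader who only adds `enabled: false` keeps the default refs and the follow loop still pulls updates, which is the opposite of what the guide promises; either empty the `refs` lists or point to the documented key, and say which falcoctl version the keys apply to. Also, the install bullet says this prevents downloading drivers, but driver handling lives under the separate `falcoctl driver` subcommand, not under `artifact`; drop "drivers" here or cover it separately.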
Missing backticks for inline code. Configuration keys should be formatted with backticks for consistency. Apply backticks to artifact.follow.enabled: false.
| - artifact.follow.enabled: false → prevents falcoctl from **tracking or updating any remote artifact indexes** | |
| - `artifact.follow.enabled: false` → prevents falcoctl from **tracking or updating any remote artifact indexes** |
|
|
||
| - artifact.follow.enabled: false → prevents falcoctl from **tracking or updating any remote artifact indexes** | ||
|
|
||
| - indexes: [] → ensures no external repositories are used |
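Review bot: `indexes: []` alone does not "ensure no external repositories are used": refs in `artifact.install.refs` and `artifact.follow.refs` may be fully qualified OCI references that falcoctl pulls straight from a registry without consulting any index. State that both the index list and the refs lists must be empty, and give the reader a check, for example `falcoctl index list` showing no index after the change.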
Missing backticks for inline code. Configuration keys should be formatted with backticks for consistency. Apply backticks to indexes: [].
| - indexes: [] → ensures no external repositories are used | |
| - `indexes: []` → ensures no external repositories are used |
| ## If the configuration file already exists : | ||
|
|
||
| 1. Open /etc/falcoctl/falcoctl.yaml (or $HOME/.falcoctl.yaml if using user config). | ||
| 2. Ensure the artifact section contains: |
Missing backticks for inline code. The word "artifact" is referring to a YAML configuration section and should be formatted with backticks for consistency.
| 2. Ensure the artifact section contains: | |
| 2. Ensure the `artifact` section contains: |
|
|
||
| **falcoctl** can automatically manage artifacts (rules, plugins, drivers). To disable updates: | ||
|
|
||
| ### If the configuration file does not exist : |
Spacing issue with colon. The heading has a space before the colon which is inconsistent with standard English typography. Remove the space before the colon.
| ### If the configuration file does not exist : | |
| ### If the configuration file does not exist: |
|
|
||
| This configuration guarantees that falcoctl will **not connect to GitHub or any remote registry**, fully disabling automatic updates. | ||
|
|
||
| ## If the configuration file already exists : |
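Review bot: "guarantees that falcoctl will not connect to GitHub or any remote registry" overstates what a config file does. It only changes what `falcoctl artifact` commands do when they read this file; a manual `falcoctl artifact install <ref>` with an explicit reference, an invocation with a different `--config` path, or the packaged systemd unit left enabled still fetches. Reword to "with this configuration falcoctl does not fetch or follow any artifact" and add how to confirm it: the follow unit disabled, and no outbound connection to the registry after a Falco restart.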
Inconsistent heading level. This section header is a level-2 heading (##) while the previous similar section "If the configuration file does not exist" is a level-3 heading (###). They should be at the same level for consistency since they are parallel sections.
| ## If the configuration file already exists : | |
| ### If the configuration file already exists : |
| **Important note: When Falco is installed via .deb or .rpm packages, falcoctl is also installed and comes with a systemd service that may have auto-update enabled by default. | ||
| In this scenario, even though Falco itself does not perform any automatic updates, falcoctl may still automatically update rules, plugins, or other artifacts. Therefore, you must ensure that falcoctl auto-update is explicitly disabled.** |
Missing closing double asterisk for bold text. The bold formatting that starts with "**Important note:" is never closed, which will cause rendering issues.
| **Important note: When Falco is installed via .deb or .rpm packages, falcoctl is also installed and comes with a systemd service that may have auto-update enabled by default. | |
| In this scenario, even though Falco itself does not perform any automatic updates, falcoctl may still automatically update rules, plugins, or other artifacts. Therefore, you must ensure that falcoctl auto-update is explicitly disabled.** | |
| **Important note: When Falco is installed via .deb or .rpm packages, falcoctl is also installed and comes with a systemd service that may have auto-update enabled by default.** | |
| In this scenario, even though Falco itself does not perform any automatic updates, falcoctl may still automatically update rules, plugins, or other artifacts. Therefore, you must ensure that falcoctl auto-update is explicitly disabled. |
Hey @youness240 any update on this? Furthermore, I believe this should be a sub section of https://falco.org/docs/setup/packages/ and instructions should be customized for that specific case. wdyt? |
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 5 comments.
|
|
||
| **falcoctl** can automatically manage artifacts (rules, plugins, drivers). To disable updates: | ||
|
|
||
| ### If the configuration file does not exist : |
The heading should use consistent capitalization. In markdown documentation, section headings typically use sentence case or title case consistently. The colon and space at the end are also unnecessary. This should be: `If the configuration file does not exist`. This maintains consistency with the heading on line 50.
| cat <<EOF > /etc/falcoctl/falcoctl.yaml | ||
| artifact: | ||
| install: | ||
| enabled: false | ||
| follow: | ||
| enabled: false | ||
| indexes: [] | ||
| EOF |
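Review bot: `cat <<EOF > /etc/falcoctl/falcoctl.yaml` silently overwrites an existing file and needs root, which does not fit a step meant for the case where the file does not exist yet. Guard it (`[ -e /etc/falcoctl/falcoctl.yaml ] || ...`) or tell the reader to back up first, and show `sudo tee` or `install -m 0644` since the page targets package installs where `/etc/falcoctl` is root-owned. The `sh` fence is right for this block: the heredoc wrapper is shell, only its body is YAML.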
The code block is incorrectly marked as sh syntax but contains YAML content. This should be:

```yaml
artifact:
  install:
    enabled: false
  follow:
    enabled: false
indexes: []
```

Using the correct language identifier ensures proper syntax highlighting.
| - If install or follow keys are missing, add them with enabled: false | ||
|
|
||
| - This overrides any defaults that would fetch or update rules/plugins automatically | ||
|
|
The list items should use consistent formatting with the explanation on lines 42-46. Consider using bullet points instead of a dash, or ensuring the dash formatting matches markdown list syntax with a space after the dash and before the content. The current format with "- If install..." creates inconsistent visual styling.
| - If install or follow keys are missing, add them with enabled: false | |
| - This overrides any defaults that would fetch or update rules/plugins automatically | |
| 3. If `install` or `follow` keys are missing, add them with `enabled: false`. | |
| 4. This overrides any defaults that would fetch or update rules/plugins automatically. |
| @@ -0,0 +1,67 @@ | |||
| # Disabling Automatic Updates in Falco | |||
This documentation file is missing the required frontmatter (YAML metadata) that all other files in this directory include. The file should start with YAML frontmatter between --- delimiters containing at minimum the title, description, and weight fields. For example:

```yaml
title: Disabling Automatic Updates
description: Learn how to disable automatic updates for Falco engine and rules
weight: [appropriate number]
```

This frontmatter is required for the documentation site to properly render and organize this page.
|
|
||
| This configuration guarantees that falcoctl will **not connect to GitHub or any remote registry**, fully disabling automatic updates. | ||
|
|
||
| ## If the configuration file already exists : |
The heading level hierarchy is inconsistent. Line 26 and line 50 use H3 (###) headings, but they appear to be at the same level as the H2 (##) sections "Without falcoctl" and "With falcoctl". These should be H3 headings nested under the "With falcoctl" section. Consider restructuring as:

```markdown
## With falcoctl
### If the configuration file does not exist
[content...]
### If the configuration file already exists
```

This creates a clearer hierarchy where both scenarios are subsections under the "With falcoctl" section.
| ## If the configuration file already exists : | |
| ### If the configuration file already exists : |
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
| - If install or follow keys are missing, add them with enabled: false | ||
|
|
||
| - This overrides any defaults that would fetch or update rules/plugins automatically | ||
|
|
||
| By explicitly disabling install and follow, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns. |
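Review bot: "addressing supply chain security concerns" needs a qualifier. Turning off `install` and `follow` pins the rule set, but it also means fixes to rules and plugins stop arriving, so a frozen ruleset is its own risk. Tell the reader how to update deliberately afterwards: a manual `falcoctl artifact install` of a specific, reviewed version tag rather than a floating ref, run as part of their change process.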
Missing backticks around configuration key names. For consistency with documentation formatting standards, the key names "install" and "follow" should be formatted with backticks: "install" and "follow".
| - If install or follow keys are missing, add them with enabled: false | |
| - This overrides any defaults that would fetch or update rules/plugins automatically | |
| By explicitly disabling install and follow, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns. | |
| - If `install` or `follow` keys are missing, add them with enabled: false | |
| - This overrides any defaults that would fetch or update rules/plugins automatically | |
| By explicitly disabling `install` and `follow`, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns. |
| - If install or follow keys are missing, add them with enabled: false | ||
|
|
||
| - This overrides any defaults that would fetch or update rules/plugins automatically | ||
|
|
||
| By explicitly disabling install and follow, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns. |
Missing backticks around configuration key names. For consistency with documentation formatting standards, the key names "install" and "follow" should be formatted with backticks: "install" and "follow".
| - If install or follow keys are missing, add them with enabled: false | |
| - This overrides any defaults that would fetch or update rules/plugins automatically | |
| By explicitly disabling install and follow, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns. | |
| - If `install` or `follow` keys are missing, add them with enabled: false | |
| - This overrides any defaults that would fetch or update rules/plugins automatically | |
| By explicitly disabling `install` and `follow`, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns. |
Hey @leogr ! Hope you’re doing well. I think that’s a very good idea, I totally agree 👍 I’ll adapt the documentation to better fit this specific use case. What do you think if I:
Let me know your thoughts! 😃
Not sure about the general case, since it really depends on the installation method.
I don't believe there are other cases where we automatically update rules (and thus no real general case).

Hi @leogr , Yes, agreed that makes sense. I’m currently working on the documentation and restructuring it around those scenarios.
This guide explains how to disable automatic updates for the Falco engine and rules, detailing steps for both scenarios: without and with falcoctl.
What type of PR is this?
/kind content
Any specific area of the project related to this PR?
/area documentation
What this PR does / why we need it:
Adds a clear guide explaining how to disable automatic updates in Falco, which helps users who want predictable environments or pinned rule sets.
Which issue(s) this PR fixes:
Fixes #1511
Special notes for your reviewer:
None