[TRACKING] Falco 0.42 Release #3677
Description
We will keep this issue updated with the current status and progress.
Date
Original due date: Sept 29th 2025
Target release date: Oct 22th 2025
Pending items
Items required to finalize Falco 0.42, which are still under finalization.
- Drop enter initiative
- libs
- [Tracking] Drop syscall enter events libs#2588
- feat(userspace/libscap)!: add
C_INSTR_FROM_CALLBACKconverter support libs#2644 - chore(userspace/libsinsp): mark
evt.diras deprecated libs#2651 - feat!: drop scap files' enter events not eligible for scap conversion libs#2653
- feat!: simplify scap-converter returned codes and stop propagating events by default to upper layers libs#2657
- feat!: stabilize
EF_TMP_CONVERTER_MANAGEDasEF_CONVERTER_MANAGEDlibs#2659 - feat!: drop unused events in scap converter libs#2661
- refactor: clean parser's reset logic libs#2664
- feat!: make
PPME_SOCKET_{SEND,RECV}MMSG_X"scap converter"-managed libs#2665 - fix(userspace/libscap): push default param as evt result in converter libs#2668
- feat(userspace/libsinsp/parsers)!: drop redundant connect_x code libs#2673
- chore(cmake/modules): bump container plugin to v0.4.0-rc1 libs#2680
- chore!: drop remaining
evt.dirrefs in default output fmt and tests libs#2681 - Handle extracting of the fd argument for the exit events flagged with EF_USES_FD libs#2555
- add OLD_VERSION to/filtering ~all enter events
- TOCTOU-related events
- feat!: make enter events related to TOCTOU mitigation "scap converter"-managed libs#2649
- do not propagate TOCTOU-related events beyond the parsing layer
- Refactor handling of 0-length event params
- feat!: bump schema version to
4.0.0libs#2675 - add schema version checking API for plugins
- rules
- falco
schema version checking for pluginthis should be addressed entirely by libs- feat(engine): emit warning when a condition uses deprecated "evt.dir" #3690
- feat(engine): emit warning when a rule output uses deprecated "evt.dir" #3697
- container plugin
- k8smeta plugin
- chore(k8smeta): bump sdk version and implement get_required_event_schema version plugins#1015
- adapt parsers for dealing with empty values
- not really needed, since this plugin uses just the
resparam
- not really needed, since this plugin uses just the
- convert any parsers using syscall enter events, if any
- No enter events used (other than
PPME_ASYNCEVENT_E)
- No enter events used (other than
- libs
- Libs
- fix(userspace/libsinsp): fix extraction of the directory value libs#2647
- chore(userspace/plugin): use
RTLD_DEEPBINDfor loading plugins libs#2652 - fix(ebpf): do not map overlapping perf event buffers libs#2663
- chore(userpsace/libpman): disable logging while searching for ksym btf libs#2670
- fix(sinsp): disallow having a plugin with extract CAP with zero fields libs#2672
- fix(userspace/plugin): resolve
get_required_event_schema_version()libs#2678 - fix(userspace/libscap/engine/savefile): fall back in case of exception libs#2679
falcosecurity/testing- Falco
- fix(userspace/falco): fix actions taken when events are dropped #3676
- fix(cmake/modules): bump falcoctl to v0.11.4 #3694
- ensure engine version is bumped properly to 0.57.0
- update rules to v5.0.0
- bump libs and drivers versions
- chore(deps): bump libs and drivers versions #3701
- This will also update the container plugin to v0.4.0
- Helm Chart
- Documentation (may be postponed after the release)
- feat(content): update content for falco 0.42.0 falco-website#1497
- Collect breaking changes from 0.22 libs change log
- Missing latest tag for falco-driver-loader-legacy image charts#868
- The buf_size_preset parameter from the falco.yaml configuration is ignored by Falco 0.40.x-0.41.x #3642
-
Since we switched back to the default allocator, double-check and documentwe didn't - Clearly explain why user should CRI to consume
/run/containerd/containerd.sockin container plugin - Check accuracy of k3s deployment instructions
- Document
debugfsrequirement for modern eBPF (and update legacy ebpf refs), real example here - Document RHEL8 issue (need
LDPRELOAD) - Troubleshooting issue for memleak-related problems
External dependencies
Artifacts to be released before Falco 0.42:
- falcoctl v0.11.4
- Bulk plugin releases (for those not requiring libs 0.22)
- This is not strictly related to the release, but recommended since most of these plugins should continue to work with Falco 0.41
- release: bulk release plugin before Falco 0.42 [1/N] plugins#995
- rules v5.0.0
- plugin SDKs (for libs 0.22 compatibility)
- go (no update needed)
- rust: postponed (since it's not release blocker)
- cpp
- container plugin v0.4.0
- drivers 9.0.0+driver
- libs 0.22.0
- k8smeta plugin v0.4.0
Release Candidate
To be expected when external deps releases are done.
Manual Testing Action Items
- Running Falco on Kubernetes with the official Helm Charts
- Running Falco from RPM and DEB artifacts
- Running Falco in a container with the official images
- Running/fuzzing Falco with multiple event sources active in parallel
- Running/fuzzing Falco with variable syscall buffer dimension
- Running Falco in all officially-supported architectures (x86_64, ARM64)
- Running Falco with the supported drivers (kmod, modern eBPF, eBPF, gVisor, trace files)
- Test Falco with event generator
- Test that plugins are correctly loaded
- Test memory and CPU usage
- Test the latest version of driver loader
- Test that
containerplugin works as expected - Test that
k8smetaplugin works as expected - Test that all Falco CLI options work as expected
- Check that Falco log messages are correct and consistent
- Test that Falco ruleset loading and validation work as expected
- Bug-fixing related testing
- [RHEL8] Installation fails of Falco 0.41.3-1 #3638
⚠️ Unfortunately, this can work only withLD_PRELOAD=/lib64/libresolv.so.2 falco, we need either to document this or provide a patch release later. Not a release blocker.
- container.name shows container.id in Falco 0.41.x #3631
- latest k8saudit plugin (tested via Helm Chart)
- https://github.com/falcosecurity/falco/issues?q=is%3Aissue%20milestone%3A0.42.0%20label%3Akind%2Fbug
- [RHEL8] Installation fails of Falco 0.41.3-1 #3638
Release Steps
The process is described in this document.
- Pre-Release
- Milestone
- Code freeze in falcosecurity/falco
- Open release branch in Falco and protect it
- See
External dependenciestask lists - Prebuilt drivers publish:
- Code thaw in falcosecurity/falco
- Changelog on the release branch
- cherry-pick the changelog on master
- Release
- Github Release in the Falco repo
- Website
- Create new snapshot
- Protect snapshot branch
- Merge the release blog post
- Merge all necessary documentation PRs
- Create new snapshot
- Helm
- Release a new Helm chart version
- Update helm chart documentation
- Announcements
- mailing list
- blog post
- Slack channel
- Post-Release
- Archive community call meeting notes
- Close the resolved issues after the tag and move the unresolved ones under a new milestone
- Update supported fields and syscall documentation
- add Falco version to the rules CI
POST Release TODOs (to be scheduled before Falco 0.42)
- Clean some quirks in plugin-sdk-cpp
- https://github.com/falcosecurity/plugin-sdk-cpp/blob/main/Makefile#L23-L24
- Promote to incubating