-
Notifications
You must be signed in to change notification settings - Fork 912
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reimplement containers metadata support as a plugin #3403
Comments
/milestone 0.40.0 |
Thank you @FedeDP , this is awesome! 🤩 |
An update about where i am.
As you can see, i just changed a couple of fields exposed by the plugin ( Results were great, as expected :)
The very first event in the container (ie: the
Time-wise, it took Also, my upstream |
Here is the new timeline for this one:
In the end, the plan is to have this in time officially for 0.41: |
Opened the huge libs cleanup PR: falcosecurity/libs#2207 Also, the plugin gained support for Will update issue body with latest info. |
Once we release libs 0.20.0, i will rebase my libs PR and then propose to merge it asap, even if a couple of things are still missing (/~https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/ifinfo.cpp#L326 and /~https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/sinsp_filtercheck_user.cpp#L93). After 0.20.0 and Falco 0.40.0, i will also create a Falco upstream branch that points to the HEAD of my libs PR and start fixing broken things. FYI FedeDP/container_plugin#10 basically finishes implementing all fields in various container engines; we only miss |
Motivation
Historically, Falco container's information retrieval has always caused headaches to users; moreover, the current code does cause headaches to developers too.
While it's not always working fine, it also has some limitations:
clone/execve/fork
event, we lose container metadata information for the very first syscall events generated by threads spawned in a new containerFeature
Rewrite container info support as a plugin, and completely drop libsinsp internal implementation.
The plugin will leverage container engines SDKs to get notified when new containers are created/deleted; the container creation happens before the container is even started thus it should give us a time advantage and should avoid event without container metadata.
It will also be responsible of extracting all
container
and remainingk8s
related filterchecks.Main idea is to drop container manager from sinsp, and container_id from threadinfo.
The container_id will be added as a foreign key leveraging the libsinsp state table API by the plugin, that will take care of filling it.
Basically, sinsp without the plugin loaded will be completely unaware of containers.
All of the above should be done without breaking changes for the end users. In Falco 0.39 we added a
container_engines
configuration key: /~https://github.com/falcosecurity/falco/blob/master/falco.yaml#L1312; since it is in incubating state, we can drop it (since we will rely on the plugininit_config
of course). That should be the only user-facing change.The container plugin github link: /~https://github.com/FedeDP/container_plugin
Its readme has the architecture explanation and diagram: /~https://github.com/FedeDP/container_plugin/raw/main/architecture.svg
Also, there is a TODO file with stuff letf to do: /~https://github.com/FedeDP/container_plugin/blob/main/TODO.md
Ongoing libs PR with big container related stuff cleanup: falcosecurity/libs#2207
See the PR for relevant TODOs.
Alternatives
No clear alternative.
Additional context
Linking required PRs:
addOutput
json entry for pluginget_field()
API libs#2116get_owner_last_error
in plugin's capture listening capability libs#2147Listing related issues/PRs:
is_cri_async
and aget_cri_socket_paths
methods to CRI container engine libs#2022container.id
andcontainer.name
libs#2057 (might be a good time to fix it?)Next step would be to move
user/group
manager to a plugin too.The text was updated successfully, but these errors were encountered: