new(config): add container_engines config to falco.yaml
#3266
Conversation
|
/milestone 0.39.0 |
|
Re unit tests: Curious to know where to add tests as for most configs we do not have any here except for example for |
falco.yaml
Outdated
| enabled: true | ||
| cri: | ||
| enabled: true | ||
| cri: ["/run/containerd/containerd.sock", "/run/crio/crio.sock", "/run/k3s/containerd/containerd.sock"] |
There was a problem hiding this comment.
| cri: ["/run/containerd/containerd.sock", "/run/crio/crio.sock", "/run/k3s/containerd/containerd.sock"] | |
| sockets: ["/run/containerd/containerd.sock", "/run/crio/crio.sock", "/run/k3s/containerd/containerd.sock"] |
falco.yaml
Outdated
| cri: | ||
| enabled: true | ||
| cri: ["/run/containerd/containerd.sock", "/run/crio/crio.sock", "/run/k3s/containerd/containerd.sock"] | ||
| disable-cri-async: false |
There was a problem hiding this comment.
| disable-cri-async: false | |
| disable-async: false |
There was a problem hiding this comment.
@leogr? Re both names we ok with having them different to the CLI args?
|
I'd also add a debug print of enabled container engines during the startup of Falco ;) |
Yes, agree! Also, you could add some tests to /~https://github.com/falcosecurity/testing/blob/main/tests/falco/config_test.go; for example you could test that enabling each container engine yields a debug log (aforementioned) with the requested engine enabled. |
falco.yaml
Outdated
| rocket: | ||
| enabled: true |
There was a problem hiding this comment.
AFAIK rocket was the initial name, but its official name is rkt
Still, rkt was discontinued in 2020 (/~https://github.com/rkt/rkt), so I don't see any compelling reason to keep it.
@falcosecurity/libs-maintainers wdyt? 🤔
There was a problem hiding this comment.
Oh I didn't know, yes can change it to rkt.
There was a problem hiding this comment.
@falcosecurity/libs-maintainers wdyt? 🤔
Agree, we can clean it up; +1 from me!
There was a problem hiding this comment.
Removed it. It's not relevant for Falco as you pointed out.
| } | ||
| } | ||
|
|
||
| // Decide whether to do sync or async for CRI metadata fetch | ||
| inspector->set_cri_async(!s.options.disable_cri_async); | ||
|
|
||
| if(s.options.disable_cri_async || s.config->m_container_engines_disable_cri_async) | ||
| { | ||
| falco_logger::log(falco_logger::level::DEBUG, "Disabling async lookups for 'CRI'"); |
There was a problem hiding this comment.
Would be nice to extend the API and add a is_cri_async and a get_cri_socket_paths methods. If you also think it would be good I can do it during this dev cycle, but no rush.
There was a problem hiding this comment.
falcosecurity/libs#2022 also added a label "good first issue" if someone wanted to get started helping us.
|
So, log before the initial:
string. |
|
Aside from ☝️ , LGTM! |
The test should not be dependent on the order? If so, we should adjust the test anyways. Above ones are generated while parsing the config. |
Yes but the test enforces that the very first log line should be |
|
We need to fix #3270 in order to fix CI, since centos7 is eol. |
|
Hey Melissa, we were finally able to bump libs in Falco master, can you rebase this one? :) |
incertum
force-pushed
the
container-engines-config
branch
2 times, most recently
from
b2ece6a to
425adc3
Compare
Thanks @FedeDP |
| m_metrics_include_empty_values(false) | ||
| m_metrics_include_empty_values(false), | ||
| m_container_engines_mask(0), | ||
| m_container_engines_cri_socket_paths({"/run/containerd/containerd.sock", "/run/crio/crio.sock","/run/k3s/containerd/containerd.sock"}), |
There was a problem hiding this comment.
Not for now but i'd expose these defaults as static strings from libs cri namespace, like: libsinsp::container_engines::cri::s_default_socket_paths.
There was a problem hiding this comment.
The schema_json in this file must be updated to match the newly added config key.
There was a problem hiding this comment.
This will also fix CI of course.
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
…pector Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
incertum
force-pushed
the
container-engines-config
branch
from
425adc3 to
4363c7b
Compare
|
LGTM label has been added. Git tree hash: 4a0d14e5afced1c00a54495c6fbb28b65032016c
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, incertum The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
What this PR does / why we need it:
Fixes #3258
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: