Status: closed (closed by incertum, 3 months ago)
@leogr @FedeDP @Issif

The first 3 points should be addressed in the Helm Chart eventually, I guess. cc @alacuku

Anyway:

HOST_ROOT=/host: it should be the default value configured via the Dockerfile in all container images, IIRC.

/usr: I vaguely recall there're other reasons to mount the full /usr, as stated by our documentation. This needs to be double-checked.

Sounds good, I would still add HOST_ROOT=/host just so we serve up a better and clearer template.

ACK re double-checking /usr
Thanks @incertum! I agree with all points except for /usr mount as stated by @leogr if it's really needed, otherwise good point for me to selectively mount only /usr/src/kernels one.
We clarified that we indeed need entire /usr/src because of ubuntu distros etc, I updated the original post indicating to disregard that comment. Thanks.
Quick question since it came up in a different issue. Aren't we missing the host /etc mount for the falco container in order to resolve user uids to their names and such?

Add the following:

- mountPath: /host/etc
  name: etc-fs
I can't recall if we looked up from /etc for that purpose :thinking: @FedeDP ?
/assign
Yes, we actually need it to resolve user and group related info: https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/user.cpp#L60
I think we completely forgot to update our charts back when we implemented the feat. Great catch @incertum !
Hello, one more thing :upside_down_face:
See https://github.com/falcosecurity/cncf-green-review-testing/pull/9 we also totally forgot to include /run/k3s/containerd/containerd.sock as container runtime socket and k3s appears to be more frequently used now.
Hi @incertum, @FedeDP I fixed it here: https://github.com/falcosecurity/charts/pull/601/commits/3cf8bdf753c436a0a41d3f34ade6c35921de1b01. Will be released once falco 0.37.0 is out. Is it ok, or do we need the fix before that?
Thanks @alacuku ! Great job, as always :) For me, it's ok to release the fix with the Falco 0.37.0 chart.
(fragment of the original post's list of points)

... HOST_ROOT env in initContainers falco-driver-loader

2. For completeness suggest explicitly adding HOST_ROOT env to the falco container, plus add FALCO_HOSTNAME env as we now use it in Falco's metrics option and expose it as filter in evt.hostname, so it would be a great example template.

4. The docs here are not sufficient, happy to update them!
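To tie the thread's points together (the HOST_ROOT and FALCO_HOSTNAME env vars from the original post, the /host/etc mount needed for uid/gid resolution, the full /usr/src mount, and the k3s containerd socket), here is a trimmed DaemonSet fragment written as an added example. It is not the falcosecurity/charts code and not the fix in PR 601; the volume names, the use of spec.nodeName for FALCO_HOSTNAME, and the --cri argument wiring are assumptions made for illustration.

```yaml
# Added example, not the chart's own template. Only the pieces discussed in the
# thread are shown; image, securityContext, rules ConfigMap etc. are omitted.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: falco-example          # assumed name
spec:
  selector:
    matchLabels:
      app: falco-example
  template:
    metadata:
      labels:
        app: falco-example
    spec:
      initContainers:
        - name: falco-driver-loader
          image: FALCO_DRIVER_LOADER_IMAGE_PLACEHOLDER
          env:
            # Explicit even though the image Dockerfile already defaults it (per leogr),
            # so the template documents where the host filesystem is mounted.
            - name: HOST_ROOT
              value: /host
          volumeMounts:
            # Whole /usr/src is needed (not just /usr/src/kernels) because of
            # Ubuntu-style header layouts, as clarified in the thread.
            - mountPath: /host/usr/src
              name: usr-src-fs
              readOnly: true
      containers:
        - name: falco
          image: FALCO_IMAGE_PLACEHOLDER
          args:
            - /usr/bin/falco
            # Assumption: the k3s socket path must match what Falco is told to
            # query for container metadata; here via the --cri option.
            - --cri
            - /host/run/k3s/containerd/containerd.sock
          env:
            - name: HOST_ROOT
              value: /host
            # FALCO_HOSTNAME feeds the metrics option and the evt.hostname filter
            # field. Assumption: the node name is the value you want to report.
            - name: FALCO_HOSTNAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            # Host /etc so libsinsp can resolve uids/gids to user and group names
            # (see userspace/libsinsp/user.cpp referenced by FedeDP).
            - mountPath: /host/etc
              name: etc-fs
              readOnly: true
            - mountPath: /host/usr/src
              name: usr-src-fs
              readOnly: true
            # k3s ships containerd under /run/k3s, not /run/containerd.
            - mountPath: /host/run/k3s/containerd/containerd.sock
              name: k3s-containerd-socket
      volumes:
        - name: etc-fs
          hostPath:
            path: /etc
        - name: usr-src-fs
          hostPath:
            path: /usr/src
        - name: k3s-containerd-socket
          hostPath:
            path: /run/k3s/containerd/containerd.sock
```

A quick way to confirm the /etc mount is doing its job after deployment is to check that events carry user.name rather than only user.uid for processes owned by non-root local accounts; if names stay empty, the mount (or the HOST_ROOT value it is resolved under) is the first thing to verify.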