Closed thundergolfer closed 9 months ago
I tried upgrading my falco version to hopefully fix this issue, but ran into https://github.com/falcosecurity/falco/issues/2896
I believe this issue comes from the fact that the container ID is not a hexadecimal string, which is what normally happens with Docker, k8s etc. Can you try running a container with an hex ID to confirm?
Hey @LucaGuerra, we opted to ingest the gVisor tracepoints directly, so no longer have Falco setup in our system to test.
Thanks for the detailed report anyways! After an experiment with runsc I believe the issue you had was due to non-hex container IDs. I'm going to close this issue and open a more focused one in the libs repo. Thanks again!
This will be fixed in the upcoming Falco 0.37.0
/milestone 0.37.0
Describe the bug
Following https://gvisor.dev/docs/tutorials/falco/ I can successfully get Falco working and detecting issues. I first got a detection on the rule demonstrated in that guide, and then got cryptomining detection working using the default rules for that.
Unfortunately, when attempting to do exactly the same thing in our own container runtime (not Docker) where we use
runsc run
directly, Falco segfaults, or errors withError: stoull
orError: std:bad_alloc
.Here is an example log where I first run a Docker container running
nbminer
, and then attempt to run a container using our own runtime.How to reproduce it
Our container runtime is custom and closed-source, but I can provide details on the particulars as needed 🙂. Our
runsc
command looks like this:Expected behaviour
Expect that falco doesn't segfault when not using Docker and gvisor, but just
runsc run
directly.Screenshots
Environment
Kernel:
Linux ip-10-1-8-45 5.15.0-1044-aws #49~20.04.1-Ubuntu SMP Mon Aug 21 17:09:32 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Installation method: From https://download.falco.org tarballs
Additional context