Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reimplement containers metadata support as a plugin #3403

Open
FedeDP opened this issue Nov 13, 2024 · 3 comments
Open

Reimplement containers metadata support as a plugin #3403

FedeDP opened this issue Nov 13, 2024 · 3 comments
Labels
kind/feature
Milestone
0.40.0

Comments

@FedeDP
Copy link
Contributor

FedeDP commented Nov 13, 2024
edited
Loading

Motivation

Historically, Falco container's information retrieval has always caused headaches to users; moreover, the current code does cause headaches to developers too.
While it's not always working fine, it also has some limitations:

  • There is no support for multiple container runtimes on a single node: Support multiple container runtime in one node #3279
  • Since the container info retrieval is done asynchronously at first clone/execve/fork event, we lose container metadata information for the very first syscall events generated by threads spawned in a new container
  • As previously stated, the code is also very hard to extend; there has been some previous attempts to improve it but for now that's what we got

Feature

Rewrite container info support as a plugin, and completely drop libsinsp internal implementation.
The plugin will leverage container engines SDKs to get notified when new containers are created/deleted; the container creation happens before the container is even started thus it should give us a time advantage and should avoid event without container metadata.
It will also be responsible of extracting all container and remaining k8s related filterchecks.

Main idea is to drop container manager from sinsp, and container_id from threadinfo.
The container_id will be added as a foreign key leveraging the libsinsp state table API by the plugin, that will take care of filling it.
Basically, sinsp without the plugin loaded will be completely unaware of containers.

All of the above should be done without breaking changes for the end users. In Falco 0.39 we added a container_engines configuration key: https://github.com/falcosecurity/falco/blob/master/falco.yaml#L1312; since it is in incubating state, we can drop it (since we will rely on the plugin init_config of course). That should be the only user-facing change.

I already have a private repo with the plugin source code i have been actively working on since mid october, and hope to be able to release it in time for Falco 0.40.0.
I also have an upstream libs branch where i am playing with the big cleanup: https://github.com/falcosecurity/libs/tree/cleanup/drop_container_manager.

I will drop the link to the plugin once i am satisfied with it and open source it :) Will share its architecture too.

Main issues:

Alternatives

No clear alternative.

Additional context

Listing related issues:

Next step would be to move user/group manager to a plugin too.
@FedeDP
Copy link
Contributor Author

FedeDP commented Nov 13, 2024

/milestone 0.40.0

@poiana poiana added this to the 0.40.0 milestone Nov 13, 2024
@leogr
Copy link
Member

leogr commented Nov 13, 2024

Thank you @FedeDP , this is awesome! 🤩

@Issif
Copy link
Member

Issif commented Nov 13, 2024

😁

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature
Projects
None yet
Milestone
0.40.0
Development

No branches or pull requests
4 participants
@leogr @Issif @FedeDP @poiana