Add /etc mount for falco container #475
Conversation
|
Do you think it would be more secure to explicitly mount |
|
Ok, did as you suggested and I am only mounting the files Falco needs. There's a bug in the probe loader script in the logic used to detect COS vs Minikube for eBPF support. I need to submit a PR to sysdig to fix that before we should merge this. |
|
Required probe loader script fix in draios/sysdig/1273. |
|
(Commenting on this since I saw it referenced from draios/sysdig#1273) Are we sure we want to introduce that much granularity in the mount paths, which need to be propagated to sysdig, agent as well as traditional command lines, and kept in sync every time we add a new supported distribution by peeking into a new file in What you seem to be wanting to prevent is already possible in a very easy way: just go into a Falco container and run And this is without even counting that we are a privileged container, have full access to the Docker socket, and have the ability to compile and inject custom code into the kernel, we are basically already root++ on the host, so mounting From my point of view, the only reason why we are not mounting the entire host file system, thus greatly simplifying the command line invocation, is just because we don't want to keep those mount points busy when containers churn, otherwise I'd consider it reasonable, and more practical, to do that as well (other projects, such as Google's cadvisor, do exactly that and mount the entire host's Feel free to ignore this, just wanted to provide my perspective since I value CLI usability a lot, and this seems a step backwards. |
mstemm
force-pushed
the
mfdii/fix_k8sds
branch
from
48fcebb
to
e6313ed
Compare
mstemm
force-pushed
the
mfdii/fix_k8sds
branch
from
e6313ed
to
a3fed52
Compare
Fixes #473.
This is required to support COS and Minikube as the probe loader script looks for the OS version by reading files in /etc.
I also added the environment variables to enable the eBPF probe, but left them commented out.