How to Install Falco using Containers

Mark Stemm edited this page Aug 12, 2016 · 5 revisions

How to Install Falco using Containers

Container install (general)

If you have full control of your host operating system, then installing falco using the normal installation method is the recommended best practice. This method allows full visibility into all containers on the host OS. No changes to the standard automatic/manual installation procedures are required.

However, falco can also run inside a Docker container. To guarantee a smooth deployment, the kernel headers must be installed in the host operating system, before running Falco.

This can usually be done on Debian-like distributions with: apt-get -y install linux-headers-$(uname -r)

Or, on RHEL-like distributions: yum -y install kernel-devel-$(uname -r)

Falco can then be run with:

docker pull sysdig/falco
docker run -i -t --name falco --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/falco

To see it in action, also run the event generator to perform actions that trigger falco's ruleset:

docker pull sysdig/falco-event-generator
docker run -it --name falco-event-generator sysdig/falco-event-generator

Using custom rules with docker container

The falco image has a built-in set of rules located at /etc/falco_rules.yaml which is suitable for most purposes. However, you may want to provide your own rules file and still use the falco image. In that case, you should add a volume mapping to map the external rules file to /etc/falco_rules.yaml within the container, by adding -v path-to-falco-rules.yaml:/etc/falco_rules.yaml to your docker run command.

Container install (CoreOS)

The recommended way to run falco on CoreOS is inside of its own Docker container using the install commands in the paragraph above. This method allows full visibility into all containers on the host OS.

This method is automatically updated, includes some nice features such as automatic setup and bash completion, and is a generic approach that can be used on other distributions outside CoreOS as well.

However, some users may prefer to run falco in the CoreOS toolbox. While not the recommended method, this can be achieved by installing Falco inside the toolbox using the normal installation method, and then manually running the sysdig-probe-loader script:

toolbox --bind=/dev --bind=/var/run/docker.sock
curl -s | bash