Following https://gvisor.dev/docs/tutorials/falco/ I can successfully get Falco working and detecting issues. I first got a detection on the rule demonstrated in that guide, and then got cryptomining detection working using the default rules for that.
Unfortunately, when attempting to do exactly the same thing in our own container runtime (not Docker) where we use runsc run directly, Falco segfaults, or errors with Error: stoull or Error: std::bad_alloc.
Here is an example log where I first run a Docker container running nbminer, and then attempt to run a container using our own runtime.
(modal) ubuntu@ip-10-1-8-45:~/modal$ sudo falco -v -r /etc/falco/falco_rules.local.yaml -c /etc/falco/falco.yaml --gvisor-config /etc/falco/pod-init.json
Wed Nov 1 15:25:38 2023: Falco version: 0.35.0 (x86_64)
Wed Nov 1 15:25:38 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Wed Nov 1 15:25:38 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
Wed Nov 1 15:25:38 2023: gRPC server threadiness equals to 8
Wed Nov 1 15:25:38 2023: Starting health webserver with threadiness 8, listening on port 8765
Wed Nov 1 15:25:38 2023: Enabled event sources: syscall
Wed Nov 1 15:25:38 2023: Opening 'syscall' source with gVisor. Configuration path: /etc/falco/pod-init.json
Wed Nov 1 15:25:38 2023: Starting gRPC server at unix:///var/run/falco.sock
15:25:40.634960695: Critical Possible miner running (command=nbminer ./nbminer -a ethash -o stratum+tcp://cn.sparkpool.com:13333 -u 0x4296116d44a4a7259B52B1A756e19083e675062A.default -log pid=<NA> container=great_mccarthy (id=8cdaef990cd2) image=ubuntu)
15:25:41.699553922: Critical Possible miner running (command=nbminer ./nbminer -a ethash -o stratum+tcp://cn.sparkpool.com:13333 -u 0x4296116d44a4a7259B52B1A756e19083e675062A.default -log -RUN -reboot-times 0 pid=<NA> container=great_mccarthy (id=8cdaef990cd2) image=ubuntu)
Events detected: 2
Rule counts by severity:
CRITICAL: 2
Triggered rules by rule name:
Detect crypto miners using the Stratum protocol: 2
Wed Nov 1 15:25:53 2023: Shutting down gRPC server. Waiting until external connections are closed by clients
Wed Nov 1 15:25:53 2023: Waiting for the gRPC threads to complete
Wed Nov 1 15:25:53 2023: Draining all the remaining gRPC events
Wed Nov 1 15:25:53 2023: Shutting down gRPC server complete
Error: std::bad_alloc
How to reproduce it
Our container runtime is custom and closed-source, but I can provide details on the particulars as needed 🙂. Our runsc command looks like this:
I believe this issue comes from the fact that the container ID is not a hexadecimal string, which is what normally happens with Docker, k8s etc. Can you try running a container with a hex ID to confirm?
Thanks for the detailed report anyways! After an experiment with runsc I believe the issue you had was due to non-hex container IDs. I'm going to close this issue and open a more focused one in the libs repo. Thanks again!
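To illustrate the non-hex container ID explanation above, here is an added example (not Falco's or gVisor's own code). It assumes, as a hypothesis suggested by the error text, that the ID is parsed with std::stoull(id, nullptr, 16): with libstdc++ that call throws std::invalid_argument whose what() is exactly "stoull" for a non-hex ID such as a custom runtime's name-style ID, which matches the "Error: stoull" in the report. The hardened variant validates the whole string before converting, which also catches the quieter case where an ID merely starts with hex digits and would otherwise be silently truncated.

```cpp
#include <cctype>
#include <cstdint>
#include <exception>
#include <string>

// Naive parse, assumed for illustration to mirror the consumer's behaviour:
// "8cdaef990cd2" (the Docker short ID from the log) converts fine, but
// "my-runtime-container" throws std::invalid_argument("stoull") and
// more than 16 hex digits throws std::out_of_range("stoull").
std::uint64_t parse_container_id_naive(const std::string& id) {
    return std::stoull(id, nullptr, 16);
}

// Whole-string validation: non-empty, every character a hex digit,
// and at most 16 digits so the value fits in a uint64_t.
bool is_hex_id(const std::string& id) {
    if (id.empty() || id.size() > 16) return false;
    for (unsigned char c : id)
        if (!std::isxdigit(c)) return false;
    return true;
}

// Hardened parse: returns false instead of throwing on a non-hex ID,
// and refuses IDs like "dead-beef" that stoull would partially accept.
bool parse_container_id_safe(const std::string& id, std::uint64_t& out) {
    if (!is_hex_id(id)) return false;
    out = std::stoull(id, nullptr, 16);
    return true;
}

// Helper for observing the failure: what() of the exception the naive
// parser throws for this ID, or "" when it does not throw.
std::string naive_error_for(const std::string& id) {
    try {
        parse_container_id_naive(id);
        return "";
    } catch (const std::exception& e) {
        return e.what();
    }
}
```

Note that the naive parser does not throw for "dead-beef": std::stoull stops at the first non-hex character and returns 0xdead, so an ID that happens to begin with hex digits would be mapped to a wrong, possibly colliding, numeric ID rather than rejected.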
Expected behaviour
Expect that falco doesn't segfault when not using Docker and gVisor, but just runsc run directly.
Environment
Kernel: Linux ip-10-1-8-45 5.15.0-1044-aws #49~20.04.1-Ubuntu SMP Mon Aug 21 17:09:32 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Installation method: From https://download.falco.org tarballs