Initial userspace instrumentation implementation #1195
/hold
We will need to update the cmake reference once draios/sysdig#1626 is merged.
/unhold
I don't know how to un-hold something - maybe one of these will work
/hold cancel
On Wed, 1 Jul 2020 at 23:54, Kris Nova ***@***.***> wrote:
/unhold
/continue
/please-merge
I don't know how to un-hold something - maybe one of these will work
--
L.
The first round of review.
Left some comments for further discussion and thinking next week. Nothing definitive, yet :)
Also, the PR corpus needs to be updated and refer to the actual PR introducing userspace capture - i.e., draios/sysdig#1636
My main question for now is: do we want to refer to this as udig? Or do we want to refer to it in a more eloquent way (to avoid any confusion among users) and leave this word only for specific implementations (udig, pdig, etc.)?
udig support through the -u command line flag
Signed-off-by: Kris Nóva <kris@nivenly.com>
Co-authored-by: Kris Nóva <kris@nivenly.com>
Signed-off-by: Kris Nova <kris@nivenly.com>
Signed-off-by: Kris Nova <kris@nivenly.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Just tested this with @leodido on my machine:

# ./userspace/falco/falco -u -r ../rules/falco_rules.yaml
Wed Jul 15 10:31:05 2020: Falco initialized with configuration file /home/fntlnz/Projects/falcosecurity/falco/falco.yaml
Wed Jul 15 10:31:05 2020: Loading rules from file ../rules/falco_rules.yaml:
Wed Jul 15 10:31:05 2020: Starting internal webserver, listening on port 8765

I also needed to use a root shell, otherwise:

$ ./userspace/falco/falco -u -r ../rules/falco_rules.yaml
Wed Jul 15 10:32:32 2020: Falco initialized with configuration file /home/fntlnz/Projects/falcosecurity/falco/falco.yaml
Wed Jul 15 10:32:32 2020: Loading rules from file ../rules/falco_rules.yaml:
[1] 454395 segmentation fault (core dumped) ./userspace/falco/falco -u -r ../rules/falco_rules.yaml

Root is needed because userspace instrumentation scans the

This is what happens now if you run Falco without root privileges, see how the error now is very clear.
This fix was already done by @leodido almost one year ago on the module check PR (https://github.com/falcosecurity/falco/pull/758/files) - We really need to get that one in!
I've been trying to use the pdig userspace implementation but I had no luck in compiling it (will investigate later): compilation output
Talked with @leodido and we have a couple concerns in merging this for 0.24.0
We propose to postpone this to 0.25.0
Let's vote (add a reaction): 👍 to move this to 0.25.0 and release next month after addressing the concerns above
Reached majority
/milestone 0.25.0
Community call is happening right now and we all agreed on a variation of the idea I expressed in my previous comment. In particular, we agreed on the fact that the contract that Falco exposes to talk to userspace implementations needs to be decoupled from the userspace implementation itself. With this reasoning in mind, we decided to get this change in now, for 0.24.0, while letting the implementations follow their own lifecycle. This means that:
/milestone 0.24.0
🎉
LGTM label has been added. Git tree hash: 30319e4da638be9e1247a1023e2656fe983a6cb9
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: fntlnz, leodido
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
ALL.
What this PR does / why we need it:
Support in the Falco CLI for the new ptrace implementation being merged in the driver code.
Which issue(s) this PR fixes:
NONE
Special notes for your reviewer:
Does this PR introduce a user-facing change?: