fix(docker): missing HOST_ROOT env in "no-driver" docker image

[leogr]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

Any specific area of the project related to this PR?

/area build

What this PR does / why we need it:

This PR solves the problem described in #1491 and makes env vars consistent between the "falco" and the "no-driver" docker images.
It also updates the container labels with the correct docker usage command line.

Which issue(s) this PR fixes:

Fixes #1491

Special notes for your reviewer:

/milestone 0.27.0

Does this PR introduce a user-facing change?:

fix: set `HOST_ROOT=/host` environment variable for the `falcosecurity/falco-no-driver` container image by default

[fntlnz]

We didn't do the /host env variable thing in that image because with --device you have no way to remap falco devices to /host/dev and thus we were advising to do /var/run/docker.sock on the no-driver image.

If we just merge this PR but don't adjust the wording around that too this will just create more confusion.

See: https://falco.org/docs/running/

[fntlnz]

Look at what we do here https://falco.org/docs/running/

[leogr]

Please note that this ☝️ is the falco-driver-loader image and I have used the documentation as source, indeed it matches:

docker pull falcosecurity/falco-driver-loader:latest
docker run --rm -i -t \
    --privileged \
    -v /root/.falco:/root/.falco \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    -v /etc:/host/etc:ro \
    falcosecurity/falco-driver-loader:latest

Am I missing something else?

[fntlnz]

Added a comment

[leogr]

We didn't do the /host env variable thing in that image because with --device you have no way to remap falco devices to /host/dev and thus we were advising to do /var/run/docker.sock on the no-driver image.

If we just merge this PR but don't adjust the wording around that too this will just create more confusion.

See: https://falco.org/docs/running/

Good point, I have not considered that.

Anyway I believe is still convenient HOST_ROOT=/host by default, and then update the documentation for the "least privileged" in this way:

docker pull falcosecurity/falco-no-driver:latest
docker run --rm -i -t \
    -e HOST_ROOT=/ \
    --cap-add SYS_PTRACE --pid=host $(ls /dev/falco* | xargs -I {} echo --device {}) \
    -v /var/run/docker.sock:/var/run/docker.sock \
    falcosecurity/falco-no-driver:latest

WDYT?

I had already prepared a PR to update the doc 👉 falcosecurity/falco-website#313, so if you agree, I can update it again accordingly.

[fntlnz]

I agree, if we want to stick with the least privileged wording.

[leogr]

I agree, if we want to stick with the least privileged wording.

👍

Yes, I prefer this option, since having different defaults across images can be more confusing. I will update the doc PR ASAP.

[leogr]

Hey @fntlnz

done, PTAL 👉 https://github.com/falcosecurity/falco-website/pull/313/files

And thank you for the suggestion! 🤗

[leodido]

I've looked at the #313 PR on the falco-website, and the edits you did to this one.

/lgtm

[poiana]

LGTM label has been added.

Git tree hash: 505c4ac1b892636f9f9a12afd2047077f0379088

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fntlnz, leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• docker/OWNERS [fntlnz,leodido]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment