
ROADMAP - Build slim and full Falco container images #776

Merged
merged 10 commits into from Oct 11, 2019

Conversation

@mfdii
Member

mfdii commented Aug 20, 2019

Signed-off-by: Michael Ducy michael@ducy.org

What type of PR is this?
/kind feature

Any specific area of the project related to this PR?

/area deployment

What this PR does / why we need it:
The current Falco images are quite large (720 MB) and carry lots of build tools that we want to remove from the current image. The build tools are required to compile kernel modules dynamically when the Falco container starts.

Under the new design we wish to remove the build tools and create two image categories:

  • Init container image for Kernel Module/eBPF probe delivery
    • Container for building probe dynamically (current model)
    • Container for pulling module via HTTPS
    • Container for building & packaging custom kernel modules
    • Container(s) shipping prebuilt modules
  • Falco container image containing the minimum required software
    • Minimal Image falcosecurity/falco-minimal - only required executables and libraries (~19.5 MB)
    • Slim Image falcosecurity/falco-slim - Distribution based image (~224 MB)

Other tasks before this PR is complete:

  • Update kubernetes manifests to support new model
  • Update helm chart (external PR)
  • Automated build process for new container images
  • Testing of images in deployment scenarios
    • GKE
    • Response Engine
    • IKS
    • Minikube

Which issue(s) this PR fixes:

Fixes #532

Does this PR introduce a user-facing change?:

Initial redesign of container images to remove build tools and leverage init containers for kernel module delivery.
@mfdii

Member Author

mfdii commented Aug 20, 2019

Note that the Falco application images can be tested by using the falcosecurity/falco-minimal or falcosecurity/falco-slim images. Currently I've only built a falco probe container image for the linuxkit kernel (docker desktop, falcosecurity/probe-linuxkit-4.9.184).

You can test by running the following:

docker run --rm --privileged falcosecurity/probe-linuxkit-4.9.184
docker run --rm -i -t --name falco --privileged \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev -v /proc:/host/proc:ro \
    -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro \
    falcosecurity/falco-slim:0.17.0
Contributor

JPLachance left a comment

This is a superb start! I'll be happy to test it in K8s v1.11.10 in AWS 🎉

3 review comments on docker/kernel/linuxkit/Dockerfile (outdated, resolved)
@poiana


poiana commented Aug 20, 2019

@JPLachance: changing LGTM is restricted to assignees, and only falcosecurity/falco repo collaborators may be assigned issues.

In response to this:

This is a superb start! I'll be happy to test it in K8s v1.11.10 in AWS 🎉

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@leodido leodido self-requested a review Aug 21, 2019
@leodido leodido added this to the 0.18.0 milestone Aug 22, 2019
@poiana poiana added size/XL and removed size/L labels Aug 26, 2019
@mfdii

Member Author

mfdii commented Aug 26, 2019

@JPLachance I've pushed the httploader initContainer. This replicates the current method of pulling kernel modules from S3. Look at the updated k8s daemonset to see how to configure.

@mfdii mfdii force-pushed the mfdii/slim-images branch from d952e4b to 12425c3 Aug 26, 2019
Contributor

JPLachance left a comment

Good job! We are almost there! 🎉

# value: "https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/"
containers:
- name: falco
  image: falcosecurity/falco-minimal:latest


JPLachance Aug 26, 2019

Contributor

Do we need to update Falco rules to allow those new images to run with the --privileged flag?

https://github.com/falcosecurity/falco/blob/dev/rules/falco_rules.yaml#L1751

I think yes, but I'm not sure.


mfdii Aug 28, 2019

Author Member

Yes, we will need this.

_p0, err := unix.BytePtrFromString("")
if err != nil {
	log.Fatalf("Error building finit_module arguments: %v", err)
}
// Syscall 313 is finit_module on x86_64: it loads the module from the open file descriptor.
if _, _, errno := unix.Syscall(313, file.Fd(), uintptr(unsafe.Pointer(_p0)), 0); errno != 0 {
	log.Fatalf("Error loading kernel module: %s. The module may already be loaded.", path)
}


JPLachance Aug 26, 2019

Contributor

If the kernel module is already loaded for some reason, how does a Falco user fix it? I think we should add a link to some documentation in the log.


mfdii Aug 27, 2019

Author Member

One thing that the current probe loader does is remove the loaded module. We could do this as well, with a retry loop and timeout.
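As an added example (not code from this PR or from falcoctl), one way to implement the "remove the stale module, then retry with a timeout" policy described above, in Go: a parser for the kernel's /proc/modules format to detect an already-loaded module, and a loader that unloads the old copy and retries with backoff until a deadline. The LoaderOps struct, the function names and the module name "falco" used in the comments are assumptions; the privileged calls (delete_module, finit_module) are injected so the policy can be exercised without root.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
	"time"
)

// LoaderOps wraps the privileged calls so the retry policy can run without root.
type LoaderOps struct {
	Loaded func(name string) (bool, error)
	Unload func(name string) error
	Load   func(path string) error
}

// ParseProcModules maps each module in /proc/modules-format text
// ("name size refcount deps state addr") to its reference count.
func ParseProcModules(r io.Reader) (map[string]int, error) {
	mods := map[string]int{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 3 {
			n, err := strconv.Atoi(f[2])
			if err != nil {
				return nil, fmt.Errorf("bad refcount for %s: %w", f[0], err)
			}
			mods[f[0]] = n
		}
	}
	return mods, sc.Err()
}

// LoadProbe removes a stale copy of the module and inserts the new one, retrying
// with backoff until the deadline (delete_module reports EBUSY while refcount > 0).
func LoadProbe(ops LoaderOps, name, path string, timeout, backoff time.Duration) error {
	var last error
	for deadline := time.Now().Add(timeout); time.Now().Before(deadline); time.Sleep(backoff) {
		if loaded, err := ops.Loaded(name); err != nil {
			return err
		} else if loaded {
			last = ops.Unload(name) // nil: removed, next pass inserts
		} else if last = ops.Load(path); last == nil {
			return nil
		}
	}
	return fmt.Errorf("giving up on %s after %s: %v", name, timeout, last)
}
```

On a real host, Loaded would read /proc/modules through ParseProcModules and Unload/Load would issue delete_module and finit_module (syscalls 176 and 313 on x86_64), which is where the log message above would gain its documentation link.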

Member

fntlnz left a comment

Here's an initial review, thanks for working on this @mfdii !

I also think we need a readme on how to use it but didn't know where to comment this.

Review comments (outdated, resolved) on:
  • docker/kernel/httploader/httploader/main.go
  • docker/slim-stable/Dockerfile
  • docker/slim-dev/Dockerfile
Member

leodido left a comment

Some nits

Review comments (outdated, resolved) on:
  • docker/kernel/httploader/Dockerfile (3 comments)
  • docker/slim-dev/Dockerfile
  • docker/slim-stable/Dockerfile
Member

leodido left a comment

Another nit

fntlnz and others added 5 commits Oct 11, 2019
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
@poiana poiana added size/XL and removed size/XXL labels Oct 11, 2019
@leodido leodido self-requested a review Oct 11, 2019
Member

leodido left a comment

🎉

@poiana


poiana commented Oct 11, 2019

LGTM label has been added.

Git tree hash: 2851f34f65c67c607edf8be621c502ae5d6732ba

@poiana poiana added the lgtm label Oct 11, 2019
@fntlnz

Member

fntlnz commented Oct 11, 2019

@mfdii @leodido and I took over to continue this PR.

We moved the httploader tool to falcoctl falcosecurity/falcoctl#21 - now it's falcoctl install probe

The docker image reflects that. It is pushed following the same versioning as falco, so now we have:

  • falcosecurity/probeloader:latest
  • falcosecurity/probeloader:0.17.1

Also, instead of having a different image repository for each of slim and minimal, we are using tags.

E.g. for falco 0.18.0 we will have

  • falcosecurity/falcoctl:0.18.0
  • falcosecurity/falcoctl:0.18.0-slim
  • falcosecurity/falcoctl:0.18.0-minimal

And for latest

  • falcosecurity/falcoctl:latest
  • falcosecurity/falcoctl:latest-slim
  • falcosecurity/falcoctl:latest-minimal

Those slim and minimal images will not be pushed for old falco versions like 0.17.1, but starting from 0.18.0, the milestone attached to this PR.

The release process is NOT automated and we have a work item on that: #726

@mfdii

Member Author

mfdii commented Oct 11, 2019

lgtm

@poiana


poiana commented Oct 11, 2019

@mfdii: you cannot LGTM your own PR.

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
@poiana poiana removed the lgtm label Oct 11, 2019
@leodido

Member

leodido commented Oct 11, 2019

As planned during last meetings we are going to merge this PR.

@mfdii : there are some missing points/goals listed in the PR corpus, what's the planning for those? I propose to open issues to track them, first of all.

@leodido leodido self-requested a review Oct 11, 2019
@poiana


poiana commented Oct 11, 2019

LGTM label has been added.

Git tree hash: 89fbc0566bfc3da02c532e95f0a01edb3774ba4a

@poiana poiana added the lgtm label Oct 11, 2019
@fntlnz
fntlnz approved these changes Oct 11, 2019
@poiana


poiana commented Oct 11, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fntlnz, kris-nova, leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [fntlnz,kris-nova,leodido]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@leodido leodido merged commit f71c4f0 into dev Oct 11, 2019
3 of 4 checks passed
tide Not mergeable. Job Travis CI - Pull Request has not succeeded.
Travis CI - Branch Build Passed
Travis CI - Pull Request Build Passed
dco All commits have Signed-off-by
@poiana poiana deleted the mfdii/slim-images branch Oct 11, 2019