feat: add hostname field in gRPC output #927
Conversation
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
|
Welcome @aarroyoc! It looks like this is your first PR to falcosecurity/falco 🎉 |
There was a problem hiding this comment.
@aarroyoc - this PR looks very good overall and this had also been a very needed feature in the community so thanks a lot for this!
I find this PR complete overall, I only want to see if we can do differently for the hostname, see my comment below.
userspace/falco/falco_outputs.cpp
Outdated
| @@ -146,6 +146,12 @@ void falco_outputs::handle_event(gen_event *ev, string &rule, string &source, | |||
|
|
|||
| std::lock_guard<std::mutex> guard(m_ls_semaphore); | |||
| lua_getglobal(m_ls, m_lua_output_event.c_str()); | |||
| char hostname[1024]; | |||
| int err = gethostname(hostname, sizeof(hostname)); | |||
There was a problem hiding this comment.
While this might be good for most use cases, imagine this scenario.
You run this as a Daemonset on Kubernetes.
Then you consume the outputs somewhere else and try to get the hostname.
You notice that you are getting the hostname of the container and not the one of the node.
My proposed solution, is to create a new environment variable for the hostname. Then we read that environment variable and if it's not present we get the system hostname.
In that way, when deploying in kubernetes we can just go and do something like this in the Pod spec:
...
containers:
- name: falco
image: falcosecurity/falco:latest
env:
- name: FALCO_GRPC_HOSTNAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
...Please note that FALCO_GRPC_HOSTNAME is just a filler idea I had for the variable name, I'm totally unsure what name to pick !
There was a problem hiding this comment.
I've updated the PR to reflect that change
There was a problem hiding this comment.
Let's merge the functionality then we can pick battle on names (I really like such battles Lorenzo knows ahaha).
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
|
Hi @leodido, thanks for your feedback. Could you please point us to a better place to setup the env var? Thanks! |
userspace/falco/falco_outputs.cpp
Outdated
| int err = gethostname(c_hostname, 256); | ||
| if(err != 0){ | ||
| string err = "Failed to get hostname"; | ||
| throw falco_exception(err); |
There was a problem hiding this comment.
You can pass the error string directly here
|
@palmerabollo @aarroyoc - the environment variable setup is all done in Once you have that, we have two options:
Wdyt? |
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
|
I've added it in falco_outputs because I think it's more of an initialization value |
There was a problem hiding this comment.
Thanks Adrian for applying the changes requested!
This seems pretty good to me! 🎉
There is only one nitpick: not sure we should throw falco_exception there. But to be fair I think that all the exceptions/errors should be reviewed and that's not the scope of this PR. So let's merge this! :)
|
LGTM label has been added. Git tree hash: 6289fbf7c0d289f6d42887c2638d88a32b13e12d
|
|
@fntlnz does it look good to you? |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fntlnz, leodido The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Looks good! Thanks @aarroyoc for the pr and for makin the requested changes ! This is a very needed and cool improvement ! Merging ! |
|
/milestone 0.19.0 |
Signed-off-by: Adrián Arroyo Calle adrian.arroyocalle@gmail.com
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area integrations
What this PR does / why we need it:
This PR adds a new field (hostname) in gRPC event messages.
Which issue(s) this PR fixes:
Fixes #923
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
In theory, it adds a new field without causing trouble to old clients. It also passes hostname to other outputs but it does nothing. This was done to keep consistency between methods signatures. Maybe we want to move the field to
outputFields