feat: add hostname field in gRPC output #927

Merged
merged 5 commits into from Nov 27, 2019
21 changes: 16 additions & 5 deletions userspace/falco/falco_outputs.cpp
Expand Up @@ -146,6 +146,12 @@ void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,

std::lock_guard<std::mutex> guard(m_ls_semaphore);
lua_getglobal(m_ls, m_lua_output_event.c_str());
char hostname[1024];
int err = gethostname(hostname, sizeof(hostname));
Contributor


While this might be good for most use cases, imagine this scenario.

You run this as a Daemonset on Kubernetes.

Then you consume the outputs somewhere else and try to get the hostname.

You notice that you are getting the hostname of the container and not the one of the node.

My proposed solution is to create a new environment variable for the hostname. We read that environment variable, and if it's not present we fall back to the system hostname.

In that way, when deploying in kubernetes we can just go and do something like this in the Pod spec:

...
      containers:
        - name: falco
          image: falcosecurity/falco:latest
          env:
            - name: FALCO_GRPC_HOSTNAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
...

Please note that FALCO_GRPC_HOSTNAME is just a filler idea I had for the variable name, I'm totally unsure what name to pick !

Contributor Author


I've updated the PR to reflect that change

Member


Let's merge the functionality, then we can battle over the names (I really like such battles, Lorenzo knows ahaha).

if(err != 0){
string err = "Failed to get hostname";
throw falco_exception(err);
}
if(lua_isfunction(m_ls, -1))
{
lua_pushlightuserdata(m_ls, ev);
Expand All @@ -154,8 +160,9 @@ void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,
lua_pushstring(m_ls, falco_common::priority_names[priority].c_str());
lua_pushnumber(m_ls, priority);
lua_pushstring(m_ls, format.c_str());
lua_pushstring(m_ls, hostname);

if(lua_pcall(m_ls, 6, 0, 0) != 0)
if(lua_pcall(m_ls, 7, 0, 0) != 0)
{
const char* lerr = lua_tostring(m_ls, -1);
string err = "Error invoking function output: " + string(lerr);
Expand Down Expand Up @@ -300,12 +307,13 @@ int falco_outputs::handle_http(lua_State *ls)
int falco_outputs::handle_grpc(lua_State *ls)
{
// check parameters
if(!lua_islightuserdata(ls, -7) ||
if(!lua_islightuserdata(ls, -8) ||
!lua_isstring(ls, -7) ||
!lua_isstring(ls, -6) ||
!lua_isstring(ls, -5) ||
!lua_isstring(ls, -4) ||
!lua_isstring(ls, -3) ||
!lua_istable(ls, -2) ||
!lua_istable(ls, -3) ||
!lua_isstring(ls, -2) ||
!lua_istable(ls, -1))
{
lua_pushstring(ls, "Invalid arguments passed to handle_grpc()");
Expand Down Expand Up @@ -355,7 +363,10 @@ int falco_outputs::handle_grpc(lua_State *ls)
}
lua_pop(ls, 1); // pop table

// hostname
grpc_res.set_hostname((char* )lua_tostring(ls, 7));

falco::output::queue::get().push(grpc_res);

return 1;
}
}
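Review bot: In the first hunk of handle_event, a failed `gethostname()` throws `falco_exception` on every event, so a hostname lookup problem would stop alert delivery on all configured outputs even though, per output.lua, only the gRPC output uses the value. The throw also comes after `lua_getglobal` has pushed a value onto `m_ls`, which appears to leave the Lua stack unbalanced on that path. Consider resolving the hostname once at initialization and passing a fallback (for example an empty string) on failure instead of throwing. If the per-event call stays, add `hostname[sizeof(hostname) - 1] = '\0';` after it, since POSIX does not guarantee a terminating NUL when the name is truncated. handle_event starts and ends outside the visible hunks.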
18 changes: 9 additions & 9 deletions userspace/falco/lua/output.lua
Expand Up @@ -17,7 +17,7 @@ local mod = {}

local outputs = {}

function mod.stdout(event, rule, source, priority, priority_num, msg, format, options)
function mod.stdout(event, rule, source, priority, priority_num, msg, format, hostname, options)
mod.stdout_message(priority, priority_num, msg, outputs)
end

Expand Down Expand Up @@ -57,7 +57,7 @@ function mod.file_open(options)
end
end

function mod.file(event, rule, source, priority, priority_num, msg, format, options)
function mod.file(event, rule, source, priority, priority_num, msg, format, hostname, options)
mod.file_message(priority, priority_num, msg, options)
end

Expand Down Expand Up @@ -91,7 +91,7 @@ function mod.file_reopen(options)
end
end

function mod.syslog(event, rule, source, priority, priority_num, msg, format, options)
function mod.syslog(event, rule, source, priority, priority_num, msg, format, hostname, options)
mod.syslog_message(priority, priority_num, msg, options)
end

Expand All @@ -114,7 +114,7 @@ function mod.program_open(options)
end
end

function mod.program(event, rule, source, priority, priority_num, msg, format, options)
function mod.program(event, rule, source, priority, priority_num, msg, format, hostname, options)
mod.program_message(priority, priority_num, msg, options)
end

Expand Down Expand Up @@ -153,7 +153,7 @@ function mod.program_reopen(options)
end
end

function mod.http(event, rule, source, priority, priority_num, msg, format, options)
function mod.http(event, rule, source, priority, priority_num, msg, format, hostname, options)
mod.http_message(priority, priority_num, msg, options)
end

Expand All @@ -167,9 +167,9 @@ end
function mod.http_reopen()
end

function mod.grpc(event, rule, source, priority, priority_num, msg, format, options)
function mod.grpc(event, rule, source, priority, priority_num, msg, format, hostname, options)
fields = formats.resolve_tokens(event, source, format)
c_outputs.handle_grpc(event, rule, source, priority, msg, fields, options)
c_outputs.handle_grpc(event, rule, source, priority, msg, fields, hostname, options)
end

function mod.grpc_message(priority, priority_num, msg, options)
Expand All @@ -183,7 +183,7 @@ end
function mod.grpc_reopen()
end

function output_event(event, rule, source, priority, priority_num, format)
function output_event(event, rule, source, priority, priority_num, format, hostname)
-- If format starts with a *, remove it, as we're adding our own
-- prefix here.
if format:sub(1, 1) == "*" then
Expand Down Expand Up @@ -215,7 +215,7 @@ function output_event(event, rule, source, priority, priority_num, format)
msg = formats.format_event(event, rule, source, priority, format)

for index, o in ipairs(outputs) do
o.output(event, rule, source, priority, priority_num, msg, format, o.options)
o.output(event, rule, source, priority, priority_num, msg, format, hostname, o.options)
end
end
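Review bot: The argument order of `output_event` and of every `mod.*` output function is now a positional contract with the C++ side (`lua_pcall(m_ls, 7, 0, 0)` in handle_event and the `-8` to `-1` index checks in handle_grpc), and nothing in output.lua documents it. Suggest a comment above `output_event` such as `-- Argument order must match the values pushed in falco_outputs::handle_event (hostname is the 7th)`, and one above `mod.grpc` noting that `hostname` is forwarded to `c_outputs.handle_grpc` immediately before `options`. Without that, a later parameter added on one side only would surface at runtime as "Invalid arguments passed to handle_grpc()" rather than at review time. `output_event` is only partly visible in these hunks.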

3 changes: 2 additions & 1 deletion userspace/falco/output.proto
Expand Up @@ -35,5 +35,6 @@ message response {
string rule = 4;
string output = 5;
map<string, string> output_fields = 6;
// repeated string tags = 7; // TODO(leodido,fntlnz): tags not supported yet, keeping for reference
string hostname = 7;
// repeated string tags = 8; // TODO(leodido,fntlnz): tags not supported yet, keeping for reference
}
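Review bot: The new `hostname` field (number 7) carries no comment saying where its value comes from. In this change it is whatever the emitting Falco process got from `gethostname()`, passed through Lua unchanged, so consumers that correlate alerts by host should presumably treat it as sender-reported rather than verified. Suggest adding `// hostname reported by the Falco process that emitted the event (from gethostname())` above the field. The `response` message begins outside the hunk.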