Add support for container metaevent to detect container spawning #405
Conversation
Create a new macro "container_started" to check both the old and the new check. Also, only look for execve exit events with vpid=1.
There was a problem hiding this comment.
Looks good. As we discussed, this could lead to multiple events as both conditions for container_started can occur for different events, based on the timing between the execve with pid=1 and the container event. Once draios/sysdig#1190 is merged, I'd like to try it out a bit to see if I can eliminate the double event in some way in the falco engine. I'll keep this open for a bit first.
| @@ -299,6 +299,9 @@ | |||
| - macro: container | |||
| condition: container.id != host | |||
|
|
|||
| - macro: container_started | |||
| condition: (evt.type = container or (evt.type=execve and evt.dir=< and proc.vpid=1)) | |||
There was a problem hiding this comment.
Just want to drop a note here, if the container is brought up with flag --pid=host or --pid=<container id or name>, the vpid wont be equal to 1. For more reference: https://docs.docker.com/engine/reference/run/#imagedigest
Or is container.id != host good enough to determine whether it is a container?
There was a problem hiding this comment.
Yeah container.id = host allows you to know that you're in a container. proc.vpid=1 was the best way we had to denote that a container was started. Now we'll have a more reliable way using the container event.
|
We need to wait, the related sysdig code wasn't ever merged and now there's a new approach for emitting container events: draios/sysdig#1283. That work needs to complete and we also need to change sysdig to emit "container" events when containers are created. |
A new macro
container_startedcontains both the new and the old check.Also, returns true only for execve enter events with
vpid=1, not for both directions.This depends on draios/sysdig#1190.