
falcosecurity/driverloader docker image #1171

@leodido

Description


Motivation

As discussed during today's community call, on Docker Hub we still have the falcosecurity/probeloader docker image, while we removed its source from the repo.

This was done during the review process of docker images (#1019) and artifacts (#1114).

Since we want to install and use Falco in a security-oriented way, we don't want its falcosecurity/falco docker container to run with --privileged.

To achieve this we can

  1. use an init container (that just runs for a limited amount of time with privileges)
    1.1 it looks for the correct driver, or it builds one if it's not able to find one (through the falco-driver-loader script, which already behaves this way)
    1.2 it ships the whole toolchain to build drivers (which currently is inside the falcosecurity/falco image too)
  2. run falcosecurity/falco just mounting the driver devices, without --privileged (which falcosecurity/falco tag we want to run here depends on the choices in the additional context below)

Feature

Introduce a falcosecurity/driverloader image that wraps the falco-driver-loader script and contains the toolchain that is (optionally) needed to build the driver in case it's not a prebuilt one.

So, to recap the final situation will be:

  • falcosecurity/falco:latest stays as it is to cover the use case "run in 1 minute"
  • falcosecurity/driverloader will contain the falco-driver-loader script and the toolchain to eventually build the driver; it will need to be run with --privileged, and it will serve as an init container
  • falcosecurity/probeloader gets removed from the docker hub too
  • falcosecurity/falco:latest-slim is the image containing only Falco to be run after the init container

Alternatives

Remove the falcosecurity/probeloader docker image also from docker hub and leave to users and adopters the choice.

Additional context

At this point, about the falcosecurity/falco image we'll have two possible paths.

  • remove the toolchain needed to build the driver making the image slimmer
  • remove also the falcosecurity/falco:latest-slim image which would be not needed anymore

OR

  • keep it as is and just advertise using falcosecurity/falco:slim after the init container has run.

I vote for option 1, as basically written in the body of this issue.
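The split proposed in the issue (a short-lived privileged init container that runs falco-driver-loader, followed by an unprivileged Falco container) in the form a practitioner would deploy it on Kubernetes. This is an added example, not code from the issue or from the Falco project: the image names follow the proposal above, while the hostPath mounts, the hostPID setting, the shared driver directory (/root/.falco) and the device path (/dev) are assumptions made for illustration.

```yaml
# Added example (not from the issue or the Falco project): a DaemonSet that applies
# the two-step design above. Image names follow the issue's proposal
# (falcosecurity/driverloader, falcosecurity/falco:latest-slim); the host mounts,
# hostPID, the shared driver directory and the device path are assumptions.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: falco
  namespace: falco
spec:
  selector:
    matchLabels: {app: falco}
  template:
    metadata:
      labels: {app: falco}
    spec:
      hostPID: true   # assumed: lets Falco resolve host processes via /host/proc
      initContainers:
        # Step 1: privileged only here, only for as long as the loader runs.
        # It finds a prebuilt driver or builds one with the toolchain it bundles.
        - name: driver-loader
          image: falcosecurity/driverloader
          securityContext:
            privileged: true
          volumeMounts:
            - {name: boot,    mountPath: /host/boot,        readOnly: true}
            - {name: modules, mountPath: /host/lib/modules, readOnly: true}
            - {name: usr,     mountPath: /host/usr,         readOnly: true}
            - {name: etc,     mountPath: /host/etc,         readOnly: true}
            - {name: driver,  mountPath: /root/.falco}   # assumed: where the loader leaves its output
      containers:
        # Step 2: Falco itself, explicitly unprivileged; it is handed the host's
        # device nodes and the loader's output directory, nothing more.
        - name: falco
          image: falcosecurity/falco:latest-slim
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
          volumeMounts:
            - {name: dev,    mountPath: /host/dev}
            - {name: proc,   mountPath: /host/proc,   readOnly: true}
            - {name: driver, mountPath: /root/.falco, readOnly: true}
      volumes:
        - {name: boot,    hostPath: {path: /boot}}
        - {name: modules, hostPath: {path: /lib/modules}}
        - {name: usr,     hostPath: {path: /usr}}
        - {name: etc,     hostPath: {path: /etc}}
        - {name: dev,     hostPath: {path: /dev}}
        - {name: proc,    hostPath: {path: /proc}}
        # Shared between the init container and Falco so that anything the
        # loader produces on disk is visible to the unprivileged container.
        - {name: driver,  emptyDir: {}}
```

Two checks worth doing after applying something like this. First, confirm the init container actually exited (kubectl get pods will show Init:0/1 stuck if the loader could not find or build a driver for the node's kernel), since the unprivileged Falco container has no way to load a driver on its own. Second, confirm from inside the running falco container that it can open the driver devices under /host/dev: whether a non-privileged container may open host device nodes is decided by the container runtime's device cgroup policy, so if Falco fails to open the device the fix is an explicit device grant for that container, not a return to --privileged.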
