Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request: Container Checkpoint Support #374

Open
Elghazali-99 opened this issue Jul 15, 2024 · 3 comments
Open

Feature request: Container Checkpoint Support #374

Elghazali-99 opened this issue Jul 15, 2024 · 3 comments
Assignees
@Issif
Labels
lifecycle/stale new feature New feature request
Milestone
v0.x

Comments

@Elghazali-99
Copy link

I would like to suggest adding support for container checkpoint functionality to Falco Talon.

This feature allows saving the state of running containers, which could enhance the capability to perform forensics and investigation on the compromized containers/pods.

This feature has been merged into Kubernetes v1.25.

Supports:
@Issif
Copy link
Member

Issif commented Jul 15, 2024
edited
Loading

Good idea, I'll add that to our Todo list. I already thought about it, it requires the runtime to be started with the right flag, it's not always true.

@Issif Issif added this to the v0.1.0 milestone Jul 15, 2024
@Issif Issif self-assigned this Jul 17, 2024
@Issif
Copy link
Member

Issif commented Jul 26, 2024

I did some searches, you can correct me if I'm wrong, but here's the results:

  • the feature has a lot of requirements:
    • the container runtime must have the feature and be started with it enabled
    • the feature in k8s is behind the feature gate, it requires the kubelet to be started with a specific option
    • criu must be installed on all nodes
  • moreover, the checkpoints are stored under /var/lib/kubelet/checkpoints, it means, we have to follow this procedure:
    • trigger the checkpoint with talon
    • wait til the completion
    • start a pod on the exact same node with /var/lib/kubelet/checkpoints mounted from the host
    • use that pod to get the checkpoint and push it to an available output (s3 or minio) for now

Even if it's technically doable, I would prefer to wait this feature to be GA and avoid to spend to much time on it today, and see it totally removed or modified in the future.

wdyt?

cc @IgorEulalio @xinity

@Issif Issif modified the milestones: v0.1.0, v0.x Jul 26, 2024
@Issif Issif added the new feature New feature request label Aug 22, 2024
@poiana
Copy link

poiana commented Nov 20, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Issif Issif

Labels
lifecycle/stale new feature New feature request
Projects
None yet
Milestone
v0.x
Development

No branches or pull requests
3 participants
@Issif @poiana @Elghazali-99