-
Notifications
You must be signed in to change notification settings - Fork 169
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Semantic of container.id
and container.name
#2057
Comments
Thanks for reporting this one Leo! Also, cc @incertum |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
/remove-lifecycle stale |
@FedeDP will your container plugin implementation go in this direction? Or is it still TBD? 🤔 |
Still TBD! |
Motivation
Historically, when a syscall event occurs outside a container, the
container.id
field is set tohost
. Our ruleset has consistently followed this pattern: 👇https://github.com/falcosecurity/rules/issues/new?permalink=https%3A%2F%2Fgithub.com%2Ffalcosecurity%2Frules%2Fblob%2Fb6ad37371923b28d4db399cf11bd4817f923c286%2Frules%2Ffalco_rules.yaml%23L226-L227
This behavior is also documented in the official documentation.
Although this design decision is opinionated, it works since a container ID cannot be
host
.The
container.name
field currently follows the same pattern: 👇https://github.com/incertum/libs/blame/master/userspace/libsinsp/filterchecks.cpp#L6232-L6236
However, using
container.name = host
is unsafe because a container could be namedhost
.Overall, the current approach could lead to confusion or errors.
Feature
To resolve this issue for non-container cases, we propose two backward-incompatible solutions:
container.name
unset (like othercontainer.*
fields) and continue usingcontainer.id=host
.container.id
andcontainer.name
unset. This would makenot container.id exists
work correctly (assuming the empty value problem will also be fixed).Alternatives
Doing nothing is not an option, as
container.name = host
could be misleading.Additional context
This change would be a major breaking change and should be targeted for Falco 1.0.
Also note the empty value problem (a.k.a. the issue) is orthogonal to this issue. Still, it should be taken into consideration
The text was updated successfully, but these errors were encountered: