falco icon indicating copy to clipboard operation
falco copied to clipboard

Published 20 hours ago verified publisher icon falcosecurity

Support Falco running with sandboxed runtimes

Open egernst opened this issue 4 years ago • 43 comments

Motivation

Falco is great. I want Falco. But I also want to run the workload using a sandboxed runtime like kata containers. I hate choosing; I want both things.

Feature

It'd be awesome to be able to run either the kernel module or eBPF inside the guest kernel and have this available for Falco on the host. From taking a quick look @ https://sysdig.com/blog/understanding-common-library-implementation/, I'm hopeful that this is feasible, and we could have SCAP <-> sinsp communication occur over vsock between the guest/host.

Alternatives

I have to choose either Falco or sandboxed runtime.

Additional context

I haven't spent a lot of time yet looking through Falco yet, but before investing I am interested in high-level feedback like:

  • "Yes, this is a good idea, very straight-forward"
  • "no this doesn't make any sense"
  • something in between.

egernst avatar Sep 24 '20 17:09 egernst

+1 this - we run a lot of gVisor workloads because they're higher risk, and so getting insights into these would be awesome

ghost avatar Oct 26 '20 21:10 ghost

I think this is something we should discuss during our community call.

Please join us if you want!

leogr avatar Oct 28 '20 09:10 leogr

Hi, I'm also very interested in this feature request. Any update information?

terenceli avatar Nov 27 '20 03:11 terenceli

I'll join a future community call. Thanks @leogr !

egernst avatar Nov 30 '20 15:11 egernst

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Feb 28 '21 21:02 poiana

Has there been any discussion or movement on this?

pidydx avatar Mar 20 '21 21:03 pidydx

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Apr 19 '21 22:04 poiana

I'm also very interested in seeing it happen. Is there a community call every week?

bergwolf avatar Apr 23 '21 07:04 bergwolf

Indeed there is. :)

Every Wed. More details at https://github.com/falcosecurity/community

On Fri, 23 Apr 2021 at 09:17 Peng Tao @.***> wrote:

I'm also very interested in seeing it happen. Is there a community call every week?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/falcosecurity/falco/issues/1413#issuecomment-825448178, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAA5J42VFI5EQN2Q6FYO53DTKENJTANCNFSM4RYRVE6A .

-- L.

leodido avatar Apr 23 '21 07:04 leodido

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana avatar May 23 '21 10:05 poiana

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar May 23 '21 10:05 poiana

@lining2020x: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Oct 09 '21 07:10 poiana

/reopen

lining2020x avatar Oct 09 '21 07:10 lining2020x

@lining2020x: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Oct 09 '21 07:10 poiana

/reopen

leogr avatar Oct 11 '21 06:10 leogr

@leogr: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Oct 11 '21 06:10 poiana

/remove-lifecycle rotten

leogr avatar Oct 11 '21 06:10 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jan 09 '22 09:01 poiana

/remove-lifecycle stale

leogr avatar Jan 10 '22 10:01 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Apr 10 '22 11:04 poiana

/remove-lifecycle stale

jasondellaluce avatar Apr 10 '22 13:04 jasondellaluce

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jul 10 '22 03:07 poiana

/remove-lifecycle stale

jasondellaluce avatar Jul 10 '22 09:07 jasondellaluce

cc @LucaGuerra

leogr avatar Jul 11 '22 07:07 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Oct 09 '22 09:10 poiana

/remove-lifecycle stale cc @FedeDP

leogr avatar Oct 17 '22 15:10 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jan 15 '23 21:01 poiana

/remove-lifecycle stale

FedeDP avatar Jan 15 '23 22:01 FedeDP

/help

leogr avatar Jan 18 '23 10:01 leogr

@leogr: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Jan 18 '23 10:01 poiana