falco
Falco 0.42.1 random memory usage spikes
Describe the bug
I have recently upgraded Falco from 0.40.0 to 0.42.1 hoping to get memory leaks fixed, but still see random memory spikes which cause Falco pods to constantly get OOM killed.
How to reproduce it
Install Falco with 0.42.1, latest k8saudit, json and container plugins. Using the default ruleset with multiple exceptions.
Expected behaviour
Stable functioning of pods without getting constantly OOMed.
Screenshots
- Falco version: 0.42.1
- System info:
  {
    "machine": "x86_64",
    "nodename": "falco",
    "release": "6.1.94-3.el9.x86_64",
    "sysname": "Linux",
    "version": "#1 SMP PREEMPT_DYNAMIC Mon Nov 11 12:06:56 UTC 2024"
  }
- Installation method: Kubernetes via Helm chart (7.0.0) as a daemonset.
falco.yaml:
    append_output:
    - suggested_output: true
    base_syscalls:
      all: false
      custom_set: []
      repair: false
    buffer_format_base64: false
    buffered_outputs: true
    capture:
      default_duration: 5000
      enabled: false
      mode: rules
      path_prefix: /tmp/falco
    config_files:
    - /etc/falco/config.d
    engine:
      kind: modern_ebpf
      modern_ebpf:
        buf_size_preset: 8
        cpus_for_each_buffer: 2
        drop_failed_exit: false
    falco_libs:
      snaplen: 80
      thread_table_auto_purging_interval_s: 300
      thread_table_auto_purging_thread_timeout_s: 300
      thread_table_size: 262144
    file_output:
      enabled: false
      filename: ./events.txt
      keep_alive: false
    grpc:
      bind_address: unix:///run/falco/falco.sock
      enabled: true
      threadiness: 0
    grpc_output:
      enabled: true
    http_output:
      ca_bundle: ""
      ca_cert: ""
      ca_path: /etc/falco/certs/
      client_cert: /etc/falco/certs/client/client.crt
      client_key: /etc/falco/certs/client/client.key
      compress_uploads: false
      echo: false
      enabled: true
      insecure: false
      keep_alive: false
      max_consecutive_timeouts: 5
      mtls: false
      url: http://falcosecurity-falcosidekick:80/
      user_agent: falcosecurity/falco
    json_include_message_property: false
    json_include_output_fields_property: true
    json_include_output_property: true
    json_include_tags_property: true
    json_output: true
    libs_logger:
      enabled: true
      severity: notice
    load_plugins:
    - k8saudit
    - json
    - container
    log_level: notice
    log_stderr: true
    log_syslog: true
    metrics:
      enabled: true
      interval: 1h
    output_timeout: 5000
    outputs_queue:
      capacity: 0
    plugins:
    - init_config:
        maxEventSize: "125829120"
        webhookMaxBatchSize: "125829120"
      library_path: libk8saudit.so
      name: k8saudit
      open_params: http://:9765/k8s-audit
    - init_config: ""
      library_path: libjson.so
      name: json
    - init_config:
        engines:
          bpm:
            enabled: false
          containerd:
            enabled: true
            sockets:
            - /run/containerd/containerd.sock
          cri:
            enabled: false
            sockets:
            - /run/containerd/containerd.sock
            - /run/crio/crio.sock
            - /run/k3s/containerd/containerd.sock
            - /run/host-containerd/containerd.sock
          docker:
            enabled: false
            sockets:
            - /var/run/docker.sock
          libvirt_lxc:
            enabled: false
          lxc:
            enabled: false
          podman:
            enabled: false
            sockets:
            - /run/podman/podman.sock
        hooks:
        - create
        - start
        label_max_len: 100
        with_size: false
      library_path: libcontainer.so
      name: container
    plugins_hostinfo: true
    priority: debug
    program_output:
      enabled: false
      keep_alive: false
      program: 'jq ''{text: .output}'' | curl -d @- -X POST https://hooks.slack.com/services/XXX'
    rule_matching: first
    rules_files:
    - /etc/falco/common-rules.yaml
    stdout_output:
      enabled: true
    syscall_event_drops:
      actions:
      - log
      - alert
      max_burst: 1
      rate: 0.03333
      simulate_drops: false
      threshold: 0.1
    syscall_event_timeouts:
      max_consecutives: 1000
    syslog_output:
      enabled: true
    time_format_iso_8601: false
    watch_config_files: true
    webserver:
      enabled: true
      k8s_healthz_endpoint: /healthz
      listen_address: 0.0.0.0
      listen_port: 8765
      prometheus_metrics_enabled: true
      ssl_certificate: /etc/falco/falco.pem
      ssl_enabled: false
      threadiness: 0
Tried disabling k8saudit and json plugins, but these spikes are still present.