
fix(container): crash at filter extract

Open deepskyblue86 opened this issue 2 months ago • 9 comments

What type of PR is this? /kind bug

Any specific area of the project related to this PR? /area plugins

What this PR does / why we need it: I hit a segfault with sinsp-example, just specifying -f 'container.name!=my_container'. After debugging it I realized that event filtering (using extract cap) happens before parse, so the assumption in the code didn't hold.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

deepskyblue86 avatar Oct 09 '25 18:10 deepskyblue86

Rules files suggestions

github-actions[bot] avatar Oct 09 '25 18:10 github-actions[bot]

LGTM, not sure why CI is unhappy though

I found this in the CI output:

Runtime error: cannot load plugin /usr/share/falco/plugins/libcontainer.so: plugin required API version '3.12.0' not compatible with the framework's API version '3.11.0': framework's minor is less than the requested one. Exiting.

I think this has something to do with https://github.com/falcosecurity/plugins/pull/1005 / https://github.com/falcosecurity/plugins/pull/1016. No idea why this is failing though. CC @ekoops @leogr

deepskyblue86 avatar Oct 10 '25 08:10 deepskyblue86
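The load failure quoted in the comment above is the outcome of a version compatibility check between the plugin's required API version and the one the framework exposes. A sketch of such a check follows, added here as an illustration and not taken from falcosecurity/libs or the container plugin. The type and function names are hypothetical, and the major and patch rules are assumptions following semantic-versioning convention (the thread only shows the minor-version rule).

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical type for this example only.
struct ApiVersion {
    unsigned ver_major = 0, ver_minor = 0, ver_patch = 0;
};

// Parse "MAJOR.MINOR.PATCH"; missing fields or trailing characters are rejected.
bool parse_version(const std::string& s, ApiVersion& out) {
    int consumed = 0;
    int fields = std::sscanf(s.c_str(), "%u.%u.%u%n",
                             &out.ver_major, &out.ver_minor, &out.ver_patch, &consumed);
    return fields == 3 && static_cast<std::size_t>(consumed) == s.size();
}

// Returns an empty string when a plugin requiring `required` may be loaded by a
// framework exposing `framework`; otherwise returns the reason for refusing.
std::string incompatibility(const std::string& framework, const std::string& required) {
    ApiVersion fw, req;
    if (!parse_version(framework, fw) || !parse_version(required, req))
        return "malformed version string";
    // Assumption: a different major version is never compatible.
    if (fw.ver_major != req.ver_major)
        return "major versions differ";
    // Rule visible in the CI output: the framework minor must not be older.
    if (fw.ver_minor < req.ver_minor)
        return "framework's minor is less than the requested one";
    // Assumption: with equal minors, the framework patch must not be older.
    if (fw.ver_minor == req.ver_minor && fw.ver_patch < req.ver_patch)
        return "framework's patch is less than the requested one";
    return "";
}

int main() {
    // Versions taken from the CI output quoted in this thread.
    std::string why = incompatibility("3.11.0", "3.12.0");
    std::printf("%s\n", why.empty() ? "compatible" : why.c_str());
    return 0;
}
```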

CI is still using an old falco:master-debian image to test this, as no new docker images of that kind have been pushed to dockerhub yet. That old image is synced with an old libs version. That's why we are getting this error.

ekoops avatar Oct 13 '25 07:10 ekoops

> CI is still using an old falco:master-debian image to test this, as no new docker images of that kind have been pushed to dockerhub yet. That old image is synced with an old libs version. That's why we are getting this error.

How did the previous one pass then?

deepskyblue86 avatar Oct 13 '25 07:10 deepskyblue86

What is the previous one? Do you mean the previous merged PR? It failed as well: https://github.com/falcosecurity/plugins/actions/runs/18351059430/job/52271109104

ekoops avatar Oct 13 '25 07:10 ekoops

FYI the CI will be fixed once https://github.com/falcosecurity/falco/pull/3689 gets merged. You can ignore it at the moment.

leogr avatar Oct 13 '25 08:10 leogr

Rules files suggestions

github-actions[bot] avatar Oct 13 '25 10:10 github-actions[bot]

> FYI the CI will be fixed once falcosecurity/falco#3689 gets merged. You can ignore it at the moment.

FYI it works now :sunglasses:

leogr avatar Oct 14 '25 08:10 leogr

LGTM label has been added.

Git tree hash: 3285c4b0d4228f891f1dcc4392292883522af8f0

poiana avatar Nov 17 '25 09:11 poiana

@ekoops @leogr do you mind taking a look?

irozzo-1A avatar Nov 17 '25 09:11 irozzo-1A

Rules files suggestions

github-actions[bot] avatar Nov 17 '25 15:11 github-actions[bot]

Rules files suggestions

github-actions[bot] avatar Nov 17 '25 17:11 github-actions[bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepskyblue86, irozzo-1A, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment.

Approvers can cancel approval by writing /approve cancel in a comment.

poiana avatar Nov 18 '25 12:11 poiana

LGTM label has been added.

Git tree hash: 1a04486c22afcfa196023aa5a4e48ab3a4683b6b

poiana avatar Nov 18 '25 12:11 poiana