Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set module arguments via falco-driver-loader #1342

Conversation

antoinedeschenes
Copy link
Contributor

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area engine

What this PR does / why we need it:

  • Add FALCO_DRIVER_LOADER_ARGS variable to pass arguments to falco-driver-loader in docker images. (ex. FALCO_DRIVER_LOADER_ARGS="--compile")
  • Add --module-arg option to set kernel module args via falco-driver-loader. (ex. falco-driver-loader --module-arg verbose=1 --module-arg max_consumers=2
    This seems a little pointless at first, but we have an open PR on sysdig allowing an adjustable ring buffer size via kernel params

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

docker-entrypoint: Pass FALCO_DRIVER_LOADER_ARGS as falco-driver-loader arguments
falco-driver-loader: Add --module-arg option to set kernel module args

@poiana
Copy link
Contributor

poiana commented Aug 4, 2020

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign leodido
You can assign the PR to them by writing /assign @leodido in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana added the size/S label Aug 4, 2020
Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall SGTM, but I have some questions:

  1. Is any particular reason why we don't pass module args when loading a locally prebuilt module?
  2. What's the expected behavior when it loads the module with modprobe?
  3. Same as above when it cannot unload the module.

Moreover, I'd inform the user in case the script is not able to pass the module args. The verbosity we added to this script helped to avoid headaches - at least for me 😄

PS
Could you link here the PR on sysdig you mentioned, please?

@antoinedeschenes antoinedeschenes changed the title Set module arguments via falco-driver-loader wip: Set module arguments via falco-driver-loader Aug 17, 2020
@antoinedeschenes
Copy link
Contributor Author

1 & 2. Hm, looks like I submitted some unfinished work 😞
3. params from the last successful insmod/modprobe will be used, we could probably print the contents of /sys/module/falco/parameters/
4. might be worth retrying the insmod without parameters in that case with a proper message

sysdig PR: draios/sysdig#1671

@antoinedeschenes antoinedeschenes force-pushed the driver-loader-module-args branch from 51e872c to 2b6a886 Compare August 18, 2020 17:36
@antoinedeschenes antoinedeschenes changed the title wip: Set module arguments via falco-driver-loader Set module arguments via falco-driver-loader Aug 19, 2020
@antoinedeschenes antoinedeschenes changed the title Set module arguments via falco-driver-loader wip: Set module arguments via falco-driver-loader Aug 19, 2020
@antoinedeschenes antoinedeschenes force-pushed the driver-loader-module-args branch 3 times, most recently from 6cd3e4b to 48ec146 Compare August 19, 2020 12:51
@antoinedeschenes antoinedeschenes changed the title wip: Set module arguments via falco-driver-loader Set module arguments via falco-driver-loader Aug 19, 2020
@antoinedeschenes
Copy link
Contributor Author

@leogr

  • Increased verbosity
  • Added arguments to all modprobe and insmod
  • Kernel behavior is:
    -> Unknown parameter: log in kern.log falco: unknown parameter 'foo' ignored
    -> Invalid value returns: ERROR: could not insert 'falco': Invalid argument

I haven't looked into retrying without parameters or printing /sys/module/falco/parameters however (say, a modprobe on an already loaded module won't fail, but won't change the kernel parameters either)

@leogr
Copy link
Member

leogr commented Aug 19, 2020

@antoinedeschenes Thank you!!!

I will take a look soon... btw I think we need more eyes 👇 on this :)
/cc @leodido
/cc @fntlnz

@poiana poiana requested review from fntlnz and leodido August 19, 2020 13:17
@leogr leogr added this to the 0.26.0 milestone Aug 20, 2020
@leogr
Copy link
Member

leogr commented Aug 20, 2020

Hey @antoinedeschenes

Since the 0.25.0 is coming next week (on Tue 25th) and we don't have enough time to test your PRs (this, #1343, and #1344) @fntlnz and I decided to move all of them for the 0.26.0.

I hope we can review them very soon.

And thank you - again - we really appreciated your contributions :)

@leogr
Copy link
Member

leogr commented Sep 11, 2020

/hold
until draios/sysdig#1671 gets merged

@krisnova krisnova modified the milestones: 0.26.0, 0.27.0 Sep 24, 2020
Allows setting sysdig kernel module args (ex. max_consumers and verbose)

Signed-off-by: Antoine Deschênes <[email protected]>
@antoinedeschenes antoinedeschenes force-pushed the driver-loader-module-args branch from 48ec146 to 0452ea1 Compare October 6, 2020 14:32
@poiana
Copy link
Contributor

poiana commented Jan 4, 2021

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@fntlnz fntlnz modified the milestones: 0.27.0, 0.28.0 Jan 15, 2021
@poiana
Copy link
Contributor

poiana commented Feb 14, 2021

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@poiana
Copy link
Contributor

poiana commented Mar 16, 2021

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

@poiana poiana closed this Mar 16, 2021
@poiana
Copy link
Contributor

poiana commented Mar 16, 2021

@poiana: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants