
[SBOM] Use container runtime snapshotter by default on EKS and GKE #1553

Open
wants to merge 3 commits into base: main

Conversation

lebauce
Contributor

@lebauce lebauce commented Oct 9, 2024

What this PR does / why we need it:

Detect whether the agent is deployed on EKS or GKE and use the container runtime snapshotter in these cases.

Which issue this PR fixes

(optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged)

  • fixes #

Special notes for your reviewer:

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • Chart Version bumped
  • Documentation has been updated with helm-docs (run: .github/helm-docs.sh)
  • CHANGELOG.md has been updated
  • Variables are documented in the README.md
  • For Datadog Operator chart or value changes update the test baselines (run: make update-test-baselines)

@lebauce lebauce added the chart/datadog This issue or pull request is related to the datadog chart label Oct 9, 2024
@lebauce lebauce requested a review from a team as a code owner October 9, 2024 09:47
@clamoriniere
Collaborator

Hi @lebauce

General question: have we investigated the possibility of handling it directly in the agent code base?
Indeed, the missing layer issue is impacting a lot of GKE and EKS users; however, it is not the only environment that might be impacted.

Can we easily detect if we should run the snapshotter by default (maybe based on the kubelet or containerd configuration), or maybe try with the default method and fall back automatically to the snapshotter if we get the "missing layer" error when the agent tries to scan a container image?

@lebauce
Contributor Author

lebauce commented Oct 14, 2024

@clamoriniere
The problem with the approach is that you first need to detect if we run on EKS/GKE/containerd with discard_uncompressed_layers.
If that's the case, we need to give the CAP_SYS_ADMIN right and bind mount /var/lib/containers.
I don't see how we could give these capabilities after the agent is started and we have detected that we need them.

@lebauce
Contributor Author

lebauce commented Oct 14, 2024

A longer-term solution could be to use the agent's "overlayfs direct scan" mode, which "only" requires mounting /var/lib/containers, and use it by default.

@clamoriniere
Collaborator

A longer-term solution could be to use the agent's "overlayfs direct scan" mode, which "only" requires mounting /var/lib/containers, and use it by default.

But in that case, do we lose the image layer information used to identify which layer the package is part of?

@lebauce
Contributor Author

lebauce commented Oct 14, 2024

No, we don't lose this information, as we still have one folder per layer.
