chore(src): improve containerd support.

Backport changes from falcosecurity/libs#2195.

Signed-off-by: Federico Di Pierro <[email protected]>

README.md

@@ -163,7 +163,7 @@ load_plugins: [container]
 By default, all engines are enabled on **default sockets**:
 * Docker: `/var/run/docker.sock`
 * Podman: `/run/podman/podman.sock` for root, + `/run/user/$uid/podman/podman.sock` for each user in the system
-* Containerd: [`/run/containerd/containerd.sock`, `/run/k3s/containerd/containerd.sock`]
+* Containerd: [`/run/containerd/containerd.sock`, `/run/k3s/containerd/containerd.sock`, `/run/host-containerd/containerd.sock`]
 * Cri: `/run/crio/crio.sock`
 
 ### Rules

src/matchers/containerd.cpp

@@ -3,6 +3,10 @@
 
 using namespace libsinsp::runc;
 
+// Containers created via ctr
+// use the "default" namespace (instead of the cri "k8s.io" namespace)
+// which will result in the `/default` cgroup path.
+// https://github.com/containerd/containerd/blob/3b15606e196e450cf817fa9f835ab5324b35a28b/pkg/namespaces/context.go#L32
 constexpr const cgroup_layout CONTAINERD_CGROUP_LAYOUT[] = {{"/default/", ""}, {nullptr, nullptr}};
 
 bool containerd::resolve(const std::string& cgroup, std::string& container_id) {

src/matchers/runc.cpp

@@ -3,7 +3,6 @@
 namespace {
 const size_t CONTAINER_ID_LENGTH = 64;
 const size_t REPORTED_CONTAINER_ID_LENGTH = 12;
-const char *CONTAINER_ID_VALID_CHARACTERS = "0123456789abcdefABCDEF";
 
 static_assert(REPORTED_CONTAINER_ID_LENGTH <= CONTAINER_ID_LENGTH,
 "Reported container ID length cannot be longer than actual length");
@@ -13,6 +12,25 @@ static_assert(REPORTED_CONTAINER_ID_LENGTH <= CONTAINER_ID_LENGTH,
 namespace libsinsp {
 namespace runc {
 
+inline static bool endswith(const std::string &s, const std::string &suffix) {
+	return s.rfind(suffix) == (s.size() - suffix.size());
+}
+
+inline static bool is_host(const std::string &cgroup) {
+	// A good approximation to minize false-positives is to exclude systemd suffixes.
+	if(endswith(cgroup, ".slice") || endswith(cgroup, ".service")) {
+		return true;
+	} else if(endswith(cgroup, ".scope")) {
+		if(cgroup.find("crio-") != std::string::npos ||
+		   cgroup.find("docker-") != std::string::npos) {
+			return false;
+		}
+		return true;
+	}
+
+	return false;
+}
+
 // check if cgroup ends with <prefix><container_id><suffix>
 // If true, set <container_id> to a truncated version of the id and return true.
 // Otherwise return false and leave container_id unchanged
@@ -31,16 +49,21 @@ bool match_one_container_id(const std::string &cgroup,
         return false;
     }
 
-    if(end_pos - start_pos != CONTAINER_ID_LENGTH) {
+    // In some container runtimes the container id is not
+    // necessarly CONTAINER_ID_LENGTH long and can be arbitrarly defined.
+    // To keep it simple we only discard the container id > of CONTAINER_ID_LENGTH.
+    if(end_pos - start_pos > CONTAINER_ID_LENGTH || end_pos - start_pos == 0) {
         return false;
     }
 
-    size_t invalid_ch_pos = cgroup.find_first_not_of(CONTAINER_ID_VALID_CHARACTERS, start_pos);
-    if(invalid_ch_pos < CONTAINER_ID_LENGTH) {
+    if(is_host(cgroup)) {
         return false;
     }
 
-    container_id = cgroup.substr(start_pos, REPORTED_CONTAINER_ID_LENGTH);
+    size_t reported_len = end_pos - start_pos >= REPORTED_CONTAINER_ID_LENGTH
+                                  ? REPORTED_CONTAINER_ID_LENGTH
+                                  : end_pos;
+    container_id = cgroup.substr(start_pos, reported_len);
     return true;
 }
 
@@ -52,7 +75,6 @@ bool matches_runc_cgroup(const std::string &cgroup,
             return true;
         }
     }
-
     return false;
 }
 }  // namespace runc

src/plugin_config.cpp

@@ -52,6 +52,7 @@ void from_json(const nlohmann::json& j, PluginConfig& cfg) {
     if (cfg.containerd.sockets.empty()) {
         cfg.containerd.sockets.emplace_back("/run/containerd/containerd.sock");
         cfg.containerd.sockets.emplace_back("/run/k3s/containerd/containerd.sock");
+        cfg.containerd.sockets.emplace_back("/run/host-containerd/containerd.sock"); // bottlerocket host containers socket
     }
 }