chore(docker): fixup check for HOST_ROOT.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

docker/driver-loader/docker-entrypoint.sh

@@ -25,4 +25,19 @@ do
     ln -s "$i" "/usr/src/$base"
 done
 
-/usr/bin/falco-driver-loader "$@"
+if [ -n "$HOST_ROOT" ] && [ "$HOST_ROOT" != "/" ]; then
+    echo "* Setting up /lib/modules links from host"
+    ln -s /lib/modules $HOST_ROOT/lib/modules 
+    
+    # If HOST_ROOT is set, but HOST_ROOT/proc does not exist
+    # link real /proc to HOST_ROOT/proc, so that Falco can run gracefully.
+    # This is mostly useful when dealing with an hypervisor, like aws Fargate,
+    # where the container running Falco does not need to bind-mount the host proc volume,
+    # and its /proc already sees all task processes because it shares the same namespace.
+    if [ ! -d "$HOST_ROOT/proc" ]; then
+        echo "* Setting up /proc links from host"
+        ln -s "/proc" "$HOST_ROOT/proc"
+    fi
+fi
+
+/usr/bin/falco-driver-loader "$@"

docker/falco/Dockerfile

@@ -103,8 +103,7 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+RUN rm -df /lib/modules
 
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually

docker/falco/docker-entrypoint.sh

@@ -30,4 +30,19 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
     /usr/bin/falco-driver-loader
 fi
 
-exec "$@"
+if [ -n "$HOST_ROOT" ] && [ "$HOST_ROOT" != "/" ]; then
+    echo "* Setting up /lib/modules links from host"
+    ln -s /lib/modules $HOST_ROOT/lib/modules
+    
+    # If HOST_ROOT is set, but HOST_ROOT/proc does not exist
+    # link real /proc to HOST_ROOT/proc, so that Falco can run gracefully.
+    # This is mostly useful when dealing with an hypervisor, like aws Fargate,
+    # where the container running Falco does not need to bind-mount the host proc volume,
+    # and its /proc already sees all task processes because it shares the same namespace.
+    if [ ! -d "$HOST_ROOT/proc" ]; then
+        echo "* Setting up /proc links from host"
+        ln -s "/proc" "$HOST_ROOT/proc"
+    fi
+fi
+
+exec "$@"

docker/local/Dockerfile

@@ -96,8 +96,7 @@ RUN rm -rf /usr/bin/clang \
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+RUN rm -df /lib/modules
 
 ADD falco-${FALCO_VERSION}-*.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb

docker/local/docker-entrypoint.sh

@@ -31,4 +31,19 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
     /usr/bin/falco-driver-loader
 fi
 
+if [ -n "$HOST_ROOT" ] && [ "$HOST_ROOT" != "/" ]; then
+    echo "* Setting up /lib/modules links from host"
+    ln -s /lib/modules $HOST_ROOT/lib/modules 
+    
+    # If HOST_ROOT is set, but HOST_ROOT/proc does not exist
+    # link real /proc to HOST_ROOT/proc, so that Falco can run gracefully.
+    # This is mostly useful when dealing with an hypervisor, like aws Fargate,
+    # where the container running Falco does not need to bind-mount the host proc volume,
+    # and its /proc already sees all task processes because it shares the same namespace.
+    if [ ! -d "$HOST_ROOT/proc" ]; then
+        echo "* Setting up /proc links from host"
+        ln -s "/proc" "$HOST_ROOT/proc"
+    fi
+fi
+
 exec "$@"

userspace/falco/app_actions/process_events.cpp

@@ -335,7 +335,12 @@ application::run_result application::process_events()
 			try
 			{
 				falco_logger::log(LOG_DEBUG, "Opening event source '" + source + "'\n");
-				open_live_inspector(src_info->inspector, source);
+				res = open_live_inspector(src_info->inspector, source);
+				if (!res.success)
+				{
+					return res;
+				}
+
 				if (m_state->enabled_sources.size() == 1)
 				{
 					// optimization: with only one source we don't spawn additional threads