chore(docker): fixup check for HOST_ROOT.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

docker/driver-loader/docker-entrypoint.sh

@@ -25,4 +25,19 @@ do
     ln -s "$i" "/usr/src/$base"
 done
 
-/usr/bin/falco-driver-loader "$@"
+if [ -n "$HOST_ROOT" ] && [ "$HOST_ROOT" != "/" ]; then
+    echo "* Setting up /lib/modules links from host"
+    ln -s /lib/modules $HOST_ROOT/lib/modules 
+    
+    # If HOST_ROOT is set, but HOST_ROOT/proc does not exist
+    # link real /proc to HOST_ROOT/proc, so that Falco can run gracefully.
+    # This is mostly useful when dealing with an hypervisor, like aws Fargate,
+    # where the container running Falco does not need to bind-mount the host proc volume,
+    # and its /proc already sees all task processes because it shares the same namespace.
+    if [ ! -d "$HOST_ROOT/proc" ]; then
+        echo "* Setting up /proc links from host"
+        ln -s "/proc" "$HOST_ROOT/proc"
+    fi
+fi
+
+/usr/bin/falco-driver-loader "$@"

docker/falco/Dockerfile

@@ -103,8 +103,7 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+RUN rm -df /lib/modules
 
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually

docker/falco/docker-entrypoint.sh

@@ -30,4 +30,19 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
     /usr/bin/falco-driver-loader
 fi
 
-exec "$@"
+if [ -n "$HOST_ROOT" ] && [ "$HOST_ROOT" != "/" ]; then
+    echo "* Setting up /lib/modules links from host"
+    ln -s /lib/modules $HOST_ROOT/lib/modules
+    
+    # If HOST_ROOT is set, but HOST_ROOT/proc does not exist
+    # link real /proc to HOST_ROOT/proc, so that Falco can run gracefully.
+    # This is mostly useful when dealing with an hypervisor, like aws Fargate,
+    # where the container running Falco does not need to bind-mount the host proc volume,
+    # and its /proc already sees all task processes because it shares the same namespace.
+    if [ ! -d "$HOST_ROOT/proc" ]; then
+        echo "* Setting up /proc links from host"
+        ln -s "/proc" "$HOST_ROOT/proc"
+    fi
+fi
+
+exec "$@"

docker/local/Dockerfile

@@ -96,8 +96,7 @@ RUN rm -rf /usr/bin/clang \
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+RUN rm -df /lib/modules
 
 ADD falco-${FALCO_VERSION}-*.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb

docker/local/docker-entrypoint.sh

@@ -31,4 +31,19 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
     /usr/bin/falco-driver-loader
 fi
 
+if [ -n "$HOST_ROOT" ] && [ "$HOST_ROOT" != "/" ]; then
+    echo "* Setting up /lib/modules links from host"
+    ln -s /lib/modules $HOST_ROOT/lib/modules 
+    
+    # If HOST_ROOT is set, but HOST_ROOT/proc does not exist
+    # link real /proc to HOST_ROOT/proc, so that Falco can run gracefully.
+    # This is mostly useful when dealing with an hypervisor, like aws Fargate,
+    # where the container running Falco does not need to bind-mount the host proc volume,
+    # and its /proc already sees all task processes because it shares the same namespace.
+    if [ ! -d "$HOST_ROOT/proc" ]; then
+        echo "* Setting up /proc links from host"
+        ln -s "/proc" "$HOST_ROOT/proc"
+    fi
+fi
+
 exec "$@"