From 8742d6824ab1f8b618e09fb432b3d868003e8e62 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 6 Apr 2018 12:13:57 -0700 Subject: [PATCH] Updated How to Install Falco using Containers and or Orchestration (markdown) --- How-to-Install-Falco-using-Containers-and-or-Orchestration.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/How-to-Install-Falco-using-Containers-and-or-Orchestration.md b/How-to-Install-Falco-using-Containers-and-or-Orchestration.md index 965b62d..0e036b5 100644 --- a/How-to-Install-Falco-using-Containers-and-or-Orchestration.md +++ b/How-to-Install-Falco-using-Containers-and-or-Orchestration.md @@ -50,6 +50,10 @@ If you'd like to run falco as a K8s DaemonSet, we have instructions and a sample ## Additional Notes on Running Falco in Containers/K8s +### Falco won't run with [Minikube](https://github.com/kubernetes/minikube) + +Falco depends on a kernel module that intercepts all system calls, and that kernel module is usually built on-the-fly when falco is installed/run as a container. The VM used by minikube doesn't include kernel headers, so falco can't build the kernel module on the fly. We do have precompiled kernel modules that can be downloaded as a backup, but the kernel used by minikube isn't a standard one, so we can't easily create precompiled kernel modules. + ### Growing Memory Usage for Falco Container When Using File Output If you notice that the memory usage for a container running Falco increases when using file output methods, even when the memory usage of the falco process itself does not increase, it could be due to the buffer page cache being counted against the memory usage of the container. See falco issue https://github.com/draios/falco/issues/338 for a longer discussion, and the underlying K8s bug/feature is discussed in https://github.com/kubernetes/kubernetes/issues/43916. You can safely cap the memory size of the container to a value like 160Mb, at which point the buffer page cache growth will be limited.
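Review bot: The paragraph added under "### Falco won't run with Minikube" explains why the kernel module can be neither built nor downloaded, but it stops without telling the reader what to do about it. Consider ending it with one sentence that states the practical consequence and, if one exists, the supported alternative environment for trying Falco locally. The last sentence also says precompiled modules "can be downloaded as a backup" without saying whether that download is attempted automatically or is a manual step; a short clarification would help someone interpreting a failed start. Two style points in the same paragraph: it uses both "on-the-fly" and "on the fly", and it writes "falco" in lowercase directly beneath a heading that uses "Falco".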