Nevertheless, you may want to upgrade to 24.5.0 (for agent base image) to pick up the fix to https://github.com/gocd/gocd/pull/13321 if running the dind images on AL2023 EKS nodes; even though the "fix" itself is not 100% reliable until the race condition can be addressed upstream within moby/Docker.
I don't see the telltale signs of that particular issue in your setup, but when you add privileged tools like Falcon to nodes, who knows what's going on :-)

-Chad

On Tue, Dec 24, 2024 at 11:49 AM Chad Wilson <[email protected]> wrote:

> In any case, the log seems to imply the Docker daemon is being forcibly killed before completing startup.
>
> I'm not aware of the Docker daemon creating an executable file like "/check" that it then runs as an important part of its startup. Seems possible that there is some missing context here, or that this is coming from something else specific to your nodes/containers?
>
> Nevertheless, I can imagine a DIND setup is the exact opposite of what "container drift protection" seeks to deal with in a sense. Docker by design is downloading random executables within layered filesystems, writing them and then executing them. If you are mounting a host socket into these pods, it is even harder for something like CrowdStrike Falcon to make sense of.
>
> -Chad
>
> On Tue, Dec 24, 2024 at 1:22 AM Sriram Narayanan <[email protected]> wrote:
>
>> Thanks for sharing this.
>>
>> It might be worthwhile understanding the relationship between /check and the docker daemon not being reachable.
>>
>> Perhaps due to compliance, this particular Falcon setting could get reapplied someday and reintroduce this particular failure.
>>
>> — Sriram
>>
>> On Mon, 23 Dec 2024 at 9:44 PM, 'Ashwanth Kumar' via go-cd <[email protected]> wrote:
>>
>>> A quick update, folks. We recently integrated CrowdStrike Falcon agents into our EKS Cluster and noticed that Falcon has something called Drift Detection where, if any new executables were created and executed in the container, it would kill / block them. In our setup, there was an executable called "/check" that was getting created and executed. This process was killed by Falcon as part of a Drift Indicator called "RecentlyModifiedFileExecutedInContainer".
>>>
>>> I had to disable the "Container drift prevention" policy check to make sure gocd agents do not have this issue.
>>>
>>> After disabling it, new pods (agents) that were getting assigned on the underlying host started working just fine.
>>>
>>> Sharing it here hoping someone on the internet will find this useful and doesn't have to spend 5+ hours of their life trying to figure out why a DinD setup is likely to fail in a Falcon-protected environment.
>>>
>>> Thanks,
>>>
>>> --
>>>
>>> Ashwanth Kumar / ashwanthkumar.in
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "go-cd" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion visit https://groups.google.com/d/msgid/go-cd/CAD9m7CzpgDHd6mM-KQz%2BmW_UdKV1DmnBmwZMwBcCSVQuzLVx2w%40mail.gmail.com.
