Updated on 10 Feb 2023

#### Kubernetes
You can also run LimaCharlie at the host level in a container cluster system like Kubernetes in order to monitor all running containers on the host with a single sensor. This is the preferred method, as it avoids the overhead of running LC within every single container.
This privileged container has visibility into everything happening in the cluster and sends telemetry directly back to LimaCharlie in real time for processing.
This is accomplished by a combination of a few techniques:
- A privileged container running LC.
- LC runs with the `HOST_FS` environment variable pointing to the host's root filesystem mounted within the container.
- LC runs with the `NET_NS` environment variable pointing to the host's directory listing network namespaces.
- Running the container with the required flags to make sure it has proper access.
The first step is straightforward. For example, set the environment variables as part of your `Dockerfile`:

```dockerfile
ENV HOST_FS=/rootfs
ENV NET_NS=/netns
```

This tells the LC sensor where it can expect host-level information.
The second step is to run the container in privileged mode, on the host network, with the host's root filesystem and network namespace directory bind-mounted read-only:

```shell
docker run --privileged --net=host \
  -v /:/rootfs:ro --env HOST_FS=/rootfs \
  -v /var/run/docker/netns:/netns:ro --env NET_NS=/netns \
  --env LC_INSTALLATION_KEY=your_key \
  your-lc-container-name
```
Remember to pick the appropriate LC sensor installer architecture for the container that will be running LC (not the host). So if your privileged container runs Alpine Linux, use the `alpine64` version of LC.
A public version of the container described below is available from Docker Hub as `refractionpoint/limacharlie_sensor:latest`.
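The two settings above are easy to get wrong in a way that fails silently: if `/` is not actually bind-mounted at `HOST_FS`, or `NET_NS` points at an empty path, the sensor starts but only sees its own container. The following POSIX shell snippet is an added example, not LimaCharlie's own tooling: `lc_preflight` verifies, from inside the container, that the directories named by `HOST_FS` and `NET_NS` look like a real host root and a namespace directory and that an installation key is set, and `lc_run_cmd` assembles the `docker run` line from the text for a given image and key. The function names and the checks performed are my own assumptions; the paths `/rootfs`, `/netns`, the flags and the image name come from the page.

```shell
#!/bin/sh
# Added example (not LimaCharlie's code): pre-flight checks for the host-level
# sensor container described in the text, plus a helper that prints the
# docker run invocation with the flags the text lists.

# lc_preflight <host_fs_dir> <net_ns_dir> <installation_key>
# Returns 0 when every check passes, 1 otherwise; each failure is reported on stderr.
lc_preflight() {
    host_fs="$1"; net_ns="$2"; key="$3"; rc=0

    # HOST_FS must be a directory and must not be the container's own root:
    # the whole point is that it is a separate mount of the host's filesystem.
    if [ -z "$host_fs" ] || [ "$host_fs" = "/" ] || [ ! -d "$host_fs" ]; then
        echo "HOST_FS must name the mounted host root (got '$host_fs')" >&2
        rc=1
    else
        # A real Linux root carries /etc and /proc; an empty or wrong mount does not.
        for d in etc proc; do
            if [ ! -d "$host_fs/$d" ]; then
                echo "HOST_FS is missing $d/: is / really bind-mounted at $host_fs?" >&2
                rc=1
            fi
        done
    fi

    # NET_NS must be a directory (the host's network namespace listing).
    if [ -z "$net_ns" ] || [ ! -d "$net_ns" ]; then
        echo "NET_NS must name the host network namespace directory (got '$net_ns')" >&2
        rc=1
    fi

    # The sensor cannot enroll without an installation key.
    if [ -z "$key" ]; then
        echo "LC_INSTALLATION_KEY is empty" >&2
        rc=1
    fi

    return $rc
}

# lc_run_cmd <image> <installation_key>
# Prints the docker run command line from the text for the given image and key.
lc_run_cmd() {
    image="$1"; key="$2"
    printf 'docker run --privileged --net=host -v /:/rootfs:ro --env HOST_FS=/rootfs -v /var/run/docker/netns:/netns:ro --env NET_NS=/netns --env LC_INSTALLATION_KEY=%s %s\n' "$key" "$image"
}

# Typical use inside the container's entrypoint (HOST_FS and NET_NS come from the Dockerfile ENV lines):
#   lc_preflight "$HOST_FS" "$NET_NS" "$LC_INSTALLATION_KEY" || exit 1
# And on the host, to see the run line for the public image:
#   lc_run_cmd refractionpoint/limacharlie_sensor:latest "$LC_INSTALLATION_KEY"
```

Running `lc_preflight` as the first step of the container entrypoint turns a misconfigured deployment into an immediate, visible failure instead of a sensor that quietly reports only its own container.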
##### Sample Configurations
This is a sample `Dockerfile` you may use to run LC within a privileged container as described above:
And this is a sample Kubernetes deployment on:
- a cluster supporting eBPF (kernel > 5.7):
- a cluster not supporting eBPF (kernel < 5.7):