当我以交互模式运行Docker脚本时,它可以正常工作。我可以在控制台和AWS CloudWatch Logs中看到日志。下面的Docker脚本以交互模式运行,并添加了awslogs配置,使日志进入CloudWatch。Docker awslogs 配置。
为了重现问题,请在上述其中一个终端运行,并在另一个终端运行以下命令。
docker run --rm -i -t --log-driver awslogs \
--log-opt awslogs-region=us-east-1 \
--log-opt awslogs-group=falcoint \
--log-opt awslogs-create-group=true \
--privileged \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco:latest
但是,一旦我以-d分离模式运行,所有日志都不会发送到AWS CloudWatch。
docker run --rm -d --log-driver awslogs \
--log-opt awslogs-region=us-east-1 \
--log-opt awslogs-group=falcoint \
--log-opt awslogs-create-group=true \
--privileged \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco:latest
当我在前台模式下运行相同的脚本,即没有-it或-d参数时,云监控也没有记录任何日志。但是当falco docker停止时,所有数据都会被缓冲并发送。
docker run --rm --log-driver awslogs \
--log-opt awslogs-region=us-east-1 \
--log-opt awslogs-group=falcoint \
--log-opt awslogs-create-group=true \
--privileged \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco:latest
当停止falco docker时,它会将以下内容转储到日志中。理想情况下,“Error File created below…”的日志应该已经被记录在CloudWatch Logs中,而不必停止容器。
2020-06-04T02:33:44+0000: SIGINT received, exiting...
Syscall event drop monitoring:
- event drop detected: 0 occurrences
- num times actions taken: 0
2020-06-04T02:32:32.495581404+0000: Notice A shell was spawned in a container with an attached terminal (user=root <NA> (id=01ca7b2306b5) shell=sh parent=runc cmdline=sh terminal=34816 container_id=01ca7b2306b5 image=<NA>)
2020-06-04T02:33:00.014981252+0000: Error File created below /dev by untrusted program (user=root command=touch /dev/rootkit2 file=/dev/rootkit2 container_id=01ca7b2306b5 image=<NA>)
2020-06-04T02:33:30.226554205+0000: Error File created below /dev by untrusted program (user=root command=touch /dev/rootkit3 file=/dev/rootkit3 container_id=01ca7b2306b5 image=<NA>)
Events detected: 3
Rule counts by severity:
ERROR: 2
NOTICE: 1
Triggered rules by rule name:
Terminal shell in container: 1
Create files below dev: 2
为了重现问题,请在上述其中一个终端运行,并在另一个终端运行以下命令。
docker run -it node:8-alpine sh
然后登录到容器并运行
touch /dev/rootkit
更新:
我注意到当我使用 -d -t 运行docker时,日志会发送到AWS Cloudwatch日志中。不知道为什么会出现这种情况?