In any case, the log seems to imply the Docker daemon is being forcibly killed before completing startup.
I'm not aware of Docker daemon creating an executable file like "/check" that it then runs as an important part of its startup. Seems possible that there is some missing context here, or that this is coming from something else specific to your nodes/containers?

Nevertheless, I can imagine a DIND setup is the exact opposite of what "container drift protection" seeks to deal with in a sense. Docker by design is downloading random executables within layered filesystems, writing them and then executing them. If you are mounting a host socket into these pods, even harder for something like CrowdStrike Falcon to make sense of.

-Chad

On Tue, Dec 24, 2024 at 1:22 AM Sriram Narayanan <sriram...@gmail.com> wrote:

> Thanks for sharing this.
>
> It might be worthwhile understanding the relationship between /check and
> the docker daemon not being reachable.
>
> Perhaps due to compliance, this particular Falcon setting could get
> reapplied someday and reintroduce this particular failure.
>
> — Sriram
>
> On Mon, 23 Dec 2024 at 9:44 PM, 'Ashwanth Kumar' via go-cd <go-cd@googlegroups.com> wrote:
>
>> A quick update folks, We recently integrated Crowdstrike Falcon agents
>> into our EKS Cluster and noticed that Falcon has something called Drift
>> Detection where if any new executables were created and executed in the
>> container it would kill / block it. In our setup, there was an executable
>> called "/check" that was getting created and executed. This process was
>> killed by Falcon as part of a Drift Indicator called
>> "RecentlyModifiedFileExecutedInContainer". I had to disable the "Container
>> drift prevention" policy check to make sure gocd agents do not have this
>> issue.
>>
>> After disabling new pods (agents) that were getting assigned on the
>> underlying host started working just fine.
>>
>> Sharing it here hoping someone on the internet will find this useful and
>> don't want to spend 5+ hours of their life trying to figure out why DinD
>> setup is likely to fail in a Falcon protected environment.
>>
>> Thanks,
>>
>> --
>>
>> Ashwanth Kumar / ashwanthkumar.in