Description
Motivation
Historically, Falco's container information retrieval has always caused headaches for users; moreover, the current code causes headaches for developers too.
Besides not always working correctly, it also has some limitations:
- There is no support for multiple container runtimes on a single node: Support multiple container runtime in one node #3279
- Since container info retrieval is done asynchronously at the first clone/execve/fork event, we lose container metadata for the very first syscall events generated by threads spawned in a new container
- As previously stated, the code is also very hard to extend; there have been some previous attempts to improve it, but for now that's what we have
Feature
Rewrite container info support as a plugin, and completely drop libsinsp internal implementation.
The plugin will leverage container engine SDKs to get notified when new containers are created/deleted; container creation happens before the container is even started, so this should give us a time advantage and should avoid events without container metadata.
It will also be responsible for extracting all container-related and the remaining k8s-related filterchecks.
The main idea is to drop the container manager from sinsp, and container_id from threadinfo.
The container_id will be added by the plugin as a foreign key, leveraging the libsinsp state table API, and the plugin will take care of filling it.
Basically, sinsp without the plugin loaded will be completely unaware of containers.
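To illustrate the split described above, here is an added Python model (not code from the container plugin, libsinsp or plugin-sdk-cpp): libsinsp owns the thread table and exposes each thread's cgroup path (the libs#2107 change), while a plugin-owned container_id field is derived from that path by the plugin hook. The thread ids, cgroup paths and pod uid are constructed samples; the 12-character short id matches Falco's container.id convention, and an empty string is used here to mean "host thread, no container".

```python
import re

# Constructed sample cgroup paths in the shapes produced by common runtime /
# cgroup-driver combinations (docker cgroupfs, docker under systemd,
# containerd under kubepods) plus one host thread. The 64-hex ids and the
# pod uid are placeholders, not values from the issue.
SAMPLE_CGROUPS = {
    1001: "/docker/" + "0123456789abcdef" * 4,
    1002: "/system.slice/docker-" + "fedcba9876543210" * 4 + ".scope",
    1003: "/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-podPLACEHOLDER.slice/"
          "cri-containerd-" + "a" * 64 + ".scope",
    1004: "/user.slice/user-1000.slice/session-2.scope",  # host process
}

# Last path component: optional runtime prefix, a 64-hex container id, optional ".scope".
CONTAINER_ID_RE = re.compile(
    r"(?:^|/)(?:docker-|cri-containerd-|containerd-|crio-)?([0-9a-f]{64})(?:\.scope)?$"
)


def container_id_from_cgroup(cgroup_path):
    """Return the 12-char short container id, or '' when the path has none."""
    m = CONTAINER_ID_RE.search(cgroup_path)
    return m.group(1)[:12] if m else ""


class ThreadTable:
    """Model of the sinsp thread table: 'cgroup' is a core field owned by
    libsinsp; 'container_id' stands in for the field the plugin adds and fills."""

    def __init__(self):
        self.rows = {}  # tid -> {"cgroup": str, "container_id": str | None}

    def add_thread(self, tid, cgroup):
        # libsinsp creates the row; the plugin-owned field starts unset.
        self.rows[tid] = {"cgroup": cgroup, "container_id": None}

    def plugin_on_new_thread(self, tid):
        # Plugin parse hook: read the exposed cgroup, write the plugin-owned field.
        # libsinsp itself never runs any container logic.
        row = self.rows[tid]
        row["container_id"] = container_id_from_cgroup(row["cgroup"])

    def container_id(self, tid):
        return self.rows[tid]["container_id"]


def build_table(samples=SAMPLE_CGROUPS):
    table = ThreadTable()
    for tid, cgroup in samples.items():
        table.add_thread(tid, cgroup)
        table.plugin_on_new_thread(tid)
    return table
```

Without the plugin hook, every row keeps container_id unset, which is the "sinsp is unaware of containers" state the proposal describes.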
All of the above should be done without breaking changes for the end users. In Falco 0.39 we added a container_engines configuration key: https://github.com/falcosecurity/falco/blob/master/falco.yaml#L1312; since it is in incubating state, we can drop it (since we will rely on the plugin init_config of course). That should be the only user-facing change.
The container plugin github link: https://github.com/FedeDP/container_plugin
Its readme has the architecture explanation and diagram: https://github.com/FedeDP/container_plugin/raw/main/architecture.svg
Also, there is a TODO file with the work left to do: https://github.com/FedeDP/container_plugin/blob/main/TODO.md
Ongoing libs PR with big container related stuff cleanup: falcosecurity/libs#2207
See the PR for relevant TODOs.
Alternatives
No clear alternative.
Additional context
Linking required PRs:
- new(userspace/libsinsp): expose threadinfo cgroups in plugins table api libs#2107
- new(userspace): added new addOutput json entry for plugin get_field() API libs#2116
- new(userspace/libsinsp): expose get_owner_last_error in plugin's capture listening capability libs#2147
- new(userspace): plugin api to dump async events libs#2152
- cleanup(userspace/libsinsp): drop user and group infos embedded in threadinfo libs#2165
- fix(userspace/libsinsp): user id 0 or group id 0 default values libs#2177
- new(userspace/libsinsp): support plugins in sinsp-example. libs#2179
- fix(userspace/libsinsp): let plugins parse events before eventually filtering them out through inspector global filter libs#2182
- fix(userspace/libsinsp): always initialize sinsp_evt with a proper source_idx and source_name libs#2190
- chore(userspace/libsinsp): move user group manager on container_id changed refresh to a RAII object libs#2194
- new: bump plugin API to 3.10.0. plugin-sdk-cpp#41
- fix(userspace/libsinsp): do not immediately process async events whose timestamp is in the future in case a SCAP_TIMEOUT is received libs#2250
- cleanup(userspace/libsinsp,test,build): drop container manager libs#2207
- fix(userspace/libsinsp): allow plugin filterchecks args to be both index or key libs#2280
- new(pkg,tests): support Falco running with container plugin. testing#69
- fix(pkg/falco): disable append_output.suggested_fields by default. testing#70
- fix(pkg/falco,pkg/falcoctl): increase run timeouts. testing#71
- chore(pkg/falco): use base_syscalls.all instead of -A to enable all syscalls testing#72
- Donate container plugin to plugins repo plugins#636
- chore(config): update libs and falco repositories required checks. test-infra#1777
- fix(include): use proper __forceinline flag for msvc. plugin-sdk-cpp#54
- fix(include/falcosecurity): fixed clang build issue. plugin-sdk-cpp#55
Listing related issues/PRs:
- Support multiple container runtime in one node #3279
- [TRACKING] Re-audit container engines for empty container info values (Initial focus on CRI for Kubernetes) #2708
- Add public is_cri_async and get_cri_socket_paths methods to CRI container engine libs#2022
- [TRACKING] Improve container engine state handling libs#1708
- Container Engine Refactor (CRI) libs#1589
- No support for Podman container activity capturing by container.id libs#1115
- Semantic of container.id and container.name libs#2057 (might be a good time to fix it?)
- new(userspace/libsinsp): support multiple CRI engines simultaneously libs#2141
- feat(libsinsp/container_engine): proper containerd support libs#2195
The next step would be to move the user/group manager to a plugin too.