Release 1.33.0
June 19, 2024 (updated on July 16, 2024)
Qualys strongly recommends upgrading your Qualys Container Security Sensor to version 1.33.0.
What's New?
Support for 'Overlay' Storage Driver on 'containerd' runtime
CS Sensor saves the image and creates a .tar output, which can be time-consuming when the image is large. If you have the 'containerd' runtime installed and your image is pulled locally, you can avoid saving the image by using the runtime's underlying overlay2fs filesystem. The 'Overlay' storage driver is supported by these sensors: General, CI/CD, and Registry.
Currently, CS Sensor supports 'Overlay' storage driver only with 'containerd' runtime.
If you want to use the Overlay Storage Driver:
- Download the latest YAML file (cssensor-containerd-ds.yml) from Qualys Cloud Platform (Container Security > CONFIGURATIONS > Sensors > Download Sensor > CLUSTER > Kubernetes > CONTAINERD).
- Provide the following arguments:
  ["-k8s-mode", "container-runtime", "containerd", "--storage-driver-type", "overlay"]
- In the downloaded YAML file, under the volumeMounts section, uncomment the section below:
  #- mountPath: /var/lib/containerd
  #  name: containerd-root-dir
  #  readOnly: true
  and, under the volumes section, uncomment the section below:
  #- name: containerd-root-dir
  #  hostPath:
  #    path: /var/lib/containerd
  # If the root directory of containerd is different, update the path to the actual containerd root directory.
To learn more about the storage driver, refer to the CS Sensor 1.33 Deployment Guide.
If you do not want to use the Storage Driver, you can still install the CS Sensor. However, with the General and CI/CD sensors, 'static', 'sca', 'secret', and 'malware' scans may not work.
However, all types of scans work with Registry Sensor without the 'Overlay' Storage Driver.
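A pre-flight check for the overlay procedure above, added here as an example and not taken from the Qualys release notes or tooling: it confirms that a manifest requesting the overlay driver also has the /var/lib/containerd mount uncommented and read-only. The function names, the `socket-volume` entry, and the embedded manifest fragment are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Qualys code): pre-flight check of a CS Sensor containerd
# manifest. Line-based on purpose: sections still commented out count as missing.
# check_overlay_manifest FILE [CONTAINERD_ROOT] -> 0 if consistent, 1 otherwise
check_overlay_manifest() {
  root=${2:-/var/lib/containerd}; rc=0
  body=$(grep -v '^[[:space:]]*#' "$1")          # drop comment-only lines
  if ! printf '%s\n' "$body" | grep -q 'storage-driver-type'; then
    echo "INFO: overlay storage driver not requested, nothing to check"; return 0
  fi
  if ! printf '%s\n' "$body" | grep -q "mountPath: $root\$"; then
    echo "FAIL: volumeMounts entry for $root is missing or commented out"; rc=1
  # The mount exposes host image data to the sensor, so it must stay read-only.
  elif ! printf '%s\n' "$body" | grep -A2 "mountPath: $root\$" | grep -q 'readOnly: true'; then
    echo "FAIL: mount of $root is not readOnly: true"; rc=1
  fi
  if ! printf '%s\n' "$body" | grep -A2 'hostPath:' | grep -q "path: $root\$"; then
    echo "FAIL: volumes hostPath for $root is missing or commented out"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: overlay settings are consistent"
  return "$rc"
}

# write_sample FILE MODE: constructed manifest fragment, not the real Qualys file.
# MODE=commented leaves the two sections as downloaded; MODE=enabled uncomments them.
write_sample() {
  if [ "$2" = commented ]; then p='#'; else p=''; fi
  cat > "$1" <<EOF
        args: ["-k8s-mode", "container-runtime", "containerd", "--storage-driver-type", "overlay"]
        volumeMounts:
        - mountPath: /var/run/containerd/containerd.sock
          name: socket-volume
        $p- mountPath: /var/lib/containerd
        $p  name: containerd-root-dir
        $p  readOnly: true
      volumes:
        - name: socket-volume
          hostPath:
            path: /var/run/containerd/containerd.sock
        $p- name: containerd-root-dir
        $p  hostPath:
        $p    path: /var/lib/containerd
EOF
}

demo=$(mktemp -d)
write_sample "$demo/cssensor-sample.yml" commented
check_overlay_manifest "$demo/cssensor-sample.yml" || echo "Fix the manifest before deploying."
rm -rf "$demo"
```

If containerd uses a different root directory, pass it as the second argument so the check matches the path you set in the manifest.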
Update in Sensor Launch
Earlier, the Qualys namespace was created automatically when launching CS Sensor using the 'kubectl create -f <CS Sensor Deployment File>.yml' command. With this release, you need to create the 'qualys' namespace manually before launching CS Sensor. To learn how to create and delete the namespace, refer to the CS Sensor 1.33 Deployment Guide.
You must provide the namespace name as 'qualys'. Any modification in the name of the namespace is strictly not allowed.
Helm Chart 1.12.0 Updates
The Qualys Container Security package contains the 'values.yaml' file, which deploys the sensor in various environments. This section explains the updates in the latest Helm chart (values.yaml) file.
Enhancements
To support the 'Overlay' feature, the 'storageDriverPath', 'enableStorageDriver', and 'storageDriverType' flags are introduced and the 'socketPath' flag is updated in the 'values.yaml' file, as listed in the following table.
Flag | Status | Flag Location in YAML 1.12.0 | Description |
---|---|---|---|
socketPath | Updated | Line no. 7 | Indicates the runtime socket path. With this release, you can change it to suit your needs. Default value: "/var/run/containerd/containerd.sock" |
storageDriverPath | New | Line no. 8 | Indicates the storage driver path. You can change its value as per your requirement. |
enableStorageDriver | New | Line no. 65 | Enables the Storage Driver. Valid values: true or false. Default value: false |
storageDriverType | New | Line no. 66 | Indicates the type of Storage Driver. Valid value: overlay. Default value: overlay |
Issues Addressed
The following issues have been fixed with this release.
Category | Issue |
---|---|
Scan in Docker Swarm | Sensor deployed in a Docker Swarm environment got terminated with 'Error: Cannot read sensor id from CGroups!' |
Scan in Amazon Linux AMI 2023 ECS Cluster | CS Sensor deployed in an Amazon Linux AMI 2023 ECS Cluster got terminated with irrecoverable Error 10 and started the container with incorrect arguments. |