Release 1.33.0

June 19, 2024 (updated on July 16, 2024)

Qualys strongly recommends upgrading your Qualys Container Security Sensor to version 1.33.0.

What's New?

Support for 'Overlay' Storage Driver on 'containerd' Runtime

CS Sensor saves the image and creates a .tar output. This operation can be time-consuming if the image is large. If you have a 'containerd' runtime installed and your image is pulled locally, you can avoid saving the image by using the runtime's underlying overlay2fs filesystem. The 'Overlay' storage driver is supported by these sensors: General, CI/CD, and Registry.

Currently, CS Sensor supports 'Overlay' storage driver only with 'containerd' runtime.

If you want to use the Overlay Storage Driver,

  1. Download the latest YAML file (cssensor-containerd-ds.yml) from Qualys Cloud Platform (Container Security > CONFIGURATIONS > Sensors > Download Sensor > CLUSTER > Kubernetes > CONTAINERD).
  2. Provide the following arguments:
    ["-k8s-mode", "container-runtime", "containerd", "--storage-driver-type", "overlay"]
  3. In the downloaded YAML file, under the volumeMounts section, uncomment the following lines:
    #- mountPath: /var/lib/containerd
    #  name: containerd-root-dir
    #  readOnly: true

    and, under the volumes section, uncomment the following lines:
    #- name: containerd-root-dir
    #  hostPath:
    #    path: /var/lib/containerd
    # If the root directory of containerd is different, update the path to the actual containerd root directory.

To know more about the storage driver, refer to CS Sensor 1.33 Deployment Guide.
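
A pre-flight check for the three manifest changes above, as an added example that is not part of the Qualys release notes or sensor package. It fails when the storage driver argument, the containerd-root-dir mount, or the matching volume is missing or still commented out, or when the host directory is not mounted read-only. The function names, the sample fragment, and the '--storage-driver-type' spelling are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Qualys code. Prints each problem found in the manifest
# and returns the number of failed checks (0 = ready for the overlay driver).
check_overlay_manifest() {
    # Drop comment-only lines so sections that are still commented out fail.
    grep -v '^[[:space:]]*#' "$1" | awk '
        function close_item() {   # evaluate the YAML list item that just ended
            if (named && mount) { mounted = 1; if (ro) ro_ok = 1 }
            if (named && host)  { volume = 1 }
            named = mount = ro = host = 0
        }
        /^[ \t]*- /                                { close_item() }
        /name:[ \t]*containerd-root-dir[ \t]*$/    { named = 1 }
        /mountPath:/                               { mount = 1 }
        /readOnly:[ \t]*true[ \t]*$/               { ro = 1 }
        /hostPath:/                                { host = 1 }
        /"--storage-driver-type",[ \t]*"overlay"/  { arg = 1 }
        END {
            close_item()
            if (!arg)     { print "missing: storage driver argument"; n++ }
            if (!mounted) { print "missing: containerd-root-dir volumeMount"; n++ }
            if (mounted && !ro_ok) { print "unsafe: containerd root not readOnly"; n++ }
            if (!volume)  { print "missing: containerd-root-dir hostPath volume"; n++ }
            exit n + 0
        }'
}

# Constructed manifest fragment (not the real cssensor-containerd-ds.yml).
sample_manifest() {
    cat <<'EOF'
        args: ["--storage-driver-type", "overlay"]
        volumeMounts:
        - mountPath: /var/lib/containerd
          name: containerd-root-dir
          readOnly: true
      volumes:
      - name: containerd-root-dir
        hostPath:
          path: /var/lib/containerd
EOF
}

tmp=$(mktemp) && sample_manifest > "$tmp"
check_overlay_manifest "$tmp" && echo "overlay settings present"
rm -f "$tmp"
```

Run the function against the edited manifest before applying it; a non-zero return value is the number of checks that failed.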

If you do not want to use the Storage Driver, you can still install the CS Sensor. However, with General and CI/CD sensors, the 'static', 'sca', 'secret', and 'malware' scans may not work.
With the Registry Sensor, all types of scans work without the 'Overlay' Storage Driver.

Update in Sensor Launch

Earlier, the Qualys namespace was created automatically when you launched CS Sensor using the 'kubectl create -f <CS Sensor Deployment File>.yml' command. With this release, you need to create the 'qualys' namespace manually before launching CS Sensor. To know how to create and delete the namespace, refer to CS Sensor 1.33 Deployment Guide.

You must provide the namespace name as 'qualys'. Any modification in the name of the namespace is strictly not allowed.

Helm Chart 1.12.0 Updates

The Qualys Container Security package includes the 'values.yaml' file, which is used to deploy the sensor in various environments. This section explains the updates in the latest Helm chart (values.yaml) file.

Enhancements

To support the 'Overlay' feature, the 'storageDriverPath', 'enableStorageDriver', and 'storageDriverType' flags are introduced and the 'socketPath' flag is updated in the 'values.yaml' file.

| Flag | Status | Flag Location in YAML 1.12.0 | Description |
|---|---|---|---|
| socketPath | Updated | Line no. 7 | Indicates the runtime socket path. With this release, you can change it to suit your needs. Default value: "/var/run/containerd/containerd.sock" |
| storageDriverPath | New | Line no. 8 | Indicates the storage driver path. You can change its value as per your requirement. |
| enableStorageDriver | New | Line no. 65 | Enables the Storage Driver. Valid values: true or false. Default value: false |
| storageDriverType | New | Line no. 66 | Indicates the type of Storage Driver. Valid value: overlay. Default value: overlay |

Issues Addressed

The following issues have been fixed with this release.

| Category | Issue |
|---|---|
| Scan in Docker Swarm | Sensor deployed in a Docker Swarm environment got terminated with 'Error: Cannot read sensor id from CGroups!' |
| Scan in Amazon Linux AMI 2023 ECS Cluster | CS Sensor deployed in an Amazon Linux AMI 2023 ECS Cluster got terminated with irrecoverable Error 10 and started the container with incorrect arguments. |