Is there a good way to tell whether a process is part of a c

Question

Is there a good way to tell whether a process is part of a container independent of the runtime I know docker containers could be found with `docker containers` table Not sure if < Artemis Tosini> s cgroup work will help with this In current osquery best I ve come up with is `select from processes join process namespaces using pid where cgroup namespace = select cgroup namespace from process namespaces where pid = 1 ` eg check for a different cgroup than the init process though I think this will pick up other processes using cgroups besides just containers I m looking to do this in order to take advantage of the `pid with namespace` column < Stefano Bonicatti> added to some tables

alessandrogario · Answer

I have left a snippet here <https osquery slack com archives CADGD9ACF p1660733522601379>

alessandrogario · Answer

It s not runtime agnostic though

alessandrogario · Answer

That said I think we have to know what s the strategy used by each runtime as I don t think a container exists per se

alessandrogario · Answer

Not an expert on this but I think it is just a specific combination of different user namespaces

alessandrogario · Answer

in the example I pasted right after that message I m running docker podman on Fedora There are actually two distinct namespace in use even though the container is the same

alessandrogario · Answer

there is a libpod conmon lt hash gt for one process and a libpod lt hash gt for the others

Stefano Bonicatti · Answer

Yeah a container is a combination of namespaces user network mount cgroup and cgroups Each is needed to isolate or restrict various resources

zwass · Answer

gt I don t think a container exists per se Yeah that all sounds right Maybe we could come up with a heuristic for detecting container processes in some different runtimes Eg Docker and by extension `containerd` seems to have a parent process of `containerd shim` So maybe if you take the cgroup IDs of every direct child process of `containerd shim` then you can treat each of those as the cgroup for a container

alessandrogario · Answer

It is worth investigating keeping in mind that namespaces can be nested and mixed in different combinations

alessandrogario · Answer

and some of the top level processes close to the shim may only have one foot in the final namespace combination used by the container

alessandrogario · Answer

osquery is kind of an example of that with pid with namespace joining just the mount namespace

zwass · Answer

Since Docker and k8s both use containerd by default maybe it could make sense to create some containerd specific tables I know < Artemis Tosini> you were talking about this I see that containerd provides a grpc API on a unix domain socket eg with microk8s `sudo ctr address var snap microk8s common run containerd sock n c ls`

zwass · Answer

Potentially `containerd containers` `containerd images` `containerd namespaces`

zwass · Answer

`containerd events` could be interesting as well

zwass · Answer

`sudo ctr address var snap microk8s common run containerd sock n <http k8s io|k8s io> events` seems to stream those events

alessandrogario · Answer

I think we had a draft impl for that somewhere need to ask < Stefano Bonicatti>

zwass · Answer

It s in Go but <https github com containerd containerd tree main cmd ctr commands> could be quite useful

alessandrogario · Answer

Will probably have to be rewritten anyway it would be cool to have it in core

zwass · Answer

Yeah at least probably a very good reference

Artemis Tosini · Answer

I think that a process is almost certainly in a container if it is in a different UTS namespace than init

Artemis Tosini · Answer

I was planning on directly using the runc state files cirectly because I couldn t figure out how to get the root pid of a container from the containerd api

Artemis Tosini · Answer

However that also doesn t give us everything we need