#linux
zwass
08/17/2022, 10:20 PM
Is there a good way to tell whether a process is part of a container (independent of the runtime; I know docker containers could be found with the docker_containers table)? Not sure if @Artemis Tosini's cgroup work will help with this. In current osquery, the best I've come up with is
select * from processes join process_namespaces using (pid) where cgroup_namespace != (select cgroup_namespace from process_namespaces where pid = 1);
(e.g. check for a different cgroup than the init process), though I think this will pick up other processes using cgroups besides just containers. I'm looking to do this in order to take advantage of the pid_with_namespace column @Stefano Bonicatti added to some tables.
alessandrogario
08/17/2022, 11:14 PM
11:16 PM
It's not runtime-agnostic though
11:17 PM
That said, I think we have to know what's the strategy used by each runtime, as I don't think a "container" exists per se
11:17 PM
Not an expert on this, but I think it is just a specific combination of different user namespaces
11:19 PM
in the example I pasted right after that message, I'm running docker-podman on Fedora. There are actually two distinct namespaces in use even though the container is the same
11:19 PM
there is a libpod-conmon-<hash> for one process, and a libpod-<hash> for the others
Stefano Bonicatti
08/18/2022, 12:02 AM
Yeah a container is a combination of namespaces (user, network, mount, cgroup) and cgroups. Each is needed to isolate or restrict various resources.
zwass
08/18/2022, 12:33 AM
I don't think a "container" exists per se
Yeah that all sounds right. Maybe we could come up with a heuristic for detecting container processes in some different runtimes? E.g. Docker (and by extension containerd?) seems to have a parent process of containerd-shim. So maybe if you take the cgroup IDs of every direct child process of containerd-shim then you can treat each of those as the cgroup for a container?
alessandrogario
08/18/2022, 12:37 AM
It is worth investigating, keeping in mind that namespaces can be nested and mixed in different combinations
12:37 AM
and some of the top level processes close to the shim may only have "one foot" in the final namespace combination used by the container
12:39 AM
osquery is kind of an example of that, with pid_with_namespace joining just the mount namespace
zwass
08/18/2022, 1:10 AM
Since Docker and k8s both use containerd by default, maybe it could make sense to create some containerd-specific tables? I know @Artemis Tosini you were talking about this. I see that containerd provides a grpc API on a unix domain socket, e.g. with microk8s
sudo ctr --address /var/snap/microk8s/common/run/containerd.sock -n k8s.io c ls
1:12 AM
Potentially containerd_containers, containerd_images, containerd_namespaces
1:12 AM
containerd_events could be interesting as well
1:13 AM
sudo ctr --address /var/snap/microk8s/common/run/containerd.sock -n k8s.io events
seems to stream those events
alessandrogario
08/18/2022, 1:14 AM
I think we had a draft impl for that somewhere, need to ask @Stefano Bonicatti
alessandrogario
08/18/2022, 1:15 AM
Will probably have to be rewritten anyway; it would be cool to have it in core!
zwass
08/18/2022, 1:15 AM
Yeah, at least probably a very good reference
Artemis Tosini
08/18/2022, 2:23 PM
I think that a process is almost certainly in a container if it is in a different UTS namespace than init
2:29 PM
I was planning on using the runc state files directly because I couldn't figure out how to get the root pid of a container from the containerd api
2:30 PM
However that also doesn't give us everything we need