Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
z
zwass
08/17/2022, 10:20 PMIs there a good way to tell whether a process is part of a container (independent of the runtime, I know docker containers could be found with
docker_containersselect * from processes join process_namespaces using (pid) where cgroup_namespace != (select cgroup_namespace from process_namespaces where pid = 1);pid_with_namespacea
alessandrogario
08/17/2022, 11:14 PMI have left a snippet here: https://osquery.slack.com/archives/CADGD9ACF/p1660733522601379
It's not runtime-agnostic though
That said, I think we have to know what's the strategy used by each runtime, as I don't think a "container" exists per se
Not an expert on this, but I think it is just a specific combination of different user namespaces
in the example I pasted right after that message, I'm running docker-podman on Fedora. There are actually two distinct namespace in use even though the container is the same
there is a libpod-conmon-<hash> for one process, and a libpod-<hash> for the others
s
Stefano Bonicatti
08/18/2022, 12:02 AMYeah a container is a combination of namespaces (user, network, mount, cgroup) and cgroups. Each is needed to isolate or restrict various resources.
z
zwass
08/18/2022, 12:33 AMI don't think a "container" exists per seYeah that all sounds right. Maybe we could come up with a heuristic for detecting container processes in some different runtimes? Eg. Docker (and by extension
containerdcontainerd-shimcontainerd-shima
alessandrogario
08/18/2022, 12:37 AMIt is worth investigating, keeping in mind that namespaces can be nested and mixed in different combinations
and some of the top level processes close to the shim may only have "one foot" in the final namespace combination used by the container
osquery is kind of an example of that, with pid_with_namespace joining just the mount namespace
z
zwass
08/18/2022, 1:10 AMSince Docker and k8s both use containerd by default, maybe it could make sense to create some containerd-specific tables? I know @Artemis Tosini you were talking about this. I see that containerd provides a grpc API on a unix domain socket, eg. with microk8s
sudo ctr --address /var/snap/microk8s/common/run/containerd.sock -n <http://k8s.io|k8s.io> c lsPotentially
containerd_containerscontainerd_imagescontainerd_namespacescontainerd_eventssudo ctr --address /var/snap/microk8s/common/run/containerd.sock -n <http://k8s.io|k8s.io> eventsa
alessandrogario
08/18/2022, 1:14 AMI think we had a draft impl for that somewhere, need to ask @Stefano Bonicatti
z
zwass
08/18/2022, 1:14 AMIt's in Go, but https://github.com/containerd/containerd/tree/main/cmd/ctr/commands could be quite useful
a
alessandrogario
08/18/2022, 1:15 AMWill probably have to be rewritten anyway; it would be cool to have it in core!
z
zwass
08/18/2022, 1:15 AMYeah, at least probably a very good reference
a
Artemis Tosini
08/18/2022, 2:23 PMI think that a process is almost certainly in a container if it is in a different UTS namespace than init
I was planning on directly using the runc state files cirectly because I couldn't figure out how to get the root pid of a container from the containerd api
However that also doesn't give us everything we need