Is there a good way to tell whether a process is p...
# linux
z
Is there a good way to tell whether a process is part of a container (independent of the runtime, I know docker containers could be found with the `docker_containers` table)? Not sure if @Artemis Tosini's cgroup work will help with this. In current osquery, best I've come up with is
select * from processes join process_namespaces using (pid) where cgroup_namespace != (select cgroup_namespace from process_namespaces where pid = 1);
(eg. check for a different cgroup than the init process), though I think this will pick up other processes using cgroups besides just containers. I'm looking to do this in order to take advantage of the `pid_with_namespace` column @Stefano Bonicatti added to some tables.
a
It's not runtime-agnostic though
That said, I think we have to know what's the strategy used by each runtime, as I don't think a "container" exists per se
Not an expert on this, but I think it is just a specific combination of different user namespaces
in the example I pasted right after that message, I'm running docker-podman on Fedora. There are actually two distinct namespaces in use even though the container is the same
there is a libpod-conmon-<hash> for one process, and a libpod-<hash> for the others
s
Yeah a container is a combination of namespaces (user, network, mount, cgroup) and cgroups. Each is needed to isolate or restrict various resources.
z
I don't think a "container" exists per se
Yeah that all sounds right. Maybe we could come up with a heuristic for detecting container processes in some different runtimes? Eg. Docker (and by extension `containerd`?) seems to have a parent process of `containerd-shim`. So maybe if you take the cgroup IDs of every direct child process of `containerd-shim` then you can treat each of those as the cgroup for a container?
a
It is worth investigating, keeping in mind that namespaces can be nested and mixed in different combinations
and some of the top level processes close to the shim may only have "one foot" in the final namespace combination used by the container
osquery is kind of an example of that, with pid_with_namespace joining just the mount namespace
z
Since Docker and k8s both use containerd by default, maybe it could make sense to create some containerd-specific tables? I know @Artemis Tosini you were talking about this. I see that containerd provides a grpc API on a unix domain socket, eg. with microk8s
sudo ctr --address /var/snap/microk8s/common/run/containerd.sock -n k8s.io c ls
Potentially `containerd_containers`, `containerd_images`, `containerd_namespaces`, `containerd_events` could be interesting as well
sudo ctr --address /var/snap/microk8s/common/run/containerd.sock -n k8s.io events
seems to stream those events
a
I think we had a draft impl for that somewhere, need to ask @Stefano Bonicatti
z
a
Will probably have to be rewritten anyway; it would be cool to have it in core!
z
Yeah, at least probably a very good reference
a
I think that a process is almost certainly in a container if it is in a different UTS namespace than init
I was planning on using the runc state files directly because I couldn't figure out how to get the root pid of a container from the containerd api
However that also doesn't give us everything we need