https://github.com/osquery/osquery logo
#linux
Title
# linux
z

zwass

08/17/2022, 10:20 PM
Is there a good way to tell whether a process is part of a container (independent of the runtime, I know docker containers could be found with
docker_containers
table)? Not sure if @Artemis Tosini’s cgroup work will help with this. In current osquery, best I've come up with is
select * from processes join process_namespaces using (pid) where cgroup_namespace != (select cgroup_namespace from process_namespaces where pid = 1);
(eg. check for a different cgroup than the init process), though I think this will pick up other processes using cgroups besides just containers. I'm looking to do this in order to take advantage of the
pid_with_namespace
column @Stefano Bonicatti added to some tables.
a

alessandrogario

08/17/2022, 11:14 PM
It's not runtime-agnostic though
That said, I think we have to know what's the strategy used by each runtime, as I don't think a "container" exists per se
Not an expert on this, but I think it is just a specific combination of different user namespaces
in the example I pasted right after that message, I'm running docker-podman on Fedora. There are actually two distinct namespace in use even though the container is the same
there is a libpod-conmon-<hash> for one process, and a libpod-<hash> for the others
s

Stefano Bonicatti

08/18/2022, 12:02 AM
Yeah a container is a combination of namespaces (user, network, mount, cgroup) and cgroups. Each is needed to isolate or restrict various resources.
z

zwass

08/18/2022, 12:33 AM
I don't think a "container" exists per se
Yeah that all sounds right. Maybe we could come up with a heuristic for detecting container processes in some different runtimes? Eg. Docker (and by extension
containerd
?) seems to have a parent process of
containerd-shim
. So maybe if you take the cgroup IDs of every direct child process of
containerd-shim
then you can treat each of those as the cgroup for a container?
a

alessandrogario

08/18/2022, 12:37 AM
It is worth investigating, keeping in mind that namespaces can be nested and mixed in different combinations
and some of the top level processes close to the shim may only have "one foot" in the final namespace combination used by the container
osquery is kind of an example of that, with pid_with_namespace joining just the mount namespace
z

zwass

08/18/2022, 1:10 AM
Since Docker and k8s both use containerd by default, maybe it could make sense to create some containerd-specific tables? I know @Artemis Tosini you were talking about this. I see that containerd provides a grpc API on a unix domain socket, eg. with microk8s
sudo ctr --address /var/snap/microk8s/common/run/containerd.sock -n <http://k8s.io|k8s.io> c ls
Potentially
containerd_containers
,
containerd_images
,
containerd_namespaces
containerd_events
could be interesting as well
sudo ctr --address /var/snap/microk8s/common/run/containerd.sock -n <http://k8s.io|k8s.io> events
seems to stream those events
a

alessandrogario

08/18/2022, 1:14 AM
I think we had a draft impl for that somewhere, need to ask @Stefano Bonicatti
z

zwass

08/18/2022, 1:14 AM
a

alessandrogario

08/18/2022, 1:15 AM
Will probably have to be rewritten anyway; it would be cool to have it in core!
z

zwass

08/18/2022, 1:15 AM
Yeah, at least probably a very good reference
a

Artemis Tosini

08/18/2022, 2:23 PM
I think that a process is almost certainly in a container if it is in a different UTS namespace than init
I was planning on directly using the runc state files cirectly because I couldn't figure out how to get the root pid of a container from the containerd api
However that also doesn't give us everything we need
6 Views