-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trace exec with filter has blindspots when configured with podinformer container collection #2614
Comments
Hi!
If I remember correctly, this is a limitation of Best regards. |
The Podinformer inherently will take a bit of time before announcing there is a new container because the message comes from the Kubernetes API server (from another node) and the startup of the container is not paused during that process. Why is the fanotify-ebpf not working for you? Because the kernel is compiled without fanotify? |
That's a good question. We run it on Bottlerocket, which is pretty confined and hardened with various LSMs, but I'll try to figure exactly where it fails and come back with details. |
|
I never heard about bottlerocket, so this highly possible we do not support this distribution.
Interesting, where is Also, do you have access to their kernel config (e.g. under $ grep FANOTIFY ./arch/x86/configs/x86_64_defconfig (tags/v6.6^0) %
$ echo $? (tags/v6.6^0) %
1 https://github.com/bottlerocket-os/bottlerocket/blob/develop/packages/kernel-6.1/config-bottlerocket |
I believe the runc is in /bin/runc and the problem is not in finding it but permission denied errors I saw after enabling debug logger:
I'm going to check the kernel config as suggested. |
I've checked again and it seems that the Bottlerocket OS is compiled with fanotify support:
However, it seems that Bottlerocket's default SELinux policy block the Do you happen to know if using |
Good to know! This should be able to work then.
What is the return value you get when using
After taking a slight look, I would say these two flags are totally different:
Can you please share this code somewhere, so I can pull it and test it? |
Thanks @eiffel-fl for prompt reply. I'll share a minimal example I've been using for tests as soon as I have some spare CPU / time cycles. |
The difference between All flags with the If you use
So it would be racy. It might work but it is not guaranteed. You might lose the first few events. |
This issue has been automatically marked as stale because it has not had recent activity. |
Description
We cannot always use runc+fanotify or fanotify+ebpf container collection strategies as shown in this example. When I check code it seems that if these two strategies are not supported, IG falls back to the pod informer collection. However, in my setup the pod informer collection caused loosing exec events that happen very early in the container lifecycle, e.g. container entrypoint execution.
Impact
Lost exec events, but I can imagine it might be acceptable for such a tool as IG. I'm just trying to figure if it's expected behavior.
I assume the container event is delayed and the raw exec event is ignored before the mntns eBPF map is updated.
Environment and steps to reproduce
Bottlerocket OS 1.15.1 (aws-k8s-1.26); Kernel 5.15.128; IG v0.23.1 .. v0.26.0
Expected behavior
The entry point bash exec with container metadata is captured by IG.
Additional information
I bumped into this issue while working on capturing container runtime profiles (aka RAD fingerprints). We've been using IG for some parts of that work, but we are hitting more and more limitations. Therefore, I'd appreciate your feedback on observed behavior and whether we push IG a bit too hard to the limits. To give you a real example, check a fingerprints of ubuntu image built with fanotify and podinformer collectors respectively. The latter is incomplete.
The text was updated successfully, but these errors were encountered: