Trace `open()` system calls with eBPF for the most popular container images and publish the UID/GID result to the Podman community
#20006
Replies: 3 comments 1 reply
- Interesting idea! I have no time to work on it but am interested to follow and help where I can.
- Instead of tracing `open()`, wouldn't it make more sense to trace the `setuid()` system calls if you want to know what IDs the container is running under?
- I tried a simpler approach that does not make use of eBPF. A sketch:

  For details, see https://github.com/eriksjolund/podman-detect-option. I wrote some Bash shell scripts and tried it out for a few popular container images.
- Idea: Use the tool Inspektor Gadget to find out which UID/GID are used in `open()` system calls for the most popular container images. Publish the result to give users of Podman an estimated guess of how to set the command-line option `--userns keep-id:uid=$uid,gid=$gid`.

  The use case I'm considering is when a container starts to run as root (`--user 0:0`) but later drops privileges and runs as a different user. I would like that non-root user to be mapped to the regular user on the host. Tracing all `open()` system calls in a container might give enough information to know how to set `$uid` and `$gid` in the `podman run` option:

  The published table could look something like this:

  This idea is related to:

  Side-note 1: Tracing just `open()` system calls is a good start, but there are also other system calls like `mkdir()` that are also related to UID/GID.

  Side-note 2: Instead of using the eBPF tool Inspektor Gadget, another idea is to enhance https://github.com/containers/oci-seccomp-bpf-hook to also analyse the use of UID/GID in a container.
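The post above stops at "how to set `$uid` and `$gid`" without showing the step from trace to option. The following is an added example (not code from the discussion, from Inspektor Gadget or from Podman) of that post-processing: it reads `open()` events as JSON lines, builds a UID/GID histogram, ignores root because the use case is a container that drops privileges after starting as `0:0`, and only emits a `--userns keep-id:uid=...,gid=...` suggestion when one non-root pair clearly dominates. The same code works unchanged on `setuid()` events, as suggested in the second reply, as long as they carry the same fields. Assumptions: each event has `comm`, `uid`, `gid` and `path` keys (Inspektor Gadget's `ig trace open -o json` output carries fields of this kind, but the exact names are an assumption here), the trace below is constructed rather than captured from a real image, and the 50% dominance threshold is an arbitrary choice.

```python
"""Derive a `--userns keep-id:uid=...,gid=...` suggestion from traced open() events.

Added example for the Podman discussion; not project code.
Assumption: input is JSON lines, each with at least "comm", "uid", "gid", "path".
Adjust parse_events() if your tracer uses other field names.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample (not a real capture): an entrypoint and a setup step run
# as root, then the daemon and a helper run as 999:999, and a root cron job
# keeps touching files afterwards.
SAMPLE_TRACE = """\
{"comm":"entrypoint.sh","uid":0,"gid":0,"path":"/etc/passwd"}
{"comm":"entrypoint.sh","uid":0,"gid":0,"path":"/var/lib/app/config"}
{"comm":"chown","uid":0,"gid":0,"path":"/var/lib/app"}
{"comm":"appd","uid":999,"gid":999,"path":"/var/lib/app/data.db"}
{"comm":"appd","uid":999,"gid":999,"path":"/var/lib/app/data.db-wal"}
{"comm":"appd","uid":999,"gid":999,"path":"/dev/urandom"}
{"comm":"app-helper","uid":999,"gid":999,"path":"/var/lib/app/cache"}
{"comm":"cron","uid":0,"gid":0,"path":"/etc/crontab"}
"""

Pair = Tuple[int, int]


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON lines, dropping blank lines and records without credentials
    (tracers often interleave status messages with events)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if "uid" in ev and "gid" in ev:
            events.append(ev)
    return events


def credential_histogram(events: Iterable[dict]) -> Counter:
    """Number of open() events per (uid, gid) pair, root included."""
    return Counter((int(e["uid"]), int(e["gid"])) for e in events)


def per_process_breakdown(events: Iterable[dict]) -> Dict[str, Set[Pair]]:
    """comm -> set of (uid, gid) pairs it was seen with. A process appearing
    under both root and a non-root pair is the privilege drop; a comm that
    stays root after the drop (cron above) is a reason to read the table
    instead of trusting a single number."""
    out: Dict[str, Set[Pair]] = {}
    for e in events:
        out.setdefault(e["comm"], set()).add((int(e["uid"]), int(e["gid"])))
    return out


def suggest_keep_id(events: Iterable[dict], min_share: float = 0.5) -> Optional[Pair]:
    """The (uid, gid) the container drops to, or None when no pair is safe to suggest.

    Root is excluded because the use case is a container that starts as 0:0.
    If the most frequent non-root pair accounts for less than `min_share` of
    the non-root events, the image uses several identities and an automatic
    guess would be misleading."""
    hist = credential_histogram(events)
    non_root = {pair: n for pair, n in hist.items() if pair != (0, 0)}
    if not non_root:
        return None
    (uid, gid), top = max(non_root.items(), key=lambda kv: kv[1])
    if top / sum(non_root.values()) < min_share:
        return None
    return uid, gid


def keep_id_option(events: Iterable[dict]) -> Optional[str]:
    """Render the podman run option, or None when no unambiguous suggestion exists."""
    pair = suggest_keep_id(list(events))
    if pair is None:
        return None
    return f"--userns keep-id:uid={pair[0]},gid={pair[1]}"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_TRACE.splitlines())
    for (uid, gid), n in credential_histogram(evs).most_common():
        print(f"uid={uid:<5} gid={gid:<5} open() calls: {n}")
    for comm, pairs in sorted(per_process_breakdown(evs).items()):
        print(f"{comm:<14} {sorted(pairs)}")
    print(keep_id_option(evs) or "no unambiguous non-root uid/gid; inspect the breakdown")
```

One caveat for anyone running this against a rootless Podman container rather than a rootful one: the BPF helper `bpf_get_current_uid_gid()` returns credentials as seen from the initial user namespace, so the traced `uid`/`gid` of a process that is 999:999 inside the container will be the host-side mapped ID. Translate it back through the container's `/proc/<pid>/uid_map` and `gid_map` (or trace a rootful run) before writing the container-side values into `--userns keep-id`.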