Documentation
Overview
Package containerhook detects when a container is created or terminated.
It uses two mechanisms to detect new containers:
- fanotify with FAN_OPEN_EXEC_PERM.
- ebpf on the sys_enter_execve tracepoint to get the execve arguments.
Using fanotify with FAN_OPEN_EXEC_PERM allows a callback function to be invoked while the container is being created. The container stays paused until the callback function returns.
Using ebpf on the sys_enter_execve tracepoint makes the execve arguments available without reading /proc/$pid/cmdline or /proc/$pid/comm. Reading /proc/$pid/cmdline is not possible with fanotify alone when the tracer is not in the same pidns as the process being traced, which is the case when Inspektor Gadget is started with hostPID=false.
https://github.com/inspektor-gadget/inspektor-gadget/blob/main/docs/devel/fanotify-ebpf.png
Types
type ContainerEvent
type ContainerEvent struct {
	// Type is whether the container was added or removed
	Type EventType

	// ContainerID is the container id, typically a 64 hexadecimal string
	ContainerID string

	// ContainerName is the container name, typically two words with an underscore
	ContainerName string

	// ContainerPID is the process id of the container
	ContainerPID uint32

	// Container's configuration is the config.json from the OCI runtime
	// spec
	ContainerConfig *ocispec.Spec

	// Bundle is the directory containing the config.json from the OCI
	// runtime spec
	// See https://github.com/opencontainers/runtime-spec/blob/main/bundle.md
	Bundle string
}
ContainerEvent is the notification for container creation or termination
type ContainerNotifier
type ContainerNotifier struct {
// contains filtered or unexported fields
}
func NewContainerNotifier
func NewContainerNotifier(callback ContainerNotifyFunc) (*ContainerNotifier, error)
NewContainerNotifier uses fanotify and ebpf to detect when a container is created or terminated, and calls the callback on each such event.
Limitations:
- the container runtime must be installed in one of the paths listed by runtimePaths
func (*ContainerNotifier) AddWatchContainerTermination
func (n *ContainerNotifier) AddWatchContainerTermination(containerID string, containerPID int) error
AddWatchContainerTermination watches a container for termination and generates an event on the notifier. This is automatically called for new containers detected by ContainerNotifier, but it can also be called for containers detected externally such as initial containers.
func (*ContainerNotifier) Close
func (n *ContainerNotifier) Close()
type ContainerNotifyFunc
type ContainerNotifyFunc func(notif ContainerEvent)
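The following is an added example of a ContainerNotifyFunc consumer, not code from the containerhook package: it keeps an inventory of live containers and shows the constraint that the new container stays paused until the callback returns, so the callback does only map updates and a non-blocking hand-off. The EventType constant names and the local ContainerEvent stand-in (which drops ContainerName, ContainerConfig and Bundle) are assumptions made so the file runs offline.

```go
package main

import (
	"fmt"
	"sync"
)
// Local stand-ins for the documented ContainerEvent/EventType (constant names assumed).
type EventType int
const (
	EventTypeAddContainer EventType = iota
	EventTypeRemoveContainer
)
type ContainerEvent struct {
	Type         EventType
	ContainerID  string
	ContainerPID uint32 // with ContainerID, the pair AddWatchContainerTermination takes
}
// Inventory tracks live containers. The notifier keeps a new container paused until the
// callback returns, so Callback only updates the map and queues; slow work drains Enrich.
type Inventory struct {
	mu      sync.Mutex
	Live    map[string]ContainerEvent
	Enrich  chan ContainerEvent // drained by a separate goroutine
	Dropped int                 // add events not queued because Enrich was full
}
func NewInventory() *Inventory {
	return &Inventory{Live: map[string]ContainerEvent{}, Enrich: make(chan ContainerEvent, 64)}
}
// Callback has the ContainerNotifyFunc signature: func(notif ContainerEvent).
func (inv *Inventory) Callback(ev ContainerEvent) {
	inv.mu.Lock()
	defer inv.mu.Unlock()
	switch ev.Type {
	case EventTypeAddContainer:
		inv.Live[ev.ContainerID] = ev
		select {
		case inv.Enrich <- ev:
		default:
			inv.Dropped++ // never block here: that would stall the paused container
		}
	case EventTypeRemoveContainer:
		delete(inv.Live, ev.ContainerID)
	}
}

func main() { // constructed event, not one observed by containerhook
	inv := NewInventory()
	inv.Callback(ContainerEvent{Type: EventTypeAddContainer, ContainerID: "0123abcd", ContainerPID: 4242})
	fmt.Println(len(inv.Live), inv.Dropped) // 1 0
}
```

In a real deployment the goroutine draining Enrich is where reading the bundle's config.json or applying policy belongs, and `inv.Callback` is what gets passed to NewContainerNotifier.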