containerhook

package v0.27.0
Published: Apr 2, 2024 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Overview

Package containerhook detects when a container is created or terminated.

It uses two mechanisms to detect new containers:

  1. fanotify with FAN_OPEN_EXEC_PERM.
  2. ebpf on the sys_enter_execve tracepoint to get the execve arguments.

Using fanotify with FAN_OPEN_EXEC_PERM makes it possible to invoke a callback function while the container is being created. The container is paused until the callback function returns.

Using ebpf on the sys_enter_execve tracepoint makes it possible to obtain the execve arguments without reading /proc/$pid/cmdline or /proc/$pid/comm. Reading /proc/$pid/cmdline is not possible with fanotify alone when the tracer is not in the same pidns as the process being traced, which is the case when Inspektor Gadget is started with hostPID=false.

Diagram of the two mechanisms: https://github.com/inspektor-gadget/inspektor-gadget/blob/main/docs/devel/fanotify-ebpf.png

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Supported

func Supported() bool

Supported reports whether RuncNotifier is supported in the current environment.

Types

type ContainerEvent

type ContainerEvent struct {
	// Type is whether the container was added or removed
	Type EventType

	// ContainerID is the container id, typically a 64-character hexadecimal string
	ContainerID string

	// ContainerName is the container name, typically two words with an underscore
	ContainerName string

	// ContainerPID is the process id of the container
	ContainerPID uint32

	// ContainerConfig is the container's configuration, i.e. the config.json
	// from the OCI runtime spec
	ContainerConfig *ocispec.Spec

	// Bundle is the directory containing the config.json from the OCI
	// runtime spec
	// See https://github.com/opencontainers/runtime-spec/blob/main/bundle.md
	Bundle string
}

ContainerEvent is the notification for container creation or termination.

type ContainerNotifier

type ContainerNotifier struct {
	// contains filtered or unexported fields
}

func NewContainerNotifier

func NewContainerNotifier(callback ContainerNotifyFunc) (*ContainerNotifier, error)

NewContainerNotifier uses fanotify and ebpf to detect when a container is created or terminated, and calls the callback on each such event.

Limitations:
  - the container runtime must be installed in one of the paths listed by runtimePaths

func (*ContainerNotifier) AddWatchContainerTermination

func (n *ContainerNotifier) AddWatchContainerTermination(containerID string, containerPID int) error

AddWatchContainerTermination watches a container for termination and generates an event on the notifier. This is automatically called for new containers detected by ContainerNotifier, but it can also be called for containers detected externally such as initial containers.

func (*ContainerNotifier) Close

func (n *ContainerNotifier) Close()

type ContainerNotifyFunc

type ContainerNotifyFunc func(notif ContainerEvent)

type EventType

type EventType int
const (
	EventTypeAddContainer EventType = iota
	EventTypeRemoveContainer
)
