From b1e8c44050b08bac54f07ed5be43562b16ef8ec7 Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Fri, 9 Aug 2024 15:40:13 +0200 Subject: [PATCH] cgroups: deal with crun subgroups MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit crun, an OCI container runtime used by cri-o, breaks pod association for tetragon by placing processes in a cgroup below the cgroup specified by the OCI spec: https://github.com/containers/crun/blob/main/crun.1.md#runocisystemdsubgroupsubgroup. With the introduction of cgidmap, this commit can finally deal with this issue by scanning the cgroup directory for children directories and, if it finds one, use the cgroup id of the child. A better solution would be to allow for multiple cgroup ids for each container, but this is left as a followup. The commit includes a script for testing this issue using minikube. Because minikube uses an older version of crun, we need to install it. The steps for reproducing this are: minikube start --driver=kvm2 --container-runtime=crio --force-systemd=true ./scripts/minikube-install-crun.sh Running tetragon without cgidmap, we observe events without pod association: 🚀 process minikube /usr/bin/ls 💥 exit minikube /usr/bin/ls 0 By installing the runtime hooks: ./scripts/minikube-install-hook.sh And running tetragon with cgidmap (and nri) using --enable-cri --enable-cgidmap, we observe pod association for both old and new pods: 🚀 process default/test /usr/bin/ls 💥 exit default/test /usr/bin/ls 0 Signed-off-by: Kornilios Kourtis --- .../scripts/minikube-install-crun.sh | 70 +++++++++++++++++++ pkg/cgidmap/cri.go | 2 +- pkg/cgroups/cgroups.go | 42 +++++++++++ pkg/policyfilter/cgroupid.go | 2 +- pkg/rthooks/args.go | 2 +- 5 files changed, 115 insertions(+), 3 deletions(-) create mode 100755 contrib/tetragon-rthooks/scripts/minikube-install-crun.sh 
diff --git a/contrib/tetragon-rthooks/scripts/minikube-install-crun.sh b/contrib/tetragon-rthooks/scripts/minikube-install-crun.sh
new file mode 100755
index 00000000000..f487dd8c8a2
--- /dev/null
+++ b/contrib/tetragon-rthooks/scripts/minikube-install-crun.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# vim:set noet ci pi ts=4 sw=4
+
+set -o pipefail
+set -e
+
+if [ "$1" != "install" ]; then
+ SCRIPTPATH=$(dirname "$0")
+ source ${SCRIPTPATH}/helpers
+
+ runtime=$(detect_runtime)
+ if [ "$runtime" != "crio" ]; then
+ echo "crio not installed, bailing out"
+ exit 1
+ fi
+
+ name=$(basename "$0")
+ minikube cp $0 /tmp/$name
+ minikube ssh sudo chmod +x /tmp/$name
+ minikube ssh sudo /tmp/$name install
+ exit 0
+fi
+
+set -x
+
+echo "Running inside minikube: $(uname -a)"
+crio_v=$(crio --version | sed -ne 's/^Version:[[:space:]]\+\(.\+\)/\1/p')
+echo "crio version: $crio_v"
+crun_v=$(crun --version | sed -ne 's/^crun version[[:space:]]\+\(.\+\)/\1/p')
+echo "old crun version: $crun_v"
+
+# cleanup everything
+systemctl stop kubelet
+crictl ps -a -q | xargs crictl stop
+crictl ps -a -q | xargs crictl rm
+crictl pods -q | xargs crictl stopp
+crictl pods -q | xargs crictl rmp
+systemctl stop crio
+
+cd /tmp
+tarball=cri-o.amd64.v${crio_v}.tar.gz
+if [ -f "${tarball}" ]; then
+ echo "tarball ${tarball} exists, skipping download"
+else
+ curl -sOL -C - https://storage.googleapis.com/cri-o/artifacts/${tarball}
+fi
+rm -rf cri-o
+tar zxf $tarball
+cd cri-o
+cp ./bin/crio-{conmon,conmonrs,crun} /usr/bin
+crio_crun_v=$(crio-crun --version | sed -ne 's/^crun version[[:space:]]\+\(.\+\)/\1/p')
+echo "new crun version: $crio_crun_v"
+
+fname=$(mktemp -t crio-crun-conf.XXXXX)
+cat >$fname <