support configuring audit rules from bootstrap container #3831

Merged (2 commits), Mar 21, 2024
1 change: 1 addition & 0 deletions packages/os/bootstrap-containers@.service
Expand Up @@ -27,3 +27,4 @@ ExecStartPost=/usr/bin/bootstrap-containers mark-bootstrap \
--mode '${CTR_MODE}'
RemainAfterExit=true
StandardError=journal+console
SyslogIdentifier=bootstrap-containers@%i
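Review bot: `SyslogIdentifier=bootstrap-containers@%i` gives each instance its own journal identifier, which is what an audit-oriented change wants for attributing output to a specific bootstrap container. One caveat for the operator docs: `%i` expands to the escaped instance name, so a container whose name needed unit-name escaping shows up under the escaped form when filtering with `journalctl -t`; `%I` is the unescaped variant. If container names are always plain identifiers this is fine as written.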
1 change: 1 addition & 0 deletions packages/os/host-containers@.service
Expand Up @@ -17,6 +17,7 @@ Restart=always
RestartSec=45
TimeoutStopSec=60
StandardError=journal+console
SyslogIdentifier=host-containers@%i

[Install]
WantedBy=multi-user.target
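Review bot: same pattern as the bootstrap unit, and worth having here too: with `Restart=always` and `RestartSec=45` a crash-looping host container now leaves a per-instance identifier in the journal, so its restarts can be filtered with `journalctl -t host-containers@<name>` instead of being picked out of the interleaved console output. Consider mentioning the new identifiers in the PR description or docs so operators know to look for them.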
14 changes: 11 additions & 3 deletions sources/host-ctr/cmd/host-ctr/main.go
Expand Up @@ -140,7 +140,7 @@
Value: false,
},
},
Action: func(c *cli.Context) error {
Check warning on line 143 in sources/host-ctr/cmd/host-ctr/main.go (GitHub Actions / lint): unused-parameter: parameter 'c' seems to be unused, consider removing or renaming it as _ (revive)
return runCtr(containerdSocket, namespace, containerID, source, superpowered, registryConfig, containerType(cType), useCachedImage)
},
},
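Review bot: `c` in `Action: func(c *cli.Context) error` is unused in this closure (the body only forwards the package-level flag values to `runCtr`), which is what the lint annotation on line 143 flags; `func(_ *cli.Context) error` clears it. The same applies to the cleanup action in the next hunk. Unrelated to the audit change, so fine to handle separately.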
Expand Down Expand Up @@ -191,7 +191,7 @@
Required: true,
},
},
Action: func(c *cli.Context) error {
Check warning on line 194 in sources/host-ctr/cmd/host-ctr/main.go (GitHub Actions / lint): unused-parameter: parameter 'c' seems to be unused, consider removing or renaming it as _ (revive)
return cleanUp(containerdSocket, namespace, containerID)
},
},
Expand Down Expand Up @@ -742,14 +742,22 @@
withPrivilegedMounts(),
withStorageMounts(),
withRootFsShared(),
// host PID namespace is required to configure audit rules
oci.WithHostNamespace(runtimespec.PIDNamespace),
oci.WithSelinuxLabel("system_u:system_r:control_t:s0-s0:c0.c1023"),
// Bootstrap containers don't require all capabilities. We only add
// Bootstrap containers don't require all capabilities. We only add:
// - CAP_SYS_ADMIN: for mounting filesystems
// - CAP_NET_ADMIN: for managing iptables rules
// - CAP_SYS_CHROOT: to execute binaries from the root filesystem
// - CAP_SYS_MODULE: to load kernel modules from the root filesystem
// managing iptables rules, `CAP_SYS_CH`
oci.WithAddedCapabilities([]string{"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_CHROOT", "CAP_SYS_MODULE"}),
// - CAP_AUDIT_CONTROL: to retrieve and configure audit rules
oci.WithAddedCapabilities([]string{
"CAP_SYS_ADMIN",
"CAP_NET_ADMIN",
"CAP_SYS_CHROOT",
"CAP_SYS_MODULE",
"CAP_AUDIT_CONTROL",
}),
// `WithDefaultProfile` creates the proper seccomp profile based on the
// container's capabilities.
seccomp.WithDefaultProfile(),
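Review bot: the `// host PID namespace is required to configure audit rules` comment should say why, because it is the most consequential line in the hunk: joining the host PID namespace makes every host process visible to the bootstrap container, and combined with `CAP_SYS_ADMIN` and the shared root filesystem that leaves the `control_t` SELinux label on the next line as the main boundary between the container and host processes. Recording what fails without it will stop someone from removing the line later as an apparent privilege reduction. On the capability list, `CAP_AUDIT_CONTROL` also allows disabling auditing and deleting rules, not only adding them; since the container already holds `CAP_SYS_MODULE` this does not raise the effective ceiling, but the new ability to alter audit state deserves a sentence in the PR description. The restructured comment block reads much better than the truncated `CAP_SYS_CH` version it replaces.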
Expand Down Expand Up @@ -972,7 +980,7 @@

// withProxyEnv reads proxy environment variables and returns a spec option for passing said proxy environment variables
func withProxyEnv() oci.SpecOpts {
noOp := func(_ context.Context, _ oci.Client, _ *containers.Container, s *runtimespec.Spec) error { return nil }
Check warning on line 983 in sources/host-ctr/cmd/host-ctr/main.go (GitHub Actions / lint): unused-parameter: parameter 's' seems to be unused, consider removing or renaming it as _ (revive)
httpsProxy, httpsProxySet := os.LookupEnv("HTTPS_PROXY")
noProxy, noProxySet := os.LookupEnv("NO_PROXY")
withHTTPSProxy := noOp
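Review bot: `s` in the `noOp` closure is unused (the function only returns nil), which is the lint annotation on line 983; `func(_ context.Context, _ oci.Client, _ *containers.Container, _ *runtimespec.Spec) error` keeps the `oci.SpecOpts` signature and clears the warning. The proxy environment lookup itself is otherwise untouched here.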