An OCI container runtime monitor.
Upon being launched, conmon (usually) double-forks to daemonize and detach from the parent that launched it. It then launches the runtime as its child. This allows managing processes to die in the foreground, but still be able to watch over and connect to the child process (the container).
While the container runs, conmon does two things:
- Provides a socket for attaching to the container, holding open the container's standard streams and forwarding them over the socket.
- Writes the contents of the container's streams to a log file (or to the systemd journal) so they can be read after the container's death.
Finally, upon the containers death, conmon will record its exit time and code to be read by the managing programs.
Written in C and designed to have a low memory footprint, conmon is intended to be run by a container managing library. Essentially, conmon is the smallest daemon a container can have.
In most cases, conmon should be packaged with your favorite container manager. However, if you'd like to try building it from source, follow the steps below.
These dependencies are required for the build:
Fedora, CentOS, RHEL, and related distributions:
sudo yum install -y \ gcc \ git \ glib2-devel \ glibc-devel \ libseccomp-devel \ make \ pkgconfig \ runc
Debian, Ubuntu, and related distributions:
sudo apt-get install \ gcc \ git \ libc6-dev \ libglib2.0-dev \ libseccomp-dev \ pkg-config \ make \ runc
Once all the dependencies are installed:
There are three options for installation, depending on your environment.
Each can have the PREFIX overridden. The PREFIX defaults to
for most Linux distributions.
make installinstalls to
$PREFIX/bin, for adding conmon to the path.
make podmaninstalls to
$PREFIX/libexec/podman, which is used to override the conmon version that Podman uses.
make crioinstalls to
$PREFIX/libexec/crio, which is used to override the conmon version that CRI-O uses.
It is possible to build a statically linked binary of conmon by using the officially provided nix package and the derivation of it within this repository. The builds are completely reproducible and will create a x86_64/amd64 stripped ELF binary for glibc.
To build the binaries by locally installing the nix package manager:
nix build -f nix/
An Ansible Role is also available to automate the installation of the above statically linked binary on its supported OS:
sudo su - mkdir -p ~/.ansible/roles cd ~/.ansible/roles git clone https://github.com/alvistack/ansible-role-conmon.git conmon cd ~/.ansible/roles/conmon pip3 install --upgrade --ignore-installed --requirement requirements.txt molecule converge molecule verify