logging: new mode -l passthrough

[giuseppe]

it allows to pass the current std streams down to the container.

conmon support: containers/conmon#289

[NO TESTS NEEDED] it needs a new conmon.

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [giuseppe]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[giuseppe]

@vrothberg what do you think?

This should improve integration with systemd (but some commands won't work)

[TomSweeneyRedHat]

Changes LGTM
but tests are an ugly red.

[mheon]

Shouldn't these conflict? It doesn't seem particularly sane to log to the terminal's STDOUT and STDERR when the process is no longer attached to the controlling terminal.

[giuseppe]

the fds are passed down to the container that can still use them.

I think the only sane usage of this option is within a systemd service.

Using a tty won't be allowed by conmon as it opens to security issues: https://github.com/containers/conmon/pull/289/files#diff-26c58c117a24670c396f3e8e3e86cd6a6f134b3f02f84f8c894213c16c542d4cR165-R166

[mheon]

Can we get documentation to that effect? I was very confused by what this option was for.

Also, I think conflicting with --tty makes a lot of sense - we won't have split stderr/stdout, and won't have raw mode set so the output will likely be garbage.

[vrothberg]

I like Matt's suggestion

[giuseppe]

I added the error also to Podman so we don't rely on conmon checking for it

[giuseppe]

converted to draft. Let's wait for the conmon change to be accepted first

[alexlarsson]

Ok, I played with this by launching podman with the passthrough log driver from a systemd service, and it works just like I expected. For example, it properly picks up the syslog identifiers set by the systemd unit, and the individual journal entries are tagged with the correct pid, cmdline and exe (i.e. not everything looks like it came from conmon).

The one issue I have is that the systemd journal connection has a system_u:system_r:init_t:s0 selinux context and the container is running in system_u:system_r:container_runtime_t:s0, so I'm getting AVC denied when writing to the journal breaking selinux enforcing mode. I wonder what is the best way to handle this. @rhatdan opinions?

[alexlarsson]

These are the AVCs i get:

   type=AVC msg=audit(1630657057.309:47775): avc:  denied  { ioctl } for  pid=1312362 comm="bash" path="socket:[7069215]" dev="sockfs" ino=7069215 ioctlcmd=0x540f scontext=system_u:system_r:container_t:s0:c139,c179 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
   type=AVC msg=audit(1630657057.319:47776): avc:  denied  { getattr } for  pid=1312362 comm="autobus.py" path="socket:[7069215]" dev="sockfs" ino=7069215 scontext=system_u:system_r:container_t:s0:c139,c179 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1

[rhatdan]

This should be fixed in container-selinux.

[rhatdan]

Looks like this is allowed in current container-selinux.

container-selinux-2.167

$ audit2allow -i /tmp/t

#============= container_t ==============

#!!!! This avc is allowed in the current policy
allow container_t init_t:unix_stream_socket getattr;

[alexlarsson]

Ok. I'm only on container-selinux-2.164.2-1.fc34 atm.

[rhatdan]

@alexlarsson Have you updated to the latest container-selinux to the latest version to make sure it works.

[giuseppe]

this is ready

[Luap99]

Can you add a test?

[giuseppe]

the issue is that it needs a new conmon which is not available in the CI

[rhatdan]

Lets get this in, and then add tests when the new conmon is ready. Then the people who need this IE @alexlarsson can start playing with it now, and see if there are any issues.
LGTM

[TomSweeneyRedHat]

LGTM

[TomSweeneyRedHat]

/lgtm