Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

container create: add inspect data to event #16599

Merged
merged 1 commit into from
Nov 29, 2022

Conversation

vrothberg
Copy link
Member

@vrothberg vrothberg commented Nov 23, 2022

When the new events_container_create_inspect_data option is enabled in
containers.conf set the ContainersCreateInspectData event field for
each container-create event.

The data was requested for the purpose of auditing (e.g., intrusion detection).

Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg [email protected]

Does this PR introduce a user-facing change?

When the new `event_audit_container_create` options is enabled in containers.conf, increase the verbosity of the container-create event by adding the inspect data of the container to the event.

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Nov 23, 2022
@vrothberg
Copy link
Member Author

containers/common#1243 needs to merge first.

@vrothberg
Copy link
Member Author

As always, naming is the hardest part I guess.

@containers/podman-maintainers PTAL

Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

libpod/runtime_ctr.go Show resolved Hide resolved
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 23, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mheon
Copy link
Member

mheon commented Nov 23, 2022

We're going to absolutely murder the journal by doing this, but if it's what people want, I guess we have to deliver.

LGTM

Copy link
Collaborator

@flouthoc flouthoc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO I think the store and backend for audit logs should be separately configurable and should not be mixed the regular logs.

I think in most cases people would like to dump audit logs to a cheaper storage and use it only when needed. https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#log-backend

But is separate store even applicable in podman do we have different events for audit ? Overall this is just an idea and not at all a blocker for this PR.

@vrothberg
Copy link
Member Author

We're going to absolutely murder the journal by doing this, but if it's what people want, I guess we have to deliver.

That was brought up but does not seem to matter.

But is separate store even applicable in podman do we have different events for audit ? Overall this is just an idea and not at all a blocker for this PR.

The idea for a separate store is very interesting. For now, the goal is not have a holistic audit-logging (e.g., with including pulls, pushs, etc.) but to meet the use case. Adding the inspect data to the container-create event turned out to integrate well into already existing tooling for reading the journal while providing all possible data on which container is created with what image (digests etc.).

libpod/events.go Outdated Show resolved Hide resolved
@vrothberg vrothberg added the bloat_approved Approve a PR in which binary file size grows by over 50k label Nov 24, 2022
@vrothberg
Copy link
Member Author

  • bin/rootlessport grew by 1262992 bytes; max allowed is 51200.

Unrelated to this change

@Luap99
Copy link
Member

Luap99 commented Nov 24, 2022

  • bin/rootlessport grew by 1262992 bytes; max allowed is 51200.

Unrelated to this change

Huh? We should investigate why, rootlessport should be as small as possible. I guess it is caused by c/common changes so not a blocker for this PR but I would like to take a look if I find some time.

@vrothberg
Copy link
Member Author

  • bin/rootlessport grew by 1262992 bytes; max allowed is 51200.

Unrelated to this change

Huh? We should investigate why, rootlessport should be as small as possible. I guess it is caused by c/common changes so not a blocker for this PR but I would like to take a look if I find some time.

Likely caused by containers/common#1239

@vrothberg
Copy link
Member Author

[+1513s] [Fail] Verify podman containers.conf usage [It] regular capabilities
[+1513s] /var/tmp/go/src/github.com/containers/podman/test/e2e/containers_conf_test.go:114

Gnah, will fix that in another PR.

@vrothberg
Copy link
Member Author

-> #16610 need this in first

libpod/events/config.go Outdated Show resolved Hide resolved
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 28, 2022
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 28, 2022
@vrothberg vrothberg marked this pull request as ready for review November 28, 2022 13:01
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 28, 2022
@vrothberg
Copy link
Member Author

Ready for review/merge ✔️

Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

libpod/events.go Outdated
return nil
}()
if err != nil {
logrus.Errorf("Unable to add inspect data to container-create event: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like a customer who wants full audit data would prefer that container creation actually fail if we can't provide this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was contemplating it but couldn't decide. But you changed my mind. I also believe it's valid to fail in this case.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Note that I was very careful not to change other callers to write events. Almost all are using defer and changing that would be a (too) big PR.

I also took the occasion to rename PODMAN_CONTAINER_CREATE_INSPECT_DATA to PODMAN_CONTAINER_INSPECT_DATA ... just in case we want more container events to contain this data in the future.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 28, 2022
When the new `events_container_create_inspect_data` option is enabled in
containers.conf set the `ContainersInspectData` event field for each
container-create event.

The data was requested for the purpose of auditing (e.g., intrusion
detection).

Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <[email protected]>
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 29, 2022
@baude
Copy link
Member

baude commented Nov 29, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 29, 2022
@openshift-merge-robot openshift-merge-robot merged commit e15ffc1 into containers:main Nov 29, 2022
@vrothberg vrothberg deleted the RUN-1702 branch November 29, 2022 14:33
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 20, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bloat_approved Approve a PR in which binary file size grows by over 50k lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. release-note
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants