track user names from inside container, not host

[mstemm]

If you create a user inside a container, sysdig still uses the uids from the host in order to populate %user.name. A way to reproduce is:

$ sudo docker run -it ubuntu:latest bash
root@e0ae2d1b19c2: /root@e0ae2d1b19c2:/# useradd testme
useradd testme
root@e0ae2d1b19c2: /root@e0ae2d1b19c2:/# su - testme
su - testme
No directory, logging in with HOME=/
$ cat /etc/passwd | grep testme
testme:x:1000:1000::/home/testme:
$ cat

While doing this and running sysdig with sudo sysdig container.id!=host and evt.type=execve -p "*%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info user=%user.name uid=%user.uid", you end up with this output:

5760 08:42:01.554078825 0 bash (12218) > execve filename=/bin/cat  user=deploy uid=1000
5797 08:42:01.554326172 0 cat (12218) < execve res=0 exe=cat args= tid=12218(cat) pid=12218(cat) ptid=12160(bash) cwd= fdlimit=1024 pgft_maj=0 pgft_min=33 vm_size=372 vm_rss=4 vm_swap=0 comm=cat cgroups=cpuset=/docker/e0ae2d1b19c25120fca711f6f8399728ccca234d1897d6474ad4bf3b543378... env=SHELL=/bin/bash.TERM=xterm.USER=testme.MAIL=/var/mail/testme.PATH=/usr/local/... tty=34816  user=deploy uid=1000

Note that although the user inside the container is "testme", sysdig reports the user as deploy, because uid 1000 within the container is being interpreted from the view of the host.

To fix this, we should keep track of uids from the container using something like user.vuid/user.vname.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.