containerized detection isn't reliable #225

Open
dliappis opened this issue Jun 3, 2024 · 3 comments
dliappis commented Jun 3, 2024

The logic for detecting whether go-sysinfo is running inside a container isn't always correct.
The code section is:

// Following a suggestion on Stack Overflow on how to detect
// being inside a container: https://stackoverflow.com/a/20012536/235203
if bytes.Contains(line, []byte("docker")) || bytes.Contains(line, []byte(".slice")) || bytes.Contains(line, []byte("lxc")) || bytes.Contains(line, []byte("kubepods")) {
return true, nil
}

and we can see that e.g. on a Linux host with cgroupsv2 we have:

[root@164502a64991 /]# cat /proc/1/cgroup
0::/

which isn't covered by the above code.

We aren't the only ones who've noticed this discrepancy, as we can see in the linked Stack Overflow article.

The truth is that detecting containerization isn't very straightforward. For example, Puppet's facter seems to only detect docker but not e.g. when running in podman. Issues have also been reported with Chef's Ohai (example) that seem to be resolved. A succinct comment with the possible strategies can be found in benfred/py-spy#614.

Ohai's implementation seems to be the most complete, so we could get some ideas from https://github.com/chef/ohai/blob/d63ae8e8af713c44d040f5583aac84cd3d79f9af/lib/ohai/plugins/linux/virtualization.rb#L180-L217

@dliappis dliappis added the bug Something isn't working label Jun 3, 2024
dliappis commented Jun 3, 2024

My understanding is that the above code affects at least this part of x-pack/auditbeat

@fearful-symmetry

Came here to file this exact issue; this won't work on a lot of newer docker versions as well, as they generally will use a private cgroup namespace:

docker run -it ubuntu:latest /bin/bash
root@484005f6da5f:/# cat /proc/1/cgroup
0::/

@git-blame

As mentioned, there is docker information in /proc/self/mountinfo. Notably, the container ids or hashes. There is a secondary problem which is that some docker containers do not have "/etc/machine-id", "/var/lib/dbus/machine-id", or "/var/db/dbus/machine-id". So the machine-id is also empty.

This code snippet can use mountinfo to get the docker's version of machineid. It can also be re-purposed to indicate if we are in a docker container:

import (
    "bufio"
    "os"
    "regexp"
)

// DockerMachineId returns the docker container id found in /proc/self/mountinfo,
// or defaultId when the file cannot be read or no docker mount is present.
func DockerMachineId(defaultId string) (machineId string) {
    machineId = defaultId
    // Get docker info
    file, err := os.Open("/proc/self/mountinfo")
    if err != nil {
        return
    }
    defer file.Close()

    // Docker bind-mounts files from /var/lib/docker/containers/<id>/ into the container
    r, err := regexp.Compile("docker/containers/([0-9a-f]+)")
    if err != nil {
        return
    }

    scan := bufio.NewScanner(file)
    var match []string
    for scan.Scan() {
        match = r.FindStringSubmatch(scan.Text())
        if match == nil || len(match) < 2 {
            continue
        }
        machineId = match[1]
        break
    }
    return
}
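Added example (not go-sysinfo's code nor any commenter's): it puts the substring heuristic from the original report beside the mountinfo container-id scan from the comment above and runs both over constructed cgroup v2 and mountinfo samples, so the "0::/" gap and its fallback can be exercised without a container. Function names and the sample lines are assumptions.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"regexp"
	"strings"
)

// cgroupHeuristic is the substring check quoted in the issue; cgroup v2's "0::/" never matches.
func cgroupHeuristic(cgroup []byte) bool {
	for _, line := range bytes.Split(cgroup, []byte("\n")) {
		for _, marker := range []string{"docker", ".slice", "lxc", "kubepods"} {
			if bytes.Contains(line, []byte(marker)) {
				return true
			}
		}
	}
	return false
}

var containerIDRe = regexp.MustCompile(`docker/containers/([0-9a-f]+)`)

// mountinfoContainerID scans /proc/self/mountinfo content for a docker container id.
func mountinfoContainerID(mountinfo string) (string, bool) {
	scan := bufio.NewScanner(strings.NewReader(mountinfo))
	for scan.Scan() {
		if m := containerIDRe.FindStringSubmatch(scan.Text()); m != nil {
			return m[1], true
		}
	}
	return "", false
}

// isContainerized accepts either signal, so the cgroup v2 case is caught via mountinfo.
func isContainerized(cgroup []byte, mountinfo string) bool {
	if cgroupHeuristic(cgroup) {
		return true
	}
	_, found := mountinfoContainerID(mountinfo)
	return found
}

// Constructed sample inputs (not captured from a real host).
const cgroupV2Private = "0::/\n"
const mountinfoDocker = "4 5 0:6 /var/lib/docker/containers/0123456789abcdef/hostname /etc/hostname rw - ext4 /dev/sda1 rw\n"

func main() {
	fmt.Println("cgroup heuristic alone:", cgroupHeuristic([]byte(cgroupV2Private)))
	fmt.Println("with mountinfo:", isContainerized([]byte(cgroupV2Private), mountinfoDocker))
}
```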
