From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>
Subject: Re: Audit Framework and namespaces
Date: Tue, 08 Dec 2015 11:23:14 -0500 [thread overview]
Message-ID: <7401161.8GVvY7fZY3@x2> (raw)
In-Reply-To: <20151208161056.GA32667@madcap2.tricolour.ca>
On Tuesday, December 08, 2015 11:10:56 AM Richard Guy Briggs wrote:
> On 15/12/08, Gulland, Scott A wrote:
> > It took a month to get an Open Switch linux image put together that
> > contains the audit framework. I've just started playing with it and
> > have noticed that "auditd" exits with an error when running a docker
> > container. Open Switch uses a docker container with a linux image
> > which has a switch simulator that is used for development. Of
> > course the actual released environment is using real switch hardware
> > on a non-container based linux image. It appears that the audit
> > framework does not work in a docker container. Are there plans to
> > add support for containers or is there some magic instructions for
> > getting auditd to work in a container?
>
> I assume that docker containers at least spawn a PID namespace and
> attempt to use CAP_AUDIT_CONTROL, so that would explain why it won't
> work. As outlined in my first reply, there are ideas to support PID
> namespaces, but there is no detailed design yet.
>
> Again, the definition of a container comes into it as well, but we think
> we have a reasonable understanding of the needs of docker containers and
> have an idea how to get there. User namespaces are further off, but I
> don't believe they are needed for docker at this point.
And further to the point, right now, we don't want events from inside the
container going to the system audit daemon. It potentially has no idea what a
pid, network, uid, gid, or hostname maps to. These have to be resolved inside
the container and then aggregated at the system daemon or datacenter
aggregator.
-Steve
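A quick way to confirm Richard's hypothesis from inside the container is to decode the Cap* masks in /proc/self/status and check for the bits auditd needs. This is an added diagnostic, not code from the audit project or the thread; it assumes the standard capability bit numbers from <linux/capability.h> and that a Docker default container carries CAP_AUDIT_WRITE but not CAP_AUDIT_CONTROL (the constructed sample below reflects that assumption).

```python
"""Decode /proc/<pid>/status capability masks and report audit-related bits."""
import re

# Capability bit numbers from <linux/capability.h> (stable kernel ABI values).
CAP_AUDIT_WRITE = 29    # emit audit records (PAM, sshd, ...)
CAP_AUDIT_CONTROL = 30  # configure the kernel audit subsystem (what auditd needs)

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$")


def parse_cap_masks(status_text):
    """Return {field_name: int_mask} for every Cap* line in a status text."""
    masks = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_cap(mask, bit):
    """True if capability number `bit` is set in the 64-bit mask."""
    return bool((mask >> bit) & 1)


def audit_capability_report(status_text):
    """Summarise whether a process could write to, or control, kernel audit."""
    masks = parse_cap_masks(status_text)
    eff = masks.get("CapEff", 0)
    bnd = masks.get("CapBnd", 0)
    return {
        "audit_write_effective": has_cap(eff, CAP_AUDIT_WRITE),
        "audit_control_effective": has_cap(eff, CAP_AUDIT_CONTROL),
        # If it is missing from the bounding set, no setcap/suid trick inside
        # the container can regain it; the container must be started with it.
        "audit_control_in_bounding_set": has_cap(bnd, CAP_AUDIT_CONTROL),
    }


# Constructed sample (assumption): Cap* lines of a root shell in a container
# started with Docker's default capability set.
DOCKER_DEFAULT_STATUS = """\
Name:\tbash
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

if __name__ == "__main__":
    with open("/proc/self/status") as f:  # inspect the live process instead
        print(audit_capability_report(f.read()))
```

Run it inside the container where auditd fails: a report with `audit_control_effective` False matches the CAP_AUDIT_CONTROL explanation, and False in the bounding set means the capability has to be granted at container start rather than inside it.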