gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/examples/seccheck/README.md

This directory provides an example of a monitoring process that receives
connections from gVisor sandboxes and prints the traces to `stdout`. The example
contains two main files:

*   server.cc: this is where `main()` and all the code is. It sets up a server
    listening on a Unix-domain socket located at `/tmp/gvisor_events.sock`, or
    at a location configured via a command line argument.
*   pod_init.json: this file contains the trace configuration that should be
    passed to `runsc`, either via the `--pod-init-config` flag or using the
    `runsc trace create` command. Note that the socket location is specified in
    this file; update it if you change the socket path.

# Usage

Let's first start the server, which waits for new connections:

```shell
$ bazel run examples/seccheck:server_cc
Socket address /tmp/gvisor_events.sock
```

Here is a simple example using `runsc do`:

```shell
runsc --rootless --network=none --pod-init-config=examples/seccheck/pod_init.json do echo 123
```

Back at the server terminal, you can see the following traces being output:

```
Connection accepted
Start => id:     "runsc-329739" cwd: "/home/fvoznika" args: "echo" args: "123"
E Open sysno:    257 fd: -100 pathname: "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/libc.so.6" flags: 524288
X Open exit      { errorno: 2 } sysno: 257 fd: -100 pathname: "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/libc.so.6" flags: 524288
E Open sysno:    257 fd: -100 pathname: "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/libc.so.6" flags: 524288
X Open exit      { errorno: 2 } sysno: 257 fd: -100 pathname: "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/libc.so.6" flags: 524288
...
TaskExit =>
Connection closed
```

The connection messages indicate when `runsc` connected to and disconnected
from the server. Between them there is a trace point for the container start,
followed by a few `open(2)` syscalls made while searching for shared libraries
(the `errorno: 2` on the exit traces is `ENOENT`: those candidate paths do not
exist). You can change `pod_init.json` to configure the trace session to your
liking.
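As an added example that is not part of this directory or of gVisor, the following Python script parses the monitor's text output shown above: it pairs each `E` enter line with its `X` exit line and reports which `open(2)` calls failed and with which errno. The sample trace is constructed from that output; that a successful exit prints an empty `{ }` block with no `errorno` field is an assumption, not something the page states.

```python
import errno
import re

# Constructed sample of the monitor's stdout, modelled on the trace output shown above.
SAMPLE_TRACE = """\
Connection accepted
Start => id:     "runsc-329739" cwd: "/home/fvoznika" args: "echo" args: "123"
E Open sysno:    257 fd: -100 pathname: "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/libc.so.6" flags: 524288
X Open exit      { errorno: 2 } sysno: 257 fd: -100 pathname: "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/libc.so.6" flags: 524288
E Open sysno:    257 fd: -100 pathname: "/usr/lib/x86_64-linux-gnu/libc.so.6" flags: 524288
X Open exit      { } sysno: 257 fd: -100 pathname: "/usr/lib/x86_64-linux-gnu/libc.so.6" flags: 524288
TaskExit =>
Connection closed
"""

# A syscall line: direction (E = enter, X = exit), point name, optional exit block, then fields.
LINE_RE = re.compile(r'^(?P<dir>[EX]) (?P<point>\w+)(?: exit\s*\{(?P<exit>[^}]*)\})?\s*(?P<fields>.*)$')
FIELD_RE = re.compile(r'(?P<key>\w+):\s*(?P<val>"(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(text):
    """Turn 'sysno: 257 pathname: "/x"' into a dict; a repeated key (args:) becomes a list."""
    out = {}
    for m in FIELD_RE.finditer(text):
        key, val = m.group('key'), m.group('val')
        val = val[1:-1] if val.startswith('"') else (int(val) if val.lstrip('-').isdigit() else val)
        if key in out:
            out[key] = (out[key] if isinstance(out[key], list) else [out[key]]) + [val]
        else:
            out[key] = val
    return out

def pair_syscalls(trace):
    """Yield (point, enter_fields, errorno) per matched enter/exit pair; errorno is 0 when absent (assumed)."""
    pending = {}  # (point, sysno) -> FIFO of enter records still waiting for their exit
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # Connection, Start and TaskExit lines are not syscall points
        fields = parse_fields(m.group('fields'))
        key = (m.group('point'), fields.get('sysno'))
        if m.group('dir') == 'E':
            pending.setdefault(key, []).append(fields)
        elif pending.get(key):
            enter = pending[key].pop(0)
            yield m.group('point'), enter, parse_fields(m.group('exit') or '').get('errorno', 0)

def failed_opens(trace):
    """Map each pathname whose open(2) failed to the errno name, e.g. 'ENOENT' for errorno 2."""
    return {f['pathname']: errno.errorcode.get(e, str(e))
            for point, f, e in pair_syscalls(trace) if point == 'Open' and e != 0}
```

Feeding the server's live `stdout` through `failed_opens` line by line gives a quick view of which files a sandboxed workload probed but could not open.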

To set this up with Docker, you can add the `--pod-init-config` flag when the
runtime is installed:

```shell
$ sudo runsc install --runtime=runsc-trace -- --pod-init-config=$PWD/examples/seccheck/pod_init.json
$ sudo systemctl restart docker
$ docker run --rm --runtime=runsc-trace hello-world
```