containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0
478 stars 47 forks

Any plans to support containerd? #90

Closed perezjasonr closed 2 years ago

perezjasonr commented 3 years ago

Is your feature request related to a problem? Please describe. I just noticed it's not listed among the various container runtimes, but it is widely used.

Describe the solution you'd like: containerd support.

Describe alternatives you've considered: there is nothing I'm aware of.

Additional context: if containerd is implied by one of the others, then this is obviously an unnecessary request, but it might be a good idea to mention it somewhere.

wrabcak commented 3 years ago

@vmojzis, it's a good idea to look at the containerd engine and include it in the supported engines.

perezjasonr commented 3 years ago

I'm wondering if the inspect output of CRI-O is any different from containerd's; they are both OCI compliant and both can use crictl, right?

I tried it with containerd and udica did create a policy, but I'm not sure if it's reliable; I just wanted to try it to see if it rejected the inspect JSON.

vmojzis commented 3 years ago

> I'm wondering if the inspect output of CRI-O is any different from containerd's; they are both OCI compliant and both can use crictl, right?
>
> I tried it with containerd and udica did create a policy, but I'm not sure if it's reliable; I just wanted to try it to see if it rejected the inspect JSON.

I experimented a bit with ctr container info, but it doesn't provide all the necessary info: https://github.com/containerd/containerd/discussions/5811

perezjasonr commented 3 years ago

What about crictl inspect? crictl seems to be configurable for a containerd or CRI-O sock.

alegrey91 commented 2 years ago

I just tried with the nerdctl inspect output (in dockercompat mode), but it doesn't seem to work. The error output is: Couldn't parse inspect data: 'Config'. Probably udica needs more information to create SELinux policies that is not currently present in the inspect output.

vmojzis commented 2 years ago

@alegrey91 Thank you for the contribution and sorry for the wait. The code is now merged and released on Fedora: https://bodhi.fedoraproject.org/updates/FEDORA-2022-7d6e3be239. Note: aside from nerdctl inspect, udica should also be able to process the crictl inspect output of a containerd-hosted container.
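
As an added illustration (this is not udica's code and was not posted by anyone in this thread), the Python below sketches the two inspect document shapes discussed above and the inputs a container SELinux policy generator pulls from them, and it reproduces the failure mode alegrey91 reported: a docker-compatible document with no Config key fails with exactly the text "Couldn't parse inspect data: 'Config'". The field names are assumptions based on the public docker-style and CRI (crictl) inspect formats rather than udica's own parser, and all sample documents are constructed.

```python
import json

# Constructed sample: docker-compatible inspect output, the shape that docker,
# podman and nerdctl (in dockercompat mode) emit: a JSON list with one object.
DOCKER_COMPAT_INSPECT = json.dumps([{
    "Id": "0123456789abcdef",
    "Config": {"Image": "docker.io/library/nginx:latest"},
    "HostConfig": {"CapAdd": ["NET_ADMIN", "SYS_TIME"], "CapDrop": []},
    "Mounts": [
        {"Type": "bind", "Source": "/var/www", "Destination": "/usr/share/nginx/html", "RW": False},
        {"Type": "bind", "Source": "/var/log/nginx", "Destination": "/var/log/nginx", "RW": True},
    ],
    "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}},
}])

# Constructed sample: crictl inspect output (CRI-O or containerd behind the CRI
# socket): a single object whose OCI runtime spec sits under info.runtimeSpec.
CRICTL_INSPECT = json.dumps({
    "status": {"id": "fedcba9876543210"},
    "info": {"runtimeSpec": {
        "process": {"capabilities": {"bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"]}},
        "mounts": [
            {"destination": "/proc", "type": "proc", "source": "proc"},
            {"destination": "/data", "type": "bind", "source": "/srv/data", "options": ["rbind", "ro"]},
        ],
    }},
})

# Constructed sample: the failure mode from the thread, a docker-compatible
# document that carries no "Config" object at all.
NO_CONFIG_INSPECT = json.dumps([{"Id": "deadbeef", "Mounts": []}])


class InspectError(ValueError):
    """Raised when an inspect document lacks a field needed for policy generation."""


def _strip_cap(name):
    # OCI specs spell capabilities CAP_FOO; docker-style CapAdd omits the prefix.
    return name[4:] if name.startswith("CAP_") else name


def extract_policy_inputs(raw):
    """Pull the inputs a policy generator needs out of inspect JSON (assumed fields).

    Returns {"mounts": [(src, dst, writable)], "caps": [...], "ports": [(proto, port)]}.
    """
    data = json.loads(raw)
    try:
        if isinstance(data, list):  # docker / podman / nerdctl dockercompat
            c = data[0]
            c["Config"]  # required; a document without it fails here with KeyError('Config')
            mounts = [
                (m["Source"], m["Destination"], bool(m.get("RW", True)))
                for m in c["Mounts"] if m.get("Type") == "bind"
            ]
            caps = [_strip_cap(x) for x in (c["HostConfig"].get("CapAdd") or [])]
            ports = []
            for key in c["NetworkSettings"].get("Ports") or {}:
                port, proto = key.split("/")
                ports.append((proto, int(port)))
        else:  # crictl inspect: CRI-O or containerd
            spec = data["info"]["runtimeSpec"]
            mounts = [
                (m["source"], m["destination"], "ro" not in m.get("options", []))
                for m in spec["mounts"] if m.get("type") == "bind"
            ]
            caps = [_strip_cap(x) for x in spec["process"]["capabilities"].get("bounding", [])]
            ports = []  # the CRI runtime spec carries no published-port mapping
    except KeyError as e:
        # Same wording as the error quoted in the thread; str(KeyError('Config')) is "'Config'".
        raise InspectError("Couldn't parse inspect data: %s" % e) from None
    return {"mounts": mounts, "caps": caps, "ports": sorted(ports)}


def parse_error(raw):
    """Return the error message for a document that cannot be parsed, or None."""
    try:
        extract_policy_inputs(raw)
    except InspectError as e:
        return str(e)
    return None


if __name__ == "__main__":
    samples = (("docker-compat", DOCKER_COMPAT_INSPECT),
               ("crictl", CRICTL_INSPECT),
               ("no Config", NO_CONFIG_INSPECT))
    for label, doc in samples:
        err = parse_error(doc)
        print(label, "->", err or extract_policy_inputs(doc))
```

The practical point for a containerd host is the dispatch at the top of extract_policy_inputs: the nerdctl dockercompat document and the crictl document put the same information (bind mounts, capabilities) under different keys, so a generator that only understands one of them will either reject the other or silently produce a policy that omits rules, which is the "not sure if it's reliable" concern raised earlier in the thread.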

alegrey91 commented 2 years ago

@vmojzis don't worry! It has been a pleasure to contribute to this project :)