draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/
Other
7.67k stars 728 forks

Possibility of LXD container support #2108

Open DullJZ opened 1 month ago

DullJZ commented 1 month ago

After a period of time of container study, I finally turned to LXC/LXD.

Using LXD to create a debian container, I found sysdig failed to collect data from it. Also sysdig -c lscontainers shows no result.

The lxd dir is /var/snap/lxd/common, if snap was used to install LXD.

Now that both Docker and LXC/LXD share the kernel with the host, I think it is possible for sysdig to monitor and record on LXC/LXD.

DullJZ commented 1 month ago

Found that sysdig container.id!=host can successfully record the events in the lxd container.

However, sysdig -p "%container.id" container.id!=host outputs only \n. In other words, sysdig cannot identify the lxd container's ID.

As I tried Falco, it can identify my lxd container name:

12:35:06.232167470: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=lxd ggparent=lxd gggparent=daemon.start evt_type=openat user=<NA> user_uid=1000000 user_loginuid=-1 process=cat proc_exepath=/usr/bin/cat parent=bash command=cat /etc/shadow terminal=34817 container_id=my-test container_name=my-test)

I hope sysdig can identify it as Falco does.