Open DullJZ opened 1 month ago
Found that `sysdig container.id!=host` can successfully record the events in lxd container.
However, `sysdig -p "%container.id" container.id!=host` outputs only `\n`. In other words, sysdig cannot identify lxd container's ID.
As I tried Falco, it can identify my lxd container name:
12:35:06.232167470: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=lxd ggparent=lxd gggparent=daemon.start evt_type=openat user=<NA> user_uid=1000000 user_loginuid=-1 process=cat proc_exepath=/usr/bin/cat parent=bash command=cat /etc/shadow terminal=34817 container_id=my-test container_name=my-test)
I hope sysdig can identify it as Falco does.
After a period of time of container study, I finally turned to LXC/LXD.
Using LXD to create a debian container, I found sysdig failed to collect data from it. Also, `sysdig -c lscontainers` shows no result. The lxd dir is `/var/snap/lxd/common`, if snap was used to install LXD. Now that both Docker and LXC/LXD share the kernel with the host, I think it is possible for sysdig to monitor and record on LXC/LXD.