If you create a user inside a container, sysdig still uses the uids from the host in order to populate %user.name. A way to reproduce is:
```
$ sudo docker run -it ubuntu:latest bash
root@e0ae2d1b19c2:/# useradd testme
root@e0ae2d1b19c2:/# su - testme
No directory, logging in with HOME=/
$ cat /etc/passwd | grep testme
testme:x:1000:1000::/home/testme:
$ cat
```
While doing this and running sysdig with `sudo sysdig container.id!=host and evt.type=execve -p "*%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info user=%user.name uid=%user.uid"`, you end up with this output:
Note that although the user inside the container is "testme", sysdig reports the user as `deploy`, because uid 1000 within the container is being interpreted from the view of the host.
To fix this, we should keep track of uids from the container using something like user.vuid/user.vname.
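The mismatch reported above can be reproduced outside sysdig by resolving the same uid against two passwd databases: the host's, and the one visible to the containerized process through `/proc/<pid>/root`. This is an added example, not part of the original issue and not sysdig's code; the function names, pid 4242 and the host passwd contents are constructed, and it assumes the uid number is the same in both views, as in the reproduction above.

```python
import os
import tempfile

def parse_passwd(text):
    """Map uid -> login name from passwd(5) text; the first entry for a uid wins."""
    names = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 3 or not fields[2].isdigit():
            continue  # skip comments and malformed lines
        names.setdefault(int(fields[2]), fields[0])
    return names

def resolve(uid, pid, proc="/proc", host_passwd="/etc/passwd"):
    """Return (host_name, container_name) for uid as seen by process pid.

    The container view is read through /proc/<pid>/root, which is the root
    directory of that process's own mount namespace. None means the file is
    unreadable or has no entry for the uid."""
    def lookup(path):
        try:
            with open(path, encoding="utf-8", errors="replace") as f:
                return parse_passwd(f.read()).get(uid)
        except OSError:
            return None
    container_passwd = os.path.join(proc, str(pid), "root", "etc", "passwd")
    return lookup(host_passwd), lookup(container_passwd)

def demo():
    """Build a constructed host passwd and a fake /proc tree, then resolve uid 1000."""
    with tempfile.TemporaryDirectory() as d:
        host = os.path.join(d, "host_passwd")
        etc = os.path.join(d, "proc", "4242", "root", "etc")
        os.makedirs(etc)
        with open(host, "w") as f:  # constructed host entry for uid 1000
            f.write("root:x:0:0:root:/root:/bin/bash\n"
                    "deploy:x:1000:1000::/home/deploy:/bin/bash\n")
        with open(os.path.join(etc, "passwd"), "w") as f:  # entry from the report
            f.write("root:x:0:0:root:/root:/bin/bash\n"
                    "testme:x:1000:1000::/home/testme:\n")
        return resolve(1000, 4242, proc=os.path.join(d, "proc"), host_passwd=host)

if __name__ == "__main__":
    host_name, container_name = demo()
    print(f"uid=1000 host view={host_name} container view={container_name}")
```

On a live host, reading `/proc/<pid>/root/etc/passwd` for another user's process requires root, and any rule or alert keyed on `%user.name` for container events should match on the uid plus `container.id` rather than the resolved name.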
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.