saschagrunert
commented
2 years ago Thank you for opening the issue, I'm happy to look into it but I'm lacking Apple hardware to give it a test. I assume it's not possible to export the docker machine VM to a kvm or virtualbox compatible format, isn't it?
About the log enricher issue:
- the enricher should fallback to syslog messages if auditd is not available, see: https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/installation-usage.md#using-the-log-enricher
- if using auditd, do you see the seccomp related messages in the auditd.log? if yes, what's the output of the enricher daemon (the log-enricher container)?
About the ebpf recorder:
- Which operating system and kernel version is docker machine using?
- Is
/etc/os-releaseor/usr/lib/os-releaseavailable within the VM? - It looks like that the OS cannot be found:
OS not found in btf map:, maybe I can improve that
chrisns
π I don't appear to be able to get the profile recorder to work with docker-desktop or podman machine in combination with kind|k3d|minikube (minikube using --driver podman|docker)
I think the issue is the lack of syslog/auditd running in the host vm, and then maybe something to do with correlating between pid namespaces.
I've made it work using docker desktop's built in k8s service, which is different to kind|k3d|minikube by running the k8s api-server and other components and workload at the top level without nesting - at least I think thats whats going on by doing
docker psI can see everything. I don't think these issues are specific to being on a mac/m1/arm though I've definitely made it harder for myself this way.I documented my work so far here: https://github.com/appvia/security-profiles-operator-demo
the eBPF recorder leaves me with these logs:
I think it'll be reasonably easy to reproduce by running syslog in a container rather than trying to look at the host's
/var/log/syslogor/var/log/audit/audit.logso perhaps as a feature request rather than the log-enricher looking for the logs in hard coded locations, if it tailed the kernel buffer ring itself and handled mapping between the pid namespaces through some magic that at least bring some consistency.In a thread on the Kubernetes slack I raised this https://kubernetes.slack.com/archives/C013FQNB0A2/p1641572536002500 @pjbgf suggested it might be possible to make the SPO better aware of pids by mounting a the host
/prochttps://github.com/kubernetes-sigs/security-profiles-operator/blob/d49ab905b22a2afc25a6c30bffe547c4fff84276/internal/pkg/util/containers.go#L55 and using that.I tried that https://github.com/chrisns/security-profiles-operator/commit/dc1f948caa8fe16c33016aac6297e02a0bfb3e1b but no different results π’ but then I really have no idea what I'm doing π€£
Thoughts welcome, or better yet, tell me I'm being an an idiot and done it all wrong π€£