puppetlabs-toy-chest / lumogon

Get a complete picture of what your applications are made of *without* changing how you currently build and run containers. Just run and report.

(DI-755) Update GetLocalContainerID to work in nested containers #60

Closed johnmccabe closed 7 years ago

johnmccabe commented 7 years ago

This PR updates the GetLocalContainerID function and its tests to handle the extraction of the local container ID when Lumogon is running within a nested Docker engine, Docker-in-Docker for example.

It does so by extracting the right-most id match in /proc/self/cgroup.
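As an added illustration of the approach described above (this is example code written for this page, not the PR's own implementation or Lumogon's `GetLocalContainerID`), the Go function below parses the contents of `/proc/self/cgroup` and returns the right-most 64-hex-character ID it finds. The sample cgroup contents and the container IDs in them are constructed, and the function names `localContainerIDFromCgroup`, `outermostContainerIDFromCgroup`, `sampleNestedCgroup`, `sampleFlatCgroup` and `sampleHostCgroup` are hypothetical. The contrast function shows why taking the first match is wrong under Docker-in-Docker: it returns the outer engine's container ID rather than the one Lumogon is actually running in.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed container IDs for the samples below (not real containers).
var (
	outerID = strings.Repeat("0123456789abcdef", 4) // 64 hex chars: the dind container
	innerID = strings.Repeat("fedcba9876543210", 4) // 64 hex chars: the container inside dind
)

// sampleNestedCgroup mimics /proc/self/cgroup (cgroup v1 layout) as seen from a
// container that runs inside a Docker-in-Docker engine: the cgroup path carries
// both the outer and the inner container ID.
func sampleNestedCgroup() string {
	return fmt.Sprintf("12:pids:/docker/%[1]s/docker/%[2]s\n"+
		"11:memory:/docker/%[1]s/docker/%[2]s\n"+
		"1:name=systemd:/docker/%[1]s/docker/%[2]s\n", outerID, innerID)
}

// sampleFlatCgroup mimics the non-nested case: a single container ID per path.
func sampleFlatCgroup() string {
	return fmt.Sprintf("12:pids:/docker/%[1]s\n11:memory:/docker/%[1]s\n", outerID)
}

// sampleHostCgroup mimics a process that is not inside any container.
func sampleHostCgroup() string {
	return "12:pids:/\n11:memory:/user.slice\n"
}

// A Docker container ID is 64 lowercase hex characters.
var containerIDRe = regexp.MustCompile(`[0-9a-f]{64}`)

// cgroupPaths yields the path field of each "hierarchy:controllers:path" line.
// Lines that do not have three colon-separated fields are skipped.
func cgroupPaths(content string) []string {
	var paths []string
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 3)
		if len(parts) != 3 {
			continue
		}
		paths = append(paths, parts[2])
	}
	return paths
}

// localContainerIDFromCgroup returns the right-most container ID found in the
// first cgroup path that contains one, which is the innermost engine's ID when
// the process runs inside a nested Docker engine. It returns "" for a process
// that is not in a container.
func localContainerIDFromCgroup(content string) string {
	for _, p := range cgroupPaths(content) {
		if m := containerIDRe.FindAllString(p, -1); len(m) > 0 {
			return m[len(m)-1]
		}
	}
	return ""
}

// outermostContainerIDFromCgroup takes the first (left-most) match instead.
// Under Docker-in-Docker this yields the outer dind container's ID, which is
// the behaviour the right-most rule above is meant to avoid.
func outermostContainerIDFromCgroup(content string) string {
	for _, p := range cgroupPaths(content) {
		if m := containerIDRe.FindString(p); m != "" {
			return m
		}
	}
	return ""
}

func main() {
	fmt.Println("nested, right-most:", localContainerIDFromCgroup(sampleNestedCgroup()))
	fmt.Println("nested, left-most: ", outermostContainerIDFromCgroup(sampleNestedCgroup()))
	fmt.Println("flat:              ", localContainerIDFromCgroup(sampleFlatCgroup()))
	fmt.Printf("host:               %q\n", localContainerIDFromCgroup(sampleHostCgroup()))
}
```

On a real host the input would be read from `/proc/self/cgroup` rather than from the constructed samples; the parsing itself does not change, and the same right-most rule also works for the single `0::/docker/<id>` line of a cgroup v2 layout.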

johnmccabe commented 7 years ago

FYI @davejohnston this should sort the issue you'd been seeing

johnmccabe commented 7 years ago

NOTE: make sure you have jq installed locally.

You can test as follows. First, set up a dind instance and run a single container inside it.

$ docker run --privileged --name dind -d docker:stable-dind
$ docker run --rm --link dind:docker docker:stable docker run -d --name nginx nginx
$ docker run --rm --link dind:docker docker:stable docker ps

Now run a lumogon scan against it... you will see it reports 2 containers, nginx and the lumogon container itself.

$ docker run --rm --link dind:docker docker:stable docker run --rm -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon scan -- | jq '.containers[] | {id: .container_id, name: .container_name, image: .capabilities.container.payload.image}'
[Lumogon] 2017/09/27 16:35:50.185305 Scanning: /boring_poitras
[Lumogon] 2017/09/27 16:35:50.185362 Scanning: /nginx
{
  "id": "17fed79e79b42d1c29bf7506b76c644e824794650f12a8607ad9bedaf5c33c13",
  "name": "/nginx",
  "image": "nginx"
}
{
  "id": "5563be7e1d21f757ef27c101fc8e585cb01387a634c1742158a75bd83c376949",
  "name": "/boring_poitras",
  "image": "puppet/lumogon"
}

Build the image locally and save it to disk.

$ make image
$ docker save puppet/lumogon:latest > lumo-dev.tar

Run a docker container linked with the dind container and map the local directory so you can load the dev image.

$ docker run --rm --link dind:docker -v ${PWD}:/lumo -ti docker:stable sh

And within that session load the image.

$ docker load < /lumo/lumo-dev.tar

Exit the session and run the scan against the dind container again.

$ docker run --rm --link dind:docker docker:stable docker run --rm -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon scan -- | jq '.containers[] | {id: .container_id, name: .container_name, image: .capabilities.container.payload.image}'
[Lumogon] 2017/09/27 16:57:03.387503 Scanning: /nginx
{
  "id": "17fed79e79b42d1c29bf7506b76c644e824794650f12a8607ad9bedaf5c33c13",
  "name": "/nginx",
  "image": "nginx"
}

You should only see the nginx container.