rootless-containers / bypass4netns

[Experimental] Accelerates slirp4netns using SECCOMP_IOCTL_NOTIF_ADDFD. As fast as `--net=host`.
https://medium.com/nttlabs/accelerating-rootless-container-network-29d0e908dda4
Apache License 2.0

Running with bypass4netns on kubernetes docker in docker #37

Open dcarrion87 opened 1 year ago

dcarrion87 commented 1 year ago

I've been having a read of https://pibvt.net/IPSJ-OS22156009.pdf and trying to understand how we can implement bypass4netns into our existing Kubernetes based docker in docker implementation.

I'm not entirely sure where this would need to run. We currently launch rootless docker in docker host using: https://github.com/harrison-ai/cobalt-docker-rootless-nvidia-dind/blob/main/entrypoint.sh.

Would we run bypass4net inside that container or on the underlying host itself, presenting the socket all the way through?

Ideally we could run it in the container and pass through a seccomp profile and keep it all, but I fear that bypass4net needs to actually listen on the host itself?

dcarrion87 commented 1 year ago

@AkihiroSuda would be great to get your thoughts on this one.

AkihiroSuda commented 1 year ago

Didn't try your script, but it should work in a container.

dcarrion87 commented 1 year ago

@AkihiroSuda thanks for the response.

All good, I absolutely do not expect you to run it. At the moment I'm just trying to get an understanding of what may / may not work.

At the moment we run it like this:

[ kubernetes host ] -> [ dind host container ] -> [ docker in docker containers kicked off by users]

Is it possible to run the bypass4net seccomp agent in the "dind host container" such that when users kick off those docker in docker containers with the appropriate seccomp profile, the syscalls are intercepted by bypass4net listening in the host container under those constraints?

Or does bypass4net need to run on the kubernetes host and the socket presented all the way through to the dind container?

I am attempting to run it in the container at the moment, and the calls don't seem to be coming through; it hangs on load if I have a notify rule in the seccomp profile.

dcarrion87 commented 1 year ago

@AkihiroSuda any more thoughts with more info provided in https://github.com/rootless-containers/bypass4netns/issues/37#issuecomment-1386226678 ?

dcarrion87 commented 1 year ago

Hi @AkihiroSuda, just checking if you have any more thoughts. We cannot get this feature to work.

AkihiroSuda commented 1 year ago

> Is it possible to run the bypass4net seccomp agent in the "dind host container" such that when users kick off those docker in docker containers with the appropriate seccomp profile, the syscalls are intercepted by bypass4net listening in the host container under those constraints?

Probably yes, but I didn't try it myself.