Open sudosammy opened 3 years ago
kcq
commented
3 years ago @sudosammy supporting multiple container runtimes is a good feature to have in general... though we might also need to enhance how the containerized application is monitored (new monitoring engine is coming that won't need fanotify, but it might also have problems with gvisor... for similar reasons... need to investigate)
sudosammy
commented
3 years ago Thanks @kcq, any ETA on the new monitoring engine? I also tried running DockerSlim in a container and specifying its runtime which I thought was going to work: docker run --runtime=runc -it --rm -v /var/run/docker.sock:/var/run/docker.sock dslim/docker-slim build --target my-image
But, same error which is a bit confusing...
docker-slim[build]: info=event.error status=received data=SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:43,File:github.com/docker-slim/docker-slim/internal/app/sensor/monitors/fanotify/monitor.go}}
docker-slim[build]: state=exited version=linux|Transformer|1.31.0|508fee6f9b2aa4c3aa3920189837730c4147214a|2020-08-14_06:41:27AMThere's a couple of options... enhancing an existing engine and creating a new monitoring engine. Both are still in their planning phase mostly because of the resource constraints. I'm looking for developers to help me with both options. Any referrals are greatly appreciated :-)
DockerSlim doesn't work in the
gVisorruntime due to its lack of fanotify(7) support tracked here: https://github.com/google/gvisor/issues/2555 DockerSlim fails in the gVisor runtime with the following error:Making DockerSlim work without the use of fanotify sounds challenging and very uncool. Another solution would be to pass the
--runtimeflag to Docker so the user can specify a different runtime such asruncto perform DockerSlim actions.