Running with bypass4netns on kubernetes docker in docker #37

Open
dcarrion87 opened this issue Jan 17, 2023 · 6 comments
Labels
question Further information is requested

Comments

dcarrion87 commented Jan 17, 2023

I've been having a read of https://pibvt.net/IPSJ-OS22156009.pdf and trying to understand how we can implement bypass4netns into our existing Kubernetes based docker in docker implementation.

I'm not entirely sure where this would need to run. We currently launch rootless docker in docker host using: https://github.com/harrison-ai/cobalt-docker-rootless-nvidia-dind/blob/main/entrypoint.sh.

Would we run bypass4netns inside that container or on the underlying host itself, presenting the socket all the way through?

Ideally we could run it in the container and pass through a seccomp profile and keep it all there, but I fear that bypass4netns needs to actually listen on the host itself?

@dcarrion87 dcarrion87 changed the title Running with bypass4netns on kubernetes Running with bypass4netns on kubernetes docker in docker Jan 17, 2023
dcarrion87 (Author) commented
@AkihiroSuda would be great to get your thoughts on this one.

AkihiroSuda (Member) commented

Didn't try your script, but it should work in a container.

@AkihiroSuda AkihiroSuda transferred this issue from rootless-containers/rootlesskit Jan 17, 2023
@AkihiroSuda AkihiroSuda added the question Further information is requested label Jan 17, 2023
dcarrion87 (Author) commented

@AkihiroSuda thanks for the response.

All good, I absolutely do not expect you to run it. At the moment I'm just trying to get an understanding of what may / may not work.

At the moment we run it like this:

[ kubernetes host ] -> [ dind host container ] -> [ docker in docker containers kicked off by users]

Is it possible to run the bypass4netns seccomp agent in the "dind host container" such that when users kick off those docker in docker containers with the appropriate seccomp profile, the syscalls are intercepted by bypass4netns listening in the host container under those constraints?

Or does bypass4netns need to run on the kubernetes host and the socket be presented all the way through to the dind container?

I am attempting to run it in a container at the moment and the calls don't seem to be coming through, and it hangs on load if I have a notify rule in the seccomp profile.
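The hang described above is the symptom a practitioner should rule out first. With seccomp user notification, the kernel parks every syscall matched by a `SCMP_ACT_NOTIFY` rule until a user-space agent answers, and the OCI runtime spec tells the runtime (runc here) where that agent is through the `listenerPath` field of `linux.seccomp`: the runtime connects to that unix socket and hands over the notify file descriptor. The socket therefore only has to be reachable in the mount namespace where runc runs, which in the layout above is the "dind host container", not the Kubernetes node. A profile with notify rules and no reachable listener is exactly what stalls at start. The following checker is an added example written for this thread, not code from bypass4netns or the linked entrypoint; the profile contents, the syscall list and the socket path `/run/bypass4netns/agent.sock` are constructed for illustration. Whether a given Docker version forwards `listenerPath` from a `--security-opt seccomp=` profile into the OCI config is not something this thread establishes, so check that separately for your Docker release.

```python
"""Pre-flight check for an OCI/Docker seccomp profile that uses SCMP_ACT_NOTIFY.

Added example for the bypass4netns thread; not project code. It answers the
question "will this profile have an agent to talk to?" before the container is
started, which is the usual cause of a container that hangs at load.
"""
import json
import os
import stat

NOTIFY = "SCMP_ACT_NOTIFY"

# Constructed profile (not taken from the thread): routes the socket syscalls a
# bypass4netns-style agent would handle to user space, but names no listener.
BROKEN_SECCOMP = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {"names": ["bind", "connect", "sendto", "sendmsg"], "action": NOTIFY},
    ],
}

# Same rules plus the OCI listenerPath/listenerMetadata fields. The path is an
# assumption for illustration; the agent must be listening on it in the mount
# namespace where the runtime (runc) executes, i.e. the dind host container.
FIXED_SECCOMP = {
    **BROKEN_SECCOMP,
    "listenerPath": "/run/bypass4netns/agent.sock",
    "listenerMetadata": "example",
}


def seccomp_section(config: dict) -> dict:
    """Accept either a bare seccomp profile or a full OCI config.json."""
    if "linux" in config and "seccomp" in config["linux"]:
        return config["linux"]["seccomp"]
    return config


def is_unix_socket(path: str) -> bool:
    """True if path exists in *this* mount namespace and is a unix socket."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def notify_syscalls(seccomp: dict) -> list[str]:
    """Names of the syscalls the profile sends to a user-space agent."""
    names: list[str] = []
    for rule in seccomp.get("syscalls", []):
        if rule.get("action") == NOTIFY:
            names.extend(rule.get("names", []))
    return names


def seccomp_notify_issues(config: dict, socket_check=is_unix_socket) -> list[str]:
    """Return the reasons this profile would stall or fail at container start.

    An empty list means every notify rule has a reachable listener. socket_check
    is injectable so the logic can be exercised without a real socket.
    """
    seccomp = seccomp_section(config)
    issues: list[str] = []
    notified = notify_syscalls(seccomp)
    listener = seccomp.get("listenerPath")
    if notified and not listener:
        issues.append(
            f"{len(notified)} syscalls use {NOTIFY} but listenerPath is unset; "
            "the runtime has no agent to hand the notify fd to, so the first "
            "matched syscall blocks forever"
        )
    elif listener:
        if not os.path.isabs(listener):
            issues.append(f"listenerPath {listener!r} must be absolute")
        elif not socket_check(listener):
            issues.append(
                f"listenerPath {listener!r} is not a unix socket in this mount "
                "namespace; start the agent here before launching the container"
            )
    return issues


if __name__ == "__main__":
    for label, profile in (("broken", BROKEN_SECCOMP), ("fixed", FIXED_SECCOMP)):
        print(label, json.dumps(seccomp_notify_issues(profile), indent=2))
```

Run it inside the layer that will invoke `docker run` (the dind host container in the layout above); the socket check is only meaningful from the mount namespace the runtime sees. A clean result for the fixed profile still requires the agent to actually be accepting connections, which the file-type check alone cannot prove.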

dcarrion87 (Author) commented

@AkihiroSuda any more thoughts with more info provided in #37 (comment) ?

dcarrion87 (Author) commented

Hi @AkihiroSuda just checking if you have any more thoughts. We cannot get this feature to work.

AkihiroSuda (Member) commented

> Is it possible to run the bypass4netns seccomp agent in the "dind host container" such that when users kick off those docker in docker containers with the appropriate seccomp profile, the syscalls are intercepted by bypass4netns listening in the host container under those constraints?

Probably yes, but I didn't try it myself.
