Does eBPF work inside container-mode? #989
Use case: I wanted to benchmark an application in a normal system and one with eBPF filter on kernel tracepoints. Is this possible in container-mode?

I wrote an eBPF/bpftrace program which works as a normal user through setuid magic outside the container, but it gives the following error if I run it with containerexec:

I think that is actually a permission error. If bpftrace doesn't have the root ruid and euid, /sys/kernel/tracing will not show any tracepoints. Fakeroot doesn't cut it.

I'm by no means an expert in Linux namespaces, but I think we would want to add an opt-in flag to benchexec that adds a mapping from root (uid=0) outside the container to root (uid=0) inside the container to /proc/$benchexec/uid_map. I can implement it on my own, but I wanted to hear if I am on the right path from someone who understands namespaces better.

Comments

I don't know about eBPF. But if it requires full root, i.e., the same as being uid 0 outside the container, then it will not work. If it requires only root inside the container (or some capability like If you know that it requires full root, giving root inside the container access to the full root outside the container using Using Giving full root access to inside the container would of course completely eliminate any isolation promises. So I am hesitant to consider this. Are there no other solutions for you? For example, set up tracing outside the container and then run BenchExec?

Understood.

Yeah, I would just need to know the PID of the grandchild in the outside-of-BenchExec namespace (the PID inside BenchExec's namespace is always 2). I think I could change What do you think of that?
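As an added example, not BenchExec's code and not from either participant in this thread: a small Python script that exercises the two kernel interfaces the discussion turns on. It tries the proposed 0 -> 0 uid mapping in a freshly unshared user namespace (the kernel accepts that write to /proc/self/uid_map only from a process holding CAP_SETUID in the parent namespace, i.e. real root outside, which is exactly the isolation concern raised above), falls back to the unprivileged self-mapping otherwise, and shows how a tracer started outside the container can recover the outer PID of the process that is PID 2 inside, via the NSpid line of /proc/<pid>/status. The function names and the sample status texts in the usage note are this example's own assumptions; a sandboxed kernel may refuse unshare(CLONE_NEWUSER), which the script reports instead of failing.

```python
#!/usr/bin/env python3
"""Added example (not BenchExec code): user-namespace uid maps and NSpid.

Interfaces used (see user_namespaces(7) and proc(5)):
  /proc/<pid>/uid_map  lines of "inside_start outside_start count"
  /proc/<pid>/status   "NSpid:" line, the PID in each nested PID namespace,
                       outermost first
"""
import ctypes
import ctypes.util
import os

CLONE_NEWUSER = 0x10000000  # value from <sched.h>


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside_start, outside_start, count) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        rows.append(tuple(int(p) for p in parts))
    return rows


def outside_id(rows, inside):
    """Translate an id inside the namespace to the parent namespace; None if unmapped."""
    for ins, out, count in rows:
        if ins <= inside < ins + count:
            return out + (inside - ins)
    return None


def maps_real_root(rows):
    """True iff uid 0 inside is uid 0 outside: the mapping proposed in the issue."""
    return outside_id(rows, 0) == 0


def parse_nspid(status_text):
    """PIDs of one process in each nested PID namespace, outermost first."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(p) for p in line.split()[1:]]
    return []  # no NSpid line (very old kernel)


def outer_pid_of(inner_pid, statuses):
    """From {outer_pid: status_text} read outside the container, return the outer
    PIDs of processes whose PID in their innermost namespace is `inner_pid`.
    Processes living only in the outer namespace (a single NSpid entry) are skipped."""
    matches = []
    for pid, status in statuses.items():
        ns_pids = parse_nspid(status)
        if len(ns_pids) > 1 and ns_pids[-1] == inner_pid:
            matches.append(pid)
    return sorted(matches)


def try_full_root_mapping():
    """Unshare a user namespace and attempt the 0 -> 0 mapping, falling back to the
    unprivileged self-mapping. Returns the parsed uid_map, or None if unshare fails."""
    outer_uid = os.getuid()  # read before unshare: afterwards getuid() is the overflow uid
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    if libc.unshare(CLONE_NEWUSER) != 0:
        print("unshare(CLONE_NEWUSER) failed:", os.strerror(ctypes.get_errno()))
        return None
    try:
        # Accepted only if we hold CAP_SETUID in the parent namespace (real root outside).
        with open("/proc/self/uid_map", "w") as f:
            f.write("0 0 1\n")
    except PermissionError:
        # A rejected write leaves the map empty, so the single permitted write is still
        # available: map uid 0 inside to our own uid outside (fakeroot-style container).
        with open("/proc/self/uid_map", "w") as f:
            f.write(f"0 {outer_uid} 1\n")
    with open("/proc/self/uid_map") as f:
        return parse_id_map(f.read())


if __name__ == "__main__":
    rows = try_full_root_mapping()
    if rows is not None:
        print("uid_map of the new namespace:", rows)
        print("uid 0 inside is real root outside:", maps_real_root(rows))
    with open("/proc/self/status") as f:
        print("this process, PID per namespace (outermost first):", parse_nspid(f.read()))
```

Run unprivileged, it prints a map of the form [(0, <your uid>, 1)] and "real root outside: False"; run as real root, the 0 -> 0 write goes through and the check reports True, which is the state the requested opt-in flag would hand to everything inside the container. For the tracing-outside-the-container approach, a tracer would build the statuses dict by reading /proc/*/status on the host, call outer_pid_of(2, statuses), and narrow the candidates to the BenchExec process tree (for example via the PPid lines), since every PID namespace on the host has its own PID 2.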