Re: [PATCH ghak90 V6 02/10] audit: add container id

[PATCH ghak90 V6 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2019-04-09
[PATCH ghak90 V6 01/10] audit: collect audit task parameters · Richard Guy Briggs <hidden> · 2019-04-09
[PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 02/10] audit: add container id · Tycho Andersen <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · Tycho Andersen <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · Tycho Andersen <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · "Serge E. Hallyn" <serge@hallyn.com> · 2019-05-30
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-30
Re: [PATCH ghak90 V6 02/10] audit: add container id · Tycho Andersen <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-30
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-05-31
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-31
Re: [PATCH ghak90 V6 02/10] audit: add container id · Steve Grubb <hidden> · 2019-06-03
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-06-18
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-06-18
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-08
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-08
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-15
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-08
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-15
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-18
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-18
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-08
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-15
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-16
[PATCH ghak90 V6 03/10] audit: read container ID of a process · Richard Guy Briggs <hidden> · 2019-04-09
[PATCH ghak90 V6 04/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 04/10] audit: log container info of syscalls · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 04/10] audit: log container info of syscalls · Ondrej Mosnacek <omosnace@redhat.com> · 2019-05-30
Re: [PATCH ghak90 V6 04/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 04/10] audit: log container info of syscalls · Paul Moore <paul@paul-moore.com> · 2019-05-30
[PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Ondrej Mosnacek <omosnace@redhat.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Paul Moore <paul@paul-moore.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Neil Horman <nhorman@tuxdriver.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Ondrej Mosnacek <omosnace@redhat.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Paul Moore <paul@paul-moore.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Paul Moore <paul@paul-moore.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Neil Horman <nhorman@tuxdriver.com> · 2019-04-09
[PATCH ghak90 V6 06/10] audit: add support for non-syscall auxiliary records · Richard Guy Briggs <hidden> · 2019-04-09
[PATCH ghak90 V6 10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS · Richard Guy Briggs <hidden> · 2019-04-09
[PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2019-05-30
[PATCH ghak90 V6 08/10] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Paul Moore <paul@paul-moore.com> · 2019-05-30
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Paul Moore <paul@paul-moore.com> · 2019-05-30
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2019-05-30
[PATCH ghak90 V6 07/10] audit: add containerid support for user records · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2019-04-11
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Neil Horman <nhorman@tuxdriver.com> · 2019-04-22
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-04-22
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Neil Horman <nhorman@tuxdriver.com> · 2019-04-23
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Daniel Walsh <hidden> · 2019-05-28
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2019-05-28
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-28
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Steve Grubb <hidden> · 2019-05-28
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Daniel Walsh <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Daniel Walsh <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Steve Grubb <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-30
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2019-05-30

From: Paul Moore <paul@paul-moore.com>
Date: 2019-07-15 21:10:12
Also in: linux-api, linux-fsdevel, lkml, netfilter-devel

On Mon, Jul 8, 2019 at 2:12 PM Richard Guy Briggs [off-list ref] wrote:

On 2019-05-30 19:26, Paul Moore wrote:

...

quoted

I like the creativity, but I worry that at some point these
limitations are going to be raised (limits have a funny way of doing
that over time) and we will be in trouble.  I say "trouble" because I
want to be able to quickly do an audit container ID comparison and
we're going to pay a penalty for these larger values (we'll need this
when we add multiple auditd support and the requisite record routing).

Thinking about this makes me also realize we probably need to think a
bit longer about audit container ID conflicts between orchestrators.
Right now we just take the value that is given to us by the
orchestrator, but if we want to allow multiple container orchestrators
to work without some form of cooperation in userspace (I think we have
to assume the orchestrators will not talk to each other) we likely
need to have some way to block reuse of an audit container ID.  We
would either need to prevent the orchestrator from explicitly setting
an audit container ID to a currently in use value, or instead generate
the audit container ID in the kernel upon an event triggered by the
orchestrator (e.g. a write to a /proc file).  I suspect we should
start looking at the idr code, I think we will need to make use of it.

To address this, I'd suggest that it is enforced to only allow the
setting of descendants and to maintain a master list of audit container
identifiers (with a hash table if necessary later) that includes the
container owner.

We're discussing the audit container ID management policy elsewhere in
this thread so I won't comment on that here, but I did want to say
that we will likely need something better than a simple list of audit
container IDs from the start.  It's common for systems to have
thousands of containers now (or multiple thousands), which tells me
that a list is a poor choice.  You mentioned a hash table, so I would
suggest starting with that over the list for the initial patchset.

-- 
paul moore
www.paul-moore.com

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help