wip: fix v2 migration containerd

Signed-off-by: daemon1024 <[email protected]>

KubeArmor/core/containerdHandler.go

@@ -102,6 +102,7 @@ func NewContainerdHandler() *ContainerdHandler {
 	// Subscribe to containerd events
 
 	// docker namespace
+	ch.docker = context.Background()
 	ch.docker = namespaces.WithNamespace(context.Background(), "moby")
 
 	dockerEventsCh, _ := client.EventService().Subscribe(ch.docker, "")
@@ -128,7 +129,7 @@ func (ch *ContainerdHandler) Close() {
 // ==================== //
 
 // GetContainerInfo Function
-func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID string, OwnerInfo map[string]tp.PodOwner) (tp.Container, error) {
+func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID string, eventpid uint32, OwnerInfo map[string]tp.PodOwner) (tp.Container, error) {
 	res, err := ch.client.ContainerService().Get(ctx, containerID)
 	if err != nil {
 		return tp.Container{}, err
@@ -184,6 +185,36 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s
 	}
 
 	// == //
+	if eventpid == 0 {
+		taskReq := task.ListPidsRequest{ContainerID: container.ContainerID}
+		if taskRes, err := ch.client.TaskService().ListPids(ctx, &taskReq); err == nil {
+			if len(taskRes.Processes) == 0 {
+				return container, err
+			}
+
+			container.Pid = taskRes.Processes[0].Pid
+
+		} else {
+			return container, err
+		}
+
+	} else {
+		container.Pid = eventpid
+	}
+
+	pid := strconv.Itoa(int(container.Pid))
+
+	if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, pid, "/ns/pid")); err == nil {
+		if _, err := fmt.Sscanf(data, "pid:[%d]\n", &container.PidNS); err != nil {
+			kg.Warnf("Unable to get PidNS (%s, %s, %s)", containerID, pid, err.Error())
+		}
+	}
+
+	if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, pid, "/ns/mnt")); err == nil {
+		if _, err := fmt.Sscanf(data, "mnt:[%d]\n", &container.MntNS); err != nil {
+			kg.Warnf("Unable to get MntNS (%s, %s, %s)", containerID, pid, err.Error())
+		}
+	}
 
 	taskReq := task.ListPidsRequest{ContainerID: container.ContainerID}
 	if taskRes, err := ch.client.TaskService().ListPids(ctx, &taskReq); err == nil {
@@ -267,16 +298,20 @@ func (ch *ContainerdHandler) GetContainerdContainers() map[string]context.Contex
 }
 
 // UpdateContainerdContainer Function
-func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, containerID, action string) bool {
+func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, containerID string, containerPid uint32, action string) bool {
 	// check if Containerd exists
 	if Containerd == nil {
 		return false
 	}
 
 	if action == "start" {
 		// get container information from containerd client
-		container, err := Containerd.GetContainerInfo(ctx, containerID, dm.OwnerInfo)
+		container, err := Containerd.GetContainerInfo(ctx, containerID, containerPid, dm.OwnerInfo)
 		if err != nil {
+			if strings.Contains(string(err.Error()), "pause container") {
+				kg.Debug(err.Error())
+				return false
+			}
 			kg.Err(err.Error())
 			return false
 		}
@@ -554,7 +589,7 @@ func (dm *KubeArmorDaemon) MonitorContainerdEvents() {
 
 	if len(containers) > 0 {
 		for containerID, context := range containers {
-			if !dm.UpdateContainerdContainer(context, containerID, "start") {
+			if !dm.UpdateContainerdContainer(context, containerID, 0, "start") {
 				continue
 			}
 		}
@@ -588,7 +623,7 @@ func (dm *KubeArmorDaemon) handleContainerdEvent(envelope *events.Envelope, cont
 		if err != nil {
 			kg.Errf("failed to unmarshal container's delete event: %v", err)
 		}
-		dm.UpdateContainerdContainer(context, deleteContainer.GetID(), "destroy")
+		dm.UpdateContainerdContainer(context, deleteContainer.GetID(), 0, "destroy")
 
 	case "/tasks/start":
 		startTask := &apievents.TaskStart{}
@@ -597,7 +632,7 @@ func (dm *KubeArmorDaemon) handleContainerdEvent(envelope *events.Envelope, cont
 		if err != nil {
 			kg.Errf("failed to unmarshal container's start task: %v", err)
 		}
-		dm.UpdateContainerdContainer(context, startTask.GetContainerID(), "start")
+		dm.UpdateContainerdContainer(context, startTask.GetContainerID(), startTask.GetPid(), "start")
 
 	case "/tasks/exit":
 		exitTask := &apievents.TaskStart{}
@@ -612,7 +647,7 @@ func (dm *KubeArmorDaemon) handleContainerdEvent(envelope *events.Envelope, cont
 		dm.ContainersLock.RUnlock()
 
 		if pid == exitTask.GetPid() {
-			dm.UpdateContainerdContainer(context, exitTask.GetContainerID(), "destroy")
+			dm.UpdateContainerdContainer(context, exitTask.GetContainerID(), pid, "destroy")
 		}
 
 	}

KubeArmor/go.mod

@@ -49,7 +49,7 @@ require (
 	k8s.io/cri-api v0.31.2
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
-	sigs.k8s.io/controller-runtime v0.19.3
+	sigs.k8s.io/controller-runtime v0.19.4
 )
 
 require (

KubeArmor/go.sum

@@ -519,8 +519,8 @@ k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7F
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw=
-sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM=
+sigs.k8s.io/controller-runtime v0.19.4 h1:SUmheabttt0nx8uJtoII4oIP27BVVvAKFvdvGFwV/Qo=
+sigs.k8s.io/controller-runtime v0.19.4/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

tests/go.mod

@@ -153,7 +153,7 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
-	sigs.k8s.io/controller-runtime v0.19.3 // indirect
+	sigs.k8s.io/controller-runtime v0.19.4 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.16.0 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect

tests/go.sum

@@ -394,8 +394,8 @@ k8s.io/kubectl v0.29.3 h1:RuwyyIU42MAISRIePaa8Q7A3U74Q9P4MoJbDFz9o3us=
 k8s.io/kubectl v0.29.3/go.mod h1:yCxfY1dbwgVdEt2zkJ6d5NNLOhhWgTyrqACIoFhpdd4=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw=
-sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM=
+sigs.k8s.io/controller-runtime v0.19.4 h1:SUmheabttt0nx8uJtoII4oIP27BVVvAKFvdvGFwV/Qo=
+sigs.k8s.io/controller-runtime v0.19.4/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/kustomize/api v0.16.0 h1:/zAR4FOQDCkgSDmVzV2uiFbuy9bhu3jEzthrHCuvm1g=