Merge pull request #19 from Stenstromen/seccomp

Stenstromen · web-flow · commit aa5c1b17e442 · 2026-01-06T19:20:29.000+01:00
Seccomp
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,5 @@
 /target
-.DS_Store
+.DS_Store
+strace/*.log
+strace/strace.log
+strace/*.tar
diff --git a/strace/Dockerfile b/strace/Dockerfile
@@ -0,0 +1,16 @@
+FROM rust:alpine as builder
+WORKDIR /app
+COPY . .
+RUN apk add --no-cache musl-dev gcc && \
+    rustup target add x86_64-unknown-linux-musl && \
+    CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=gcc cargo build --target x86_64-unknown-linux-musl --release
+
+FROM alpine:latest
+COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/rustyalias /rustyalias
+RUN apk add --no-cache strace
+EXPOSE 5053/udp
+EXPOSE 5053/tcp
+ENV RUST_LOG=info
+USER 65534:65534
+ENTRYPOINT ["strace", "-f", "-e", "trace=all"]
+CMD ["/rustyalias"]
diff --git a/strace/Dockerfile.aarch b/strace/Dockerfile.aarch
@@ -0,0 +1,16 @@
+FROM rust:alpine as builder
+WORKDIR /app
+COPY . .
+RUN apk add --no-cache musl-dev gcc && \
+    rustup target add aarch64-unknown-linux-musl && \
+    CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=gcc cargo build --target aarch64-unknown-linux-musl --release
+
+FROM alpine:latest
+COPY --from=builder /app/target/aarch64-unknown-linux-musl/release/rustyalias /rustyalias
+RUN apk add --no-cache strace
+EXPOSE 5053/udp
+EXPOSE 5053/tcp
+ENV RUST_LOG=info
+USER 65534:65534
+ENTRYPOINT ["strace", "-f", "-e", "trace=all"]
+CMD ["/rustyalias"]
diff --git a/strace/README.md b/strace/README.md
@@ -0,0 +1,49 @@
+# Strace Setup for Seccomp Profile Generation
+
+This directory contains the necessary files to generate a seccomp profile using strace in a kind cluster.
+
+## Prerequisites
+
+- Podman
+- kind (Kubernetes in Docker) with experimental Podman provider
+- kubectl
+
+## Setup Instructions
+
+### 1. Set the Kind provider to Podman
+
+```bash
+export KIND_EXPERIMENTAL_PROVIDER=podman
+```
+
+### 2. Build the strace image with Podman
+
+```bash
+podman build -t rustyalias-strace:latest -f strace/Dockerfile .
+```
+
+### 3. Create the kind cluster
+
+```bash
+cd strace
+kind create cluster --name rustyalias-strace --config kind-config.yaml
+```
+
+### 4. Load the image into kind
+
+Save the image as an OCI archive and load it into the kind cluster:
+
+```bash
+# Save the image as an OCI archive
+podman save --format oci-archive -o rustyalias-strace.tar rustyalias-strace:latest
+
+# Load the image archive into kind
+kind load image-archive rustyalias-strace.tar --name rustyalias-strace
+```
+
+### 5. Deploy the application with strace
+
+```bash
+kubectl apply -f deployment.yaml
+kubectl apply -f service.yaml
+```
diff --git a/strace/deployment.yaml b/strace/deployment.yaml
@@ -0,0 +1,78 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rustyalias
+spec:
+  progressDeadlineSeconds: 10
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: rustyalias
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: rustyalias
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - env:
+            - name: RUST_LOG
+              value: debug
+            - name: GLUE_NAME
+              value: ns.addr.se
+            - name: SOA_NAME
+              value: ns.addr.se
+            - name: HOSTMASTER
+              value: hostmaster.addr.se
+            - name: GLUE_IP
+              value: 37.27.198.249
+          image: localhost/rustyalias-strace:latest
+          livenessProbe:
+            tcpSocket:
+              port: 5053
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: 5053
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: 5053
+            initialDelaySeconds: 1
+            periodSeconds: 5
+            failureThreshold: 30
+          resources:
+            limits:
+              cpu: 200m
+              memory: 32Mi
+            requests:
+              cpu: 50m
+              memory: 16Mi
+          securityContext:
+            runAsUser: 65534
+            runAsGroup: 65534
+            privileged: false
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            procMount: Default
+            seccompProfile:
+              type: Localhost
+              localhostProfile: profiles/seccomp-profile.json
+          imagePullPolicy: IfNotPresent
+          name: rustyalias
+          ports:
+            - containerPort: 5053
+              protocol: UDP
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      terminationGracePeriodSeconds: 30
diff --git a/strace/kind-config.yaml b/strace/kind-config.yaml
@@ -0,0 +1,14 @@
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+name: rustyalias-strace
+nodes:
+- role: control-plane
+  extraMounts:
+  - hostPath: ./profiles
+    containerPath: /var/lib/kubelet/seccomp/profiles
+    readOnly: false
+- role: worker
+  extraMounts:
+  - hostPath: ./profiles
+    containerPath: /var/lib/kubelet/seccomp/profiles
+    readOnly: false
diff --git a/strace/profiles/seccomp-profile.json b/strace/profiles/seccomp-profile.json
@@ -0,0 +1,72 @@
+{
+  "defaultAction": "SCMP_ACT_ERRNO",
+  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
+  "syscalls": [
+    {
+      "names": [
+        "accept4",
+        "arch_prctl",
+        "bind",
+        "clock_gettime",
+        "clone",
+        "close",
+        "connect",
+        "epoll_create1",
+        "epoll_ctl",
+        "epoll_pwait",
+        "eventfd2",
+        "execve",
+        "exit_group",
+        "fcntl",
+        "fstat",
+        "fstatfs",
+        "futex",
+        "getdents",
+        "getdents64",
+        "getpeername",
+        "getpid",
+        "getrandom",
+        "getsockname",
+        "getsockopt",
+        "gettid",
+        "listen",
+        "madvise",
+        "mmap",
+        "mprotect",
+        "munmap",
+        "nanosleep",
+        "openat",
+        "openat2",
+        "prctl",
+        "pread64",
+        "prlimit64",
+        "read",
+        "readdirent",
+        "rt_sigaction",
+        "rt_sigprocmask",
+        "rt_sigreturn",
+        "sched_getaffinity",
+        "sched_yield",
+        "setsockopt",
+        "sigaltstack",
+        "socket",
+        "statx",
+        "tgkill",
+        "uname",
+        "write",
+        "set_tid_address",
+        "poll",
+        "brk",
+        "ioctl",
+        "open",
+        "recvfrom",
+        "sendto",
+        "sendmsg",
+        "sendmmsg",
+        "recvmsg",
+        "recvmmsg"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    }
+  ]
+}
diff --git a/strace/service.yaml b/strace/service.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rustyalias-udp
+spec:
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+    - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+    - name: dns-udp
+      protocol: UDP
+      port: 5053
+      targetPort: 5053
+  selector:
+    app: rustyalias
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rustyalias-tcp
+spec:
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+    - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+    - name: dns-tcp
+      protocol: TCP
+      port: 5053
+      targetPort: 5053
+  selector:
+    app: rustyalias
+  type: ClusterIP
