Trace open() system calls with eBPF for the most popular container images and publish the UID/GID result to the Podman community

[eriksjolund]

Idea: Use the tool Inspektor Gadget to find out which UID/GID are used in open() system calls for the most popular container images. Publish the result to give users of Podman an estimated guess of how to set the command-line option --userns keep-id:uid=$uid,gid=$gid

The use case I'm considering is when a container starts to run as root (--user 0:0) but later drops privileges and runs as a different user. I would like that non-root user to be mapped to the regular user on the host.

Tracing all open() system calls in a container might give enough information to know how to set $uid and $gid in the podman run option:

--userns keep-id:uid=$uid,gid=$gid

The published table could look something like this:

container image	auto-detected podman argument
docker.io/library/nginx	--userns keep-id:uid=101,gid=101

This idea is related to:

• Demo: use the eBPF tool Inspektor Gadget to detect how to set `--userns keep-id:uid=$uid,gid=$gid` #20004

Side-note 1: Tracing just open() system calls is a good start, but there are also other system calls like mkdir() that are also related to UID/GID.

Side-note 2: Instead of using the eBPF tool Inspektor Gadget another idea is to enhance
https://github.com/containers/oci-seccomp-bpf-hook
to also analyse the use of UID/GID in a container.

[vrothberg]

Interesting idea! I have no time to work on it but am interested to follow and help where I can.

[Luap99]

Instead of tracing open() wouldn't it make more sense to trace the setuid() system calls if you want to know what id's the container is running under?

[eriksjolund]

Good point, tracing setuid() system calls makes more sense.

[eriksjolund]

I tried a simpler approach that does not make use of eBPF

a sketch:

1. create a container
2. start the container
3. wait a number of seconds
4. podman unshare
5. Check UIDs and GIDs by running find . -printf '%U:%G\n' in the .GraphDriver.Data.UpperDir and in the volumes.

for details see

https://github.com/eriksjolund/podman-detect-option

I wrote some Bash shell scripts and tried it out for a few popular container images.