I am running docker container without privileges and now service auditd start fails to execute even I add capabilities to docker. please try to help me as early as possible

On Wed, Feb 3, 2016 at 6:16 AM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > On Wed, 3 Feb 2016 15:34:09 +0530 > Sowndarya K <sowndaryak18(a)gmail.com&gt; wrote: >> I am running docker container without privileges and now service >> auditd start fails to execute even I add capabilities to docker. >> please try to help me as early as possible > > If auditd is being run inside a container, then it has problems > because the audit subsystem inside the kernel isn't container > aware/namespaced. I have recently made changes to auditd in svn for > the next release which allows auditd to run as a log _aggregator_ > inside a container. This means it has no knowledge of events coming > from within the container but can act as an aggregator for systems > doing remote logging. To add some commentary to this: we are not going to namespace the audit subsystem like other subsystems, but making audit *aware* of namespaces is on the todo list.

On Wed, Feb 3, 2016 at 9:08 AM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > On Wed, 3 Feb 2016 07:57:52 -0500 > Paul Moore <paul(a)paul-moore.com&gt; wrote: > >> On Wed, Feb 3, 2016 at 6:16 AM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: >> > On Wed, 3 Feb 2016 15:34:09 +0530 >> > Sowndarya K <sowndaryak18(a)gmail.com&gt; wrote: >> >> I am running docker container without privileges and now service >> >> auditd start fails to execute even I add capabilities to docker. >> >> please try to help me as early as possible >> > >> > If auditd is being run inside a container, then it has problems >> > because the audit subsystem inside the kernel isn't container >> > aware/namespaced. I have recently made changes to auditd in svn for >> > the next release which allows auditd to run as a log _aggregator_ >> > inside a container. This means it has no knowledge of events coming >> > from within the container but can act as an aggregator for systems >> > doing remote logging. >> >> To add some commentary to this: we are not going to namespace the >> audit subsystem like other subsystems, but making audit *aware* of >> namespaces is on the todo list. > > OK. Suppose I go out and rent a virtualized server with root access for > my web site. Turns out the company that is leasing me time used > containers as their method of virtualizing. my web site runs fine in a > container so no big deal. However, as a customer, I would want access > to the logs for my container directly in the container. As a matter of > fact, its a PCI-DSS requirement to have access to those logs. > > I really think the audit system _has to be_ namespaced, somehow, for > compliance reasons. Having access to audit events generated inside a namespace (or set of namespaces to be more specific), and only generated inside a namespace (or set of ...), does not require the audit subsystem to be namespaced; however, it does require the audit subsystem to recognize namespaces and associate them with events so that they can be tagged and routed accordingly. Based on previous conversations, I suspect we have the same goals/ideas and are just using different terminology. I wouldn't worry too much about it at this point as that work is still in the early stages.

paul moore