You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
However, discussions stalled for two main reasons:
Security
The concern that introducing such a feature could be an attack vector.
Image size
Adding a shell (even a tiny one) is going to bloat the images slightly and that space isn't going to be used 99.99% of the time.
Rationale
It would be very useful for developers and admins to have the ability to debug a running container from the guest-side root namespace. Note that docker exec is NOT what we want as that is not running in the guest root namespace and is thus constrained.
Image support
We could generate two images - one with a shell and one without. However, the general view is that this is suboptimal since:
The "debug-enabled" version would probably get less testing.
If a developer/admin needs to debug a container that is already running, they might not be running the "debug" image which defeats the point of the feature.
Architecture
runv expects the agent to be running as PID = 1 (init daemon)
A debug console shell would either need to run as a separate thread or a child process of the agent.
cc-runtime (virtcontainers) assumes the agent to be running with PID != 1
A debug console shell can be launched by the init daemon (systemd by default) or could be handled as a separate thread / child of the agent.
From a testing (and security) perspective, it would be safer to have a single code path for a debug console.
Configuration and logging
If we introduce a debug console facility it:
MUST be disabled by default.
MUST be possible to query the status of the feature somehow to be assured that it is disabled.
MUST generate an agent log entry when the feature is enabled to allow an admin to detect this change.
MUST generate an agent log entry when the feature is used to allow an admin to track usage.
Background
We have considered adding a debug console in Clear Containers in the past:
However, discussions stalled for two main reasons:
Security
The concern that introducing such a feature could be an attack vector.
Image size
Adding a shell (even a tiny one) is going to bloat the images slightly and that space isn't going to be used 99.99% of the time.
Rationale
It would be very useful for developers and admins to have the ability to debug a running container from the guest-side root namespace. Note that
docker execis NOT what we want as that is not running in the guest root namespace and is thus constrained.Image support
We could generate two images - one with a shell and one without. However, the general view is that this is suboptimal since:
Architecture
runvexpects the agent to be running asPID = 1(init daemon)A debug console shell would either need to run as a separate thread or a child process of the agent.
cc-runtime(virtcontainers) assumes the agent to be running with PID!= 1A debug console shell can be launched by the init daemon (
systemdby default) or could be handled as a separate thread / child of the agent.From a testing (and security) perspective, it would be safer to have a single code path for a debug console.
Configuration and logging
If we introduce a debug console facility it: