Currently slimtoolkit has partial support for podman. Specifically slimtoolkit lacks support for unprivileged podman usage.
My attempts to run slim toolkit with unprivileged podman as the container runtime yield the below fanotify error:
level=error msg="sensor: composite monitor - FAN failed to start running"
error="SensorError{Op:sensor.fanotify.Run/fanapi.initialize,kind:call.error,Wrapped:{Type=syscall.Errno,Info=operation not permitted
It is our understanding that this is due to fanotify requiring CAP_SYS_ADMIN, which is not available in unprivileged container environments.
At our organization, we exclusively run Podman in rootless mode to avoid the security risks associated with privileged container runtimes. For SlimToolkit to be viable in our environment, it needs to function without relying on fanotify.
We have a working implementation that addresses this. The core approach is a fanotify-first strategy with automatic ptrace fallback - the sensor attempts to initialize fanotify as normal, and if it fails, it falls back to using ptrace for filesystem monitoring.
We acknowledge that ptrace provides less granular file-access metadata when compared to fanotify and carries a risk of missing certain file access, but the PR, along with our implementation internally, will have workarounds to reduce this; we have tested it and found it to be working reliably for our use cases.
We have the PR ready and are currently working through the internal approval process.
With that being said, we noticed a previous issue had been raised regarding Podman support (Issue #278), but at the time we began this work the last response was over a year old, so we assumed it was no longer an active priority and proceeded independently. However, we recently saw that there has been some new activity and progress on Podman integration from your end.
Could you please share details on this integration? In particular:
- Will it support rootless/unprivileged Podman, or only privileged Podman?
- What is the expected timeline? We have an upcoming project deadline with a dependency on this capability.
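The fanotify-first / ptrace-fallback selection described above, written as an added example and not the submitter's PR or slimtoolkit's own code; the names HasCapSysAdmin, SelectMonitor and fanotifyInit are mine, and the CapEff pre-flight check is an assumed diagnostic the post does not mention. The fallback is taken only on EPERM, so an unrelated fanotify failure is still surfaced rather than masked.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// MonitorKind names the filesystem-monitoring backend the sensor settles on.
type MonitorKind string

const (
	MonitorFanotify MonitorKind = "fanotify"
	MonitorPtrace   MonitorKind = "ptrace"
	capSysAdmin                 = 21 // CAP_SYS_ADMIN bit index in the CapEff mask
)

// HasCapSysAdmin parses the CapEff line of a /proc/<pid>/status body and reports
// whether CAP_SYS_ADMIN is in the effective set (absent under rootless Podman).
func HasCapSysAdmin(status string) (bool, error) {
	for _, line := range strings.Split(status, "\n") {
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
		if err != nil {
			return false, err
		}
		return mask&(1<<capSysAdmin) != 0, nil
	}
	return false, errors.New("CapEff line not found")
}

// SelectMonitor is the fanotify-first strategy: use fanotify when it initializes,
// fall back to ptrace only on EPERM (lack of privilege), surface anything else.
func SelectMonitor(initFanotify func() error) (MonitorKind, error) {
	err := initFanotify()
	switch {
	case err == nil:
		return MonitorFanotify, nil
	case errors.Is(err, syscall.EPERM):
		return MonitorPtrace, nil
	default:
		return "", fmt.Errorf("fanotify init failed for a non-privilege reason: %w", err)
	}
}

// fanotifyInit issues a minimal fanotify_init(2) (FAN_CLASS_NOTIF, O_RDONLY) via the
// raw syscall and closes the descriptor; only success vs. EPERM matters here.
func fanotifyInit() error {
	fd, _, errno := syscall.Syscall(syscall.SYS_FANOTIFY_INIT, 0, uintptr(syscall.O_RDONLY), 0)
	if errno != 0 {
		return errno
	}
	return syscall.Close(int(fd))
}

func main() {
	status, _ := os.ReadFile("/proc/self/status")
	hasCap, _ := HasCapSysAdmin(string(status))
	kind, err := SelectMonitor(fanotifyInit)
	fmt.Printf("CAP_SYS_ADMIN=%v monitor=%s err=%v\n", hasCap, kind, err)
}
```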