Received: by 10.223.176.5 with SMTP id f5csp1226696wra;
        Fri, 2 Feb 2018 13:30:50 -0800 (PST)
X-Google-Smtp-Source: AH8x2240JJXjDhTQrtk8Fs+BKjMxaC82yEYGD92td6HO/jBbC0m405lsm7MOs5K/D1bIF2yaawqQ
X-Received: by 10.98.33.198 with SMTP id o67mr41906149pfj.0.1517607050790;
        Fri, 02 Feb 2018 13:30:50 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517607050; cv=none;
        d=google.com; s=arc-20160816;
        b=RRQPy94qiAMt2PTB0EcdQZiDOXjHx4/Gj65Fk0ifGyxgvP7jlhyDN4qcBown6753L+
         K6TcET5f+/Mu+M7m+16Nc3Df7VzoI+lxjvYptIEJ9+iRTwBG5jPHkwmJkZlPODHRJo2O
         edgtEvlzTgCKSohIeffuvSATS/HmRIciAPE/T9Vl5nb/uqbxQyu9b0wFUFWoUEoSB1nz
         s5VrjiXT06OSz9/HATnfEtCyK3UX7yfpzDdFJlzmg+8wniBrwkdPWcSnYQLqCm3oYLyS
         soJi+iQ13yJMc67dPZS7WnWYFokRNAcq8vSm/HhgtP19sG3ofjJbzlrRrLVHwRWe1eqb
         vfOQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=xjuGt3B/MDd/BEKxzwpJCCCpl0/XvBelHKmgZXYSmCU=;
        b=m/dRghZ0JrLQ6RGil29XoFqY44/Q2r0QEhKc1MZuKBcneEaZ+l4NFCtYWp5SwYw2Lb
         KfsfWrSo2Mw+2psEozk0MkSvh9DV04Ww0bf11E+U6bIuksaxzjF0eazPZzBj6gGfJj+r
         qyRfhThlOChGqEmWoQn4I7IQQ21ZTyZNXI4w957O9gc7qYVGh5RgZFb4byYHLwYbkL1t
         THmus0Q8SqKJGsYSOuPRNRk6zqHAt3o1YCYZNuGPF2J+VC/75yBX6p5km9Lc+Bs6Hil0
         xD29ATITUmKJgReIdc15RB3IOvP+EvM7k4/exsrURLRZzTZtmL+uFx2DCPoKENv/AlAY
         RTGw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=YGq16x3z;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 92-v6si510578pli.180.2018.02.02.13.30.35;
        Fri, 02 Feb 2018 13:30:50 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=YGq16x3z;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752087AbeBBVSw (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Fri, 2 Feb 2018 16:18:52 -0500
Received: from mail-lf0-f48.google.com ([209.85.215.48]:37431 "EHLO
        mail-lf0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752020AbeBBVSo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 2 Feb 2018 16:18:44 -0500
Received: by mail-lf0-f48.google.com with SMTP id 63so33442143lfv.4
        for <linux-kernel@vger.kernel.org>; Fri, 02 Feb 2018 13:18:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=xjuGt3B/MDd/BEKxzwpJCCCpl0/XvBelHKmgZXYSmCU=;
        b=YGq16x3zZMehCQeVdl9fScYcSjRekcVbwslIVnibmDjMxO7p0K5vFEhMqIzrwAfQ5I
         uYrTcWfsKwK9MQv1n9Ku3W5g9yPDDWXaWVNcbTZS+ZmqIosJB3+O73e8/2r29dLrKRct
         T+wcFktEtlks4iNOCOCIcKNX8Wpe+ySG70gLSs232X8CHLkz1PbKHJ19WSXAnyhlegel
         D2KGS06NzdashwHBdbbk6j02egqcHH0kMUb+hN23wSXkKnN/ulXw0U2DtZAmcQ3s5QrY
         6ddeA6KIsevTYSXnMTiPSHQwBhPYEWOoNu/E5aRKiGjFnSXc6wTeFeeTMaupV0owD5FL
         KLrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=xjuGt3B/MDd/BEKxzwpJCCCpl0/XvBelHKmgZXYSmCU=;
        b=kKMUo9duk8sRaPRX9uSxH5WJ8R7F3ra+APNrnqZWjNDHoBh89rJXL9/DyLRKih0o3U
         ahEH7C2uwqZwV2jBe6kxNUdUoMDt93jHuspbP4SCk/BhP16ltuyr8MlMyOdfrkluOoCH
         ZqZwU6cU/6SrZ4n0k8tFMor4odw54OZRcW6cgs70MctS1Y1l9kTvJjXL6KOC5Ee4zrub
         Nf51eRYo+cU11HdiuNEwKCVutW/7PqY5S1hVStqdmujuXPyuLQ25HUG61iLi0SbObU3r
         1OAXELOTA8/A5RHxFRQg/5QMqCa8eIoAF7PEOWCrLfZPn5iKQUwc1en2V70NAQ7vZlxK
         cl6g==
X-Gm-Message-State: AKwxytf4oNqAp2bCZ4CVJJNwrmLVlyFlERj8eYpnr0yzD1a+vImeD+Ki
        gBULSmS8Qh2aLlN/pw4umHApznojjMJMaJbLXW8h
X-Received: by 10.25.42.197 with SMTP id q66mr24274741lfq.25.1517606322298;
 Fri, 02 Feb 2018 13:18:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.216.145 with HTTP; Fri, 2 Feb 2018 13:18:41 -0800 (PST)
X-Originating-IP: [108.20.156.165]
In-Reply-To: <1515514736.3239.10.camel@redhat.com>
References: <20180109121620.wi7dq2423ugsraqv@madcap2.tricolour.ca> <1515514736.3239.10.camel@redhat.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Fri, 2 Feb 2018 16:18:41 -0500
Message-ID: <CAHC9VhSMnG9=h8YrrV7uS3mDGpdD5tDUivmbsOiKrmgT-ZpFYA@mail.gmail.com>
Subject: Re: RFC(V3): Audit Kernel Container IDs
To:     Simo Sorce <simo@redhat.com>
Cc:     Richard Guy Briggs <rgb@redhat.com>, cgroups@vger.kernel.org,
        Linux Containers <containers@lists.linux-foundation.org>,
        Linux API <linux-api@vger.kernel.org>,
        Linux Audit <linux-audit@redhat.com>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>,
        Linux Kernel <linux-kernel@vger.kernel.org>,
        Linux Network Development <netdev@vger.kernel.org>,
        mszeredi@redhat.com, jlayton@redhat.com,
        "Carlos O'Donell" <carlos@redhat.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        David Howells <dhowells@redhat.com>,
        Andy Lutomirski <luto@kernel.org>, trondmy@primarydata.com,
        Eric Paris <eparis@parisplace.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 9, 2018 at 11:18 AM, Simo Sorce <simo@redhat.com> wrote:
> On Tue, 2018-01-09 at 07:16 -0500, Richard Guy Briggs wrote:

...

>> Changelog:
>>
>> (Upstream V3)
>> - switch back to u64 (from pmoore, can be expanded to u128 in future if
>>   need arises without breaking API.  u32 was originally proposed, up to
>>   c36 discussed)
>> - write-once, but children inherit audit container identifier and can
>>   then still be written once
>> - switch to CAP_AUDIT_CONTROL
>> - group namespace actions together, auxilliary records to namespace
>>   operations.
>>
>> (Upstream V2)
>> - switch from u64 to u128 UUID
>> - switch from "signal" and "trigger" to "register"
>> - restrict registration to single process or force all threads and
>>   children into same container
>
> I am trying to understand the back and forth on the ID size.

I'm just now getting a chance to read Richard's latest draft, but I
wanted to comment on this quickly.

There are two main reasons for keeping this a 32 or 64 bit integer:

1) After the initial "be able to associate audit events with a
container" stage, we are going to look into supporting multiple audit
daemons on the system so that you could run an audit daemon inside a
container and it would collect events generated by the container
(we're tentatively calling this "phase 2", feel free to insert your
own "magic happens" joke).  There are a lot things that need to happen
in phase two, one of these things is the addition of an audit event
routing mechanism that will send audit records to the right audit
daemons (the "host" daemon will always see everything), in order to do
this we will need to be able to quickly compare audit container IDs,
this means an integer.

2) Whatever we pick for an audit container ID it is going to be wrong
for at least one container orchestrator.  There is no "one" solution
here, so we are providing a small and flexible mechanism that higher
level orchestrators can use to provide a more complete solution.

> >From an orchestrator POV anything that requires tracking a node
> specific ID is not ideal.
>
> Orchestrators tend to span many nodes, and containers tend to have IDs
> that are either UUID or have a Hash (like SHA256) as identifier.

You're helping me prove my reason #2.

> The problem here is two-fold:
>
> a) Your auditing requires some mapping to be useful outside of the
> system.
> If you aggreggate audit logs outside of the system or you want to
> correlate the system audit logs with other components dealing with
> containers, now you need a place where you provide a mapping from your
> audit u64 to the ID a container has in the rest of the system.

Yep, see my reason #2.  I want us to have something that "works" for a
single system as well as something that can be leveraged by higher
level tools for large networks of machines.

I realize it's easy, and tempting, to expand the scope of this effort;
but if we are to have any success it is only going to be through some
discipline.  We need to focus on a small solution which addresses the
basic needs and hopefully remains flexible enough for any potential
expansion while staying palatable to the audit folks and the general
kernel community.

> b) Now you need a mapping of some sort. The simplest way a container
> orchestrator can go about this is to just use the UUID or Hash
> representing their view of the container, truncate it to a u64 and use
> that for Audit. This means there are some chances there will be a
> collision and a duplicate u64 ID will be used by the orchestrator as
> the container ID. What happen in that case ?

That is a design decision left to the different container orchestrators.

-- 
paul moore
www.paul-moore.com