GitHub - containers/conmon: An OCI container runtime monitor. (original) (raw)

An OCI container runtime monitor.

Conmon is a monitoring program and communication tool between a container manager (like Podman orCRI-O) and an OCI runtime (likerunc orcrun) for a single container.

Upon being launched, conmon (usually) double-forks to daemonize and detach from the parent that launched it. It then launches the runtime as its child. This allows managing processes to die in the foreground, but still be able to watch over and connect to the child process (the container).

While the container runs, conmon does two things:

• Provides a socket for attaching to the container, holding open the container's standard streams and forwarding them over the socket.
• Writes the contents of the container's streams to a log file (or to the systemd journal) so they can be read after the container's death.

Finally, upon the containers death, conmon will record its exit time and code to be read by the managing programs.

Written in C and designed to have a low memory footprint, conmon is intended to be run by a container managing library. Essentially, conmon is the smallest daemon a container can have.

In most cases, conmon should be packaged with your favorite container manager. However, if you'd like to try building it from source, follow the steps below.

Dependencies

These dependencies are required for the build:

Fedora, CentOS, RHEL, and related distributions:

sudo yum install -y
gcc
git
glib2-devel
glibc-devel
libseccomp-devel
systemd-devel
make
pkgconfig
runc

Debian, Ubuntu, and related distributions:

sudo apt-get install
gcc
git
libc6-dev
libglib2.0-dev
libseccomp-dev
pkg-config
make
runc

Build

Once all the dependencies are installed:

There are three options for installation, depending on your environment. Each can have the PREFIX overridden. The PREFIX defaults to /usr/localfor most Linux distributions.

• make install installs to $PREFIX/bin, for adding conmon to the path.
• make podman installs to $PREFIX/libexec/podman, which is used to override the conmon version that Podman uses.
• make crio installs to $PREFIX/libexec/crio, which is used to override the conmon version that CRI-O uses.

Note, to run conmon, you'll also need to have an OCI compliant runtime installed, like runc orcrun.

Testing

Once you have successfully built conmon, run the tests using:

Note that you'll also need the bats and socat packages install if not present.

Static build

It is possible to build a statically linked binary of conmon by using the officially providednixpackage and the derivation of it within this repository. The builds are completely reproducible and will create a x86_64/amd64 stripped ELF binary for glibc.

Nix

To build the binaries by locally installing the nix package manager:

Ansible

An Ansible Role is also available to automate the installation of the above statically linked binary on its supported OS:

sudo su - mkdir -p ~/.ansible/roles cd ~/.ansible/roles git clone https://github.com/alvistack/ansible-role-conmon.git conmon cd ~/.ansible/roles/conmon pip3 install --upgrade --ignore-installed --requirement requirements.txt molecule converge molecule verify