Merge pull request cri-o#6120 from saschagrunert/seccomp-notifier

Add seccomp notifier feature

docs/crio.8.md

@@ -290,7 +290,7 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--metrics-cert**="": Certificate for the secure metrics endpoint.
 
-**--metrics-collectors**="": Enabled metrics collectors. (default: "operations", "operations_latency_microseconds_total", "operations_latency_microseconds", "operations_errors", "image_pulls_by_digest", "image_pulls_by_name", "image_pulls_by_name_skipped", "image_pulls_failures", "image_pulls_successes", "image_pulls_layer_size", "image_layer_reuse", "containers_oom_total", "containers_oom", "processes_defunct", "operations_total", "operations_latency_seconds", "operations_latency_seconds_total", "operations_errors_total", "image_pulls_bytes_total", "image_pulls_skipped_bytes_total", "image_pulls_failure_total", "image_pulls_success_total", "image_layer_reuse_total", "containers_oom_count_total")
+**--metrics-collectors**="": Enabled metrics collectors. (default: "operations", "operations_latency_microseconds_total", "operations_latency_microseconds", "operations_errors", "image_pulls_by_digest", "image_pulls_by_name", "image_pulls_by_name_skipped", "image_pulls_failures", "image_pulls_successes", "image_pulls_layer_size", "image_layer_reuse", "containers_oom_total", "containers_oom", "processes_defunct", "operations_total", "operations_latency_seconds", "operations_latency_seconds_total", "operations_errors_total", "image_pulls_bytes_total", "image_pulls_skipped_bytes_total", "image_pulls_failure_total", "image_pulls_success_total", "image_layer_reuse_total", "containers_oom_count_total", "containers_seccomp_notifier_count_total")
 
 **--metrics-key**="": Certificate key for the secure metrics endpoint.
 

docs/crio.conf.5.md

@@ -337,6 +337,34 @@ A workload is chosen for a pod based on whether the workload's **activation_anno
   "io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm.
   "io.kubernetes.cri-o.UnifiedCgroup.$CTR_NAME" for configuring the cgroup v2 unified block for a container.
   "io.containers.trace-syscall" for tracing syscalls via the OCI seccomp BPF hook.
+  "io.kubernetes.cri-o.seccompNotifierAction" for enabling the seccomp notifier feature.
+
+#### Using the seccomp notifier feature:
+
+This feature can help you to debug seccomp related issues, for example if
+blocked syscalls (permission denied errors) have negative impact on the
+workload.
+
+To be able to use this feature, configure a runtime which has the annotation
+"io.kubernetes.cri-o.seccompNotifierAction" in the `allowed_annotations` array.
+
+It also requires at least runc 1.1.0 or crun 0.19 which support the notifier
+feature.
+
+If everything is setup, CRI-O will modify chosen seccomp profiles for containers
+if the annotation "io.kubernetes.cri-o.seccompNotifierAction" is set on the Pod
+sandbox. CRI-O will then get notified if a container is using a blocked syscall
+and then terminate the workload after a timeout of 5 seconds if the value of
+"io.kubernetes.cri-o.seccompNotifierAction=stop".
+
+This also means that multiple syscalls can be captured during that period, while
+the timeout will get reset once a new syscall has been discovered.
+
+This also means that the Pods "restartPolicy" has to be set to "Never",
+otherwise the kubelet will restart the container immediately.
+
+Please be aware that CRI-O is not able to get notified if a syscall gets blocked
+based on the seccomp defaultAction, which is a general runtime limitation.
 
 ### CRIO.RUNTIME.WORKLOAD.RESOURCES TABLE
 The resources table is a structure for overriding certain resources for pods using this workload.

go.mod

@@ -55,6 +55,7 @@ require (
 	github.com/opencontainers/selinux v1.10.2
 	github.com/prometheus/client_golang v1.13.0
 	github.com/psampaz/go-mod-outdated v0.8.0
+	github.com/seccomp/libseccomp-golang v0.10.0
 	github.com/sirupsen/logrus v1.9.0
 	github.com/soheilhy/cmux v0.1.5
 	github.com/stretchr/testify v1.8.0
@@ -301,7 +302,6 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/saschagrunert/go-modiff v1.3.0 // indirect
 	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect
-	github.com/seccomp/libseccomp-golang v0.10.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect