OpenShift Determine files written in a container
fatrace
One approach to determining files written in a container is to run fatrace in
a privileged container:
- Add a section to the Containerfile/Dockerfile to compile fatrace, install sudo, and add the main container user to sudoers; for example:

    USER root
    RUN dnf install -y gcc make git sudo && \
        git clone https://github.com/martinpitt/fatrace /usr/local/src/fatrace && \
        cd /usr/local/src/fatrace && make && make install && \
        echo "was ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
    USER was
- Create a service account to run a privileged container; for example:
oc create sa privilegedsa
- Add the service account to the privileged SCC:
oc adm policy add-scc-to-user privileged -z privilegedsa
- Modify the Deployment to use the privilegedsa serviceAccount, modify the container to use privileged: true and allowPrivilegeEscalation: true, and change the container to execute a shell script that starts the privileged command in the background using sudo (e.g. fatrace) and then executes the original run command in the image (if you can't easily find the original command, review podman inspect); for example:

    spec:
      template:
        spec:
          serviceAccount: privilegedsa
          containers:
            - securityContext:
                privileged: true
                allowPrivilegeEscalation: true
              command:
                - /bin/sh
              args:
                - '-c'
                - 'printf ''#!/bin/sh\nnohup sudo -E /usr/local/sbin/fatrace -t -f W -c -o /tmp/diag_fatrace_$${HOSTNAME}_$$(date +%%Y%%m%%d_%%H%%M%%S).txt &\nsleep 1\n/usr/bin/env JVM_EXTRA_CMD_ARGS=-Xnoloa /work/start_server.sh\n'' > /tmp/run.sh && chmod a+x /tmp/run.sh && /tmp/run.sh'
- Exercise the application as much as possible.
- Download the /tmp/diag* file.
- Review the output; for example, to list all unique files written to:
awk '{print $NF;}' *fatrace.txt | sort | uniq
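The awk one-liner above prints the last whitespace-separated field, so a path containing a space is truncated and fatrace's own diag file shows up in the list. The following parser is an added example (not from the page or from the fatrace project) that reads the same capture more carefully: it keeps the whole path, splits off the " (deleted)" suffix fatrace appends for unlinked files, drops the /tmp/diag_fatrace_* output file defined in the Deployment above, and also counts writes per process. The sample capture is constructed here; the line layout it assumes is the one produced by fatrace -t ("HH:MM:SS.micro comm(pid): MASK /path"), where MASK is a run of event letters such as W or CW.

```python
#!/usr/bin/env python3
"""Summarise a `fatrace -t -f W` capture downloaded from a container.

Added example; not code from the page or from the fatrace project.
Assumed line format: "[timestamp ]comm(pid): MASK /path[ (deleted)]".
"""
import re
import sys
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample capture (made-up processes and paths, not a real trace).
SAMPLE_FATRACE_OUTPUT = """\
10:15:02.114212 java(12): CW /work/logs/server.log
10:15:02.120003 java(12): W /work/logs/server.log
10:15:03.000100 fatrace(9): W /tmp/diag_fatrace_pod-1_20240101_101500.txt
10:15:03.500000 sh(7): CWO /tmp/run dir/with space.sh
10:15:04.000000 java(12): W /work/data/cache.bin (deleted)
this line is garbage and must be skipped
"""

# Optional timestamp from -t, then "comm(pid): MASK path"; the trailing
# " (deleted)" marker is captured separately so it never pollutes the path.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d[\d:.]*)\s+)?"
    r"(?P<comm>.+?)\((?P<pid>\d+)\):\s+"
    r"(?P<mask>[A-Z<>+]+)\s+"
    r"(?P<path>.*?)(?P<deleted> \(deleted\))?$"
)

# fatrace writes its own output file inside the container, so the diag file
# named in the Deployment args is noise in a "what does the app write" list.
DEFAULT_IGNORE: Tuple[str, ...] = ("/tmp/diag_fatrace_",)


class Event(NamedTuple):
    ts: str
    comm: str
    pid: int
    mask: str
    path: str
    deleted: bool


def parse_fatrace(text: str) -> List[Event]:
    """Parse capture text into Events, silently skipping malformed lines."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(m["ts"] or "", m["comm"], int(m["pid"]),
                            m["mask"], m["path"], m["deleted"] is not None))
    return events


def _is_app_write(e: Event, ignore: Tuple[str, ...]) -> bool:
    return "W" in e.mask and not e.path.startswith(ignore)


def written_files(events: List[Event],
                  ignore: Tuple[str, ...] = DEFAULT_IGNORE) -> List[str]:
    """Sorted unique paths that received a write, minus ignored prefixes."""
    return sorted({e.path for e in events if _is_app_write(e, ignore)})


def writes_by_process(events: List[Event],
                      ignore: Tuple[str, ...] = DEFAULT_IGNORE) -> Dict[str, int]:
    """Number of write events per 'comm(pid)', minus ignored prefixes."""
    counts: Counter = Counter()
    for e in events:
        if _is_app_write(e, ignore):
            counts[f"{e.comm}({e.pid})"] += 1
    return dict(counts)


def deleted_files(events: List[Event]) -> List[str]:
    """Paths fatrace reported as already unlinked (e.g. temp files)."""
    return sorted({e.path for e in events if e.deleted})


if __name__ == "__main__":
    # Usage: summarize_fatrace.py diag_fatrace_<pod>_<ts>.txt  (no arg: sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FATRACE_OUTPUT
    evs = parse_fatrace(text)
    print("files written:")
    for p in written_files(evs):
        print("  " + p)
    print("writes per process:", writes_by_process(evs))
    print("deleted while traced:", deleted_files(evs))
```

Run it against the downloaded /tmp/diag* file to get the same list the awk command produces, plus the per-process breakdown, which helps attribute writes to the application versus the wrapper shell. Because the capture comes from a privileged pod, revert the Deployment and remove the service account from the privileged SCC once the diagnostic run is finished.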