A container symbol that extracts the underlying container runtime and sends it to a far flung server.
Poke on the underlying container runtime of your favourite CSP container platform!
As showed by the use of runc CVE-2019-5736, conventional Linux container runtimes reveal themselves to the bins they are operating thru
whoc makes use of this hyperlink to learn the container runtime executing it.
whoc default mode that works towards dynamically hooked up container runtimes.
whocsymbol entrypoint is able to
/proc/self/exe, and the picture’s dynamic linker (
ld.so) is changed with
- As soon as the picture is administered, the container runtime re-executes itself right through the container.
- Given the runtime is dynamically hooked up, the kernel moderately such a lot our faux dynamic linker to the runtime procedure and passes execution to it.
fake_ldobtains a file descriptor for the runtime binary by the use of opening
/proc/self/exe, and executes
upload_runtimereads the runtime binary from
/proc/self/fd/<runtime-fd>and sends it to the configured far flung server.
For statically hooked up container runtimes,
whoc is available in each and every different taste:
upload_runtimeis the picture entrypoint, and runs because the
whoccontainer PID 1.
- The patron is predicted to exec into the
whoccontainer and invoke a file pointing to
docker exec whoc-ctr /proc/self/exe)
- As temporarily for the reason that exec happens, the container runtime re-executes itself right through the container
upload_runtimereads the runtime binary thru
/proc/<runtime-pid>/exeand sends it to the configured far flung server
Take a look at In the neighborhood
You are able to want
python3 put in. Clone the repository:
$ git clone [email protected]:twistlock/whoc.git
Arrange a file server to obtain the extracted container runtime:
$ cd whoc
$ mkdir -p stash && cd stash
$ ln -s ../util/fileserver.py fileserver
From each and every different shell, run the
whoc symbol on your container surroundings of selection, for example Docker:
$ cd whoc
$ docker compile -f Dockerfile_dynamic -t whoc:newest src # or ./util/compile.sh
$ docker run --rm -it --net=host whoc:newest 127.0.0.1 # or ./util/run_local.sh
--net=host may be very highest utilized in native assessments in order that the
whoc container may merely simply prevail throughout the fileserver at the host by the use of
Have the same opinion
Have the same opinion for
whoc‘s number one binary,
Utilization: upload_runtime [options] <server_ip>
-p, --port Port of far flung server, defaults to 8080
-e, --exec Wait-for-exec mode for static container runtimes, waits till an exec to the container passed off
-b, --exec-bin In exec mode, overrides the default binary created for the exec, default is /bin/input
-a, --exec-extra-argument In exec mode, pass an extra argument to the runtime so it may not pass out briefly
-r, --exec-readdir-proc In exec mode, as an alternative of guessing the runtime pid (which provides whoc one shot of catching the runtime),
to look out the runtime thru way of searching for new processes beneath '/proc'