Anti-virus in docker container - does fanotify work between host and container?

I need to implement an anti-virus on-access scanning solution for files inside docker containers using open-source software. ClamAV On-Access works fine but has some requirements and limitations:

  • requires the CAP_SYS_ADMIN capability to work inside a container
  • needs to be run per-container, not per-host
  • requires 850Mb of resident memory for signatures in each running container, even a small one

Does this limitation - "fanotify not working for container events when watching from host" - really exist, or have I just misconfigured ClamAV? I have no deep knowledge of how fanotify works with namespaces, but it looks like a kernel limitation to me.

UPDATE: Are there any workarounds for this limitation? Adding /var/lib/docker/overlay2/container_id/merged is one option, but because of the dynamic nature of containers clamd.conf needs to be updated on every container event. And even with the added path, ClamAV doesn't detect malicious files in the containers.

Running ClamAV per-container creates huge memory overhead, especially for small containers.

Links collection:



Solution 1:[1]

Yes, fanotify only monitors events in the mount namespace that it is running in.

Solution 2:[2]

Now fanotify can monitor events across the filesystem, regardless of the mount namespaces. You need to use the flag FAN_MARK_FILESYSTEM along with FAN_MARK_ADD (FAN_MARK_ADD | FAN_MARK_FILESYSTEM). From the fanotify_mark man page, here is the snippet:

FAN_MARK_FILESYSTEM (since Linux 4.20)
       Mark the filesystem specified by pathname.  The filesystem
       containing pathname will be marked.  All the contained
       files and directories of the filesystem from any mount
       point will be monitored.
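An added example (not from the answer or from ClamAV) of what the answer describes: a host-side watcher that places a single FAN_MARK_FILESYSTEM mark and resolves each reported file through /proc/self/fd, so opens made inside a container's mount namespace on that filesystem are still seen from the host. It assumes Linux 4.20+, CAP_SYS_ADMIN, and that /var/lib/docker (an assumed path) sits on the filesystem holding the overlay2 layers.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/fanotify.h>

#define SCAN_MASK (FAN_OPEN | FAN_CLOSE_WRITE)  /* file opened, or written and closed */

/* One filesystem-wide mark on the filesystem containing `path`. FAN_MARK_FILESYSTEM
 * covers every mount of that filesystem, including bind mounts created in other
 * mount namespaces, which a plain per-mount mark misses. Returns the fanotify fd
 * or -1 with errno set (needs CAP_SYS_ADMIN and Linux >= 4.20). */
static int watch_filesystem(const char *path)
{
    int fan_fd = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fan_fd < 0)
        return -1;
    if (fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_FILESYSTEM, SCAN_MASK, AT_FDCWD, path) < 0) {
        close(fan_fd);
        return -1;
    }
    return fan_fd;
}

/* Walk a buffer filled by read(2) on the fanotify fd: print the path of every event
 * matching `want` (resolved via /proc/self/fd), close the event fd, and return the
 * number of matches. FAN_NOFD (-1) marks a queue overflow and carries no file. */
static size_t handle_events(struct fanotify_event_metadata *ev, size_t len, uint64_t want)
{
    size_t n = 0;
    char link[64], path[PATH_MAX];
    while (FAN_EVENT_OK(ev, len) && ev->vers == FANOTIFY_METADATA_VERSION) {
        if (ev->mask & want) {
            n++;
            snprintf(link, sizeof link, "/proc/self/fd/%d", ev->fd);
            ssize_t l = ev->fd >= 0 ? readlink(link, path, sizeof path - 1) : -1;
            if (l >= 0) {
                path[l] = '\0';
                printf("%s pid=%d mask=0x%llx\n", path, (int)ev->pid, (unsigned long long)ev->mask);
            }
        }
        if (ev->fd >= 0)
            close(ev->fd);  /* always release the event fd, even for events we skip */
        ev = FAN_EVENT_NEXT(ev, len);
    }
    return n;
}
```

Driving it is a loop that read(2)s from the fd returned by watch_filesystem("/var/lib/docker") into a buffer and passes the buffer and byte count to handle_events; the ClamAV-style scan step would go where the path is printed.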

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Douglas Leeder
Solution 2 surajd