Allow running Parca Agent within user namespaces
I'm not 100% sure whether this is even possible, but here it goes. Currently, we recommend using minikube for demo purposes; for various reasons people may prefer kind, k3d, or others, which may not use actual virtual machines but rather Linux user namespaces. The problem this causes is that even if we can load the eBPF program, from within the eBPF program we will see the true host/kernel view of a process, meaning we see the host-wide PID. If we only have the host-wide PID, then the user-space program of parca-agent cannot find the process maps, perf-maps, etc. that we need to actually create a profile with useful data.
Something that I've had in my head for a while that might be worth exploring: maybe if the Parca Agent knows it's running in user namespaces (which we might be able to discover, or if not, then we could have it be a flag), it might be able to communicate to the eBPF program which level of namespaces to consider as the "root" and have the eBPF program only capture data for those processes within that nested namespace, as well as the PID that would be local to that namespace.
There may very well be strategies that I haven't thought of.
I'd be happy to take a look.
Thanks @mhausenblas! Assigned you! 🎉
OK, quick status. I've been researching the issue, reading up on:
- https://rootlesscontaine.rs/how-it-works/userns/
- https://www.man7.org/linux/man-pages/man5/subuid.5.html
My current thinking is that if /etc/subuid is non-empty then I know that I have user namespaces, and within a container it's empty. I verified my thinking with root and rootless containers and can confirm this.
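Added example (not code from this thread or from parca-agent): a small Go detector that combines the /etc/subuid check described in the status update with a second signal the kernel itself exposes. Every process can read its own /proc/self/uid_map; in the initial user namespace it contains the single identity mapping `0 0 4294967295`, and any other content (or an empty file) means the reader is inside a nested user namespace. The function and type names (`ParseUIDMap`, `InRootUserNamespace`, `SubuidHasEntries`, `Detect`, `Report`) are my own, and the file contents in the comments are constructed samples.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// UIDMapping is one line of /proc/<pid>/uid_map: "<inner> <outer> <length>".
type UIDMapping struct {
	Inner, Outer, Length uint64
}

// ParseUIDMap parses the text of a uid_map file (whitespace-separated, one
// mapping per line, blank lines ignored).
func ParseUIDMap(contents string) ([]UIDMapping, error) {
	var maps []UIDMapping
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed uid_map line %q", sc.Text())
		}
		var vals [3]uint64
		for i, f := range fields {
			v, err := strconv.ParseUint(f, 10, 64)
			if err != nil {
				return nil, fmt.Errorf("uid_map field %q: %w", f, err)
			}
			vals[i] = v
		}
		maps = append(maps, UIDMapping{Inner: vals[0], Outer: vals[1], Length: vals[2]})
	}
	return maps, sc.Err()
}

// InRootUserNamespace reports whether the mappings describe the initial user
// namespace: exactly one identity mapping covering the whole 32-bit UID space.
// A nested namespace (rootless container, kind/k3d node, unshare -U) shows a
// different, usually much smaller, set of mappings, and a freshly created one
// with no mapping written yet shows an empty file.
func InRootUserNamespace(maps []UIDMapping) bool {
	return len(maps) == 1 &&
		maps[0].Inner == 0 && maps[0].Outer == 0 && maps[0].Length == 4294967295
}

// SubuidHasEntries applies the check from the thread: /etc/subuid lists
// "name:start:count" subordinate UID ranges that rootless runtimes consume
// (constructed sample: "alice:100000:65536"). Comments and blank lines are
// skipped, so a file containing only "#" lines counts as empty.
func SubuidHasEntries(contents string) bool {
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if len(strings.Split(line, ":")) == 3 {
			return true
		}
	}
	return false
}

// Report carries both signals so the caller can decide how to configure the
// eBPF side (e.g. which namespace level to treat as "root").
type Report struct {
	InRootUserNS         bool // from /proc/self/uid_map
	HostHasSubuidRanges  bool // from /etc/subuid
}

// Detect evaluates both files' contents; it does no I/O so it can be unit tested.
func Detect(uidMapContents, subuidContents string) (Report, error) {
	maps, err := ParseUIDMap(uidMapContents)
	if err != nil {
		return Report{}, err
	}
	return Report{
		InRootUserNS:        InRootUserNamespace(maps),
		HostHasSubuidRanges: SubuidHasEntries(subuidContents),
	}, nil
}

func main() {
	uidMap, err := os.ReadFile("/proc/self/uid_map")
	if err != nil {
		fmt.Fprintln(os.Stderr, "read uid_map:", err)
		os.Exit(1)
	}
	// A missing /etc/subuid is treated the same as an empty one.
	subuid, err := os.ReadFile("/etc/subuid")
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		fmt.Fprintln(os.Stderr, "read /etc/subuid:", err)
		os.Exit(1)
	}
	r, err := Detect(string(uidMap), string(subuid))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("in root user namespace: %v, host has subuid ranges: %v\n",
		r.InRootUserNS, r.HostHasSubuidRanges)
}
```

The uid_map signal answers the question the agent actually needs answered (am I nested?), while the /etc/subuid signal only tells you whether the host is configured to create such namespaces; reading both from inside a pod is therefore a reasonable default before falling back to an explicit flag.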