Skip to content

runtime-tools: log container adjustments.#268

Open
klihub wants to merge 2 commits intocontainerd:mainfrom
klihub:devel/audit-logging
Open

runtime-tools: log container adjustments.#268
klihub wants to merge 2 commits intocontainerd:mainfrom
klihub:devel/audit-logging

Conversation

@klihub
Copy link
Copy Markdown
Member

@klihub klihub commented Feb 3, 2026
edited
Loading

This PR implements NRI audit logging for OCI Spec adjustments, which has been identified as one of the missing things we need to add (be)for(e) a v1.0. This patch

  • adds an extended generator option for runtimes to set an external audit event logger, and
  • updates the generator to use the configured logger for audit messages when an OCI Spec is adjusted

Here are updated trees for contained and CRI-O:

@klihub klihub force-pushed the devel/audit-logging branch 2 times, most recently from a6cac4e to c0863cc Compare February 4, 2026 07:09
@klihub klihub changed the title runtime-tools: emit audit events for OCI Spec mutation. runtime-tools: emit audit log messages for OCI Spec mutation. Feb 4, 2026
@klihub klihub changed the title runtime-tools: emit audit log messages for OCI Spec mutation. runtime-tools: emit audit log messages for adjustments. Feb 4, 2026
@klihub klihub force-pushed the devel/audit-logging branch from c0863cc to 9953d06 Compare February 4, 2026 15:39
@klihub klihub marked this pull request as ready for review February 4, 2026 17:11
@klihub
Copy link
Copy Markdown
Member Author

klihub commented Feb 4, 2026

@mikebrow @samuelkarp PTAL

mikebrow
mikebrow reviewed Feb 4, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool.. Maybe add a little more detail to the short explanation in the README.md maybe links to the containerd/crio use of these opts. (where the integration test happens)

@klihub
Copy link
Copy Markdown
Member Author

klihub commented Feb 6, 2026

@samuelkarp I have a few questions.

Related to the approach taken here, is this roughly what you had in mind ? Related to event details, how detailed events do we want to log, and do we want to log them unconditionally ? The PR now logs unconditionally and detailed events, except in a few extreme cases where details could get really verbose. But should it be configurable, or should details be logged at a different logging level ? About the logged events/messages. The main messages are now exposed consts, with the idea that someone might want to build some tooling where it can come handy to have them exported. But I don't know if this really makes sense. Any thoughts ?

@chrishenzie
Copy link
Copy Markdown
Member

chrishenzie commented Feb 6, 2026

Thanks for jumping on this, @klihub.

You raised some important questions in your comment that I think we should probably settle on before finalizing the implementation. Since o11y is a key requirement for GA, could we open a GitHub issue to agree on the specific design goals and requirements first?

We can treat this PR as a PoC to inform that discussion, but I'd feel more comfortable if we aligned on the "what" and "why" in a design issue before we iterate further on the "how" here.

@klihub klihub mentioned this pull request Feb 6, 2026
Open
@klihub
Copy link
Copy Markdown
Member Author

klihub commented Feb 6, 2026

could we open a GitHub issue to agree on the specific design goals and requirements first?

I created issue #270 for that.

@klihub klihub marked this pull request as draft February 6, 2026 19:01
@klihub klihub force-pushed the devel/audit-logging branch 4 times, most recently from 95bd1fb to ef60131 Compare February 19, 2026 06:24
@klihub klihub changed the title runtime-tools: emit audit log messages for adjustments. runtime-tools: log container adjustments. Feb 19, 2026
chrishenzie
chrishenzie reviewed Feb 20, 2026
View reviewed changes
Comment thread pkg/runtime-tools/generate/generate.go Outdated
Comment thread pkg/api/owners.go Outdated
Comment thread pkg/runtime-tools/generate/generate.go
Comment thread pkg/runtime-tools/generate/generate.go
chrishenzie
chrishenzie reviewed Feb 20, 2026
View reviewed changes
Comment thread pkg/adaptation/adaptation.go
@klihub klihub force-pushed the devel/audit-logging branch from ef60131 to 6e1b91b Compare February 23, 2026 18:15
samuelkarp
samuelkarp reviewed Feb 26, 2026
View reviewed changes
Comment thread pkg/runtime-tools/generate/generate.go
Comment thread pkg/runtime-tools/generate/generate.go
Comment thread pkg/runtime-tools/generate/generate.go
@klihub klihub force-pushed the devel/audit-logging branch from 6e1b91b to fada150 Compare March 4, 2026 11:24
@klihub klihub marked this pull request as ready for review March 4, 2026 11:24
@klihub
Copy link
Copy Markdown
Member Author

klihub commented Mar 4, 2026

@mikebrow @samuelkarp @chrishenzie I tried to address/answer the initial round of review comments and took off the draft status.

chrishenzie
chrishenzie previously requested changes Mar 4, 2026
View reviewed changes
Comment thread pkg/runtime-tools/generate/generate.go Outdated
Comment thread pkg/runtime-tools/generate/generate.go Outdated
Comment thread pkg/runtime-tools/generate/generate.go Outdated
Comment thread pkg/runtime-tools/generate/generate_suite_test.go
@klihub klihub force-pushed the devel/audit-logging branch from fada150 to 0bceac6 Compare March 6, 2026 16:16
klihub added 2 commits March 6, 2026 19:15
@klihub
runtime-tools: emit audit events for OCI Spec mutation.
f9a8a9e 
Add an option for setting an external audit event logger
and use any configured logger to emit audit events as we
adjust the OCI Spec.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
@klihub
adaptation: expose source plugins for adjustments and errors.
f27ac91 
Expose owning plugins for adjustments returned by CreateContainer.
Include plugin in errors which originate from processing a request
by a plugin.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
@klihub klihub force-pushed the devel/audit-logging branch from 0bceac6 to f27ac91 Compare March 6, 2026 17:16
@klihub klihub requested a review from chrishenzie March 6, 2026 17:17
@klihub
Copy link
Copy Markdown
Member Author

klihub commented Mar 10, 2026

@chrishenzie Added test cases. PTAL.

@klihub klihub dismissed chrishenzie’s stale review March 18, 2026 08:14

PTAL after latest update.

samuelkarp
samuelkarp reviewed Apr 15, 2026
View reviewed changes
Comment thread pkg/runtime-tools/generate/generate.go

// Audit 'events' we use in logged audit messages.
const ( //nolint:revive
AuditRemoveProcessEnv = "remove environment variable"
Copy link
Copy Markdown
Member

@samuelkarp samuelkarp Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are all human-readable strings, but I think it'd actually be more valuable to have something that's closer to the actual field adjustment. For example, process.env which matches the JSON path in the OCI bundle. For being the most precise, I think we might want something as expressive as JSON Patch (RFC 6902); this could describe the exact modification that a plugin is making.

@github-project-automation github-project-automation Bot moved this to Needs Triage in Pull Request Review Apr 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@samuelkarp samuelkarp samuelkarp left review comments

@mikebrow mikebrow Awaiting requested review from mikebrow

@chrishenzie chrishenzie Awaiting requested review from chrishenzie

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

Pull Request Review
Status: Needs Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@klihub @chrishenzie @samuelkarp @mikebrow