Container-Explorer

Container-Explorer is a tool to explore a containerd installation on a mounted image.

Container-Explorer attempts to provide exploration functionality similar to that of the ctr utility.

Container-Explorer provides the following options:

  • Explore namespaces
  • Explore containers
  • Explore snapshots
  • Explore images
  • Explore contents
  • Mount container

Usage

Using Virtual Machine Image

Container-Explorer can explore an offline containerd installation by using the command-line switch --image-root, which
refers to the location of the mounted image containing containerd. The section below shows the container-explorer
commands:

  1. Mount the image containing containerd

# sudo mount -o ro /mnt/tags/tag001 /mnt/cases/case001

  2. Run container-explorer commands to explore containers

# container-explorer --image-root /mnt/cases/case001 list namespaces
# container-explorer --image-root /mnt/cases/case001 list containers
# container-explorer --image-root /mnt/cases/case001 list snapshots
# container-explorer --image-root /mnt/cases/case001 list images
# container-explorer --image-root /mnt/cases/case001 list contents

  3. Identify the container that needs investigation. Note the container ID and namespace, then mount the container

# sudo container-explorer -n <namespace> --image-root /mnt/cases/case001 mount <container_id> /mnt/container

NOTE: container-explorer assumes that the mount point /mnt/container already exists.

  4. Perform analysis of the mounted container
  5. Unmount the mounted container

# sudo umount /mnt/container
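The procedure above as one wrapper script, added here as an example and not part of container-explorer or its README. It assumes container-explorer is on PATH, takes the image file, namespace and container ID from the command line, and uses the README's placeholder mount points. Beyond the listed commands it adds what an analyst wants before touching evidence: it checks that each mount point exists and is empty (the NOTE above: the tool does not create /mnt/container), mounts the image with ro,nosuid,nodev,noexec, rejects container IDs that look like options or paths, and unmounts everything when the analysis shell is left.

```shell
#!/bin/sh
# Added example, not part of container-explorer: wrapper for the
# mount / list / mount-container / analyse / unmount procedure above.
# Assumes container-explorer is on PATH; the two mount points are the
# README's placeholder paths.
set -eu

CASE_ROOT=/mnt/cases/case001   # where the evidence image gets mounted
CONTAINER_MNT=/mnt/container   # where the container root filesystem gets mounted

# A mount point must exist (container-explorer does not create it, see the
# NOTE above) and should be empty so nothing is hidden underneath the mount.
check_mountpoint() {
    dir=$1
    [ -d "$dir" ] || { echo "mount point $dir does not exist" >&2; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "mount point $dir is not empty" >&2; return 1; }
}

# Accept only plain container IDs: nothing that looks like an option or a path.
valid_container_id() {
    case $1 in
        ''|-*|*/*|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Unmount in reverse order; "|| true" keeps going if one was never mounted.
cleanup() {
    sudo umount "$CONTAINER_MNT" 2>/dev/null || true
    sudo umount "$CASE_ROOT" 2>/dev/null || true
}

# Mount the evidence image read-only; nosuid/nodev/noexec keep anything in it from running.
mount_image_ro() {
    check_mountpoint "$2"
    sudo mount -o ro,nosuid,nodev,noexec "$1" "$2"
}

# Run every "list" subcommand shown above against the mounted image.
list_all() {
    for what in namespaces containers snapshots images contents; do
        echo "== $what =="
        container-explorer --image-root "$1" list "$what"
    done
}

# Mount one container's root filesystem: <image-root> <namespace> <container-id> <dest>
mount_container() {
    valid_container_id "$3" || { echo "refusing container id: $3" >&2; return 1; }
    check_mountpoint "$4"
    sudo container-explorer -n "$2" --image-root "$1" mount "$3" "$4"
}

# Only runs when invoked as: sh explore.sh run <image-file> <namespace> <container-id>
if [ "${1:-}" = "run" ]; then
    IMAGE=$2; NS=$3; CID=$4
    trap cleanup EXIT INT TERM
    mount_image_ro "$IMAGE" "$CASE_ROOT"
    list_all "$CASE_ROOT"
    mount_container "$CASE_ROOT" "$NS" "$CID" "$CONTAINER_MNT"
    echo "container $CID mounted at $CONTAINER_MNT; exit this shell to unmount everything"
    "${SHELL:-/bin/sh}"   # analysis happens here; leaving the shell triggers cleanup
fi
```

Leaving the nested shell (or any signal that ends the script) runs cleanup, so the container and the image are unmounted in the right order even if the analysis is interrupted.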

Using containerd Directory

containerd uses /var/lib/containerd as its default directory. An analyst can copy
/var/lib/containerd and use the copy for analysis.

The commands below show how container-explorer analyses a copied directory:

# container-explorer -c test_data/var/lib/containerd list namespaces
# container-explorer -n default -c test_data/var/lib/containerd mount nginx-demo /tmp/mnt/case01

Using bolt Databases

containerd stores its information in bolt (https://pkg.go.dev/go.etcd.io/bbolt) databases.
containerd uses the following two databases:

  • /var/lib/containerd/io.containerd.metadata.v1.bolt/meta.db
  • /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/metadata.db

An analyst can use the following container-explorer command to explore containerd settings directly from the two databases.

# container-explorer -m test_data/meta.db -s test_data/metadata.db list namespaces
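Before pointing container-explorer at a copied containerd directory or at the two databases with -m and -s, it is worth confirming that the copied files really are bolt databases; a truncated or partial copy otherwise looks like an empty containerd. The script below is an added example, not part of container-explorer: it locates the two databases under either a copied containerd directory or a mounted image root, checks the bolt magic number in each file's first page (bbolt's on-disk layout: a 16-byte page header followed by the uint32 magic 0xED0CDAED, little-endian), and prints the container-explorer command from the section above. The directory names are the README's; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not part of container-explorer: locate containerd's two
# bolt databases and verify each is a bolt file before using -m / -s.
set -eu

# Relative paths of the two databases, as listed above.
META_DB_REL=io.containerd.metadata.v1.bolt/meta.db
SNAP_DB_REL=io.containerd.snapshotter.v1.overlayfs/metadata.db

# bbolt page 0 is a meta page: a 16-byte page header, then the uint32 magic
# 0xED0CDAED, which little-endian on disk reads ed da 0c ed.
is_bolt_db() {
    f=$1
    [ -f "$f" ] || return 1
    magic=$(od -An -tx1 -j16 -N4 "$f" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "edda0ced" ]
}

# Accept either a containerd directory or an image root holding var/lib/containerd.
containerd_dir() {
    if [ -d "$1/var/lib/containerd" ]; then
        echo "$1/var/lib/containerd"
    else
        echo "$1"
    fi
}

# Verify both databases and print the container-explorer command to run.
# Fails on a missing, truncated or wrong file instead of letting it pass as "no data".
containerd_db_cmd() {
    dir=$(containerd_dir "$1")
    meta="$dir/$META_DB_REL"
    snap="$dir/$SNAP_DB_REL"
    for f in "$meta" "$snap"; do
        is_bolt_db "$f" || { echo "not a bolt database (missing, truncated or wrong file): $f" >&2; return 1; }
    done
    echo "container-explorer -m '$meta' -s '$snap' list namespaces"
}

# Only runs when invoked as: sh check_dbs.sh check <containerd-dir-or-image-root>
if [ "${1:-}" = "check" ] && [ $# -eq 2 ]; then
    containerd_db_cmd "$2"
fi
```

The check is deliberately limited to the magic number: it catches the common collection mistakes (an empty or partially copied file, or a different file copied under the same name) without parsing the database, which is container-explorer's job.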

Running Tests

The script run_test.sh runs container-explorer tests on sample containerd data generated by using containerd-specimens (https://github.com/dfirlabs/containerd-specimens).

  1. Clone container-explorer and containerd-specimens

$ git clone https://github.com/google/container-explorer
$ git clone https://github.com/dfirlabs/containerd-specimens

  2. Change directory to containerd-specimens

$ cd containerd-specimens

  3. Run the generate-specimens.sh script to generate test data

$ sudo bash generate-specimens.sh

NOTE: If the script generate-specimens.sh does not generate test data,
you can run reset-containerd.sh to uninstall and reinstall the containerd package.

!!WARNING!!: reset-containerd.sh deletes existing containers. Please use it carefully.

  4. Change directory to container-explorer

$ cd ../container-explorer

  5. Run the container-explorer test script run_test.sh

$ sudo bash run_test.sh
