- Task
- Resolution: Unresolved
- Normal
** Note that this is a public ticket, please refrain from adding any sensitive data. **
Currently, when capturing container information for a few rules, we use `podman exec` to get it. Exec'ing into the container uses up resources available to the container, which is a cause for concern, especially as more rules may be added in the future and cause more execs than we currently run.
For an example of the resource concern:
Note here a container with a limit set to ~100MB and currently using ~50MB:
```
[root@rhel9 ~]# cat /sys/fs/cgroup/machine.slice/libpod-011d6d6dc4ba8c7dbaa3f99ba8a1a21817e45ce78f495a22980ed241f2abea9b.scope/memory.max
104857600
[root@rhel9 ~]# cat /sys/fs/cgroup/machine.slice/libpod-011d6d6dc4ba8c7dbaa3f99ba8a1a21817e45ce78f495a22980ed241f2abea9b.scope/memory.current
4997120
```
If I run an exec and check the usage after:
```
[root@rhel9 ~]# podman exec -it memory-limit-container /bin/bash
[root@011d6d6dc4ba /]# cat /sys/fs/cgroup/memory.current
6393856
```
So even one exec of the shell uses (in this example) ~15MB of memory.
We could gather this information using host resources instead, for example:
```
[root@rhel9 1ed450b23f4b]# rpm -qa --root $(podman inspect 1ed450b23f4b | grep LowerDir | cut -d'"' -f4 | cut -d: -f1) | sort | head -n3
alternatives-1.24-1.el9.x86_64
audit-libs-3.1.2-2.el9.x86_64
basesystem-11-13.el9.noarch
[root@rhel9 1ed450b23f4b]# podman exec -it 1ed450b23f4b rpm -qa | sort | head -n3
alternatives-1.24-1.el9.x86_64
audit-libs-3.1.2-2.el9.x86_64
basesystem-11-13.el9.noarch
```
This would not rely on the constraints of any individual container and would leave all or most data collection to the host alone.
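The two host-side techniques above (reading the container's cgroup counters and querying its RPM database through the overlay lower directory), written up as an added shell example that is not part of this ticket. It assumes cgroup v2 with the `libpod-<id>.scope` path shown above and an overlay `"LowerDir"` line in `podman inspect` output; the sample inspect line at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the ticket: gather container facts from the host
# instead of exec'ing into the container.
# Assumptions: cgroup v2, cgroup path /sys/fs/cgroup/machine.slice/libpod-<id>.scope,
# and an overlay storage driver that reports "LowerDir" in `podman inspect`.

# First (topmost) lower layer from the "LowerDir" line of `podman inspect`
# output read on stdin; multiple layers are colon-separated, like the ticket's
# `grep | cut | cut` pipeline.
lowerdir_from_inspect() {
    grep '"LowerDir"' | head -n1 | cut -d'"' -f4 | cut -d: -f1
}

# Byte difference between two memory.current readings (before, after an exec).
exec_cost_bytes() {
    echo $(( $2 - $1 ))
}

# Print "<memory.max> <memory.current>" for a container, read from the host's
# cgroup tree rather than from inside the container.
container_mem() {  # $1 = container name or id
    id=$(podman inspect --format '{{.Id}}' "$1") || return 1
    cg=/sys/fs/cgroup/machine.slice/libpod-"$id".scope
    printf '%s %s\n' "$(cat "$cg/memory.max")" "$(cat "$cg/memory.current")"
}

# Query the container's RPM database using only host resources.
host_rpm_qa() {  # $1 = container name or id
    root=$(podman inspect "$1" | lowerdir_from_inspect)
    [ -n "$root" ] || return 1
    rpm -qa --root "$root" | sort
}

# Constructed sample of one "LowerDir" line from `podman inspect`, so the
# parsing can be exercised without podman installed.
SAMPLE_INSPECT='        "LowerDir": "/var/lib/containers/storage/overlay/aaaa/diff:/var/lib/containers/storage/overlay/bbbb/diff",'

demo_constructed() {
    printf '%s\n' "$SAMPLE_INSPECT" | lowerdir_from_inspect
}
```

Only the image layers live under LowerDir; packages added in the container's own writable layer (UpperDir) would not show up in `rpm -qa --root`, so compare against an in-container run once when validating a rule.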