fix(cli/clistat): improve detection of container environment (#8643)

johnstcn · web-flow · commit fd372f673582 · 2023-07-21T10:18:56.000Z
Use the presence of /var/run/secrets/kubernetes.io/serviceaccount/token to determine if we are in a container in addition to sniffing /proc/1/cgroup
diff --git a/cli/clistat/cgroup.go b/cli/clistat/cgroup.go
@@ -338,7 +338,7 @@ func readInt64Prefix(fs afero.Fs, path, prefix string) (int64, error) {
 
 	scn := bufio.NewScanner(bytes.NewReader(data))
 	for scn.Scan() {
-		line := scn.Text()
+		line := strings.TrimSpace(scn.Text())
 		if !strings.HasPrefix(line, prefix) {
 			continue
 		}
diff --git a/cli/clistat/container.go b/cli/clistat/container.go
@@ -10,8 +10,9 @@ import (
 )
 
 const (
-	procMounts    = "/proc/mounts"
-	procOneCgroup = "/proc/1/cgroup"
+	procMounts                           = "/proc/mounts"
+	procOneCgroup                        = "/proc/1/cgroup"
+	kubernetesDefaultServiceAccountToken = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec
 )
 
 // IsContainerized returns whether the host is containerized.
@@ -38,6 +39,14 @@ func IsContainerized(fs afero.Fs) (ok bool, err error) {
 		}
 	}
 
+	// Sometimes the above method of sniffing /proc/1/cgroup isn't reliable.
+	// If a Kubernetes service account token is present, that's
+	// also a good indication that we are in a container.
+	_, err = afero.ReadFile(fs, kubernetesDefaultServiceAccountToken)
+	if err == nil {
+		return true, nil
+	}
+
 	// Last-ditch effort to detect Sysbox containers.
 	// Check if we have anything mounted as type sysboxfs in /proc/mounts
 	mountsData, err := afero.ReadFile(fs, procMounts)

Original file line number	Diff line number	Diff line change
`@@ -338,7 +338,7 @@ func readInt64Prefix(fs afero.Fs, path, prefix string) (int64, error) {`
`338`	`338`
`339`	`339`	`scn := bufio.NewScanner(bytes.NewReader(data))`
`340`	`340`	`for scn.Scan() {`
`341`		`- line := scn.Text()`
	`341`	`+ line := strings.TrimSpace(scn.Text())`
`342`	`342`	`if !strings.HasPrefix(line, prefix) {`
`343`	`343`	`continue`
`344`	`344`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,9 @@ import (`
`10`	`10`	`)`
`11`	`11`
`12`	`12`	`const (`
`13`		`- procMounts = "/proc/mounts"`
`14`		`- procOneCgroup = "/proc/1/cgroup"`
	`13`	`+ procMounts = "/proc/mounts"`
	`14`	`+ procOneCgroup = "/proc/1/cgroup"`
	`15`	`+ kubernetesDefaultServiceAccountToken = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec`
`15`	`16`	`)`
`16`	`17`
`17`	`18`	`// IsContainerized returns whether the host is containerized.`
`@@ -38,6 +39,14 @@ func IsContainerized(fs afero.Fs) (ok bool, err error) {`
`38`	`39`	`}`
`39`	`40`	`}`
`40`	`41`
	`42`	`+ // Sometimes the above method of sniffing /proc/1/cgroup isn't reliable.`
	`43`	`+ // If a Kubernetes service account token is present, that's`
	`44`	`+ // also a good indication that we are in a container.`
	`45`	`+ _, err = afero.ReadFile(fs, kubernetesDefaultServiceAccountToken)`
	`46`	`+ if err == nil {`
	`47`	`+ return true, nil`
	`48`	`+ }`
	`49`	`+`
`41`	`50`	`// Last-ditch effort to detect Sysbox containers.`
`42`	`51`	`// Check if we have anything mounted as type sysboxfs in /proc/mounts`
`43`	`52`	`mountsData, err := afero.ReadFile(fs, procMounts)`