How to add SYS_PTRACE Linux Kernel Capability

To optimize and secure your application, RapidFort must observe the runtime behavior of the application and create a profile/Real BOM (RBOM) that lists only those software components required by your application. To enable runtime observation, the SYS_PTRACE Linux kernel capability must be added.

Note: A stub image is your original application image instrumented by RapidFort to trace the runtime behavior and generate the runtime profile.

In this section, we will learn how to add SYS_PTRACE when deploying the stub image.

For more information on SYS_PTRACE, please view the capabilities(7) Linux manual page.

During initialization, the stub image will detect if SYS_PTRACE has been added. If SYS_PTRACE has not been added, the stub image will fail to run.

Adding SYS_PTRACE

Docker

Add --cap-add=SYS_PTRACE to the docker run command.

docker run --cap-add=SYS_PTRACE <flags> <stub image>

For example:

docker run --cap-add=SYS_PTRACE -p9999:80 --name=nginx-rf-test docker.io/library/nginx:latest-rfstub

For more information, please view the Docker run reference.

Docker-Compose

Add a cap_add section containing a SYS_PTRACE list item to the service in the Compose YAML file.

cap_add:
  - SYS_PTRACE

For more information, please view the Docker-Compose specification.

Kubernetes

Add a securityContext section to the container spec in the Kubernetes manifest file.

securityContext:
  capabilities:
    add: ["SYS_PTRACE"]
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false

allowPrivilegeEscalation and readOnlyRootFilesystem are not directly related to adding SYS_PTRACE, but these are required for RapidFort to trace the runtime behavior of the stub image and must also be specified in the securityContext when deploying the stub image.

For more information, please view the Kubernetes documentation.

AWS Fargate

Add a "capabilities" section to the "linuxParameters" section of the container definition in the AWS Fargate task definition.

"linuxParameters": {
  "capabilities": {
    "add": [
      "SYS_PTRACE"
    ]
  }
}

For more information, please view the Amazon Elastic Container Service KernelCapabilities documentation.