Is it possible to pass mounts to host-container

[dpavlov-smartling]

Use-case:
I am researching the way to use Osquery audit software on the Bottlerocket.
The idea is to run Osquery as a host-container and mount files and folders that should be monitored. For example:

  -v /etc/passwd:/etc/passwd:ro \
  -v /etc/group:/etc/group:ro \
  -v /etc/shadow:/etc/shadow:ro \
  -v /etc/os-release:/etc/os-release \

The reason to run it as a host-container is that we want to make sure that audit syb-system works even if server didn't join ECS cluster.
I can see that host-container gets a lot of mounts by default like /.bottlerocket/rootfs, etc. But I don't see the way to modify the list of the default mounts.

Thanks,

[KCSesh]

Today it is not possible to pass custom mount points to host-containers.
This is something that would require changes in host-ctr if we were to consider something like that.

I am seeing a possible feature request here - but it would need some design and discussion tied to this.

[bcressey]

I can see that host-container gets a lot of mounts by default like /.bottlerocket/rootfs, etc.

/.bottlerocket/rootfs will also show all the other mounts and files on the host, so for example /etc/passwd is available under /.bottlerocket/rootfs/etc/passwd.

If you wanted, you could have your default entry point script set up bind mounts to the expected locations for these files prior to executing osquery. However, since the distro inside the container also needs these files (e.g. to show owner and group names in a directory listing), there's potential for some confusing behavior or bugs.

One alternative is to have your host container execute the program inside the root filesystem:

# using chroot
chroot /.bottlerocket/rootfs /some/path/to/osquery

# entering the host namespaces as seen from PID 1
nsenter -t 1 -a -- /some/path/to/osquery

(This would work best if osquery was a fully static binary that didn't make assumptions about shared libraries or other files on the host.)