An OCI container runtime monitor written in Rust
Latest commit: openshift-merge-bot[bot] 632a36f345, "Merge pull request #2716 from containers/dependabot/github_actions/google-github-actions/auth-3.0.0" (build(deps): bump google-github-actions/auth from 2.1.12 to 3.0.0), 2025-08-29 12:57:49 +00:00

README.md


A pod level OCI container runtime monitor.

The goal of this project is to provide a container monitor in Rust. The scope of conmon-rs encompasses the scope of the C iteration of conmon, including daemonizing, holding open the container's standard streams, and writing the exit code.

However, the goal of conmon-rs also extends past that of conmon, attempting to become a monitor for a full pod (or a group of containers). Instead of a container engine creating one conmon per container (as well as a subsequent conmon per container exec), the engine will spawn a conmon-rs instance when a pod is created. That instance will listen over a UNIX domain socket for new requests to create containers and to exec processes within them.

Obtain the latest version

We provide statically linked binaries for every successfully built commit on main via our Google Cloud Storage Bucket. Our provided get script can be used to download the latest version:

> curl https://raw.githubusercontent.com/containers/conmon-rs/main/scripts/get | bash

It is also possible to select a specific git SHA or the output binary path by:

> curl https://raw.githubusercontent.com/containers/conmon-rs/main/scripts/get | \
>     bash -s -- -t $GIT_SHA -o $OUTPUT_PATH

The script automatically verifies the created sigstore signatures if the local system has cosign available in its $PATH.
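Because the get script only verifies the sigstore signatures when cosign happens to be in $PATH, an installer that should never run unverified has to check for cosign itself. The following wrapper is an added example, not part of the conmon-rs scripts; it reuses the get script's -t and -o options from above and assumes the script's URL is the one shown there.

```shell
#!/bin/sh
# Wrapper around the conmon-rs get script that refuses to install when
# cosign is missing, so the sigstore signature check is never skipped.
set -eu

# URL of the upstream get script (taken from the README above).
GET_SCRIPT_URL="https://raw.githubusercontent.com/containers/conmon-rs/main/scripts/get"

# Returns 0 if cosign is available in PATH, 1 otherwise.
have_cosign() {
  command -v cosign >/dev/null 2>&1
}

# Usage: fetch_conmon_rs OUTPUT_PATH [GIT_SHA]
# Downloads the statically linked binary through the get script, but
# only when cosign is present to verify it. Returns 1 and writes
# nothing when cosign is missing (fail closed instead of silently
# skipping verification).
fetch_conmon_rs() {
  output_path="$1"
  git_sha="${2:-}"

  if ! have_cosign; then
    echo "cosign not found in PATH; refusing unverified download" >&2
    return 1
  fi

  # Build the argument list understood by the get script (-o, -t).
  set -- -o "$output_path"
  if [ -n "$git_sha" ]; then
    set -- "$@" -t "$git_sha"
  fi

  curl -fsSL "$GET_SCRIPT_URL" | bash -s -- "$@"
}
```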

More information about how to use conmon-rs can be found in the usage documentation.

If you want to create a new conmon-rs release, please refer to the release documentation.

Architecture

The whole application consists of two main components:

  1. The Rust server: conmon-rs/server (docs)
  2. A golang client: pkg/client (docs)

The golang client should act as the main interface: it takes care of creating the server instance via the Command Line Interface (CLI) as well as communicating with the server via Cap'n Proto. The client itself hides the raw Cap'n Proto parts and exposes dedicated golang structures to provide a clean API surface.

The following flow chart explains the client and container creation process:

Goals

  • Single conmon per pod (post MVP/stretch)
  • Keeping RSS under 3-4 MB
  • Support exec without respawning a new conmon
  • API with RPC to make it extensible (should support golang clients)
  • Act as pid namespace init
  • Join network namespace to solve running hooks inside the pod context
  • Use pidfds (it doesn't support getting exit code today, though)
  • Use io_uring
  • Plugin support for seccomp notification
  • Logging rate limiting (double buffer?)
  • Stats
  • IPv6 port forwarding

Future development

In the future, conmon-rs may:

  • Be extended to mirror the functionality for each runtime operation.
    • Thus reducing the amount of exec calls that must happen in the container engine, and reducing the amount of memory it uses.
  • Be in charge of configuring the namespaces for the pod
    • Taking over functionality that pinns has historically done.