On 2021-09-19 09:56+0200, Thomas Weißschuh wrote:
> On 2021-09-18T11:47-0700, Andy Lutomirski wrote:
> > But I admit I’m a bit confused. What exactly is the container doing that
> > causes the container’s copy of modprobe to be called?
>
> The container is running an instance of the docker daemon in swarm mode.
> That needs the "ip_vs" module (amongst others) and explicitly tries to load it
> via modprobe.

If somebody stumbles upon this specific issue:

The "ip_vs" module will be autoloaded in future kernel versions with
https://lore.kernel.org/lkml/20211021130255.4177-1-linux@xxxxxxxxxxxxxx/ applied.

> > > If so the seccomp notifier can be used to intercept this system call for
> > > the container and verify the module against an allowlist similar to how
> > > we currently handle mount.
> > >
> > > Christian
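The approach Christian sketches in the quoted text, trapping the module-load syscall with the seccomp user notifier and checking the requested module against an allowlist, as an added example that is not part of the thread and not code from any kernel, LXC or Docker project. It assumes Linux 5.6 or later (SECCOMP_IOCTL_NOTIF_*, pidfd_getfd), root for the supervisor, and a made-up allowlist and module path; the child stands in for the container's modprobe, and the supervisor performs the finit_module(2) itself on a copy of the child's fd rather than telling the kernel to continue the child's call.

```c
/* Added example, not code from the thread or any project: a seccomp user-
 * notification supervisor that traps finit_module(2) from a sandboxed child,
 * checks the module against an allowlist and does the load itself, so the child
 * cannot swap the fd after the check (the "act on the container's behalf"
 * pattern the thread cites for mount). Needs Linux >= 5.6 and root; the
 * allowlist and the path /lib/modules/ip_vs.ko are made up. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __NR_pidfd_getfd   /* older libc headers; the numbers are arch-independent */
#define __NR_pidfd_open 434
#define __NR_pidfd_getfd 438
#endif
static const char *allowlist[] = { "ip_vs", "ip_vs_rr", "nf_conntrack", NULL };

/* Policy check on the path behind the fd: ".../ipvs/ip-vs.ko.zst" -> "ip_vs"
 * (drop the directory, ".ko" and any compression suffix, fold '-' to '_' as
 * modprobe does when matching names), then look the name up. 1 = allowed. */
int module_allowed(const char *path)
{
    const char *base = strrchr(path, '/'), *end = NULL; char name[64];
    base = base ? base + 1 : path;
    for (const char *p = base; (p = strstr(p, ".ko")) != NULL; p++)
        if (p[3] == '\0' || p[3] == '.') { end = p; break; }
    size_t len = end ? (size_t)(end - base) : strlen(base);
    if (len == 0 || len >= sizeof name) return 0;
    for (size_t i = 0; i < len; i++) name[i] = base[i] == '-' ? '_' : base[i];
    name[len] = '\0';
    for (const char **a = allowlist; *a; a++)
        if (strcmp(*a, name) == 0) return 1;
    return 0;
}

/* Trap finit_module, allow the rest (a real filter also checks data.arch). */
static int install_filter(void)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_finit_module, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}

/* Serve one request: copy the target's fd with pidfd_getfd so a racing dup2()
 * in the target cannot change what we inspect, confirm the request is still
 * live, then load or refuse on its behalf. (The param string at args[1] is
 * dropped here; a real supervisor copies it out of /proc/<pid>/mem first.) */
static int serve_one(int lfd, struct seccomp_notif *req, struct seccomp_notif_resp *resp)
{
    char link[64], path[PATH_MAX] = "";
    int pidfd = (int)syscall(__NR_pidfd_open, req->pid, 0), err = -EPERM;
    int mfd = pidfd < 0 ? -1 : (int)syscall(__NR_pidfd_getfd, pidfd, (int)req->data.args[0], 0);
    snprintf(link, sizeof link, "/proc/self/fd/%d", mfd);
    if (mfd >= 0 && readlink(link, path, sizeof path - 1) > 0 &&
        ioctl(lfd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req->id) == 0 && module_allowed(path))
        err = syscall(__NR_finit_module, mfd, "", (int)req->data.args[2]) == 0 ? 0 : -errno;
    resp->id = req->id; resp->error = err; resp->val = 0; resp->flags = 0;
    if (mfd >= 0) close(mfd); if (pidfd >= 0) close(pidfd);
    return ioctl(lfd, SECCOMP_IOCTL_NOTIF_SEND, resp);
}

int main(void)
{
    int pfd[2], child_lfd = -1, status;
    struct seccomp_notif req = { 0 }; struct seccomp_notif_resp resp = { 0 };
    if (pipe(pfd)) return 1;
    pid_t pid = fork();
    if (pid == 0) {                                   /* the "container" side */
        int lfd = install_filter();
        if (write(pfd[1], &lfd, sizeof lfd) != sizeof lfd || lfd < 0) _exit(2);
        int fd = open("/lib/modules/ip_vs.ko", O_RDONLY | O_CLOEXEC);  /* hypothetical */
        _exit(syscall(__NR_finit_module, fd, "", 0) == 0 ? 0 : errno); /* exactly one call */
    }
    close(pfd[1]);
    if (read(pfd[0], &child_lfd, sizeof child_lfd) != sizeof child_lfd || child_lfd < 0) return 1;
    /* Pull the listener out of the child with pidfd_getfd instead of SCM_RIGHTS. */
    int lfd = (int)syscall(__NR_pidfd_getfd, (int)syscall(__NR_pidfd_open, pid, 0), child_lfd, 0);
    if (lfd < 0 || ioctl(lfd, SECCOMP_IOCTL_NOTIF_RECV, &req) != 0) { kill(pid, SIGKILL); return 1; }
    serve_one(lfd, &req, &resp);
    waitpid(pid, &status, 0);
    printf("child's finit_module returned: %s\n", strerror(WEXITSTATUS(status)));
    return 0;
}
```

Build with `gcc -o modsup modsup.c` and run as root; with the made-up path the child's open() fails, the supervisor refuses, and the child sees EPERM, while a real path under /lib/modules whose name is on the list gets loaded by the supervisor. Two caveats a deployment needs beyond this sketch: answering the allowed case with SECCOMP_USER_NOTIF_FLAG_CONTINUE instead of loading in the supervisor would let a second thread in the container dup2() another file over the fd between the check and the real syscall, which is why the kernel's seccomp documentation warns against using CONTINUE for security policy; and the file name only records what modprobe asked for, since the module's real name lives inside the ELF image, so the supervisor should additionally require the file to come from the host's own trusted module directory (or rely on enforced module signatures) rather than trust the basename alone. init_module(2), which takes the image from memory and carries no fd, is not covered here; modern modprobe uses finit_module where the kernel supports it.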