I’m trying to find a way to perform a memory dump on a docker container in order to perform memory forensics (to detect malware exploits for example). I would like to be able to perform the same methods I use on a virtual machine. The problem is that docker containers (and any kind of linux containers) use memory in a different way – containers share resources, use namespaces and cgroups…
I’d like to program a tool that performs this but am a bit lost as to where to begin.
How would one approach this problem?
Thanks in advance!
Answer
These days you can use the experimental Docker feature checkpoint and restore: https://github.com/boucher/docker/blob/cr-combined/experimental/checkpoint_restore.md.
There is a howto available at https://criu.org/Docker.
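As an added illustration of the approach the answer points to (not code from the original post, the CRIU project, or Docker), the script below checkpoints a running container with `docker checkpoint create` and then scans the dumped memory pages for a string. It assumes the Docker daemon is started with `"experimental": true`, that `criu` is installed on the host, and that a checkpoint created with `--checkpoint-dir DIR` lands in `DIR/<checkpoint-name>/`; the container and checkpoint names are placeholders. CRIU writes each process's raw memory as `pages-N.img` (4096-byte pages, no header), with `pagemap-N.img` recording which virtual addresses those pages came from, which is what a memory-forensics tool would parse.

```shell
#!/bin/sh
# Checkpoint a container with Docker's experimental CRIU integration and
# scan the dumped memory pages. Added example; names and paths are assumptions.

set -u

# Checkpoint container NAME as CPNAME under DIR without stopping it.
# Needs: dockerd with "experimental": true, criu on the host.
checkpoint_container() {
    name=$1; cpname=$2; dir=$3
    docker checkpoint create --leave-running --checkpoint-dir "$dir" "$name" "$cpname"
}

# List CRIU page images under DIR. CRIU stores raw 4096-byte pages in
# pages-N.img; pagemap-N.img maps them back to virtual addresses.
page_images() {
    dir=$1
    find "$dir" -type f -name 'pages-*.img' | sort
}

# Count page images containing PATTERN as a literal byte string (an IOC such
# as a C2 hostname). Prints the count on stdout, match details on stderr,
# and returns 0 only when at least one image matched.
scan_pages() {
    dir=$1; pattern=$2
    hits=0
    for img in $(page_images "$dir"); do
        if grep -a -q -F -- "$pattern" "$img"; then
            echo "match in $img" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
    [ "$hits" -gt 0 ]
}

# Usage: ./dump_scan.sh CONTAINER CPNAME DIR PATTERN
# (assumes the checkpoint is written to DIR/CPNAME)
main() {
    checkpoint_container "$1" "$2" "$3"
    scan_pages "$3/$2" "$4"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because `docker checkpoint create` stops the container unless `--leave-running` is given, the flag matters when the goal is to inspect a suspect workload without tipping it off; note that the checkpoint also captures open files and sockets, so the directory should be treated as sensitive evidence.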