docs: rthooks: instructions for containerd

Add instructions for contianerd (NRI) when using minikube.

Signed-off-by: Kornilios Kourtis <[email protected]>

docs/content/en/docs/installation/runtime-hooks.md

@@ -63,3 +63,79 @@ Check logs:
 $ minikube ssh 'tail -1 /opt/tetragon/tetragon-oci-hook.log'
 {"time":"2024-07-01T10:57:21.435689144Z","level":"INFO","msg":"hook request to agent succeeded","hook":"create-container","start-time":"2024-07-01T10:57:21.433755984Z","req-cgroups":"/kubepods/besteffort/podd4e74de2-0db8-4143-ae55-695b2489c727/crio-828977b42e3149b502b31708778d0c057efbce038af80d0882ed3e0cb0ff8796","req-rootdir":"/run/containers/storage/overlay-containers/828977b42e3149b502b31708778d0c057efbce038af80d0882ed3e0cb0ff8796/userdata","req-containerName":"test"}
 ```
+
+## Containerd
+
+### Setup Minikube
+
+```shell-session
+$ minikube start --driver=kvm2 --container-runtime=containerd
+$ minikube image load cilium/tetragon:latest
+$ minikube image load cilium/tetragon-operator:latest
+$ minikube image load cilium/tetragon-rthooks:latest
+$ minikube image ls | grep tetragon
+docker.io/cilium/tetragon:latest
+docker.io/cilium/tetragon-rthooks:latest
+docker.io/cilium/tetragon-operator:latest
+```
+
+Tetragon Runtime Hooks use [NRI](https://github.com/containerd/nri). NRI is [enabled by
+default](https://github.com/containerd/containerd/blob/main/docs/NRI.md#disabling-nri-support-in-containerd)
+starting from containerd version 2.0. For version 1.7, however, it needs to be enabled in the
+configuration.
+
+```shell-session
+$ minikube ssh cat /etc/containerd/config.toml > /tmp/old-config.toml
+$ ./contrib/tetragon-rthooks/tetragon-oci-hook-setup patch-containerd-conf enable-nri --config-file=/tmp/old-config.toml --output=/tmp/new-config.toml
+time=2024-07-02T11:51:52.843+02:00 level=INFO msg="written output" filename=/tmp/new-config.toml
+$ diff -u /tmp/old-config.toml /tmp/new-config.toml
+--- /tmp/old-config.toml        2024-07-02 11:51:23.893382357 +0200
++++ /tmp/new-config.toml        2024-07-02 11:51:52.841533035 +0200
+@@ -67,3 +67,11 @@
+     mutation_threshold = 100
+     schedule_delay = "0s"
+     startup_delay = "100ms"
++  [plugins."io.containerd.nri.v1.nri"]
++    disable = false
++    disable_connections = false
++    plugin_config_path = "/etc/nri/conf.d"
++    plugin_path = "/opt/nri/plugins"
++    plugin_registration_timeout = "5s"
++    plugin_request_timeout = "2s"
++    socket_path = "/var/run/nri/nri.sock"
+$ minikube cp /tmp/new-config.toml /etc/containerd/config.toml
+$ minikube ssh sudo systemctl restart containerd
+```
+
+### Install Tetragon
+
+```shell-session
+$ helm install \
+   --namespace kube-system \
+   --set tetragon.image.override=docker.io/cilium/tetragon:latest \
+   --set tetragonOperator.image.override=docker.io/cilium/tetragon-operator:latest \
+   --set rthooks.enabled=true \
+   --set rthooks.interface=nri-hook \
+   --set rthooks.image.override=docker.io/cilium/tetragon-rthooks:latest \
+   tetragon ./install/kubernetes/tetragon
+```
+
+```shell-session
+$ kubectl -n kube-system get pods | grep tetragon
+tetragon-operator-754b85cfd4-2mdd7   1/1     Running   0              24m
+tetragon-pjrsf                       2/2     Running   0              24m
+tetragon-rthooks-6g8cq               1/1     Running   0              24m
+```
+
+### Test
+
+Start a pod:
+
+```shell-session
+$ kubectl run test --image=debian  --rm -it -- /bin/bash
+```
+
+```
+$ minikube ssh 'tail -1 /opt/tetragon/tetragon-oci-hook.log'
+{"time":"2024-07-02T12:02:02.823291054Z","level":"INFO","msg":"hook request to agent succeeded","hook":"createRuntime","start-time":"2024-07-02T12:02:02.816185835Z","req-cgroups":"/kubepods/besteffort/pod9305570c-ac68-4f95-96d8-afbb138bd0b0/42469ae2c52d0ee340b550b8a07a142c9b8cc709aa8ca75b777bb00812149621","req-rootdir":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/42469ae2c52d0ee340b550b8a07a142c9b8cc709aa8ca75b777bb00812149621","req-containerName":"test"}
+```