New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docker-compose not properly passing seccomp profile #2813

Closed
hairyhenderson opened this Issue Feb 3, 2016 · 18 comments

Comments

Projects
None yet
10 participants
@hairyhenderson

hairyhenderson commented Feb 3, 2016

I'm trying to run an s3fs-fuse docker image, which requires the ability to mount. When running in Docker 1.10, I need to provide my own seccomp profile to allow mounting.

This works fine:

$ docker run -it --cap-add mknod --cap-add sys_admin --device /dev/fuse --security-opt seccomp:./my_seccomp_profile.json myimage

This docker-compose file does not:

service:
  image: myimage
  security_opt:
    - seccomp:./my_seccomp_profile.json
  devices:
    - /dev/fuse
  cap_add:
    - mknod
    - sys_admin
$ docker-compose up
ERROR: Cannot start container 4b13ef917b9f3267546e6bb8d8f226460c903e8f12a1d068aff994653ec12d0b: Decoding seccomp profile failed: invalid character '.' looking for beginning of value

If I provide a full path to the profile, I get the same error (except '/' instead of '.').

environment

$ docker version  
Client:
 Version:      1.10.0-rc3
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   08c24cc
 Built:        Tue Feb  2 23:01:16 2016
 OS/Arch:      darwin/amd64

Server:
 Version:      1.10.0-rc1
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   677c593
 Built:        Fri Jan 15 18:17:17 2016
 OS/Arch:      linux/amd64
$ docker-compose version
docker-compose version 1.6.0rc2, build 695c692
docker-py version: 1.7.0-rc3
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
@sjiveson

This comment has been minimized.

Show comment
Hide comment
@sjiveson

sjiveson Mar 2, 2016

I'm suffering from the same issue and getting the same error output. My environment details in case it's useful;

$ sudo docker version
Client:
 Version:      1.10.2
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   c3959b1
 Built:        Mon Feb 22 21:40:35 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.10.2
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   c3959b1
 Built:        Mon Feb 22 21:40:35 2016
 OS/Arch:      linux/amd64

$ sudo docker-compose version
docker-compose version 1.6.2, build 4d72027
docker-py version: 1.7.2
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013

sjiveson commented Mar 2, 2016

I'm suffering from the same issue and getting the same error output. My environment details in case it's useful;

$ sudo docker version
Client:
 Version:      1.10.2
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   c3959b1
 Built:        Mon Feb 22 21:40:35 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.10.2
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   c3959b1
 Built:        Mon Feb 22 21:40:35 2016
 OS/Arch:      linux/amd64

$ sudo docker-compose version
docker-compose version 1.6.2, build 4d72027
docker-py version: 1.7.2
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
@Rucknar

This comment has been minimized.

Show comment
Hide comment
@Rucknar

Rucknar Mar 8, 2016

Seeing this also, similar configuration to the @sjiveson

Rucknar commented Mar 8, 2016

Seeing this also, similar configuration to the @sjiveson

@endophage

This comment has been minimized.

Show comment
Hide comment
@endophage

endophage Mar 30, 2016

Confirmed here too.

endophage commented Mar 30, 2016

Confirmed here too.

@justincormack

This comment has been minimized.

Show comment
Hide comment
@justincormack

justincormack Mar 30, 2016

Member

The seccomp file is client side, and so compose needs to provide the contents of it to the API call, it is a bit unusual as a config option. See moby/moby#19060 for where this was added in engine.

Member

justincormack commented Mar 30, 2016

The seccomp file is client side, and so compose needs to provide the contents of it to the API call, it is a bit unusual as a config option. See moby/moby#19060 for where this was added in engine.

@Rucknar

This comment has been minimized.

Show comment
Hide comment
@Rucknar

Rucknar Mar 30, 2016

@justincormack Fine with that but how do we achieve this?
If i want to deploy a container through compose and enable a specific syscall, how would i achieve it?

Rucknar commented Mar 30, 2016

@justincormack Fine with that but how do we achieve this?
If i want to deploy a container through compose and enable a specific syscall, how would i achieve it?

@justincormack

This comment has been minimized.

Show comment
Hide comment
@justincormack

justincormack Mar 30, 2016

Member

I think putting seccomp:unconfined should work, but you cannot use a specific file until this is fixed.

Member

justincormack commented Mar 30, 2016

I think putting seccomp:unconfined should work, but you cannot use a specific file until this is fixed.

@Rucknar

This comment has been minimized.

Show comment
Hide comment
@Rucknar

Rucknar Mar 30, 2016

Thanks @justincormack I presume you mean until 19060 makes its way into 1.11?

Rucknar commented Mar 30, 2016

Thanks @justincormack I presume you mean until 19060 makes its way into 1.11?

@justincormack

This comment has been minimized.

Show comment
Hide comment
@justincormack

justincormack Mar 30, 2016

Member

No 19060 was just for reference as to what needs implementing, it has been in for ages. Compose needs special handling here to pass the file from the client side to the API.

Member

justincormack commented Mar 30, 2016

No 19060 was just for reference as to what needs implementing, it has been in for ages. Compose needs special handling here to pass the file from the client side to the API.

@CpuID

This comment has been minimized.

Show comment
Hide comment
@CpuID

CpuID Jul 25, 2016

Confirmed here also, any updates on when this will be resolved? Need to be able to allow the mount syscall via a custom seccomp profile for FUSE usage.

CpuID commented Jul 25, 2016

Confirmed here also, any updates on when this will be resolved? Need to be able to allow the mount syscall via a custom seccomp profile for FUSE usage.

@aanand aanand added the kind/parity label Jul 25, 2016

@justincormack

This comment has been minimized.

Show comment
Hide comment
@justincormack

justincormack Jul 25, 2016

Member

If you use docker 1.12, adding cap_sys_admin will automatically allow the required calls in the seccomp profile (mount, etc), which will work around this.

Member

justincormack commented Jul 25, 2016

If you use docker 1.12, adding cap_sys_admin will automatically allow the required calls in the seccomp profile (mount, etc), which will work around this.

@sjiveson

This comment has been minimized.

Show comment
Hide comment
@sjiveson

sjiveson Dec 19, 2016

Is that actually documented anywhere please @justincormack? Also, can we ever expect real compose support rather than a workaround?

sjiveson commented Dec 19, 2016

Is that actually documented anywhere please @justincormack? Also, can we ever expect real compose support rather than a workaround?

@justincormack

This comment has been minimized.

Show comment
Hide comment
@justincormack

justincormack Dec 19, 2016

Member

@sjiveson hmm, I thought it was documented but I cant find the docs now, will have to check and open a docs PR. Generally it is better to use this feature than to try to modify the seccomp profile, which is complicated and error prone. Since 1.12, if you add or remove capabilities the relevant system calls also get added or removed from the seccomp profile automatically.

Member

justincormack commented Dec 19, 2016

@sjiveson hmm, I thought it was documented but I cant find the docs now, will have to check and open a docs PR. Generally it is better to use this feature than to try to modify the seccomp profile, which is complicated and error prone. Since 1.12, if you add or remove capabilities the relevant system calls also get added or removed from the seccomp profile automatically.

@sjiveson

This comment has been minimized.

Show comment
Hide comment
@sjiveson

sjiveson Dec 19, 2016

Thank you. Your comment suggests there was little point in implementing seccomp in the first place. Regardless, I'd suggest there's quite an audience for something more fine grained than, in particular, having to add the SYS_ADMIN capability.

sjiveson commented Dec 19, 2016

Thank you. Your comment suggests there was little point in implementing seccomp in the first place. Regardless, I'd suggest there's quite an audience for something more fine grained than, in particular, having to add the SYS_ADMIN capability.

@justincormack

This comment has been minimized.

Show comment
Hide comment
@justincormack

justincormack Dec 19, 2016

Member

@sjiveson no its pretty useful, and protected against several exploits, but the format is not user friendly. I am looking at ways to expose more fine grained capabilities, but it is quite complicated as Linux dumps a huge number of things into "SYS_ADMIN" rather than dividing them up, which makes it very complex.

Member

justincormack commented Dec 19, 2016

@sjiveson no its pretty useful, and protected against several exploits, but the format is not user friendly. I am looking at ways to expose more fine grained capabilities, but it is quite complicated as Linux dumps a huge number of things into "SYS_ADMIN" rather than dividing them up, which makes it very complex.

@sjiveson

This comment has been minimized.

Show comment
Hide comment
@sjiveson

sjiveson Dec 19, 2016

Indeed, quite the dumping ground. Makes for a good example of technical debt.

sjiveson commented Dec 19, 2016

Indeed, quite the dumping ground. Makes for a good example of technical debt.

@asarkar

This comment has been minimized.

Show comment
Hide comment
@asarkar

asarkar Dec 19, 2016

I'm having real issues with seccomp and Couchbase (CB), so much so that I'd to revert to using an older version of CB. CB 4.5 crashes constantly after upgrading to Docker 2.13 and Compose 1.8. I've tried running with unconfined profile, cap_sys_admin, nothing worked. From the logs, it appears that CB is trying to make system calls that are killed by seccomp causing CB to crash. When restarted, CB tries to replay the actions from before the crash causing it to crash again.
IT won't let me share the logs on a public forum but I'm now beginning to question if the introduction of seccomp warranted more thought than was allotted.

asarkar commented Dec 19, 2016

I'm having real issues with seccomp and Couchbase (CB), so much so that I'd to revert to using an older version of CB. CB 4.5 crashes constantly after upgrading to Docker 2.13 and Compose 1.8. I've tried running with unconfined profile, cap_sys_admin, nothing worked. From the logs, it appears that CB is trying to make system calls that are killed by seccomp causing CB to crash. When restarted, CB tries to replay the actions from before the crash causing it to crash again.
IT won't let me share the logs on a public forum but I'm now beginning to question if the introduction of seccomp warranted more thought than was allotted.

@shin-

This comment has been minimized.

Show comment
Hide comment
@shin-

shin- Feb 13, 2018

Member

Closing in favor of #5574

Member

shin- commented Feb 13, 2018

Closing in favor of #5574

@shin- shin- closed this Feb 13, 2018

@shin- shin- added this to the 1.20.0 milestone Feb 26, 2018

@shin-

This comment has been minimized.

Show comment
Hide comment
@shin-

shin- Feb 26, 2018

Member

Fixed by #5701

Member

shin- commented Feb 26, 2018

Fixed by #5701

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment