
security_opt seems to be doing nothing #5169


Closed
Dragon-Creature opened this issue Sep 4, 2017 · 8 comments

Comments

Dragon-Creature commented Sep 4, 2017

I need to be able to fork a process. As I understand it, I need to set the security-opt. I have tried doing this with the docker command and it works fine. However, when I do this in a docker-compose file it seems to do nothing; maybe I'm not using compose right.

Docker

docker run --security-opt=seccomp:unconfined <id> dlv debug --listen=:2345 --headless --log ./cmd/main.go

Docker-compose

Setup

docker-compose.yml

networks:
  backend:

services:
  example:
    build: .
    security_opt:
      - seccomp:unconfined
    networks:
      - backend
    ports:
      - "5002:5002"

Dockerfile

FROM golang:1.8

RUN go get -u github.com/derekparker/delve/cmd/dlv
RUN dlv debug --listen=:2345 --headless --log ./cmd/main.go

Command

docker-compose -f docker-compose.yml up --build --abort-on-container-exit

Result

2017/09/04 15:58:33 server.go:73: Using API v1
2017/09/04 15:58:33 debugger.go:97: launching process with args: [/go/src/debug]
could not launch process: fork/exec /go/src/debug: operation not permitted

shin- commented Sep 5, 2017

This example works fine for me:

version: '2.3'
networks:
  backend:

services:
  example:
    build: .
    command: "dlv debug --listen=:2345 --headless --log /cmd/main.go"
    security_opt:
      - seccomp:unconfined
    networks:
      - backend
    ports:
      - "5002:5002"

$ docker-compose up --build
Building example
Step 1/3 : FROM golang:1.8
 ---> ec1b36e59395
Step 2/3 : RUN go get -u github.com/derekparker/delve/cmd/dlv
 ---> Using cache
 ---> 2b1b7437a07b
Step 3/3 : COPY . /
 ---> fdedd0dac806

Successfully built fdedd0dac806
Successfully tagged repro5169_example:latest
Recreating repro5169_example_1 ... 
Recreating repro5169_example_1 ... done
Attaching to repro5169_example_1
example_1  | 2017/09/05 19:44:51 server.go:73: Using API v1
example_1  | 2017/09/05 19:44:51 debugger.go:97: launching process with args: [/go/debug]
example_1  | API server listening at: [::]:2345

Try checking the output of docker inspect on your container - is the SecurityOpt field set properly?
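A way to do the check shin- suggests across every container at once, as an added example that is not part of this thread or of Compose: the script below parses the JSON array that `docker inspect` prints (a constructed sample is embedded so it runs offline; the container names and values are made up) and reports, per container, whether SecurityOpt really carries seccomp:unconfined and which other relaxations of the default sandbox (apparmor:unconfined, added capabilities, privileged mode) are in effect. Running it over `docker inspect $(docker ps -q)` output on a host is also a quick way to find containers that someone left unconfined after a debugging session.

```python
import json

# Constructed sample shaped like the JSON array `docker inspect <container...>`
# prints. Names and values are made up for this example; only the field layout
# (HostConfig.SecurityOpt / CapAdd / Privileged) mirrors real output.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/repro5169_example_1",
        "HostConfig": {
            "Privileged": False,
            "CapAdd": ["SYS_PTRACE"],
            "SecurityOpt": ["seccomp:unconfined", "apparmor:unconfined"],
        },
    },
    {
        "Name": "/mynginx",
        "HostConfig": {
            "Privileged": False,
            "CapAdd": None,        # Docker emits null when nothing was added
            "SecurityOpt": None,
        },
    },
])


def _normalise(opt):
    """Docker accepts both 'seccomp:unconfined' and 'seccomp=unconfined';
    fold the separator so either spelling compares equal."""
    return opt.replace("=", ":", 1).strip().lower()


def has_security_opt(container, wanted):
    """True if the container's HostConfig.SecurityOpt contains `wanted`."""
    opts = (container.get("HostConfig") or {}).get("SecurityOpt") or []
    return _normalise(wanted) in {_normalise(o) for o in opts}


def audit_container(container):
    """List the ways this container's sandbox is weaker than Docker's defaults."""
    host = container.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    for opt in host.get("SecurityOpt") or []:
        n = _normalise(opt)
        if n in ("seccomp:unconfined", "apparmor:unconfined"):
            findings.append("sandbox disabled: " + n)
    for cap in host.get("CapAdd") or []:
        findings.append("capability added: " + cap)
    return findings


def audit_inspect_output(raw_json):
    """Map container name -> findings for every object in a `docker inspect` dump."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(raw_json)}


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) > inspect.json, then pass that
    # file's contents instead of SAMPLE_INSPECT.
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["default sandbox"])
```

If the container you expected to be unconfined shows an empty finding list, Compose did not apply the setting (wrong service block, a stale container that was not recreated, or an override file winning), which is a different problem from the one in the next comments, where the setting is present but the traced program still fails.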

shin- commented Sep 26, 2017

Closing, but feel free to update if you're still having issues.

shin- closed this as completed Sep 26, 2017
@trevorglick

@shin- I am trying to run strace within a docker container and this used to work, but now I am getting

strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted
+++ exited with 1 +++

When I inspect the container I do see that it's set properly:

"SecurityOpt": [ "seccomp:unconfined" ],

I have this on my containers block under docker-compose.yml:

security_opt:
  - seccomp:unconfined

Thoughts?

shin- commented Mar 1, 2018

@Hudspeth You might need

cap_add:
  - SYS_PTRACE

as well, according to moby/moby#21051
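Related to the cap_add advice above and the moby/moby#21051 thread it cites: seccomp:unconfined switches off syscall filtering for the whole container, while what a debugger needs is usually just ptrace and a couple of related calls. The script below is an added example, not part of this issue or of Compose or Docker. It takes a seccomp profile in Docker's JSON format (a constructed miniature is embedded so it runs offline; in practice you would load Docker's default.json) and produces a copy that additionally allows a named list of syscalls, so the container can run dlv or strace under a profile that is otherwise still the default. The syscall list is an assumption for the example; check what your tracer actually needs.

```python
import copy
import json

# Constructed miniature of a Docker seccomp profile (same shape as Docker's
# default.json: a defaultAction plus a list of syscall rules). A real profile
# lists hundreds of syscalls; this one is only big enough to show the logic.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "execve", "clone", "exit_group"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        # conditional rule: only personality(0) is allowed
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
        # rule that applies only while the container holds a capability
        {"names": ["reboot"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_BOOT"]}},
    ],
}

# Syscalls a tracer such as dlv or strace relies on. Assumed list for this
# example; verify against your own debugger before relying on it.
DEBUGGER_SYSCALLS = ["ptrace", "process_vm_readv", "process_vm_writev"]


def allowed_syscalls(profile):
    """Names the profile allows unconditionally (no args/includes/excludes)."""
    names = set()
    for rule in profile.get("syscalls", []):
        conditional = rule.get("args") or rule.get("includes") or rule.get("excludes")
        if rule.get("action") == "SCMP_ACT_ALLOW" and not conditional:
            names.update(rule.get("names", []))
    return names


def allow_syscalls(profile, names):
    """Return (new_profile, added): a deep copy of `profile` that additionally
    allows `names`, plus the subset that was not already allowed.
    The input profile is left untouched."""
    new = copy.deepcopy(profile)
    already = allowed_syscalls(new)
    added = [n for n in names if n not in already]
    if added:
        new.setdefault("syscalls", []).append(
            {"names": added, "action": "SCMP_ACT_ALLOW", "args": []})
    return new, added


def render(profile):
    """Serialise in the indented JSON form Docker's profiles use."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    # Real use: with open("default.json") as f: profile = json.load(f)
    debug_profile, added = allow_syscalls(SAMPLE_PROFILE, DEBUGGER_SYSCALLS)
    print("added:", added)
    print(render(debug_profile))
```

Save the output as, for example, seccomp-debug.json and pass it with `docker run --security-opt seccomp=seccomp-debug.json`; Compose's security_opt entry takes the same value. Two caveats a practitioner would want: adding a syscall to the allow list does not grant the capability the kernel may also require (hence the cap_add SYS_PTRACE above), and Docker 19.03 and later already allow ptrace in the default profile on kernels 4.8 and newer, so on a current engine cap_add alone is often enough and no profile change is needed.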

trevorglick commented Mar 1, 2018

Now I have:

core-app:
  environment:
    <<: *default_environment
  expose:
    - '5005'
  ports:
    - '5019:5005'
  cap_add:
    - SYS_PTRACE
  security_opt:
    - seccomp:unconfined
    - apparmor:unconfined

docker inspect showing:

"CapAdd": [
    "SYS_PTRACE"
],
"SecurityOpt": [
    "apparmor:unconfined",
    "seccomp:unconfined"
],

Still same error as above.

shin- assigned shin- and unassigned shin- Mar 1, 2018

shin- commented Mar 1, 2018

The following works fine for me:

# cat docker-compose.yml
version: '2.3'
services:
  foo:
    command: strace /bin/ls
    build: .
    cap_add:
      - SYS_PTRACE
    security_opt:
      - seccomp:unconfined

$ docker-compose up
Starting repro5169_foo_1 ... done
Attaching to repro5169_foo_1
foo_1  | execve("/bin/ls", ["/bin/ls"], [/* 7 vars */]) = 0
foo_1  | brk(NULL)                               = 0x1047000
[lots more stuff]
foo_1  | +++ exited with 0 +++
repro5169_foo_1 exited with code 0

Based on the official ubuntu image with strace installed. Maybe this is an issue with your host system or the image's configuration?

@trevorglick

Ya I think what I was expecting was for this to work at build time on the images. But this setting is for live containers that are actively running. All good.

@xghongbin

Error response from daemon: error while creating mount source path '/host_mnt/Users/xxxxx/server/redis': mkdir /host_mnt/Users/hunaghongbin: operation not permitted

I hope to solve this problem.

My docker-compose file:

version: "2"
services:
  mydb:
    container_name: "mydb"
    restart: always
    cap_add:
      - SYS_PTRACE
    # docker security verification
    security_opt:
      - seccomp:unconfined
    ports:
      - "3306:3306"
    volumes: # mounted directories go here
      - /Users/hunaghongbin/server/mysql/conf:/etc/mysql
      - /Users/hunaghongbin/server/mysql/data:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    environment: # custom environment variables
      MYSQL_ROOT_PASSWORD: qweasd
    image: mysql:5.7 # image the container uses
  myredis:
    container_name: "myredis"
    restart: always
    # docker security verification
    security_opt:
      - seccomp:unconfined
    cap_add:
      - SYS_PTRACE
    ports:
      - "6379:6379"
    volumes:
      - /Users/hunaghongbin/server/redis:/data
      - /etc/localtime:/etc/localtime:ro
    image: redis:3.2
  myphp:
    container_name: "myphp"
    restart: always
    # docker security verification
    security_opt:
      - seccomp:unconfined
    cap_add:
      - SYS_PTRACE
    ports:
      - "9000:9000"
    volumes:
      - /Users/hunaghongbin/server/www:/var/www/html
      - /Users/hunaghongbin/server/php:/usr/local/etc/php
      - /etc/localtime:/etc/localtime:ro
    links:
      - "mydb"
      - "myredis"
    image: php:7.2-fpm
  mynginx:
    container_name: "mynginx"
    restart: always
    # docker security verification
    security_opt:
      - seccomp:unconfined
    cap_add:
      - SYS_PTRACE
    ports:
      - "80:80"
    links:
      - "myphp"
    volumes:
      - /Users/hunaghongbin/server/www:/usr/share/nginx/html
      - /Users/hunaghongbin/server/nginx:/etc/nginx
      - /Users/hunaghongbin/server/logs/nginx.logs:/var/log/nginx
      - /etc/localtime:/etc/localtime:ro
    image: nginx:latest

I hope to solve this problem, thanks!
