/usr/lib/systemd error on OS X.

[willfarrell]

$ docker run -it --net host --pid host --cap-add audit_control \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    germanramos/docker-bench-security
docker: Error response from daemon: Mounts denied: 
The path /usr/lib/systemd
is not shared from OS X and does not belong to the system.
You can configure shared paths from Docker -> Preferences...

There is no /usr/lib/systemd on Mac. Is this volume mapping required? The test seem to run fine without it? Maybe the docs need to be updated to reflect this?

[konstruktoid]

Hi @willfarrell, how does PR #160 look?

[willfarrell]

That should cover it. If not, there is this issue to catch any that didn't read the docs.

[meetinthemiddle-be]

Would there be scope for instructing macOS users better on what to do to solve this?

I'm aware that the readme states:

Don't forget to adjust the shared volumes according to your operating system, it may not for example use systemd.

Nevertheless, it would be helpful - would those directories actually exist on macOS - if it was just a matter of adding those paths to the File Sharing Preferences in Docker, as is suggested in the hint that Docker mentions in the error thrown:

docker: Error response from daemon: Mounts denied:
The paths /usr/bin/docker-runc and /usr/bin/docker-containerd
are not shared from OS X and are not known to Docker.
You can configure shared paths from Docker -> Preferences... -> File Sharing.
See https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.

Removing them from the docker run command indeed works (or seems to), but adding that fact to the readme.md in a section "Note for macOS users" might be helpful for some. Also describing what doesn't function when you cut those out (I'm assuming that you miss some functionality when omitting these mounts ?).

[mrdulin]

same issue. macOS

☁  mrdulin  docker run -it --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro \
    -v /usr/bin/docker-runc:/usr/bin/docker-runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker/docker-bench-security
Unable to find image 'docker/docker-bench-security:latest' locally
latest: Pulling from docker/docker-bench-security
cd784148e348: Pull complete 
48fe0d48816d: Pull complete 
164e5e0f48c5: Pull complete 
378ed37ea5ff: Pull complete 
Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8
Status: Downloaded newer image for docker/docker-bench-security:latest
docker: Error response from daemon: Mounts denied: 
The paths /usr/lib/systemd and /usr/bin/docker-runc and /usr/bin/docker-containerd
are not shared from OS X and are not known to Docker.
You can configure shared paths from Docker -> Preferences... -> File Sharing.
See https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.

[konstruktoid]

@mrdulin, I've updated the instructions.