New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker build should support privileged operations #1916
Comments
If we go for this, I'm more in favor of the RUNP option, instead of having On Wed, Sep 18, 2013 at 1:07 PM, Benjamin Podszun
Victor VIEUX |
Actually, we might have to do both — i.e., RUNP + require a "-privileged" If we rely only on RUNP (without requiring "-privileged"), then we would I think a combination of both is the safest way. On Wed, Sep 18, 2013 at 4:07 AM, Benjamin Podszun
@jpetazzo https://twitter.com/jpetazzo |
Sounds reasonable. For me this feature (being able to create device nodes) makes or breaks the ability to create the deployment in Docker. If I can help (testing mostly, I tried looking at the source but failed so far. It seems the available commands in a buildfile are found via reflection, I added a runp command that set the config.privileged to true, but so far I'm unable to build and test -> stuck) I'd gladly invest some time. |
I'd suggest lights up some smoke signals to catch attention of @shykes, @crosbymichael ... And then we'll have to find someone to implement it, of course ☺ |
If the last part was targeted at me: Sure, why not. I'm already messing with the go code (not a language I'm familiar with, but see above: I'm trying to figure out what's going on anyway). With a couple of pointers / someone to ping for some questions I'd certainly give it a try. |
I'm not sold on RUNP or build -privileged. Generally I don't like anything that introduces different possible builds of the same input. That's why you can't pass arguments or env variables to a build. Specifically I don't like introducing dependencies on "privileged" all over the place, because it designates a set of capabilities that is a) very large and b) not clearly spec-ed or defined. That's ok as a coarse mechanism for sysadmins to bypass security in an all-or-nothing way - an "escape hatch" when the standard docker execution environment is not enough. It's similar in that way to bind-mounts and custom lxc-conf. On Fri, Sep 20, 2013 at 3:18 PM, Benjamin Podszun
|
Well, do you agree that it should be possible to build a docker image that - for example - runs fuse? The way I see it, there's no way these builds could be different depending on parameters: The build will work (caps are not / less restricted than now) or fail (status quo). There's little to no risk of different 'versions' of the same build file, right? |
I'm running into this issue now. To build the image I need, I have to perform a series of |
Is it also related to mknod operations? |
Hey @jpetazzo, from the mailing list, here is the issue I'm facing: https://groups.google.com/forum/#!topic/docker-user/1pFhqlfbqQI I'm trying to |
If I understand correctly, during the installation process, you need a non-AUFS directory — or rather, something that supports |
+1 for this as well. Installing packages that require change to memory settings and kernel configuration (e.g. Vertica DB, WebSphere MQ) can only be done in privileged mode. |
Let's try to separate concerns when it comes to running / building with "privileged": it can be required just during the build, just during execution via It should be possible to allow a build to do something requiring a bit more permissions for a step (or more) if that's necessary. I needed this for a project and had to convert half of a Dockerfile to a shell script which invoked the build and continued to build things in privileged mode, so having a "privileged" build would be useful. However, we shouldn't go all the way down to privileged mode by default just so we can use sysctl to change some settings. This should be done via image configuration or via command line args to be passed to |
Right. @orikremer, do you have details on the parameters that Vertica DB and WebSphere MQ were trying to change? If it's stuff in /sys or /proc, the best solution might be to put some mock up there instead, rather than switching to privileged mode (since the changes won't be persisted anyway). In the long run, a mock filesystem might capture the change and convert them to Dockerfile directives, instructing the runtime that "hey, this container needs such or such tweak". |
@jpetazzo It's been a couple of days since I created the image. AFAIR Vertica was complaining that it doesn't have enough memory and both were trying to change max open files. |
Noting issue #2080 as it is related. |
@jpetazzo started recreating the image without -privileged. Two issues so far:
|
How does the switch happen? I don't understand how
If I understand correctly, the Vertical installer tries to set the max number of open files to a very high number, and that only works if Docker was started with such a high number or with the |
switching user -
max open files - correct. the installer tries to set to a number higher than the host has. Only by increasing the hosts setting or starting -privileged does this work. |
I just tried with the following Dockerfile:
And it works fine. What's the exact name of the image you're using? |
@lukewpatterson Can you share how you got the loop filesystem working inside your container? |
@jpetazzo Running this docker file
failed with:
|
I turned on debugging for the PAM module (by adding Oct 7 14:12:23 8be1e7bc5590 su: pam_limits(su:session): reading settings from '/etc/security/limits.conf' Then I
This, in turn, causes the Now, why is I think I would just comment out that Note: since you already increased the limit for number of open files for Docker, you could also raise the limit for the max priority; that should work as well! I hope this helps. |
In that Dockerfile, you've got the following line by itself:
There's no command to go with this (and it won't apply any resulting shell to subsequent RUN commands), so I wouldn't be surprised if it's really failing at trying to open a shell and not being somewhere interactive that doing so makes sense (since |
@jpetazzo Thanks for the detailed description. I will try raising the max priority for Docker and see if that helps.
Agreed, but as this is the Vertica installer code that's putting it there I am trying work around that. @tianon The same happens if I run this in an interactive shell (/bin/bash). |
My apologies, I think it was still worth a try. The point about that line not making much sense in the Dockerfile still does apply though. You probably wanted something more like this (after you figure out the limits issues):
|
@tianon you're right, it doesn't make much sense. That was merely to demonstrate that the su itself fails. |
To get back to the original discussion: I believe it is fine from a security standpoint (and useful!) to allow |
@jpetazzo Quite the opposite! It would solve many problems I'm encountering. I think this is necessary for people who want to run Docker containers that act/look more like a real machine. |
Hi Randomly the docker build choose an hostname starting zero '0' which breaks our application, I tried to run "hostname" in such case inside my DockerFile but faced the same issue. I also would like to have an option to run the docker build with RUNP or get an option to choose the hostname during build. |
Has anybody tried building these kinds of images with Kaniko? I just did it with @maneamarius 's Dockerfile on Docker for Mac and it seems to build successfully once you call Kaniko's
|
Having this feature would greatly help efforts to build Docker images via Puppet on Redhat/CentOS base images. |
Since I last posted, I've followed back up with the changes in Kaniko. They are no longer tarballing in memory and are tarballing onto the disk which means support for Dockerfiles describing big images. Layer caching is still a WIP but they have an option for caching the base images for the moment (That means currently no fast It's at a state where I've been successful in building @maneamarius's Dockerfile that emerges Golang in a Gentoo image in this project/demo without modifying @maneamarius 's Dockerfile or chopping it up in any way (EDIT: I've since had to modify the https://github.com/nelsonjchen/kaniko-privileged-maneamarius-moby-1916 I've also configured Azure Pipelines to build the Dockerfile into an image with Kaniko with |
Use buildah Luke |
I'm closing this issue, because the feature is now available as https://github.com/docker/buildx/blob/master/README.md#--allowentitlement |
@AkihiroSuda I have updated my docker to version 19.03 to try
|
buildx docs: |
Thanks @AkihiroSuda . It worked now. |
just to add another use case. I have to ask like https://github.com/maneamarius in #1916 (comment) Why is it such a big deal to support this? The build does execute a run under the hood. In this specific use case a privileged build option would support a kind of "backward compatibility" and I know I am not the only one who had this issue after my web research. |
@uvwild I'm not sure if this helps your use case but you can give a try to build with kaniko Your image will be built without a docker deamon and you can extract the image once its done and using kaniko is jus like running a container you can use I accept its not a complete solution you were expecting but an easier workaround which may fit in your build pipeline. EDIT: As @alexey-vostrikov said |
In their infinite wisdom, the docker devs decided in moby/moby#1916 that adding support for --cap-add=SYS_PTRACE for `docker build` is not a priority or that they just don't want to do that. So we have to work around this limitation by creating a temporary base image, then run the install script with `docker run`. Next, the resulting container is converted to an image with `docker commit`. Finally we clean up the mess we have made.
In their infinite wisdom, the docker devs decided in moby/moby#1916 that adding support for --cap-add=SYS_PTRACE for `docker build` is not a priority or that they just don't want to do that. So we have to work around this limitation by creating a temporary base image, then run the install script with `docker run`. Next, the resulting container is converted to an image with `docker commit`. Finally we clean up the mess we have made.
Docker deamon doesn't work with --fixed-cidr on windows
What does this mean? Where is this done? I can't find documentation on this anywhere. |
I was able to get past the Dockerfile:
see: https://docs.docker.com/engine/reference/builder/#run---securityinsecure commands
see: https://docs.docker.com/engine/reference/commandline/buildx_build/#allow I don't totally understand all of these settings or if they're wise to use, so beware! Definitely wish there was an easier way to do this! |
Currently there seems to be no way to run privileged operations outside of docker run -privileged.
That means that I cannot do the same things in a Dockerfile. My recent issue: I'd like to run fuse (for encfs) inside of a container. Installing fuse is already a mess with hacks and ugly workarounds (see [1] and [2]), because mknod fails/isn't supported without a privileged build step.
The only workaround right now is to do the installation manually, using run -privileged, and creating a new 'fuse base image'. Which means that I cannot describe the whole container, from an official base image to finish, in a single Dockerfile.
I'd therefor suggest adding either
this should do the same thing as run -privileged, i.e. removing all caps limitations
or
this should .. well .. RUN, but with _P_rivileges
I tried looking at the source, but I'm useless with go and couldn't find a decent entrypoint to attach a proof of concept, unfortunately. :(
1: https://github.com/rogaha/docker-desktop/blob/master/Dockerfile#L40
2: #514 (comment)
The text was updated successfully, but these errors were encountered: