statx syscalls inside a docker container

[mettke]

• This is a bug report
• This is a feature request
• I searched existing issues before opening this one

Description

statx syscalls are only allowed in privileged containers and can not be allowed using linux-capabilities. It would be nice to have a capability which allows those calls, as for example qt is using them in its build process.

Expected behavior

docker run --cap-add=ALL

or

docker run --cap-add=<NEW CAPABILITY>

should allow statx syscalls inside of docker

Actual behavior

docker run --cap-add=ALL

does not allow statx syscalls as there is no capability which allows such a system call

docker run --privileged

however does allow a statx syscalls

Steps to reproduce the behavior

docker run --rm -it base/devel /bin/bash -c "
   sudo pacman -Sy --noconfirm wget
   echo -e '\nTesting statx call\n'
   wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c
   gcc test-statx.c -o test-statx
   touch test-file
   ./test-statx test-file
"

Output of docker version:

Client:
 Version:	18.01.0-ce
 API version:	1.35
 Go version:	go1.9.2
 Git commit:	03596f51b1
 Built:	Sun Jan 14 23:10:39 2018
 OS/Arch:	linux/amd64
 Experimental:	false
 Orchestrator:	swarm

Server:
 Engine:
  Version:	18.01.0-ce
  API version:	1.35 (minimum version 1.12)
  Go version:	go1.9.2
  Git commit:	03596f51b1
  Built:	Sun Jan 14 23:11:14 2018
  OS/Arch:	linux/amd64
  Experimental:	false

Output of docker info:

Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 4
Server Version: 18.01.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.78-1-lts
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.666GiB
Name: ArchLinux
ID: 6DOA:O7FZ:NXOY:CL6B:D7GK:YBLH:SMGX:PAEW:IBZT:CA4F:BEYT:ERGL
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: toendeavour
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

[xantares]

Seems a PR is pending:
moby/moby#36417

[xantares]

See last comment it should be in 18.04

[thaJeztah]

Ah, yes, this is now addressed on master, and will be in Docker 18.04 moby/moby#36417

Closing the issue here 👍

[seemethere]

@xantares @mettke if you'd like to try this out before the release of 18.04 feel free to use the Docker CE nightly builds with:

curl -fsSL get.docker.com | CHANNEL=nightly sh

[endrift]

I seem to still be having this on Ubuntu 18.04.1 with docker-ce 18.06.1~ce~3-0~ubuntu.

Setting the seccomp profile manually doesn't work either.

[emmenlau]

I can not get this to work in docker-ce:amd64 5:18.09.0~3-0~ubuntu-bionic.
Is there a specific capability that needs to be added? I have cap_add = ["NET_ADMIN"] but nothing else, and use docker from gitlab-runner.
Can someone help?

[simonschmeisser]

Sorry but I'm still confused as well. I have docker Docker version 18.09.0, build 4d60db4 but still statx does not seem to be enabled by default? Do I need to enable it manually? What command to use? Are moby version numbers and docker version numbers synced?

[endrift]

I solved this by updating libseccomp. The version bionic has is not new enough, so I just took the .deb from cosmic, which installed cleanly and works fine.

[thaJeztah]

@endrift that would explain the issue; see moby/moby#36417 (comment)

Thats fine but note that you will need to install libseccomp-2.3.3 on the host for this to work, as I think that is the first version with statx support.

[dawagner]

I'm having the same issue as @simonschmeisser, on Fedora 27.

[thaJeztah]

@dawanger see my comment above yours #208 (comment) if an older version of libseccomp is present on the host, it won't work

[dawagner]

@thaJeztah : basic PEBKAC case: I did read your explanation and I thought I had checked that the correct version was installed but apparently, I did not... Thanks.

[chuanchang]

@mettke Where I can get base/devel container image? thanks.