
Docker for mac uses Linux kernel without CONFIG_FANOTIFY_ACCESS_PERMISSIONS #6915

Open
Tracked by #1604
alban opened this issue Jul 13, 2023 · 1 comment

alban commented Jul 13, 2023

Description

Docker for mac uses a Linux kernel compiled with this option:

CONFIG_FANOTIFY=y
# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set

Unfortunately, my software needs both CONFIG_FANOTIFY and CONFIG_FANOTIFY_ACCESS_PERMISSIONS.

This results in the following error when using the fanotify_mark syscall with FAN_ACCESS_PERM or FAN_OPEN_EXEC_PERM flags:

failed to fanotify mark: fanotify: mark error, invalid argument

Reproduce

Run ig as explained in the instructions:

$ docker run -ti --rm --privileged -v /run:/run -v /:/host ghcr.io/inspektor-gadget/ig list-containers --auto-mount-filesystems
failed to fanotify mark: fanotify: mark error, invalid argument

Expected behavior

fanotify_mark syscall with FAN_ACCESS_PERM and FAN_OPEN_EXEC_PERM should work fine.

docker version

> docker version
Client:
Cloud integration: v1.0.35
Version:           24.0.2
API version:       1.43
Go version:        go1.20.4
Git commit:        cb74dfc
Built:             Thu May 25 21:51:16 2023
OS/Arch:           darwin/arm64
Context:           desktop-linux

Server: Docker Desktop 4.21.1 (114176)
Engine:
  Version:          24.0.2
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.4
  Git commit:       659604f
  Built:            Thu May 25 21:50:59 2023
  OS/Arch:          linux/arm64
  Experimental:     false
containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Linux version 5.15.49-linuxkit (root@buildkitsandbox) (gcc (Alpine 10.2.1_pre1) 10.2.1 20201203, GNU ld (GNU Binutils) 2.35.2) #1 SMP PREEMPT Tue Sep 13 07:51:32 UTC 2022
> docker info
Client:
Version:    24.0.2
Context:    desktop-linux
Debug Mode: false
Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.0
    Path:     /Users/user/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.19.1
    Path:     /Users/user/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/user/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.20
    Path:     /Users/user/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.6
    Path:     /Users/user/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/user/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/user/.docker/cli-plugins/docker-scan
  scout: Command line tool for Docker Scout (Docker Inc.)
    Version:  0.16.1
    Path:     /Users/user/.docker/cli-plugins/docker-scout

Server:
Containers: 12
  Running: 1
  Paused: 0
  Stopped: 11
Images: 90
Server Version: 24.0.2
Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 3dce8eb055cbb6872793272b4f20ed16117344f8
runc version: v1.1.7-0-g860f061
init version: de40ad0
Security Options:
  seccomp
   Profile: builtin
  cgroupns
Kernel Version: 5.15.49-linuxkit-pr
Operating System: Docker Desktop
OSType: linux
Architecture: aarch64
CPUs: 5
Total Memory: 7.765GiB
Name: docker-desktop
ID: 7fc64535-7c0f-4b06-b586-6094ab8f5455
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Experimental: false
Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
Live Restore Enabled: false

Diagnostics ID

No access to diagnostics ID at the moment

Additional Info

The fanotify_mark syscall with FAN_ACCESS_PERM and FAN_OPEN_EXEC_PERM works fine with Docker Desktop for Windows (WSL2) or with Docker on common Linux distributions.
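The "invalid argument" in the report above is the kernel rejecting the FAN_*_PERM bits in the mark mask: when CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set, the set of valid permission events is empty, so fanotify_mark returns EINVAL even though fanotify_init with FAN_CLASS_CONTENT succeeded. The probe below is an added example, not code from the issue author or from Inspektor Gadget. It opens a content-class fanotify group, tries to add a FAN_ACCESS_PERM | FAN_OPEN_EXEC_PERM mark on a directory (the current directory by default) and maps the resulting errno to a diagnosis. The enum names, the helper names and the choice of mark target are this example's own assumptions. It needs CAP_SYS_ADMIN inside the Docker Desktop VM (for instance a `--privileged` container) to tell the kernel-config case apart from a plain permission error.

```c
/* fanotify_perm_probe.c -- added example, not part of the issue or of Inspektor Gadget.
 * Build: cc -O2 -o fanotify_perm_probe fanotify_perm_probe.c
 * Run as root (CAP_SYS_ADMIN), e.g. inside a --privileged container. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Kernel headers older than Linux 5.0 lack FAN_OPEN_EXEC_PERM; value from linux/fanotify.h. */
#ifndef FAN_OPEN_EXEC_PERM
#define FAN_OPEN_EXEC_PERM 0x00040000
#endif

/* The permission-event mask the issue reporter needs. */
#define PROBE_PERM_MASK (FAN_ACCESS_PERM | FAN_OPEN_EXEC_PERM)

/* Hypothetical result codes chosen for this example. */
enum perm_probe {
    PERM_SUPPORTED = 0,       /* mark accepted: kernel has CONFIG_FANOTIFY_ACCESS_PERMISSIONS */
    PERM_KERNEL_LACKS_CONFIG, /* fanotify_mark -> EINVAL on a FAN_CLASS_CONTENT group */
    PERM_NO_FANOTIFY,         /* ENOSYS: CONFIG_FANOTIFY unset or the syscall is filtered */
    PERM_NO_PRIVILEGE,        /* EPERM: FAN_CLASS_CONTENT groups need CAP_SYS_ADMIN */
    PERM_OTHER_ERROR          /* anything else */
};

/* Map the errno of a failed fanotify_mark(..., PROBE_PERM_MASK, ...) issued on a
 * FAN_CLASS_CONTENT group to a diagnosis. The kernel checks the mask against its
 * FANOTIFY_PERM_EVENTS set, which is empty without CONFIG_FANOTIFY_ACCESS_PERMISSIONS,
 * so the permission bits count as invalid and the call fails with EINVAL. */
enum perm_probe classify_mark_errno(int err)
{
    switch (err) {
    case EINVAL: return PERM_KERNEL_LACKS_CONFIG;
    case EPERM:  return PERM_NO_PRIVILEGE;
    case ENOSYS: return PERM_NO_FANOTIFY;
    default:     return PERM_OTHER_ERROR;
    }
}

const char *perm_probe_str(enum perm_probe r)
{
    switch (r) {
    case PERM_SUPPORTED:           return "permission events supported";
    case PERM_KERNEL_LACKS_CONFIG: return "fanotify_mark: EINVAL (kernel built without CONFIG_FANOTIFY_ACCESS_PERMISSIONS)";
    case PERM_NO_FANOTIFY:         return "fanotify unavailable (CONFIG_FANOTIFY unset or syscall filtered)";
    case PERM_NO_PRIVILEGE:        return "EPERM: run with CAP_SYS_ADMIN (e.g. docker run --privileged)";
    default:                       return "unexpected error";
    }
}

/* Open a content-class group and try to add a permission-event mark on `path`.
 * Creating the group succeeds on the reporter's kernel; it is the mark carrying
 * FAN_*_PERM bits that fails, which is what "fanotify: mark error, invalid argument" shows. */
enum perm_probe probe_perm_events(const char *path)
{
    int fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC | FAN_NONBLOCK, O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        if (errno == EPERM)  return PERM_NO_PRIVILEGE;
        if (errno == ENOSYS) return PERM_NO_FANOTIFY;
        return PERM_OTHER_ERROR;
    }
    enum perm_probe result = PERM_SUPPORTED;
    if (fanotify_mark(fd, FAN_MARK_ADD, PROBE_PERM_MASK, AT_FDCWD, path) < 0)
        result = classify_mark_errno(errno);
    else
        /* Drop the mark again so no open/exec of `path` ever blocks waiting on us. */
        fanotify_mark(fd, FAN_MARK_REMOVE, PROBE_PERM_MASK, AT_FDCWD, path);
    close(fd);
    return result;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    enum perm_probe r = probe_perm_events(path);
    printf("%s: %s\n", path, perm_probe_str(r));
    return r == PERM_SUPPORTED ? 0 : 1;
}
```

On a Docker Desktop kernel built as in the report, the probe prints the EINVAL diagnosis; on a distribution kernel with the option enabled it prints "permission events supported". Where the kernel exposes its build configuration, `zcat /proc/config.gz | grep FANOTIFY` is the direct check for the two options the issue names.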


alban commented Jul 13, 2023

I filed the issue on linuxkit: linuxkit/linuxkit#3941
