readlink /proc/self/exe permission denied inside created thread of container entry point #18883
Comments
Thanks, I've updated the bug report above; happy to answer any additional questions.
Thanks @thaJeztah. We saw #11462 as well and wondered if it might be related. It should be noted that I also see permission denied when calling readlink() on /proc/self/fd/* -- not just for the ttys, but even for files my process (in my "real" program -- not this test program) opens. I thought boiling it down to this simple test case with /proc/self/exe might help debugging though.
I believe this is fixed in newer kernels, where there is a "same thread group" check, not just a same-pid check: http://lxr.free-electrons.com/source/fs/proc/fd.c#L304 I am not sure exactly when this changed. (Found this issue while searching for a probably unrelated thing!)
Going to close this as I believe it is fixed. Please comment or reopen if this is not the case.
It looks like the issue I have in MariaDB under CentOS 7.4: So when mysql client queries
The container starts as root, but The kernel version is Does it look related?
Speculative findings:
To illustrate the difference better: Good (v4.14): Bad (v3.10):
The earliest version of the Linux kernel the fix is included in is 4.4.
@Vanuan did you make any progress on this? I have exactly this problem with opendkim in an Alpine container running on CentOS 7. |
@raarts I've outlined solutions and workarounds in the stackoverflow answer above:
@Vanuan, just hoping you put in a ticket in redhat's bugzilla. Thanks for tracking this down though. For the moment I dropped alpine for this container. |
Docker Version:
Docker info
uname -a
Additional environment details: physical box
The results I received:
Calls to readlink() on anything that's a link inside of /proc/self return permission denied, for my entrypoint process in a docker container (using the ubuntu container as a base), and if I'm calling it from a thread other than the main thread.
The results I expected:
Calls to readlink() on valid links inside /proc/self work correctly from any thread in my process, even if my process is a docker entrypoint.
Additional info I think is important:
Here's a simple test program that uses /proc/self/exe:
Here's how I compile and run it on my host (centos 7)
Here's what I see as output:
If I just run the program on my host, or anywhere else, or even with `` docker run -ti -v `pwd`:/host --entrypoint /bin/bash ubuntu -c /host/a.out ``, it works:
Thanks, -David