New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[1.10] --cap-add=SYS_ADMIN change of behavior? #20082
Comments
Docker 1.10 includes a default seccomp profile which is likely blocking the syscalls you are wanting to make. |
Perhaps we should document this; it is a change in behavior |
ping @jfrazelle I'll assign this one to you; to decide if the default profile needs changes, or the documentation. |
This is behaving as expected On Sunday, February 7, 2016, Sebastiaan van Stijn notifications@github.com
Jessie Frazelle |
@jfrazelle if it's indeed a change in behavior due to the seccomp profiles, I think we should add a note to the docs, explaining that besides adding capabilities, they may have to pass a custom seccomp profile? |
Ya agreed will do On Sunday, February 7, 2016, Sebastiaan van Stijn notifications@github.com
Jessie Frazelle |
docs are updated here #20245 |
Confirmed working. To wrap up, anyone previously using Unclear to me if this has any serious security implications, but my guess is that it is as secure as in 1.9.1. /b3 |
It's the same as 1.9.1 but better would be to make a custom seccomp profile On Saturday, February 13, 2016, beetree notifications@github.com wrote:
Jessie Frazelle |
With SELinux I attempted to avoid control of capability checks and leave this to capabilities. I am not sure if this is possible with seccomp. Do we have any idea what seccomp block was blocking this access from happening? Turning off all of seccomp for any use of capabilities is a usability problem. |
Is the problem the capability, or the fact that systemd inside the container is trying to do mount virtual filesystems and seccomp is blocking it. I'm guessing the capability thing is (largely) unrelated... Only option if you need to call mount inside the container is to have seccomp allow the mount syscall.... |
Right, I don't think the mount syscall should be blocked by default if it is blocked by a different security mechanism. I just think that if we have multiple security mechanisms blocking access, users are not going to easily figure out why, and they will start killing all security. --privileged Since we don't have FRIENDLY eperm, there is no easy way to know mount is blocked by SELinux, Capabilities or SECCOMP. |
@beetree I tried the following options on my docker 1.12.3, but systemctl still says
|
@beetree Did you mount tmpfs on /run? docker run -ti --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro INITCONTIANER Should work, (You must have container=oci or something in environment). Or just use projectatomic/docker with oci-systemd-hook and it will work with no options required. |
Hey,
I'm running an image with systemd. I pass
--cap-add=SYS_ADMIN --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro
todocker run
. I've been running it in 1.9.1 without problems, but now that I update to 1.10 it throws the error (when trying to usesystemctl
):Passing
--privileged
instead of--cap-add=SYS_ADMIN
solves the problem in 1.10.Here's the base info on the 1.10 that throws the errors:
The systemd image Dockerfile is:
Here's a full session to recreate the issue (in 1.10):
And here is the same with
--privileged
:And the
SYS_ADMIN
for 1.9.1:I realize that this may not be a bug in Docker, and I realize that running
systemd
in a docker container isn't really the ideal usage of containers. That said, I would really appreciate any help!EDIT:
Adding full background information on the 1.9.1 setup:
EDIT2:
Same issue using ubuntu 15.10 as base image (on docker 1.10 with SYS_ADMIN).
/beetree
The text was updated successfully, but these errors were encountered: