
Can not use docker socket as read-only volume in rootless mode #40313

Closed
hanachin opened this issue Dec 16, 2019 · 8 comments
@hanachin

Description

Steps to reproduce the issue:

  1. Mount the docker socket with the read-only option:
% docker run -ti -v /run/user/1000/docker.sock:/tmp/docker.sock:ro bash ls -al /tmp/docker.sock
docker: Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/run/user/1000/docker.sock\\\" to rootfs \\\"/home/sei/.local/share/docker/vfs/dir/74964046ceb671a408a2aed046f1f86e258e0ad1b84d4befaaa854e6490d0387\\\" at \\\"/home/sei/.local/share/docker/vfs/dir/74964046ceb671a408a2aed046f1f86e258e0ad1b84d4befaaa854e6490d0387/tmp/docker.sock\\\" caused \\\"operation not permitted\\\"\"": unknown.
ERRO[0000] error waiting for container: context canceled

Describe the results you received:

error

Describe the results you expected:

Same as mounting the docker socket without the read-only option:

% docker run -ti -v /run/user/1000/docker.sock:/tmp/docker.sock bash ls -al /tmp/docker.sock
srw-rw---T    1 root     970              0 Dec 16 15:19 /tmp/docker.sock

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:           19.03.5-ce
 API version:       1.40
 Go version:        go1.13.4
 Git commit:        633a0ea838
 Built:             Fri Nov 15 03:19:09 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          19.03.5-ce
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.4
  Git commit:       633a0ea838
  Built:            Fri Nov 15 03:17:51 2019
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.3.2.m
  GitCommit:        d50db0a42053864a270f648048f9a8b4f24eced3.m
 runc:
  Version:          1.0.0-rc9
  GitCommit:        d736ef14f0288d6993a1845745d6756cfc9ddd5a
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 17
  Running: 4
  Paused: 0
  Stopped: 13
 Images: 16
 Server Version: 19.03.5-ce
 Storage Driver: vfs
 Logging Driver: json-file
 Cgroup Driver: none
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d50db0a42053864a270f648048f9a8b4f24eced3.m
 runc version: d736ef14f0288d6993a1845745d6756cfc9ddd5a
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 5.4.2-arch1-1
 Operating System: Arch Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 31.29GiB
 Name: TracePoint
 ID: HZEQ:KR5K:POMA:S4M4:NODH:4J73:VE5O:YGXU:5XCI:NG3U:F3ZF:5U3R
 Docker Root Dir: /home/sei/.local/share/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

physical machine with ArchLinux, using this AUR package to run Docker in rootless mode
https://aur.archlinux.org/packages/docker-rootless/

@thaJeztah (Member)

/cc @AkihiroSuda

@AkihiroSuda (Member)

How is "read-only socket" useful?

@hanachin (Author)

I set up nginx-proxy; in the README the :ro option is specified. I tried it in rootless mode but it did not work.

    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro

https://github.com/jwilder/docker-gen uses the read-only socket to generate middleware (e.g. nginx) configurations from docker container metadata.

@AkihiroSuda (Member)

The doc seems wrong. Read-only socket doesn't make sense.
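
The point behind "read-only socket doesn't make sense" is worth making concrete, because `docker.sock:…:ro` is widely copied as if it limited a container to read-only API access. A read-only bind mount denies writes that go through the VFS (open for writing, unlink, chmod); a Unix socket is used through connect(2) and send(2), which do not take that path, so a client behind an `:ro` mount can still send every Docker API request, including one that creates a privileged container. The script below is an added example, not code from the issue or from Moby; the in-process daemon is a constructed stand-in for dockerd that only echoes the request line, and the request body is the standard docker.sock-is-root illustration.

```python
"""Added example (not part of the issue or of Moby): why ':ro' on a bind-mounted
docker.sock is not an access-control boundary.  connect()/send() on a Unix socket
do not go through the read-only mount check, so the API is fully reachable.
The daemon below is a constructed stand-in, not dockerd."""
import json
import os
import socket
import tempfile
import threading
from typing import Optional, Tuple


def build_api_request(method: str, path: str, body: Optional[dict] = None) -> bytes:
    """Raw HTTP/1.1 request as the Docker client sends it over the Unix socket."""
    payload = b"" if body is None else json.dumps(body).encode()
    lines = [f"{method} {path} HTTP/1.1", "Host: docker", "Connection: close"]
    if payload:
        lines += ["Content-Type: application/json", f"Content-Length: {len(payload)}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + payload


def privileged_container_request(image: str = "alpine") -> bytes:
    """A request the 'read-only' client can still send: a privileged container
    with the host root filesystem bound at /host.  Nothing here depends on how
    the socket was mounted."""
    spec = {
        "Image": image,
        "Cmd": ["sh"],
        "HostConfig": {"Privileged": True, "Binds": ["/:/host"]},
    }
    return build_api_request("POST", "/containers/create", spec)


def send_over_unix_socket(sock_path: str, request: bytes) -> bytes:
    """connect()/sendall() to the socket path and return the reply.  These calls
    succeed whether or not sock_path lies on a read-only bind mount."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def open_for_write_fails(sock_path: str) -> bool:
    """The only thing a read-only mount could deny on a socket path is open(2) for
    writing, and open(2) on a Unix socket already fails (ENXIO) on any mount."""
    try:
        fd = os.open(sock_path, os.O_WRONLY)
    except OSError:
        return True
    os.close(fd)
    return False


def fake_daemon(sock_path: str, ready: threading.Event) -> None:
    """Constructed stand-in for dockerd: serves one connection and echoes the
    request line, enough to show the bytes arrived."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            request = b""
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                request += data
            request_line = request.split(b"\r\n", 1)[0]
            conn.sendall(b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n" + request_line)


def demo() -> Tuple[bytes, bool]:
    """Run the client against the fake daemon in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "docker.sock")
        ready = threading.Event()
        server = threading.Thread(target=fake_daemon, args=(sock_path, ready), daemon=True)
        server.start()
        ready.wait(5)
        reply = send_over_unix_socket(sock_path, privileged_container_request())
        blocked = open_for_write_fails(sock_path)
        server.join(5)
    return reply, blocked


if __name__ == "__main__":
    reply, blocked = demo()
    print(reply.decode(), "\nopen(O_WRONLY) on the socket fails:", blocked)
```

The practical consequence: treat any container that can reach docker.sock as root on the host regardless of `:ro`, and reduce exposure with a proxy that filters API endpoints (or a dedicated socket with its own authorization) rather than with a mount flag.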

@AkihiroSuda (Member)

Maybe we should modify runc to ignore ro flag for bind-mounting socket files.

@AkihiroSuda (Member)

A workaround is docker run --runtime=crun.
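
Why a runtime has to treat the `ro` flag specially here, and why switching runtimes can change the outcome, comes down to how a read-only bind mount is built: mount(2) ignores MS_RDONLY on an MS_BIND call, so the runtime issues a second MS_REMOUNT|MS_BIND|MS_RDONLY call. Inside a user namespace (the rootless case) the kernel refuses that remount with EPERM if it would clear a flag locked on the source mount (nosuid, nodev, noexec, ro), and the tmpfs under /run/user/UID normally carries nosuid,nodev; a remount that carries those flags over is accepted. The program below is an added example, not runc, crun or Moby code, and it is offered as context for the EPERM seen above rather than as the issue's stated root cause. It enters a new user and mount namespace (like `unshare -Urm`) so it can be run as an ordinary user, then attempts the remount both without and with the preserved flags.

```c
/* Added example, not runc, crun or Moby code: the two mount(2) calls behind a
 * read-only bind mount, done the way an OCI runtime must inside a user
 * namespace.  An unprivileged remount is refused with EPERM if it would clear
 * a flag the kernel locked on the source mount (nosuid, nodev, noexec, ro). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* glibc exposes these only under _GNU_SOURCE; the values are the Linux ABI ones. */
#ifndef ST_NODEV
#define ST_NODEV 4
#endif
#ifndef ST_NOEXEC
#define ST_NOEXEC 8
#endif
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

/* Flags for the read-only remount: MS_RDONLY plus whichever of nosuid, nodev,
 * noexec the source mount already has (statvfs(3) reports the mount's flags).
 * Passing no atime flag keeps the mount's current atime mode on a remount. */
unsigned long ro_remount_flags(unsigned long st_flags)
{
    unsigned long flags = MS_REMOUNT | MS_BIND | MS_RDONLY;
    if (st_flags & ST_NOSUID) flags |= MS_NOSUID;
    if (st_flags & ST_NODEV)  flags |= MS_NODEV;
    if (st_flags & ST_NOEXEC) flags |= MS_NOEXEC;
    return flags;
}

/* Bind src at dst read-only.  Returns 0, or -errno on failure. */
int bind_mount_ro(const char *src, const char *dst, int preserve_flags)
{
    struct statvfs st;
    unsigned long flags = MS_REMOUNT | MS_BIND | MS_RDONLY;
    if (statvfs(src, &st) != 0)
        return -errno;
    if (preserve_flags)
        flags = ro_remount_flags(st.f_flag);
    if (mount(src, dst, NULL, MS_BIND, NULL) != 0)
        return -errno;
    if (mount(NULL, dst, NULL, flags, NULL) != 0) {
        int err = errno;
        umount2(dst, MNT_DETACH);   /* undo the bind so dst is not left writable */
        return -err;
    }
    return 0;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* usage: touch /tmp/docker.sock.ro && ./robind /run/user/$UID/docker.sock /tmp/docker.sock.ro
 * The mounts live only in this process's namespace and vanish with it. */
int main(int argc, char **argv)
{
    char map[64];
    uid_t uid = getuid();
    gid_t gid = getgid();
    int rc;

    if (argc != 3) {
        fprintf(stderr, "usage: %s SRC DST\n", argv[0]);
        return 2;
    }
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) {
        perror("unshare");
        return 1;
    }
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);   /* become uid 0 inside */
    write_file("/proc/self/uid_map", map);
    write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    write_file("/proc/self/gid_map", map);
    mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);     /* keep mounts local */

    rc = bind_mount_ro(argv[1], argv[2], 0);
    printf("remount with MS_RDONLY only:     %s\n", rc ? strerror(-rc) : "ok");
    if (rc == 0)
        umount2(argv[2], MNT_DETACH);
    rc = bind_mount_ro(argv[1], argv[2], 1);
    printf("remount preserving locked flags: %s\n", rc ? strerror(-rc) : "ok");
    return rc ? 1 : 0;
}
```

Run it against the rootless daemon's socket and a scratch target file; on a host where /run/user/UID is mounted nosuid,nodev the first attempt reports "Operation not permitted" and the second reports "ok". Whether the remount even matters is a separate question, since the previous example shows that a read-only mount does not constrain what a client can do with the socket.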

@sifotes commented Apr 5, 2021

I don't think this should have been closed. Acknowledging that mounting docker.sock is generally bad, mounting it as read-only still has a number of uses, including the one that @hanachin linked. If Moby doesn't support that, it's the Moby docs that should be updated.

@AkihiroSuda (Member)

Fixed in #42233

Will be included in v20.10.6.
