write sysctl key kernel.domainname: open /proc/sys/kernel/domainname: permission denied: unknown

[mfriedenhagen]

I am unable to set the domainname. Actually I use docker-compose but I could reproduce this with docker itself.

Expected outcome:

On a host without sysbox (and especially without usernsmap)

# docker container run --rm --hostname=alpine-test --domainname=example.com --runtime=runc alpine hostname -f
alpine-test.example.com

# uname -a
Linux XXXXX 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
# cat /etc/docker/daemon.json
{

  "registry-mirrors": [
    "https://docker.company.org/"
  ],

  "metrics-addr": "0.0.0.0:9323",
  "experimental": true
}

What I get with sysbox

I am a colleague of @nudgegoonies and we use a version with some patches from your side (concerning #266 etc.)

# docker container run --rm --hostname=alpine-test --domainname=sample.com --runtime=sysbox-runc alpine hostname -f
docker: Error response from daemon: OCI runtime create failed: container_linux.go:392: starting container process caused: process_linux.go:592: container init caused: write sysctl key kernel.domainname: open /proc/sys/kernel/domainname: permission denied: unknown.

Same happens if I use runc. Maybe related to userns-remap, see this moby-issue??

# docker container run --rm --hostname=alpine-test --domainname=sample.com --runtime=runc alpine hostname -f
docker: Error response from daemon: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: write sysctl key kernel.domainname: open /proc/sys/kernel/domainname: permission denied: unknown.

# cat /etc/docker/daemon.json
{

  "registry-mirrors": [
    "https://docker.company.org/"
  ],

  "metrics-addr": "0.0.0.0:9323",
  "experimental": true,
  "runtimes": {
    "sysbox-runc": {
      "path": "/usr/bin/sysbox-runc"
    }
  },
  "default-runtime": "sysbox-runc",
  "userns-remap": "sysbox",
  "fixed-cidr": "100.64.0.0/23",
  "default-address-pools": [
    {
      "base": "100.96.0.0/11",
      "size": 26
    }
  ]
}
# uname -a
Linux XXXX 5.10.0-0.bpo.5-amd64 #1 SMP Debian 5.10.24-1~bpo10+1 (2021-03-29) x86_64 GNU/Linux

# dpkg -l docker-ce
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version                     Architecture Description
+++-==============-===========================-============-====================================================
ii  docker-ce      5:20.10.6~3-0~debian-buster amd64        Docker: the open-source application container engine

# dpkg -l sysbox-ce
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version                    Architecture Description
+++-==============-==========================-============-=====================================================================
ii  sysbox-ce      0.3.0-0~ui01.debian-buster amd64        Sysbox Community Edition (CE) is a next-generation container runtime,

[rodnymolina]

Hi @mfriedenhagen, that's right, I would expect this problem to be only reproduced when operating in userns-remap, and not when shiftfs is in the picture. Will take a look at this moby issue that you pointed us to as it's probably the same problem.

[rodnymolina]

@mfriedenhagen just to let you know that I have fixed this one as part of various enhancements that I've been making to sysbox-fs. I expect to have all those merged within the next few days, so you should have a fix for this one soon.

[rodnymolina]

Fixed for this one was merged a while ago as part of Sysbox v0.4.0 release. Please let us know if have any other question on this matter.

[felipecrs]

My understanding is that this issue was resolved by sysbox when running the system container with --domainname. However, I stumbled upon this issue when running inner containers with --domainname from within the system container:

• Support writing to /proc/sys/kernel/dmesg_restrict inside system containers #599 (comment)

I just wonder if I should create a separate issue to track it.

[rodnymolina]

Hi @felipecrs!

In regards to the first issue, Sysbox is working as expected here by preventing the user from writing to this procfs' system-wide resource (/proc/sys/kernel/dmesg_restric). However, we could relax this behavior to allow apps to write to this node, even though that change would be only done superficially (it wouldn't be pushed down to kernel to avoid impacting the system as this resource is not namespaced).

Btw, there's already a few other sysbox-fs handlers doing something very similar -- /proc/sys/kernel/kptr_restric in particular, so if you want, you could fix this one by mimicking the behavior of kptr_restric in this file. Otherwise, let me know and we'll fix it when we have a chance.

Will look at the other issue you raised (--domainname) later on.

[felipecrs]

However, we could relax this behavior to allow apps to write to this node, even though that change would be only done superficially (it wouldn't be pushed down to kernel to avoid impacting the system as this resource is not namespaced).

Btw, there's already a few other sysbox-fs handlers doing something very similar -- /proc/sys/kernel/kptr_restric in particular, so if you want, you could fix this one by mimicking the behavior of kptr_restric in this file. Otherwise, let me know and we'll fix it when we have a chance.

Sounds awesome! I'll try and let you know how it works. Thanks a lot.

Will look at the other issue you raised (--domainname) later on.

I wonder if it's reasonable to do the same for the /proc/sys/kernel/domainname. Anyway, I'll try and let you know. NVM, I just realized it's already there.

[rodnymolina]

NVM, I just realized it's already there.

👍

[felipecrs]

@rodnymolina please disregard my concern about domainname. Sysbox seems to be working just fine, except when not running as a devcontainer in VS Code. I'll open a separate issue for investigation.