
Update documentation to clarify REPL usage and security implications #9

Open
3 tasks
swizzlr opened this issue Dec 3, 2015 · 71 comments

@swizzlr
Contributor

swizzlr commented Dec 3, 2015

Overview

Swift REPL requires LLDB. LLDB requires some elevated privileges.

Objectives

  • Clearly define the elevated privileges required by LLDB's REPL
  • Provide clear and simple documentation in the README on how to access the REPL, including an explanation of the rationale required
  • Provide alternative examples of using the docker image that don't involve the REPL/elevated privileges (e.g. Dockerfiles, invoking scripts in Swift)
@hamin
Contributor

hamin commented Dec 3, 2015

The repl was definitely working for me, but I was installing all the deps that apple was suggesting. Should we put those deps back for completeness' sake? We might be breaking other parts of the toolchain without knowing it by not having the deps apple details in their docs. Perhaps revert that commit and see what happens?

@swizzlr
Contributor Author

swizzlr commented Dec 3, 2015

@hamin When they say "development dependencies" I assume they mean for building the swift toolchain itself. (right, @jckarter)? I'll work backwards from the list of dependencies and find which libraries are necessary; then I'll open a PR to the swift repo updating their docs.

@hamin
Contributor

hamin commented Dec 3, 2015

@swizzlr yeah what you're saying makes sense, checking it out

@hamin hamin added the bug label Dec 3, 2015
@swizzlr
Contributor Author

swizzlr commented Dec 3, 2015

@hamin just tried "reverting" those changes and no dice. are you sure it worked for you, back then? maybe it's flaky?

@hamin
Contributor

hamin commented Dec 4, 2015

So it's working for me right now. I'm running latest master:

[screenshot omitted: 2015-12-03 7:06 pm]

@hamin
Contributor

hamin commented Dec 4, 2015

@swizzlr it's working for me. I'm running latest master.

@hamin
Contributor

hamin commented Dec 4, 2015

@swizzlr what were you trying to run exactly?

@hamin
Contributor

hamin commented Dec 4, 2015

@swizzlr argh sorry it's not running for me... I was running my old docker image... gimme a few

@hamin
Contributor

hamin commented Dec 4, 2015

@swizzlr confirmed this master is not working for me... the above screenshot was from my original repo. It definitely worked.

@swizzlr
Contributor Author

swizzlr commented Dec 4, 2015

Does this commit work 369c495 ?

@hamin
Contributor

hamin commented Dec 4, 2015

@swizzlr checking it out. Meanwhile do a docker pull from here https://hub.docker.com/r/harisamin/docker-swift/

docker pull harisamin/docker-swift

Try that and see if it works there

@swizzlr
Contributor Author

swizzlr commented Dec 4, 2015

Nope, not working on this (digital ocean VM hooked up with docker-machine).

docker run -it harisamin/docker-swift bash

@swizzlr
Contributor Author

swizzlr commented Dec 4, 2015

error: failed to launch REPL process: process launch failed: 'A' packet returned an error: 8

@hamin
Contributor

hamin commented Dec 4, 2015

wtf how is it working for me then from my original image. You're just typing swift right? I know there's a swift_repl, not sure what exactly that one does.

@swizzlr
Contributor Author

swizzlr commented Dec 4, 2015

We need a third person to try this out to figure out which of our machines is wrong. The image ID is c9f6b5fece4f, what's yours?

@hamin
Contributor

hamin commented Dec 4, 2015

The one I pushed to Docker Hub earlier today was this: harisamin/docker-swift latest 48660452cc49

[screenshot omitted: 2015-12-03 7:25 pm]

@hamin
Contributor

hamin commented Dec 4, 2015

Again, from the original one I had.

[screenshot omitted: 2015-12-03 7:28 pm]

@hamin
Contributor

hamin commented Dec 4, 2015

@swizzlr master on our repo:

Step 7 : RUN wget https://swift.org/builds/ubuntu1404/swift-2.2-SNAPSHOT-2015-12-01-b/swift-2.2-SNAPSHOT-2015-12-01-b-ubuntu14.04.tar.gz
 ---> Running in 0e5501001ce0
--2015-12-04 00:32:30--  https://swift.org/builds/ubuntu1404/swift-2.2-SNAPSHOT-2015-12-01-b/swift-2.2-SNAPSHOT-2015-12-01-b-ubuntu14.04.tar.gz
Resolving swift.org (swift.org)... 169.45.67.140
Connecting to swift.org (swift.org)|169.45.67.140|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2015-12-04 00:32:30 ERROR 404: Not Found.

Checking if there's a new tar, maybe apple removed the old one

@hamin
Contributor

hamin commented Dec 4, 2015

@lxcid

lxcid commented Dec 4, 2015

On my own docker implementation I had users reporting the same issue. Funny thing is it works for my docker on a VM.

@swizzlr
Contributor Author

swizzlr commented Dec 4, 2015

@lxcid That's fascinating! Do you think you could find out what the implementations are?

Maybe this is a TTY thing?


I was interested in creating a latest image that would provide the most recent version built from source. Perhaps if we try building from scratch inside the container we might unearth the dependencies that are not present?

@lxcid

lxcid commented Dec 4, 2015

I'm trying to build from source at the moment though. It's painfully slow, maybe it's because I'm building a release build.

Use the following python (2.7) script https://github.com/apple/swift/blob/master/utils/build-script

I'm not sure if I can wait until it completes, but I'll keep you updated on my findings.

@lxcid

lxcid commented Dec 4, 2015

root@ab75a4cb7eff:/usr/src/swift# ./build/Ninja-ReleaseAssert/swift-linux-x86_64/bin/swift --version
Swift version 2.2-dev (LLVM 46be9ff861, Clang 4deb154edc, Swift c959ce2c83)
Target: x86_64-unknown-linux-gnu
root@ab75a4cb7eff:/usr/src/swift# ./build/Ninja-ReleaseAssert/swift-linux-x86_64/bin/swift          
LLVM ERROR: Compiler-internal integrated REPL unimplemented for this platform

This is the output of the release build.

I'm doing another debug build at the moment.

@hamin
Contributor

hamin commented Dec 4, 2015

@lxcid do u mind trying the latest master? I've tested the current master on my local docker instances and am able to launch the repl without issue. Let us know :)

@lxcid

lxcid commented Dec 4, 2015

I just tried the latest master fb7ff42 but it still has the same error in Digital Ocean docker.

I suspect it is the binary that has the issue.

@swizzlr
Contributor Author

swizzlr commented Dec 4, 2015

@hamin you running it on your MB in boot2docker?

@hamin
Contributor

hamin commented Dec 4, 2015

I installed docker via their official mac DMG.

sh --login '/Applications/Docker/Docker Quickstart Terminal.app/Contents/Resources/Scripts/start.sh'

That's how I start it. It's funny because, looking at #12, it seems like @sosedoff was able to deploy our image and it seems to be running.

@sosedoff

sosedoff commented Dec 4, 2015

I'm running swift docker image: swiftdocker/swift:836d5b4ca56e and it works fine on both linux and osx machines. Locally (on osx) I'm using docker-machine and can run the REPL with this command:

$ docker run -it swiftdocker/swift swift
Welcome to Swift version 2.2-dev (LLVM 46be9ff861, Clang 4deb154edc, Swift 778f82939c). Type :help for assistance.
  1>

@hamin
Contributor

hamin commented Sep 8, 2017

This one is tough and has been haunting us forever :) . Not sure what to do here. In the GitHub readme we have privileged, noting that people use containers locally for development too and not just for deployments, places where a Swift repl is more needed or helpful. I think we decided to exclude them from the Docker Hub documentation specifically because of the concern about containers on linux servers. I think this was also pointed out to us by the Docker team when we were merging the project into the official images section that they maintain.

@aduermael

@tianon

Sounds like more caps are now required than before

Unfortunately, even with --cap-add=ALL, I can't make it work... 😕

@tianon

tianon commented Sep 8, 2017 via email

@tianon

tianon commented Sep 8, 2017 via email

@tianon

tianon commented Sep 8, 2017

Ok, here's what I've had success with: (where default.json comes from https://raw.githubusercontent.com/docker/docker-ce/v17.06.2-ce/components/engine/profiles/seccomp/default.json)

--- default.json	2017-09-08 15:02:37.061507178 -0700
+++ swift.json	2017-09-08 15:02:54.821989684 -0700
@@ -216,6 +216,7 @@
 				"open",
 				"openat",
 				"pause",
+				"personality",
 				"pipe",
 				"pipe2",
 				"poll",
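Review bot: the added `"personality",` line drops the syscall into the profile's unconditional allow list, so any personality(2) value the process asks for passes the filter, not just the one the REPL needs. Prefer a separate rule entry with an `args` filter (`"index": 0`, `"op": "SCMP_CMP_EQ"`, the exact value observed) so only that persona is permitted. The `docker run` line that follows also needs `--cap-add sys_ptrace`, so the text should state that the seccomp change alone is not sufficient.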
$ docker run -it --rm --security-opt seccomp=swift.json --cap-add sys_ptrace swift swift
Welcome to Swift version 3.1 (swift-3.1-RELEASE). Type :help for assistance.
  1>  

@Khalian
Contributor

Khalian commented Sep 11, 2017

Should we even be supporting repl in the official image? If things like text editors are excluded, everything except the core compiler and runtime should be excluded right? The purpose of this image is execution, not dev support.

@jonauz

jonauz commented Oct 14, 2017

So what is the way to make this docker work? I keep getting error: failed to launch REPL process: process launch failed: 'A' packet returned an error: 8 no matter what I try to copy from here to my terminal.
Can't pass even the first step to install this docker. I'm not familiar with REPL, so I definitely have no clue how to set it up, just following the readme, which is not working.

@swizzlr
Contributor Author

swizzlr commented Nov 10, 2017

@jonauz If the Readme instructions aren't working for you, please open a separate issue. This issue tracks the fact that the REPL fails without elevated security privileges.

@swizzlr swizzlr changed the title REPL doesn't work without without --cap-add sys_ptrace Update documentation to clarify REPL usage and security implications Nov 10, 2017
@swizzlr
Contributor Author

swizzlr commented Nov 10, 2017

Action item: me to update Readme and sync it with official repo README.

@fekerr

fekerr commented Oct 27, 2018

I get this:

docker run --cap-add sys_ptrace -it --rm swift swift
error: failed to launch REPL process: process launch failed: 'A' packet returned an error: 8

I see from above I should perhaps open a new issue?

@tianon

tianon commented Oct 28, 2018

@fekerr it likely also needs a slightly customised seccomp profile, as I noted above (#9 (comment))

@shahmishal
Member

@swizzlr We are moving Swift Docker issues to https://bugs.swift.org Component: Docker. Can you please file your issue on bugs.swift.org?

We are planning on closing GitHub swift-docker issues on Dec 20th, 2018 (PST).

@CarlitosDroid

In the same way as @LoiKos and @andradei
I had to add --privileged
docker run --privileged --cap-add sys_ptrace -it --rm swift:5.0-xenial swift
I have Docker running on macOS Mojave. We are in 2019 and they still don't update the README in docker Hub.

@tianon

tianon commented Apr 20, 2019

Adding --privileged is a huge hammer with broad security implications. What should be documented is the specific security features that need to be disabled, as I already noted above: #9 (comment)

@1oo7

1oo7 commented Jul 21, 2020

When I add --cap-add sys_ptrace the image never gets created.

@DrSajid

DrSajid commented Jul 26, 2020

Hi,

I just tried today and this worked for me!
docker run --privileged --cap-add sys_ptrace -it --name swiftfun swift /bin/bash

@Guang1234567

As @tianon commented regarding --privileged,

maybe

docker run --cap-add sys_ptrace --security-opt seccomp=unconfined -it --rm swift swift

better than

docker run --privileged --cap-add sys_ptrace -it --name swiftfun swift /bin/bash

@Guang1234567

[image omitted]

@NHellFire

NHellFire commented Sep 20, 2023

I've gotten it working with only one change to the seccomp profile.

root@2b7a2030895e:~# strace -f swift repl 2>&1 | grep EPERM
[pid   436] setsid()                    = -1 EPERM (Operation not permitted)
[pid   439] personality(PER_LINUX|ADDR_NO_RANDOMIZE) = -1 EPERM (Operation not permitted)

My change to the default seccomp profile:

--- seccomp.json.orig  2023-08-31 03:56:06.480864664 +0100
+++ seccomp.json  2023-08-31 03:56:51.149223795 +0100
@@ -824,6 +824,19 @@
           "CAP_PERFMON"
         ]
       }
+    },
+    {
+      "names": [
+        "personality"
+      ],
+      "action": "SCMP_ACT_ALLOW",
+      "args": [
+        {
+          "index": 0,
+          "value": 262144,
+          "op": "SCMP_CMP_EQ"
+        }
+      ]
     }
   ]
 }
\ No newline at end of file
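Review bot: `"value": 262144` in the new rule is a bare magic number. It is 0x40000, the ADDR_NO_RANDOMIZE flag from the strace line above (PER_LINUX is 0, so the `SCMP_CMP_EQ` match covers exactly `PER_LINUX|ADDR_NO_RANDOMIZE` and nothing else, which is the right narrowness); since JSON carries no comments, that derivation belongs in the text next to the rule. The `\ No newline at end of file` marker also shows the edited profile lost its trailing newline; restore it so future diffs stay clean.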
$ docker run --rm -it --security-opt seccomp=seccomp.json swift swift repl
Welcome to Swift version 5.8.1 (swift-5.8.1-RELEASE).
Type :help for assistance.
  1> import Foundation
  2> Date()
$R0: Foundation.Date = 2023-08-31 02:43:28 GMT
  3> ^D

Allowing ADDR_NO_RANDOMIZE by default was requested in moby/moby#43011, but the answer was to maintain your own seccomp profile.
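The narrow seccomp change that tianon's and NHellFire's comments above describe, as an added example that is not part of this thread or the swift-docker project: a Python helper that appends a personality rule matching exactly PER_LINUX|ADDR_NO_RANDOMIZE (262144) to a seccomp profile, and that reports whether a given profile permits that call narrowly or blanket-wide, so a reviewer can distinguish a targeted profile from the first diff's unconditional allow, `--privileged`, or `seccomp=unconfined`. The DEFAULT_PROFILE dict is a constructed stand-in for Docker's default.json, not the real file.

```python
import json

# Values from Linux <sys/personality.h>; the strace line above shows the REPL
# calling personality(PER_LINUX|ADDR_NO_RANDOMIZE).
PER_LINUX = 0x0
ADDR_NO_RANDOMIZE = 0x40000  # 262144, the value in the seccomp.json diff above
REPL_PERSONA = PER_LINUX | ADDR_NO_RANDOMIZE

# Constructed stand-in for Docker's default.json (same shape, far fewer rules).
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["open", "openat", "pause", "pipe", "pipe2", "poll"],
         "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}

def personality_rule(value):
    """Allow personality() only when its first argument equals `value`."""
    return {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
            "args": [{"index": 0, "value": value, "op": "SCMP_CMP_EQ"}]}

def personality_allowed(profile, value):
    """True if `profile` lets personality(value) through. A rule with no args
    filter matches every value; an EQ filter on arg 0 matches only that value."""
    for rule in profile.get("syscalls", []):
        if "personality" not in rule.get("names", []) or rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        args = rule.get("args") or []
        if not args or any(a.get("index") == 0 and a.get("op") == "SCMP_CMP_EQ"
                           and a.get("value") == value for a in args):
            return True
    return False

def blanket_personality_allowed(profile):
    """True if some rule allows personality() with no argument filter (the first diff above)."""
    return any("personality" in r.get("names", []) and r.get("action") == "SCMP_ACT_ALLOW"
               and not r.get("args") for r in profile.get("syscalls", []))

def allow_repl_personality(profile):
    """Copy of `profile` with the narrow REPL rule appended; a no-op if already allowed."""
    new = json.loads(json.dumps(profile))
    if not personality_allowed(new, REPL_PERSONA):
        new["syscalls"].append(personality_rule(REPL_PERSONA))
    return new

if __name__ == "__main__":
    # Emit the patched profile for: docker run --security-opt seccomp=swift.json ...
    print(json.dumps(allow_repl_personality(DEFAULT_PROFILE), indent=2))
```

Run it against the real default.json by loading that file in place of DEFAULT_PROFILE; `--cap-add sys_ptrace` is still required alongside the resulting profile, as the thread notes.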
