Fix docker-worker-chunk-2 #5800
The additional logs reveal:
Great find @petemoore. Looks like we were missing deployment documentation for this.
Inside docker container, task is running as
If so, I suspect the first option is probably the better one (principle of least privilege).
Additionally: it looks like the disableSeccomp docker-worker capability is a pretty open door; perhaps seccomp profiles might be better for fine-grained access? In any case, this shouldn't be too much of an issue when moving to generic-worker, as task users are generally non-privileged and isolated from each other.
I reproduced on an AWS machine:
Then from the three options I mentioned earlier:
I tried the first one:
which led me to docker/docs#13731 which told me that it isn't yet possible to run docker with this additional privilege (afaict). I can cheat with full privilege:
Note, here I am not running with
So indeed, using the @jschwartzentruber can you confirm? If so, I think this (currently) leaves us with the only option being to modify
Note, setting to Not working:
Check current value:
Reduce to
Check change was effective:
Try again:
Worked!
This might be a combination I never tested. I was going from the rr wiki Docker page, which recommends
fwiw
so indeed if you are ok with using |
8a51d9b to 6da6c15
Successful rerun of docker worker chunk 4 here: https://community-tc.services.mozilla.com/tasks/G-b1mZ_rTbyrTCFJl3KPUw
Not sure what is causing #5799 at the moment, so will troubleshoot in this PR. Will keep the PR in DRAFT status until I've worked out what is going on and made an appropriate fix.