statx syscalls inside a docker container #208

Closed
2 of 3 tasks
mettke opened this issue Jan 28, 2018 · 13 comments

Comments

@mettke

mettke commented Jan 28, 2018

  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one

Description

statx syscalls are only allowed in privileged containers and cannot be allowed using Linux capabilities. It would be nice to have a capability which allows those calls, as for example Qt is using them in its build process.

Expected behavior

docker run --cap-add=ALL

or

docker run --cap-add=<NEW CAPABILITY>

should allow statx syscalls inside of docker

Actual behavior

docker run --cap-add=ALL

does not allow statx syscalls as there is no capability which allows such a system call

docker run --privileged

however does allow statx syscalls

Steps to reproduce the behavior

docker run --rm -it base/devel /bin/bash -c "
   sudo pacman -Sy --noconfirm wget
   echo -e '\nTesting statx call\n'
   wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c
   gcc test-statx.c -o test-statx
   touch test-file
   ./test-statx test-file
"

Output of docker version:

Client:
 Version:	18.01.0-ce
 API version:	1.35
 Go version:	go1.9.2
 Git commit:	03596f51b1
 Built:	Sun Jan 14 23:10:39 2018
 OS/Arch:	linux/amd64
 Experimental:	false
 Orchestrator:	swarm

Server:
 Engine:
  Version:	18.01.0-ce
  API version:	1.35 (minimum version 1.12)
  Go version:	go1.9.2
  Git commit:	03596f51b1
  Built:	Sun Jan 14 23:11:14 2018
  OS/Arch:	linux/amd64
  Experimental:	false

Output of docker info:

Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 4
Server Version: 18.01.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.78-1-lts
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.666GiB
Name: ArchLinux
ID: 6DOA:O7FZ:NXOY:CL6B:D7GK:YBLH:SMGX:PAEW:IBZT:CA4F:BEYT:ERGL
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: toendeavour
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
plfiorini added a commit to liri-infra/buildbot-config that referenced this issue Feb 10, 2018
qbs misbehaves inside Docker containers ever since Arch Linux builds
of Qt activated statx again.

This is due to the fact that statx doesn't work on non-privileged
containers, see docker/for-linux#208

The solution is to enable privileged mode.
@xantares

Seems a PR is pending:
moby/moby#36417

@xantares

See the last comment; it should be in 18.04.

@thaJeztah
Member

Ah, yes, this is now addressed on master, and will be in Docker 18.04 moby/moby#36417

Closing the issue here 👍

@seemethere

@xantares @mettke if you'd like to try this out before the release of 18.04 feel free to use the Docker CE nightly builds with:

curl -fsSL get.docker.com | CHANNEL=nightly sh

@endrift

endrift commented Sep 18, 2018

I seem to still be having this on Ubuntu 18.04.1 with docker-ce 18.06.1~ce~3-0~ubuntu.

Setting the seccomp profile manually doesn't work either.

@emmenlau

emmenlau commented Nov 22, 2018

I can not get this to work in docker-ce:amd64 5:18.09.0~3-0~ubuntu-bionic.
Is there a specific capability that needs to be added? I have cap_add = ["NET_ADMIN"] but nothing else, and use docker from gitlab-runner.
Can someone help?

@simonschmeisser

Sorry but I'm still confused as well. I have Docker version 18.09.0, build 4d60db4, but still statx does not seem to be enabled by default? Do I need to enable it manually? What command to use? Are moby version numbers and docker version numbers synced?

@endrift

endrift commented Nov 29, 2018

I solved this by updating libseccomp. The version bionic has is not new enough, so I just took the .deb from cosmic, which installed cleanly and works fine.

@thaJeztah
Member

@endrift that would explain the issue; see moby/moby#36417 (comment)

That's fine, but note that you will need to install libseccomp-2.3.3 on the host for this to work, as I think that is the first version with statx support.

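The thread keeps circling back to one diagnostic question: when statx fails inside the container, is the syscall being filtered by the seccomp profile, or does the kernel simply not have it? The following probe settles that from inside the container. It is an added example, not code from this issue, from Docker/moby, or from the kernel's samples/statx/test-statx.c that the reporter used. It assumes that a filtered syscall comes back as EPERM (the errno Docker's default seccomp profile returns for syscalls it does not allow), that ENOSYS means the running kernel predates statx (Linux 4.11), and that a 256-byte buffer is large enough to hold struct statx; the function and enum names are the example's own.

```c
/* statx_probe.c: classify why a raw statx(2) does or does not work for
 * this process. Example code written for this thread, not Docker's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>        /* AT_FDCWD */
#include <stdio.h>
#include <string.h>
#include <unistd.h>       /* syscall() */
#include <sys/syscall.h>  /* SYS_statx, when libc/kernel headers know it */

#ifndef SYS_statx
#  if defined(__x86_64__)
#    define SYS_statx 332   /* assumption: x86_64 syscall number for statx */
#  elif defined(__aarch64__)
#    define SYS_statx 291   /* assumption: arm64 syscall number for statx */
#  endif
#endif

#ifndef AT_FDCWD
#  define AT_FDCWD (-100)
#endif
#define PROBE_STATX_BASIC_STATS 0x7ffU /* STATX_BASIC_STATS mask */
#define PROBE_STATX_BUF_SIZE    256    /* assumption: sizeof(struct statx) */

enum statx_probe {
    STATX_ALLOWED = 0,     /* the syscall reached the kernel and succeeded */
    STATX_DENIED_SECCOMP,  /* EPERM: what Docker's default profile returns */
    STATX_MISSING_KERNEL,  /* ENOSYS: the kernel has no statx at all */
    STATX_OTHER_ERROR      /* anything else; inspect the errno */
};

/* Issue statx(2) directly via syscall(2) on a path that is known to exist,
 * so that the only interesting failure modes are "filtered" vs "missing".
 * If out_errno is non-NULL it receives the errno (0 on success). */
enum statx_probe probe_statx(const char *path, int *out_errno)
{
#ifndef SYS_statx
    /* Unknown syscall number on this architecture: cannot probe. */
    if (out_errno) *out_errno = 0;
    (void)path;
    return STATX_OTHER_ERROR;
#else
    unsigned char buf[PROBE_STATX_BUF_SIZE];
    memset(buf, 0, sizeof buf);

    /* flags = 0 is AT_STATX_SYNC_AS_STAT: behave like a plain stat(). */
    long rc = syscall(SYS_statx, AT_FDCWD, path, 0,
                      PROBE_STATX_BASIC_STATS, buf);
    int err = (rc == -1) ? errno : 0;
    if (out_errno) *out_errno = err;

    if (rc == 0)          return STATX_ALLOWED;
    if (err == EPERM)     return STATX_DENIED_SECCOMP;
    if (err == ENOSYS)    return STATX_MISSING_KERNEL;
    return STATX_OTHER_ERROR;
#endif
}

/* Human-readable label for a probe result. */
const char *statx_probe_name(enum statx_probe r)
{
    switch (r) {
    case STATX_ALLOWED:        return "allowed";
    case STATX_DENIED_SECCOMP: return "denied (EPERM, seccomp filter)";
    case STATX_MISSING_KERNEL: return "unsupported (ENOSYS, kernel too old)";
    default:                   return "other error";
    }
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    int err = 0;
    enum statx_probe r = probe_statx(path, &err);

    printf("statx(%s): %s", path, statx_probe_name(r));
    if (err) printf(" [errno %d: %s]", err, strerror(err));
    putchar('\n');
    return r == STATX_ALLOWED ? 0 : 1;
}
```

Compile with `gcc statx_probe.c -o statx_probe` and run it inside the container without `--privileged`. An EPERM result means the filter is the problem: either the engine predates the moby/moby#36417 change (Docker 18.04), or, as the comment above says, the host's libseccomp is older than 2.3.3 and does not know the statx name, so the allow rule never takes effect. ENOSYS points at the host kernel instead, and no Docker or libseccomp upgrade will change that.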
@dawagner

dawagner commented Dec 4, 2018

I'm having the same issue as @simonschmeisser, on Fedora 27.

@thaJeztah
Member

@dawagner see my comment above yours, #208 (comment): if an older version of libseccomp is present on the host, it won't work.

@dawagner

dawagner commented Dec 5, 2018

@thaJeztah : basic PEBKAC case: I did read your explanation and I thought I had checked that the correct version was installed but apparently, I did not... Thanks.

Karry added a commit to Karry/libosmscout that referenced this issue Feb 11, 2019
Current Qt tools cannot be run with old Docker.
See the issue: docker/for-linux#208
We need to temporarily disable building of the Client/Qt library
until Oracle updates its Docker in the Wercker service.
hantoine added a commit to GostCryptTeam/gostcrypt that referenced this issue Feb 17, 2019
@chuanchang

@mettke Where I can get base/devel container image? thanks.

raxod502 added a commit to raxod502/intuitive-explanations that referenced this issue Nov 4, 2020
Tracked down an incredibly obscure error where Ubuntu Groovy
apparently packages a version of libpaper1:amd64 that uses a configure
script that uses the statx system call which apparently cannot be run
inside Docker without libseccomp>=2.3.3 on the host machine, which is
more recent than what is shipped on the 16.04 machine image.

docker/for-linux#208 (comment)
raxod502 added a commit to raxod502/intuitive-explanations that referenced this issue Mar 28, 2021