NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

seccomp profiles are not supported on this docker daemon #24550

Open rdesfo opened 7 years ago

rdesfo commented 7 years ago

Issue description

Unable to use seccomp profiles with docker

Steps to reproduce

download default seccomp profile and try to run it

```
$ wget https://raw.githubusercontent.com/docker/docker/master/profiles/seccomp/default.json -O /tmp/default.json 2>&1

--2017-04-01 12:45:58--  https://raw.githubusercontent.com/docker/docker/master/profiles/seccomp/default.json
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.116.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.116.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14152 (14K) [text/plain]
Saving to: ‘/tmp/default.json’

     0K .......... ...                                        100%  473K=0.03s

2017-04-01 12:45:58 (473 KB/s) - ‘/tmp/default.json’ saved [14152/14152]
```

```
$ docker run --rm --security-opt seccomp=/tmp/default.json alpine sh

/nix/store/kdq94vmln4ybyxs86wjp85gb2pfaf261-docker-17.03.0-ce/libexec/docker/docker:
Error response from daemon: linux seccomp: seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile.
```

check kernel to see if `CONFIG_SECCOMP` is enabled

```
$ zcat /proc/config.gz | grep SECCOMP
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
```

check process is sandboxed by seccomp

```
$ for i in $(ps -aux | grep [d]ocker | awk '{print $2}'); do grep -r Seccomp /proc/$i/status; done
Seccomp:  0
Seccomp:  0
Seccomp:  0
```

Technical details

```
$ nixos-version
17.09pre104652.08c87ee (Hummingbird)
```

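The two checks in the report (kernel config and the `Seccomp:` field of `/proc/<pid>/status`) as a reusable script; this is an added example, not part of the issue or of nixpkgs. It assumes the standard meaning of the status field (0 = disabled, 1 = strict, 2 = filter), that `pgrep` and `docker` are on PATH, and uses a constructed status file only in the test; note that the daemon's own processes are expected to show mode 0, since the profile is applied to the processes inside the container, not to dockerd.

```bash
#!/bin/sh
# Added example: verify seccomp support on the host and report the mode of
# running processes. Not code from the issue or from nixpkgs.

# Translate the numeric Seccomp field from /proc/<pid>/status into words.
# 0 = disabled, 1 = strict, 2 = filter (what a Docker seccomp profile uses).
seccomp_mode_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "filter" ;;
        *) echo "unknown" ;;
    esac
}

# Print the Seccomp mode number found in a status file (argument: path to a
# /proc/<pid>/status-style file). Prints "none" if the field is absent, which
# is what a kernel built without CONFIG_SECCOMP produces.
seccomp_mode_from_status() {
    awk -F'[:[:space:]]+' '/^Seccomp:/ { print $2; found = 1 }
                            END { if (!found) print "none" }' "$1"
}

# Exit 0 if the given kernel config (e.g. the output of `zcat /proc/config.gz`
# saved to a file, or /boot/config-*) enables seccomp filtering.
kernel_has_seccomp_filter() {
    grep -qx 'CONFIG_SECCOMP_FILTER=y' "$1"
}

# Report the seccomp mode of every process whose command line matches $1.
# Run with "dockerd" to reproduce the loop from the issue; expect mode 0 there.
report_processes() {
    for pid in $(pgrep -f "$1"); do
        mode=$(seccomp_mode_from_status "/proc/$pid/status")
        echo "pid $pid: Seccomp=$mode ($(seccomp_mode_name "$mode"))"
    done
}

# Ask a container for its own PID 1 status; with a working seccomp profile
# this prints 2, and a daemon without seccomp support prints 0 (or fails).
container_seccomp_mode() {
    profile="$1"   # path to a profile JSON, e.g. /tmp/default.json
    docker run --rm --security-opt "seccomp=$profile" alpine \
        awk -F'[:[:space:]]+' '/^Seccomp:/ { print $2 }' /proc/1/status
}
```

Run `report_processes dockerd` for the host-side check and `container_seccomp_mode /tmp/default.json` to see what the container itself is subject to.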
mmahut commented 5 years ago

Any news on this issue?

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.