clearcontainers / runtime

OCI (Open Containers Initiative) compatible runtime using Virtual Machines
Apache License 2.0

Container filesystem always writeable by all #614

Open dato opened 7 years ago

dato commented 7 years ago

In a nutshell, I can successfully touch /root/foo.txt in the container in the following two scenarios, when it shouldn’t be allowed:

I can reproduce it in two different machines, one using overlay2 and the other devicemapper.

--read-only

# docker run --rm -ti --runtime=cc --read-only \
    alpine sh -c 'ls -ld /root; touch /root/foo.txt && ls -l /root/foo.txt'
drwx------    2 root     root          4096 Jun 25 17:52 /root
-rw-r--r--    1 root     root             0 Sep 24 00:44 /root/foo.txt

Whereas with runc:

# docker run --rm -ti --runtime=runc --read-only \
    alpine sh -c 'ls -ld /root; touch /root/foo.txt && ls -l /root/foo.txt'
drwx------    2 root     root          4096 Jun 25 17:52 /root
touch: /root/foo.txt: Read-only file system

--user nobody:nogroup

# docker run --rm -ti --runtime=cc --user nobody:nogroup \
    alpine sh -c 'id; touch /root/foo.txt && ls -l /root/foo.txt'
uid=65534(nobody) gid=65533(nogroup)
-rw-r--r--    1 nobody   nogroup          0 Sep 24 00:44 /root/foo.txt

With runc:

# docker run --rm -ti --runtime=runc --user nobody:nogroup \
    alpine sh -c 'id; touch /root/foo.txt && ls -l /root/foo.txt'
uid=65534(nobody) gid=65533(nogroup)
touch: /root/foo.txt: Permission denied

Machine info

# cc-runtime cc-check
INFO[0000] Found CPU attribute "Intel Architecture CPU" (GenuineIntel)  
INFO[0000] Found CPU flag "SSE4.1" (sse4_1)
INFO[0000] Found CPU flag "Virtualization support" (vmx)
INFO[0000] Found CPU flag "64Bit CPU" (lm)
INFO[0000] Found kernel module "Kernel-based Virtual Machine" (kvm)
INFO[0000] Found kernel module "Intel KVM" (kvm_intel)
INFO[0000] Kernel module "Intel KVM" parameter "nested" has correct value
INFO[0000] Kernel module "Intel KVM" parameter "unrestricted_guest" has correct value
INFO[0000] Found kernel module "Host kernel accelerator for virtio" (vhost)
INFO[0000] Found kernel module "Host kernel accelerator for virtio network" (vhost_net)
INFO[0000]
INFO[0000] System is capable of running Intel® Clear Containers

# cc-runtime cc-env
[Meta]
  Version = "1.0.3"

[Runtime]
  [Runtime.Version]
    Semver = "3.0.0"
    Commit = "7fc11d5"
    OCI = "1.0.0-rc5"
  [Runtime.Config]
    GlobalLogPath = ""
    [Runtime.Config.Location]
      Path = "/etc/clear-containers/configuration.toml"
      Resolved = "/etc/clear-containers/configuration.toml"

[Hypervisor]
  MachineType = "pc"
  Version = "QEMU emulator version 2.7.1(2.7.1+git.741f430a96-8.cc)…"
  [Hypervisor.Location]
    Path = "/usr/bin/qemu-lite-system-x86_64"
    Resolved = "/usr/bin/qemu-lite-system-x86_64"

[Image]
  Path = "/usr/share/clear-containers/clear-containers.img"
  Resolved = "/usr/share/clear-containers/clear-17270-containers.img"

[Kernel]
  Parameters = ""
  [Kernel.Location]
    Path = "/usr/share/clear-containers/vmlinuz.container"
    Resolved = "/usr/share/clear-containers/vmlinuz-4.9.47-77.container"

[Proxy]
  Type = "ccProxy"
  Version = "Version: 3.0.0+git.c66f21e"
  URL = "unix:///var/run/clear-containers/proxy.sock"

[Shim]
  Type = "ccShim"
  Version = "shim version: 3.0.0-alpha.4 (commit: 739e5e2)"
  [Shim.Location]
    Path = "/usr/libexec/clear-containers/cc-shim"
    Resolved = "/usr/libexec/clear-containers/cc-shim"

[Agent]
  Type = "hyperstart"
  Version = "<<unknown>>"
  [Agent.PauseBin]
    Path = "/var/lib/clear-containers/runtime/bundles/pause_bundle/bin/pause"
    Resolved = "/var/lib/clear-containers/runtime/bundles/pause_bundle/bin/pause"

[Host]
  Kernel = "4.9.0-3-amd64"
  CCCapable = true
  [Host.Distro]
    Name = "Debian GNU/Linux"
    Version = "9"
  [Host.CPU]
    Vendor = "GenuineIntel"
    Model = "Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz"

# docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 3
Server Version: 17.06.2-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: cc runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 6e23458c129b551d5c9871e5174f6b1b7f6d1170
runc version: 810190ceaa507aa2727d7ae6f4790c76ec150bd2
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.9.0-3-amd64
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.38GiB
Name: geertz.rel
ID: H2JT:UWV2:ERA5:DVSQ:RZTH:GLLK:S7CY:YS7A:OVJC:WG4F:D43V:37JZ
Docker Root Dir: /srv/var/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
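The two probes in this report are exactly what an operator would want to run as a regression check: a runtime that silently ignores `--read-only` and `--user` turns two commonly relied-upon hardening controls into no-ops. The script below is an added example, not code from the clearcontainers/runtime project or from the reporter. It wraps the report's two `docker run` invocations in a pass/fail check that can be pointed at any registered runtime. It assumes `docker` is on PATH, that the runtime names given on the command line (e.g. `cc` and `runc`, as in the report) are registered with the daemon, and that the `alpine` image is available; it drops `-ti` because nothing interactive is needed. All function names are ours.

```shell
#!/bin/sh
# Added example: check that a Docker runtime actually enforces --read-only and
# --user, i.e. that the two write probes from issue #614 are denied the way they
# are under runc. Assumes `docker` on PATH and registered runtime names as args.

# Run one write probe under the given runtime with extra `docker run` flags.
# The container prints the exit status of touch as its last line, so callers
# need not pattern-match error messages that differ between runtimes.
run_probe() {
    runtime=$1
    shift
    docker run --rm --runtime="$runtime" "$@" alpine \
        sh -c 'touch /root/foo.txt 2>/dev/null; echo "touch_rc=$?"' 2>&1
}

# Extract the touch exit status from probe output on stdin; print "none" when
# the probe never reported one (docker or the runtime failed to start).
probe_rc() {
    rc=$(sed -n 's/^touch_rc=//p' | tail -n 1)
    echo "${rc:-none}"
}

# Report one scenario: $1 = runtime, $2 = scenario label, $3 = probe result.
# Only a non-zero touch status counts as PASS; a missing status is an ERROR,
# not a PASS, so an unavailable runtime can never look hardened.
report() {
    case $3 in
        none) echo "ERROR $1 [$2]: probe did not run (docker/runtime unavailable?)"; return 1 ;;
        0)    echo "FAIL  $1 [$2]: touch /root/foo.txt succeeded";              return 1 ;;
        *)    echo "PASS  $1 [$2]: touch /root/foo.txt denied (rc=$3)";          return 0 ;;
    esac
}

# Exercise both scenarios from the report against one runtime; return 1 if any fails.
check_runtime() {
    status=0
    report "$1" "--read-only" \
        "$(run_probe "$1" --read-only | probe_rc)" || status=1
    report "$1" "--user nobody:nogroup" \
        "$(run_probe "$1" --user nobody:nogroup | probe_rc)" || status=1
    return "$status"
}

# Usage: sh runtime-write-check.sh cc runc
for rt in "$@"; do
    check_runtime "$rt"
done
```

Running it as `sh runtime-write-check.sh cc runc` on the machine described above should print two PASS lines for runc and two FAIL lines for cc, reproducing the report; once the runtime is fixed, the same invocation serves as the regression test that the controls stay enforced.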

sameo commented 7 years ago

@dato Thanks for the report. The --read-only part will be fixed with a virtcontainers PR and we're looking at the uid/gid issue as well.