Open dato opened 7 years ago
In a nutshell, I can successfully `touch /root/foo.txt` in the container in the following two scenarios, when it shouldn't be allowed:

- `docker run --read-only`
- `docker run --user nobody:nogroup`
I can reproduce it on two different machines, one using overlay2 and the other devicemapper.
--read-only

```
# docker run --rm -ti --runtime=cc --read-only \
    alpine sh -c 'ls -ld /root; touch /root/foo.txt && ls -l /root/foo.txt'
drwx------ 2 root root 4096 Jun 25 17:52 /root
-rw-r--r-- 1 root root 0 Sep 24 00:44 /root/foo.txt
```
Whereas with runc:
```
# docker run --rm -ti --runtime=runc --read-only \
    alpine sh -c 'ls -ld /root; touch /root/foo.txt && ls -l /root/foo.txt'
drwx------ 2 root root 4096 Jun 25 17:52 /root
touch: /root/foo.txt: Read-only file system
```
--user nobody:nogroup

```
# docker run --rm -ti --runtime=cc --user nobody:nogroup \
    alpine sh -c 'id; touch /root/foo.txt && ls -l /root/foo.txt'
uid=65534(nobody) gid=65533(nogroup)
-rw-r--r-- 1 nobody nogroup 0 Sep 24 00:44 /root/foo.txt
```
With runc:
```
# docker run --rm -ti --runtime=runc --user nobody:nogroup \
    alpine sh -c 'id; touch /root/foo.txt && ls -l /root/foo.txt'
uid=65534(nobody) gid=65533(nogroup)
touch: /root/foo.txt: Permission denied
```
Machine info

```
# cc-runtime cc-check
INFO[0000] Found CPU attribute "Intel Architecture CPU" (GenuineIntel)
INFO[0000] Found CPU flag "SSE4.1" (sse4_1)
INFO[0000] Found CPU flag "Virtualization support" (vmx)
INFO[0000] Found CPU flag "64Bit CPU" (lm)
INFO[0000] Found kernel module "Kernel-based Virtual Machine" (kvm)
INFO[0000] Found kernel module "Intel KVM" (kvm_intel)
INFO[0000] Kernel module "Intel KVM" parameter "nested" has correct value
INFO[0000] Kernel module "Intel KVM" parameter "unrestricted_guest" has correct value
INFO[0000] Found kernel module "Host kernel accelerator for virtio" (vhost)
INFO[0000] Found kernel module "Host kernel accelerator for virtio network" (vhost_net)
INFO[0000]
INFO[0000] System is capable of running Intel® Clear Containers
```

```
# cc-runtime cc-env
[Meta]
  Version = "1.0.3"

[Runtime]
  [Runtime.Version]
    Semver = "3.0.0"
    Commit = "7fc11d5"
    OCI = "1.0.0-rc5"
  [Runtime.Config]
    GlobalLogPath = ""
    [Runtime.Config.Location]
      Path = "/etc/clear-containers/configuration.toml"
      Resolved = "/etc/clear-containers/configuration.toml"

[Hypervisor]
  MachineType = "pc"
  Version = "QEMU emulator version 2.7.1(2.7.1+git.741f430a96-8.cc)…"
  [Hypervisor.Location]
    Path = "/usr/bin/qemu-lite-system-x86_64"
    Resolved = "/usr/bin/qemu-lite-system-x86_64"

[Image]
  Path = "/usr/share/clear-containers/clear-containers.img"
  Resolved = "/usr/share/clear-containers/clear-17270-containers.img"

[Kernel]
  Parameters = ""
  [Kernel.Location]
    Path = "/usr/share/clear-containers/vmlinuz.container"
    Resolved = "/usr/share/clear-containers/vmlinuz-4.9.47-77.container"

[Proxy]
  Type = "ccProxy"
  Version = "Version: 3.0.0+git.c66f21e"
  URL = "unix:///var/run/clear-containers/proxy.sock"

[Shim]
  Type = "ccShim"
  Version = "shim version: 3.0.0-alpha.4 (commit: 739e5e2)"
  [Shim.Location]
    Path = "/usr/libexec/clear-containers/cc-shim"
    Resolved = "/usr/libexec/clear-containers/cc-shim"

[Agent]
  Type = "hyperstart"
  Version = "<<unknown>>"
  [Agent.PauseBin]
    Path = "/var/lib/clear-containers/runtime/bundles/pause_bundle/bin/pause"
    Resolved = "/var/lib/clear-containers/runtime/bundles/pause_bundle/bin/pause"

[Host]
  Kernel = "4.9.0-3-amd64"
  CCCapable = true
  [Host.Distro]
    Name = "Debian GNU/Linux"
    Version = "9"
  [Host.CPU]
    Vendor = "GenuineIntel"
    Model = "Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz"
```

```
# docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 3
Server Version: 17.06.2-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: cc runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 6e23458c129b551d5c9871e5174f6b1b7f6d1170
runc version: 810190ceaa507aa2727d7ae6f4790c76ec150bd2
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.9.0-3-amd64
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.38GiB
Name: geertz.rel
ID: H2JT:UWV2:ERA5:DVSQ:RZTH:GLLK:S7CY:YS7A:OVJC:WG4F:D43V:37JZ
Docker Root Dir: /srv/var/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
```
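The report above is, in effect, a two-case conformance test: a runtime that honours `--read-only` must make the write fail with "Read-only file system", and one that honours `--user` must make it fail with "Permission denied"; a successful `ls -l /root/foo.txt` line means the restriction was not applied. The script below is an added example, not part of the issue or of the cc-runtime project. It turns that check into a reusable regression probe: `probe_readonly` and `probe_user` rerun the report's commands against a named runtime (they assume a working `docker` daemon with that runtime registered), and `classify_output` decides from the captured output whether the restriction held. The `SAMPLE_*` strings are constructed from the outputs quoted in the report so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example: regression probe for --read-only and --user enforcement.
# probe_* need a docker daemon with the named runtime; they are not run at
# load time. classify_output works on captured output and runs offline.

# Re-run the report's --read-only probe against runtime $1 (e.g. runc, cc).
probe_readonly() {
    docker run --rm --runtime="$1" --read-only alpine \
        sh -c 'touch /root/foo.txt && ls -l /root/foo.txt' 2>&1
}

# Re-run the report's --user probe against runtime $1.
probe_user() {
    docker run --rm --runtime="$1" --user nobody:nogroup alpine \
        sh -c 'id; touch /root/foo.txt && ls -l /root/foo.txt' 2>&1
}

# classify_output RESTRICTION OUTPUT
#   prints "enforced"  (exit 0) when the expected refusal message is present,
#          "VIOLATION" (exit 1) when an ls listing of /root/foo.txt appears,
#                              i.e. the write went through,
#          "unknown"   (exit 2) otherwise, so an unexpected error string is
#                              never silently counted as a pass.
classify_output() {
    restriction=$1
    output=$2
    case $restriction in
        read-only) expected='Read-only file system' ;;
        user)      expected='Permission denied' ;;
        *)         echo "unknown"; return 2 ;;
    esac
    if printf '%s\n' "$output" | grep -q -- "$expected"; then
        echo "enforced"; return 0
    elif printf '%s\n' "$output" | grep -Eq '^-[rwx-]{9}.* /root/foo\.txt$'; then
        echo "VIOLATION"; return 1
    else
        echo "unknown"; return 2
    fi
}

# Constructed samples, taken from the outputs quoted in the report.
SAMPLE_CC_RO='-rw-r--r-- 1 root root 0 Sep 24 00:44 /root/foo.txt'
SAMPLE_RUNC_RO='touch: /root/foo.txt: Read-only file system'
SAMPLE_CC_USER='uid=65534(nobody) gid=65533(nogroup)
-rw-r--r-- 1 nobody nogroup 0 Sep 24 00:44 /root/foo.txt'
SAMPLE_RUNC_USER='uid=65534(nobody) gid=65533(nogroup)
touch: /root/foo.txt: Permission denied'

# report RUNTIME RESTRICTION OUTPUT: one line per probe result.
report() {
    printf '%-6s %-10s %s\n' "$1" "$2" "$(classify_output "$2" "$3")"
}

# Offline demonstration on the constructed samples.
report cc   read-only "$SAMPLE_CC_RO"
report runc read-only "$SAMPLE_RUNC_RO"
report cc   user      "$SAMPLE_CC_USER"
report runc user      "$SAMPLE_RUNC_USER"

# Live use on a host with docker (uncomment):
# report runc read-only "$(probe_readonly runc)"
# report cc   read-only "$(probe_readonly cc)"
# report runc user      "$(probe_user runc)"
# report cc   user      "$(probe_user cc)"
```

The classifier deliberately has three outcomes rather than two: the pass condition is the specific refusal the kernel should produce, not merely "touch did not print a listing", so a runtime that fails in some other way (image missing, agent error) shows up as `unknown` instead of being recorded as enforcing the restriction.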
@dato Thanks for the report. The --read-only part will be fixed with a virtcontainers PR and we're looking at the uid/gid issue as well.