cu-ecen-aeld / assignment-autotest

Auto test code for assignments, using the Unity automated test framework
MIT License

docker-desktop on Fedora40 #34

Closed calvarado2004 closed 1 month ago

calvarado2004 commented 1 month ago

Using docker-desktop on Fedora 40, the script fails: it sets gid and uid as 0 (root), which would require the --privileged flag on the docker run command in the autotest.

Run docker run --rm \
The uid:gid for "/home/carlos/yocto-runner/_work/assignment-6-calvarado2004/assignment-6-calvarado2004" is "0:0". The uid and gid must be non-zero. Please check to make sure the "volume" or "bind" specified using either "-v" or "--mount" to docker, exists and has a non-zero uid:gid.

I only have this or a Mac M1, which is even more difficult; I do not use Windows.

dwalkes commented 1 month ago

@calvarado2004 what script are you referring to? You should not need to run docker scripts when using github actions runners.

calvarado2004 commented 1 month ago

Here, trying to build yocto for the first time, using the container: https://github.com/cu-ecen-aeld/assignment-6-calvarado2004/actions/runs/10675687455

I also tried with podman-desktop with the same result.

dwalkes commented 1 month ago

Are you running the actions runners as root? If so, don't; make sure you are running with a user account in the docker group.

calvarado2004 commented 1 month ago

No, when running the container, the directory /home/carlos/yocto-runner/_work/assignment-6-calvarado2004/assignment-6-calvarado2004 belongs to me (carlos is uid 1000) at the host OS level.

carlos@asus-tuf:~/yocto-runner$ ls -ld /home/carlos/yocto-runner/_work/assignment-6-calvarado2004/assignment-6-calvarado2004
drwxr-xr-x. 8 carlos carlos 4096 Sep 3 00:18 /home/carlos/yocto-runner/_work/assignment-6-calvarado2004/assignment-6-calvarado2004

However, running the container with the volume mounts the directory with root ownership, and that triggers the issue with the directory ownership in the script. As far as I remember, that is the default behavior of a bind mount: it belongs to root, even when running containers with non-root users.

carlos@asus-tuf:~/yocto-runner$ docker run --rm -it -v /home/carlos/yocto-runner/_work/assignment-6-calvarado2004/assignment-6-calvarado2004:/workdir --user 1000:1000 ubuntu ls -ld /workdir
drwxr-xr-x 8 root ubuntu 4096 Sep 3 04:18 /workdir

calvarado2004 commented 1 month ago

According to this, https://github.com/crops/poky-container/issues/40#issuecomment-635556165, we have to omit the --workdir option on the docker run command to make it work.

calvarado2004 commented 1 month ago

The problem is that both podman and docker desktop enable userns remap by default on Linux, and on top of that we still have the issue with workdir, which is a problem only on that specific container (it performs checks with a Python script).

https://docs.docker.com/engine/security/userns-remap/

dwalkes commented 1 month ago

So just to confirm and make sure I understand the issue: can you reproduce with this simple command, running as your local user account?

mkdir foo
docker run --rm -it -v $(pwd)/foo:/workdir cuaesd/aesd-autotest:assignment6-yocto --workdir=/workdir

If so, do you see the same error substituting any of the containers at https://hub.docker.com/r/crops/poky/tags instead of cuaesd/aesd-autotest:assignment6-yocto? For example:

docker run --rm -it -v $(pwd)/foo:/workdir crops/poky:fedora-40 --workdir=/workdir

dwalkes commented 1 month ago

Here's ls -la of /workdir for me on Ubuntu 22.04 and 20.04 hosts:

dan@dan-tr:~$ docker run --rm -it -v $(pwd)/foo:/workdir cuaesd/aesd-autotest:assignment6-yocto --workdir=/workdir ls -la /workdir
total 8
drwxrwxr-x 2 pokyuser pokyuser 4096 Sep  3 15:40 .
drwxr-xr-x 1 root     root     4096 Sep  3 15:52 ..

dwalkes commented 1 month ago

Also for reference, here's the docker version on 22.04:

dan@dan-tr:~$ docker --version
Docker version 20.10.21, build baeda1f

The problem is that both podman and docker desktop enables userns remap by default in Linux

This is presumably for a specific docker version used on fedora-40 after 20.10.21?

Have you attempted to disable userns remap, either in /etc/docker/daemon.json or by passing --userns=host to the run command?

calvarado2004 commented 1 month ago

Yes, and the problem also occurs on macOS. Well, it is actually not a problem; it is the intended security configuration for modern Docker/Podman/containerd. It reduces the attack vector: even if someone gains root access in a container, it is not the real root. The thing is that the image got left behind on that.

Mac M1

carlosalvaradomartinez@macbook-pro ~ % mkdir foo
carlosalvaradomartinez@macbook-pro ~ % docker run --rm -it -v $(pwd)/foo:/workdir cuaesd/aesd-autotest:assignment6-yocto --workdir=/workdir
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
The uid:gid for "/workdir" is "0:0". The uid and gid must be non-zero. Please check to make sure the "volume" or "bind" specified using either "-v" or "--mount" to docker, exists and has a non-zero uid:gid.

calvarado2004 commented 1 month ago

On Windows it is just a layer in between; the Subsystem for Linux, at the end of the day, is not a real full Unix-like OS, it transforms the calls.

dwalkes commented 1 month ago

The results above from Ubuntu are on a physical Linux machine, not WSL.

calvarado2004 commented 1 month ago

I use docker-desktop, the official application from Docker (the company).

carlos@asus-tuf:~$ mkdir foo
docker run --rm -it -v $(pwd)/foo:/workdir cuaesd/aesd-autotest:assignment6-yocto --workdir=/workdir
The uid:gid for "/workdir" is "0:0". The uid and gid must be non-zero. Please check to make sure the "volume" or "bind" specified using either "-v" or "--mount" to docker, exists and has a non-zero uid:gid.
carlos@asus-tuf:~$ docker run --rm -it -v $(pwd)/foo:/workdir crops/poky:fedora-40 --workdir=/workdir
Unable to find image 'crops/poky:fedora-40' locally
fedora-40: Pulling from crops/poky
Digest: sha256:3f126b734af560a1b5f7b763d195cb63941a9d6bdb8a3f336202daf506f0bf65
Status: Downloaded newer image for crops/poky:fedora-40
The uid:gid for "/workdir" is "0:0". The uid and gid must be non-zero. Please check to make sure the "volume" or "bind" specified using either "-v" or "--mount" to docker, exists and has a non-zero uid:gid.
carlos@asus-tuf:~$ docker run --rm -it -v $(pwd)/foo:/workdir cuaesd/aesd-autotest:assignment6-yocto --workdir=/workdir ls -la /workdir
The uid:gid for "/workdir" is "0:0". The uid and gid must be non-zero. Please check to make sure the "volume" or "bind" specified using either "-v" or "--mount" to docker, exists and has a non-zero uid:gid.
carlos@asus-tuf:~$ docker --version
Docker version 27.2.0, build 3ab4256

calvarado2004 commented 1 month ago

Okay, I made it run by getting rid of the official Docker Desktop app.

To install Docker on Fedora 40, follow these steps:

Step 1: Remove Old Versions (If Any)

If you have an older version of Docker installed, it's good to remove it first to avoid any conflicts:

sudo dnf remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine

Step 2: Set Up Docker Repository

Install the plugin needed to manage yum repositories:

sudo dnf install -y dnf-plugins-core

Add the Docker repository:

sudo tee /etc/yum.repos.d/docker-ce.repo <<EOF
[docker-ce-stable]
name=Docker CE Stable - \$basearch
baseurl=https://download.docker.com/linux/fedora/\$releasever/\$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
EOF

Step 3: Install Docker

Now you can install Docker:

sudo dnf install docker-ce-* docker-ce-cli-* containerd.io

Step 4: Start and Enable Docker

Start the Docker service and enable it to start on boot:

sudo systemctl start docker
sudo systemctl enable docker

Step 5: Verify Installation

Check that Docker is installed correctly by running:

sudo docker version

Step 6: Post-Installation (Optional)

If you want to use Docker as a non-root user (which is recommended), add your user to the docker group:

sudo usermod -aG docker $USER

Log out and log back in so that your group membership is re-evaluated.

Step 7: Test Docker Installation

Run a test Docker container to ensure everything is set up properly:

carlos@asus-tuf:~$ docker run --rm -it -v $(pwd)/foo:/workdir cuaesd/aesd-autotest:assignment6-yocto --workdir=/workdir ls -la /workdir
total 8
drwxr-xr-x 2 pokyuser pokyuser 4096 Sep  3 17:20 .
drwxr-xr-x 1 root     root     4096 Sep  3 17:41 ..

That’s it!

dwalkes commented 1 month ago

Thanks, I've updated https://github.com/cu-ecen-aeld/aesd-assignments/wiki/Setting-up-Github-Actions to stress installing docker engine instead of docker desktop and added a troubleshooting section for the same.