debuerreotype / docker-debian-artifacts

Official builds of debuerreotype-generated Debian tarballs for use in Docker
https://docker.debian.net
Apache License 2.0

Permissions in debian:bullseye based images not working in docker 19 versions #141

Closed tamagoko closed 3 years ago

tamagoko commented 3 years ago

Hi, I'm looking to see if this is something we can fix. We are running into an issue with any image based on bullseye. When starting up, the permissions aren't getting set unless we run in privileged mode. This makes it so we can't even do a stat or an ls, which essentially renders the container useless.

Here is an example, shortened for brevity, when running debian:bullseye.

root@24d86e9c764d:/# ls -lah
ls: cannot access 'root': Operation not permitted
ls: cannot access '.dockerenv': Operation not permitted
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
-????????? ? ? ? ?            ? .dockerenv
d????????? ? ? ? ?            ? root

This is the current Docker info:

Server:
 Containers: 20
  Running: 17
  Paused: 0
  Stopped: 3
 Images: 295
 Server Version: 19.03.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-1062.4.1.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.638GiB
 Name: xxxxxxxxxx
 ID: VS3M:XSG2:WL53:3IDK:HTUM:OJYG:EBRR:IIDG:VE23:ZVTH:J3J6:JRED
 Docker Root Dir: /raid/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

We can fix this by upgrading docker, however, we have other issues that are blocking us from being able to successfully upgrade to 20.x at this point. We've also tried upgrading to a newer version of 19 without success.

Any help here is greatly appreciated.

tianon commented 3 years ago

Unfortunately, this is due to changes in glibc which started using faccessat2, and thus what's noted in https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2 is the only real solution:
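The diagnosis above can be confirmed from inside an affected container without guessing at Docker or libseccomp versions. The following C program is an added example written for this page; it is not code from the thread, from debuerreotype or from Docker. It calls the faccessat2 syscall directly, bypassing glibc's wrapper, so the raw answer from the kernel or seccomp layer is visible: ENOSYS means glibc will quietly fall back to faccessat and tools keep working, while EPERM is the signature of an older default seccomp profile (which answers unknown syscalls with EPERM) and matches the "Operation not permitted" output from ls above. The fallback syscall number 439 is an assumption used only when the build headers are too old to define SYS_faccessat2.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>       /* AT_FDCWD */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h> /* SYS_faccessat2 on new enough headers */
#include <unistd.h>      /* syscall(), F_OK */

/* Assumption: faccessat2 is syscall 439 on every Linux architecture that has it
 * (added in Linux 5.8 with a unified number). Only used if the headers lack it. */
#ifndef SYS_faccessat2
#define SYS_faccessat2 439
#endif

enum faccessat2_status {
    FACCESSAT2_OK,      /* syscall reached the kernel and succeeded */
    FACCESSAT2_ENOSYS,  /* ENOSYS: kernel lacks it or seccomp stubs it; glibc falls back to faccessat */
    FACCESSAT2_EPERM,   /* EPERM: seccomp blocked it; glibc treats this as a real permission
                           error, so every tool reports "Operation not permitted" */
    FACCESSAT2_OTHER    /* syscall ran but failed on the path itself (ENOENT, EACCES, ...) */
};

/* Pure classifier for the errno left by a raw faccessat2 call (0 on success).
 * Kept separate from the probe so it can be checked without touching the kernel. */
enum faccessat2_status classify_faccessat2_errno(int err)
{
    switch (err) {
    case 0:      return FACCESSAT2_OK;
    case ENOSYS: return FACCESSAT2_ENOSYS;
    case EPERM:  return FACCESSAT2_EPERM;
    default:     return FACCESSAT2_OTHER;
    }
}

/* Invoke faccessat2 directly, bypassing glibc's wrapper and its ENOSYS fallback. */
enum faccessat2_status probe_faccessat2(const char *path)
{
    errno = 0;
    long rc = syscall(SYS_faccessat2, AT_FDCWD, path, F_OK, 0);
    return classify_faccessat2_errno(rc == 0 ? 0 : errno);
}

/* Human-readable verdict for each probe outcome. */
const char *faccessat2_status_text(enum faccessat2_status s)
{
    switch (s) {
    case FACCESSAT2_OK:
        return "faccessat2 is available and permitted";
    case FACCESSAT2_ENOSYS:
        return "faccessat2 returns ENOSYS: glibc falls back to faccessat, tools keep working";
    case FACCESSAT2_EPERM:
        return "faccessat2 returns EPERM: blocked by seccomp, expect 'Operation not permitted' from ls/stat";
    default:
        return "faccessat2 reached the kernel but failed on the path itself";
    }
}

int main(void)
{
    /* "/" always exists, so any failure here is about the syscall, not the path. */
    enum faccessat2_status s = probe_faccessat2("/");
    int saved = errno;
    printf("%s", faccessat2_status_text(s));
    if (s == FACCESSAT2_OTHER)
        printf(" (errno %d: %s)", saved, strerror(saved));
    printf("\n");
    /* Non-zero exit only for the case that breaks bullseye images. */
    return s == FACCESSAT2_EPERM ? 1 : 0;
}
```

Build it on any host (`gcc -static` keeps it independent of the container's libc), copy it into the bullseye container and run it; an exit status of 1 with the EPERM line confirms that the container runtime's seccomp profile, not the image, is what blocks the syscall. That is the situation the Alpine release note linked above describes: the runtime and its libseccomp must learn about faccessat2 (or stop answering unknown syscalls with EPERM) for glibc's fallback to work, which is why upgrading the engine fixes it and the image cannot.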