Closed hytdsh closed 9 months ago
https://github.com/moby/moby/issues/46679
It appears that CAP_SETUID cannot be assigned on a Rootless Docker host. Is this how it's supposed to be?
rootless@debian12:~$ ls -l /var/run/user/1001/docker.sock
srw-rw---T 1 rootless 166532 0 Oct 23 20:33 /var/run/user/1001/docker.sock
rootless@debian12:~$ git clone https://github.com/docker-library/docker.git ./dind-source
rootless@debian12:~$ cd dind-source/24/dind-rootless/
rootless@debian12:~/dind-source/24/dind-rootless$ nano Dockerfile
rootless@debian12:~/dind-source/24/dind-rootless$ git diff Dockerfile
diff --git a/24/dind-rootless/Dockerfile b/24/dind-rootless/Dockerfile
index 766214d..edbb62d 100644
--- a/24/dind-rootless/Dockerfile
+++ b/24/dind-rootless/Dockerfile
@@ -8,7 +8,7 @@ FROM docker:24-dind
# busybox "ip" is insufficient:
# [rootlesskit:child ] error: executing [[ip tuntap add name tap0 mode tap] [ip link set tap0 address 02:50:00:00:00:01]]: exit status 1
-RUN apk add --no-cache iproute2 fuse-overlayfs
+RUN apk add --no-cache iproute2 fuse-overlayfs strace
# "/run/user/UID" will be used by default as the value of XDG_RUNTIME_DIR
RUN mkdir /run/user && chmod 1777 /run/user
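Review bot: `strace` is a debugging tool and should not join the image's permanent package set on the `RUN apk add` line next to `iproute2` and `fuse-overlayfs`; the comment above that line documents why those two are needed, and nothing documents `strace`. Install it ad hoc while reproducing (`apk add --no-cache strace` as root inside the running container) or in a throwaway debug build, and leave the shipped Dockerfile as it was. Also note that tracing `newuidmap` with an unprivileged `strace` changes what is being observed: the kernel does not grant a setuid or file-capability binary its extra privileges when it is exec'd under a tracer lacking CAP_SYS_PTRACE over the new credentials, so a `capset` EPERM seen under strace does not by itself show that the capability is unavailable in the container.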
rootless@debian12:~/dind-source/24/dind-rootless$ touch compose.yml
rootless@debian12:~/dind-source/24/dind-rootless$ nano compose.yml
rootless@debian12:~/dind-source/24/dind-rootless$ cat compose.yml
version: "3"
services:
  my-rootless:
    build: .
    image: my-rootless
    privileged: true
    cap_add:
      - SETUID
      - SETGID
    entrypoint: ["tail", "-f", "/dev/null"]
rootless@debian12:~/dind-source/24/dind-rootless$ docker compose build
rootless@debian12:~/dind-source/24/dind-rootless$ docker compose up -d
[+] Running 2/2
✔ Network dind-rootless_default Created 0.1s
✔ Container dind-rootless-my-rootless-1 Started
rootless@debian12:~/dind-source/24/dind-rootless$ docker compose exec my-rootless sh
/ $
/ $ unshare -U sleep 100 &
/ $ strace newuidmap $! 0 $(id -u) 1 1 100000 65536
execve("/usr/bin/newuidmap", ["newuidmap", "12", "0", "1000", "1", "1", "100000", "65536"], 0x7ffc2ec885a8 /* 11 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7fe8d0946b48) = 0
set_tid_address(0x7fe8d0946fb8) = 17
brk(NULL) = 0x556e626a3000
brk(0x556e626a5000) = 0x556e626a5000
mmap(0x556e626a3000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x556e626a3000
mprotect(0x7fe8d0943000, 4096, PROT_READ) = 0
mprotect(0x556e61497000, 4096, PROT_READ) = 0
poll([{fd=0, events=0}, {fd=1, events=0}, {fd=2, events=0}], 3, 0) = 0 (Timeout)
open("/proc/12/", O_RDONLY|O_LARGEFILE|O_DIRECTORY) = 3
getuid() = 1000
open("/etc/passwd", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 4
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe8d08ac000
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
read(4, "root:x:0:0:root:/root:/bin/ash\nb"..., 1024) = 1024
read(4, "gin\nsmmsp:x:209:209:smmsp:/var/s"..., 1024) = 266
close(4) = 0
munmap(0x7fe8d08ac000, 4096) = 0
fstat(3, {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
getuid() = 1000
open("/etc/login.defs", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
getgid() = 1000
getgid() = 1000
open("/etc/subuid", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_LARGEFILE|O_NOFOLLOW) = 4
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe8d08ac000
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe8d08a8000
read(4, "dockremap:165536:65536\nrootless:"..., 1024) = 45
read(4, "", 1024) = 0
munmap(0x7fe8d08a8000, 16384) = 0
open("/etc/nsswitch.conf", O_RDONLY|O_LARGEFILE) = 5
read(5, "# musl itself does not support N"..., 1024) = 205
read(5, "", 1024) = 0
close(5) = 0
open("/etc/passwd", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 5
fcntl(5, F_SETFD, FD_CLOEXEC) = 0
fcntl(5, F_SETFD, FD_CLOEXEC) = 0
read(5, "root:x:0:0:root:/root:/bin/ash\nb"..., 1024) = 1024
read(5, "gin\nsmmsp:x:209:209:smmsp:/var/s"..., 1024) = 266
close(5) = 0
geteuid() = 1000
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_SETUID, permitted=1<<CAP_SETUID, inheritable=0}) = -1 EPERM (Operation not permitted)
writev(2, [{iov_base="newuidmap: Could not set caps\n", iov_len=30}, {iov_base=NULL, iov_len=0}], 2newuidmap: Could not set caps
) = 30
exit_group(1) = ?
+++ exited with 1 +++
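The trace above ends at capset() returning EPERM, but a trace taken with an unprivileged strace is not by itself evidence that CAP_SETUID is unavailable in the container: when a setuid or file-capability binary such as newuidmap is exec'd under a tracer that lacks CAP_SYS_PTRACE over the new credentials, the kernel neither raises the euid nor enlarges the permitted set, so the EPERM is what one expects under strace whether the binary is setuid or carries cap_setuid, and it does not tell you what happens untraced. The shell script below is an added diagnostic written for this page; it is not from the issue thread or the docker-library repository. Run it inside the container without strace. It reports whether the process is being traced, how the installed newuidmap obtains CAP_SETUID (setuid bit or file capability, via getcap from libcap when present), whether CAP_SETUID is in the bounding, permitted and effective sets, and whether the subordinate range handed to newuidmap in the trace (1 100000 65536, assumed here to be the container user's /etc/subuid range) is actually mapped in the user namespace the container runs in, since newuidmap can only hand a child namespace ids that exist in its own. The range and the /proc paths are assumptions about the environment, not facts from the thread.

```shell
#!/bin/sh
# Added diagnostic for the newuidmap EPERM above; not from the issue thread or docker-library.
# Run it inside the container, NOT under strace, to see which precondition is missing.
# Assumptions: the subordinate range is the one the trace passes to newuidmap (1 100000 65536);
# getcap (libcap) may or may not be installed.

CAP_SETGID=6   # bit numbers from <linux/capability.h>
CAP_SETUID=7

# hexval DIGIT -> prints the value of one hex digit
hexval() {
    case $1 in
        [0-9]) printf '%s\n' "$1" ;;
        a|A) echo 10 ;; b|B) echo 11 ;; c|C) echo 12 ;;
        d|D) echo 13 ;; e|E) echo 14 ;; f|F) echo 15 ;;
        *) return 1 ;;
    esac
}

# cap_in_mask HEXMASK CAPNUM -> true if bit CAPNUM is set in a CapBnd/CapPrm/CapEff mask
# as printed in /proc/PID/status (hex, most significant digit first).
cap_in_mask() {
    mask=$1 cap=$2
    pos=$(( ${#mask} - cap / 4 ))        # 1-based position of the digit holding the bit
    [ "$pos" -ge 1 ] || return 1
    digit=$(printf '%s' "$mask" | cut -c "$pos")
    val=$(hexval "$digit") || return 1
    [ $(( (val >> (cap % 4)) & 1 )) -eq 1 ]
}

# cap_field STATUSFILE NAME -> prints the hex mask of e.g. CapBnd from a /proc/PID/status file
cap_field() { awk -v f="$2:" '$1 == f { print $2 }' "$1"; }

# tracer_pid STATUSFILE -> prints TracerPid (0 when nobody is ptracing the process)
tracer_pid() { awk '$1 == "TracerPid:" { print $2 }' "$1"; }

# uid_map_ids_mapped MAPFILE -> prints how many ids the user namespace can see at all
# (/proc/PID/uid_map lines are: <inside-start> <outside-start> <count>)
uid_map_ids_mapped() { awk '{ n += $3 } END { print n + 0 }' "$1"; }

# range_is_mapped MAPFILE START COUNT -> true if inside ids [START, START+COUNT) all exist in
# MAPFILE. newuidmap writing "<child-start> START COUNT" into a child's uid_map needs exactly
# this: the ids it hands out must be mapped in the namespace newuidmap itself runs in.
range_is_mapped() {
    awk -v s="$2" -v c="$3" '
        { if ($1 + 0 <= s + 0 && s + c <= $1 + $3) ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# newuidmap_privilege PATH -> prints how the binary gets CAP_SETUID: setuid, fcaps, or none
newuidmap_privilege() {
    if [ -u "$1" ]; then echo setuid; return 0; fi
    if command -v getcap >/dev/null 2>&1 && getcap "$1" 2>/dev/null | grep -q cap_setuid; then
        echo fcaps; return 0
    fi
    echo none; return 1
}

# report START COUNT -> live check of the current process using the functions above
report() {
    status=/proc/self/status
    [ -r "$status" ] || { echo "no /proc/self/status; not Linux?"; return 1; }
    echo "TracerPid: $(tracer_pid "$status") (non-zero: a setuid/file-caps exec gets NO new privileges)"
    echo "ids mapped in this user namespace: $(uid_map_ids_mapped /proc/self/uid_map)"
    if range_is_mapped /proc/self/uid_map "$1" "$2"; then
        echo "subordinate range $1+$2 is mapped here: newuidmap may hand it to a child namespace"
    else
        echo "subordinate range $1+$2 is NOT mapped here: writing it into a child uid_map will fail"
    fi
    for f in CapBnd CapPrm CapEff; do
        if cap_in_mask "$(cap_field "$status" "$f")" "$CAP_SETUID"; then
            echo "$f: CAP_SETUID present"
        else
            echo "$f: CAP_SETUID absent"
        fi
    done
    bin=$(command -v newuidmap 2>/dev/null) || { echo "newuidmap not installed"; return 0; }
    echo "newuidmap privilege source: $(newuidmap_privilege "$bin")"
}

# Range taken from the newuidmap invocation in the trace above (assumption: it is the
# container user's /etc/subuid range).
report 100000 65536
```

Inside a rootless Docker container the interesting line is usually the uid_map one: the container sees only the ids rootlesskit mapped for the host user, so a /etc/subuid range that starts beyond that block cannot be written into a nested namespace no matter what capabilities newuidmap holds.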
There are definitely a lot of constraints to "rootless" mode, and I'm not sure it supports any kind of nesting, but I do admit I'm not an expert on the subject. I know running "rootless" Docker inside rootful Docker still requires privileged mode, for example.
Hi there,
I am facing an error trying to run the dind-rootless image on a Rootless Docker host. I would like to achieve Pattern 2 below.
Please let me know if there is any information I am missing.
dind or dind-rootless on Rootless Docker host
Pattern 1: dind on Rootless Docker host: docker pull succeeds but docker run fails.
Pattern 2: dind-rootless on Rootless Docker host: dind-rootless cannot be executed.

dind or dind-rootless on Rootful Docker host (as a comparison)
Pattern 3: dind on Rootful Docker host: Success.
Pattern 4: dind-rootless on Rootful Docker host: Success with DOCKER_HOST env.