favonia / cloudflare-ddns

🌟 A small, feature-rich, and robust Cloudflare DDNS updater
Apache License 2.0
804 stars 35 forks

Docker compose with no-new-privileges does not work #922

Closed jogerj closed 2 weeks ago

jogerj commented 2 weeks ago

The README.md specifies that the security_opt item is optional, but when it's set to [no-new-privileges:true], the container would not start. Removing the line allows the container to start normally. If this option was working in the past, either something has changed or my setup does not support it for some reason.

Running on Ubuntu 22.04.4 LTS (Jammy Jellyfish) inside proxmox (pve-manager/8.2.4/faa83925c9641325 (running kernel: 6.8.8-4-pve))

docker-compose.yml:

name: cloudflare
services:
  ddns:
    image: favonia/cloudflare-ddns:1.14.0
    network_mode: host
    restart: always
    user: "1000:1000"
    read_only: true
    cap_drop: [all]
    security_opt: [no-new-privileges:true] # commenting out this line fixes it
    environment:
      CF_API_TOKEN: ${CF_API_TOKEN} # from .env
      DOMAINS: foo.example.com,bar.example.com
      PROXIED: "false"
      IP6_PROVIDER: "none"

docker compose logs:

cloudflare-ddns-1  | exec /bin/ddns: operation not permitted
cloudflare-ddns-1  | exec /bin/ddns: operation not permitted
cloudflare-ddns-1  | exec /bin/ddns: operation not permitted
...

uname -a:

Linux foo.example.com 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

docker version:

Client:
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.14
 Git commit:        ced0996
 Built:             Tue Jun 25 22:37:33 2024
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.14
  Git commit:       a61e2b4
  Built:            Tue Jun 25 22:38:06 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.12
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
favonia commented 2 weeks ago

@jogerj Thanks for the report! I tried to replicate your setup but it seems to be working on my machine :thinking: However I saw other reports of other Docker images that show the same problem, so you are not alone. I will check more details when I am more available. In any case, thanks!

favonia commented 2 weeks ago

@jogerj Have you tried running any other Docker image with no-new-privileges: true? If only the updater fails, I will have to dig into it further. If other images fail as well, then I would just change the documentation.

jogerj commented 2 weeks ago

Indeed, changing the image to alpine also fails when trying to exec /bin/sh. I also isolated the problem to the single machine.

I'm also trying to replicate the issue on whatever machine I have on hand. I have three other machines on which I tried the exact same setup, and it works flawlessly: one is running Ubuntu 22.04 LTS aarch64 (6.5.0-1021-oracle), another one Ubuntu 24.04 LTS amd64 (6.8.0-41-generic), another one Ubuntu 24.04 LTS aarch64 (6.8.0-1011-oracle). They're compute instances in OCI/AWS.

The only outliers here with the machine that has issues are:

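The isolation step the two comments above describe (does the host, rather than the image, reject the exec under no-new-privileges?) can be taken one layer further down, outside Docker entirely. The script below is an added example, not part of the issue thread and not code from the updater: it sets the same PR_SET_NO_NEW_PRIVS prctl flag that Docker applies for `no-new-privileges:true`, checks that the kernel reports it, and then execs a child with the flag set. An EPERM from the exec here points at the kernel or an LSM policy on the host; success here combined with `operation not permitted` under Docker points at the container runtime or the profile it applies. The prctl constants (38 and 39) come from linux/prctl.h; the function names and the use of the Python interpreter as the child are my own choices for the example.

```python
"""Check whether a plain execve works under PR_SET_NO_NEW_PRIVS on this host.

Added example, not the updater's code.  Docker sets this flag in the
container before exec'ing the entrypoint when `no-new-privileges:true`
is given, so running the same flag outside Docker separates a kernel/LSM
problem from a container-runtime problem.  Linux only.
"""
import ctypes
import os
import subprocess
import sys

PR_SET_NO_NEW_PRIVS = 38  # from <linux/prctl.h>
PR_GET_NO_NEW_PRIVS = 39

_libc = ctypes.CDLL(None, use_errno=True)


def set_no_new_privs() -> None:
    """Set the no_new_privs bit for this process.

    The bit is inherited across fork and execve and can never be cleared,
    which is exactly why a hardened compose file wants it: a setuid binary
    or a file-capability binary run afterwards gains nothing.
    """
    if _libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def no_new_privs_flag() -> int:
    """Ask the kernel directly: returns 1 when the bit is set, else 0."""
    return _libc.prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)


def read_status_flag(path: str = "/proc/self/status") -> int:
    """Cross-check via the NoNewPrivs line, the same line you would read
    inside a container that did manage to start."""
    with open(path) as fh:
        for line in fh:
            if line.startswith("NoNewPrivs:"):
                return int(line.split()[1])
    raise RuntimeError("kernel does not report NoNewPrivs")


def exec_under_nnp(argv):
    """Fork, set no_new_privs in the child, then execve argv.

    Returns (returncode, stderr).  If the execve itself is refused, the
    returncode is None and the message carries the errno text; an EPERM
    here is the host-side analogue of `exec /bin/ddns: operation not
    permitted` in the compose logs.
    """
    try:
        proc = subprocess.run(
            argv,
            preexec_fn=set_no_new_privs,  # runs in the child, before exec
            capture_output=True,
            text=True,
        )
    except OSError as exc:
        return None, f"exec failed: {exc}"
    return proc.returncode, proc.stderr.strip()


def child_reports_flag() -> int:
    """Exec a fresh interpreter under no_new_privs and have it report the
    bit it inherited; 1 proves the flag survives execve on this host."""
    snippet = (
        "print(next(l.split()[1] for l in open('/proc/self/status')"
        " if l.startswith('NoNewPrivs:')))"
    )
    proc = subprocess.run(
        [sys.executable, "-c", snippet],
        preexec_fn=set_no_new_privs,
        capture_output=True,
        text=True,
        check=True,
    )
    return int(proc.stdout.strip())


if __name__ == "__main__":
    print("NoNewPrivs before:", no_new_privs_flag(), read_status_flag())
    print("child inherited NoNewPrivs =", child_reports_flag())
    print("exec under NNP ->", exec_under_nnp([sys.executable, "-c", "pass"]))
```

If the child exec fails with EPERM on the affected host but succeeds on the healthy ones, the difference is in the kernel or its LSM configuration rather than in Docker, and the next thing to compare is `aa-status` / `sestatus` output and the kernel version on each machine; if it succeeds everywhere, the Docker daemon's default security profile on the affected host is the remaining suspect.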
favonia commented 2 weeks ago

@jogerj Thank you for your testing. I made a pull request #923 to update documentation and will merge it soon. You can preview the new README. (The link will stop working when the PR is merged.) The documentation was updated! Let me know if you want me to add anything to help your past self.