fkie-cad / FACT_docker

Dockerfile for building the FACT container
GNU General Public License v3.0
21 stars, 10 forks

Problem: Docker with Namespace-Remapping #23

Open SonicFM opened 1 year ago

SonicFM commented 1 year ago

As requested in https://github.com/fkie-cad/FACT_docker/issues/22, here is the issue to track down the mentioned problem.

I am using Docker namespace remapping. I was able to solve the issues within the containers that are in the docker-compose.yml by adding userns_mode: "host" for each container, as far as I could observe so far.

However, start.py loads the fact extraction container, but this fails because it seems to start without the userns_mode: "host" parameter. See also https://github.com/fkie-cad/FACT_core/issues/794; this looks very much like the same problem.

./start.py pull

[2022-07-29 13:33:41][install][INFO]: FACT Installer 1.2
[2022-07-29 13:33:41][install][INFO]: Your distribution (alpine 3.15.5) is not supported. FACT Installer requires Ubuntu 18.04, 20.04 or compatible!
[2022-07-29 13:33:41][backend][INFO]: Pulling fact extraction container
Traceback (most recent call last):
  File "/opt/FACT_core/src/install.py", line 187, in <module>
    install()
  File "/opt/FACT_core/src/install.py", line 156, in install
    install_docker_images(args)
  File "/opt/FACT_core/src/install.py", line 180, in install_docker_images
    backend_install_docker_images()
  File "/opt/FACT_core/src/install/backend.py", line 80, in _install_docker_images
    raise InstallationError(f'Failed to pull extraction container:\n{docker_process.stdout}')
helperFunctions.install.InstallationError: Failed to pull extraction container:
Using default tag: latest
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=fkiecad%2Ffact_extractor&tag=latest": dial unix /var/run/docker.sock: connect: permission denied

Maybe modifying the file mentioned in https://github.com/fkie-cad/FACT_core/issues/794 could help?

I will need to set up namespace remapping on my non-dockerized FACT; then I could try and hopefully get some new information. I'll report back as soon as I can.

Thanks again!

maringuu commented 1 year ago

The problem is that, when using namespace remapping, the container has no way to access anything outside of its uid/gid range as defined in /etc/subuid and /etc/subgid. To access the docker socket that we mount in the container, the container must have access to the docker group on the host.

For example, podman supports --uidmap. This would allow us to tell the daemon to use subordinate ids for everything but the docker group. Docker does not seem to support this, so sadly this won't work.
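To make the mapping argument above concrete, here is an added example (it is not part of the issue and not FACT_docker's code) that models the uid/gid remapping and checks whether root inside the extraction container can open the host's docker socket under userns-remap versus userns_mode: "host". The subuid/subgid lines, the "dockremap" user, the docker group gid 999 and the socket mode 0660 are constructed assumptions; substitute the values from your own host.

```shell
#!/bin/sh
# Added example, not code from FACT_docker or the issue: a small model of the
# uid/gid mapping described in the comment above, showing why root inside a
# userns-remapped container cannot open the host's docker socket, while the
# same container started with userns_mode: "host" (docker run --userns=host)
# can.
#
# Assumptions (constructed, not taken from the issue): the remap entries in
# /etc/subuid and /etc/subgid have the usual "user:start:count" form and use
# Docker's default "dockremap" user; the socket is root:docker, mode 0660;
# the host docker group has gid 999.
SUBUID_LINE="dockremap:100000:65536"
SUBGID_LINE="dockremap:100000:65536"
DOCKER_GID=999

# map_id CONTAINER_ID "user:start:count": host id the container id maps to,
# or "unmapped" when it lies outside the subordinate range.
map_id() {
    cid=$1
    start=$(printf '%s' "$2" | cut -d: -f2)
    count=$(printf '%s' "$2" | cut -d: -f3)
    if [ "$cid" -lt "$count" ]; then
        echo $((start + cid))
    else
        echo unmapped
    fi
}

# socket_access HOST_UID HOST_GID SOCK_UID SOCK_GID MODE: "allowed" if the
# plain owner/group/other rw bits let that host identity open the socket.
# uid 0 here means real root in the initial user namespace, whose
# CAP_DAC_OVERRIDE bypasses the mode bits; a remapped root never gets there.
socket_access() {
    huid=$1; hgid=$2; suid=$3; sgid=$4; mode=$5
    if [ "$huid" = unmapped ] || [ "$hgid" = unmapped ]; then
        echo denied; return
    fi
    if [ "$huid" -eq 0 ]; then
        echo allowed; return
    fi
    last3=$(printf '%s' "$mode" | tail -c 3)   # e.g. 0660 -> 660
    if [ "$huid" -eq "$suid" ]; then
        bits=$(printf '%s' "$last3" | cut -c1)  # owner digit
    elif [ "$hgid" -eq "$sgid" ]; then
        bits=$(printf '%s' "$last3" | cut -c2)  # group digit
    else
        bits=$(printf '%s' "$last3" | cut -c3)  # other digit
    fi
    if [ $((bits & 6)) -eq 6 ]; then echo allowed; else echo denied; fi
}

# check_extractor remap|host: what root (uid 0 / gid 0) inside the extraction
# container looks like on the host under each namespace mode, and whether it
# can reach /var/run/docker.sock.
check_extractor() {
    if [ "$1" = host ]; then
        huid=0; hgid=0
    else
        huid=$(map_id 0 "$SUBUID_LINE"); hgid=$(map_id 0 "$SUBGID_LINE")
    fi
    socket_access "$huid" "$hgid" 0 "$DOCKER_GID" 0660
}

echo "userns-remap: container root is host $(map_id 0 "$SUBUID_LINE"):$(map_id 0 "$SUBGID_LINE"), socket $(check_extractor remap)"
echo "userns=host:  container root is host 0:0, socket $(check_extractor host)"
```

Under remap, container root becomes host 100000:100000, which is neither the socket's owner (root) nor in the docker group, so only the "other" bits apply and the daemon connection fails with exactly the permission error in the traceback above. In the compose file the per-service fix is userns_mode: "host"; for a container started outside compose (as start.py does for the extraction image), the matching docker CLI flag is --userns=host. The model only looks at mode bits; it does not account for the extra ACLs or the unmapped-id case beyond the subordinate range, which it reports as denied.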