genuinetools / riddler

A tool to convert docker inspect to the opencontainers runc spec.
MIT License
253 stars, 21 forks

Starting a converted privileged container fails #16

Closed (pwFoo closed this 6 years ago)

pwFoo commented 7 years ago

Maybe there is something else wrong, but it depends on the capabilities section in the generated config.json.

Convert a simple container (docker export, tar, generate config.json with riddler) works fine, but a privileged container (dind container) fails:

/mnt # runc run dockerd
json: cannot unmarshal array into Go struct field Process.capabilities of type specs.LinuxCapabilities

config.json part:

...
        "cwd": "/",
        "capabilities": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_DAC_READ_SEARCH",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_LINUX_IMMUTABLE",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_BROADCAST",
            "CAP_NET_ADMIN",
            "CAP_NET_RAW",
            "CAP_IPC_LOCK",
            "CAP_IPC_OWNER",
            "CAP_SYS_MODULE",
            "CAP_SYS_RAWIO",
            "CAP_SYS_CHROOT",
            "CAP_SYS_PTRACE",
            "CAP_SYS_PACCT",
            "CAP_SYS_ADMIN",
            "CAP_SYS_BOOT",
            "CAP_SYS_NICE",
            "CAP_SYS_RESOURCE",
            "CAP_SYS_TIME",
            "CAP_SYS_TTY_CONFIG",
            "CAP_MKNOD",
            "CAP_LEASE",
            "CAP_AUDIT_WRITE",
            "CAP_AUDIT_CONTROL",
            "CAP_SETFCAP",
            "CAP_MAC_OVERRIDE",
            "CAP_MAC_ADMIN",
            "CAP_SYSLOG",
            "CAP_WAKE_ALARM",
            "CAP_BLOCK_SUSPEND",
            "CAP_AUDIT_READ"
        ],
        "rlimits": [
...

If I remove the capabilities part between cwd and rlimits, it works fine.

Any idea how to fix it?

jessfraz commented 7 years ago

looks like the spec changed


jessfraz commented 7 years ago

you can use an older version of runc or check out how the capabilities spec changed here https://github.com/opencontainers/runtime-spec/blob/master/config.md and send a PR; I unfortunately don't have adequate time to do it myself


pwFoo commented 7 years ago

Thanks! I'll take a look

pwFoo commented 7 years ago

Example generated by runc spec:

                "capabilities": {
                        "bounding": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "effective": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "inheritable": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "permitted": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "ambient": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ]
                },
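An added example, not part of this thread or of riddler's own code: a small Go converter that rewrites the old flat "capabilities" array (the form riddler emitted, as in the config.json above) into the five-set object that the runc spec output above shows. The LinuxCapabilities type here is a local stand-in for the runtime-spec struct, and the sample process object is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// LinuxCapabilities mirrors the object form from the "runc spec" example above (local copy, not the upstream specs package).
type LinuxCapabilities struct {
	Bounding    []string `json:"bounding,omitempty"`
	Effective   []string `json:"effective,omitempty"`
	Inheritable []string `json:"inheritable,omitempty"`
	Permitted   []string `json:"permitted,omitempty"`
	Ambient     []string `json:"ambient,omitempty"`
}

// ConvertCapabilities rewrites a "process" object whose "capabilities" is the old flat
// array riddler emitted into the five-set object newer runc expects; new-form input passes through.
func ConvertCapabilities(process []byte) ([]byte, error) {
	var proc map[string]json.RawMessage
	if err := json.Unmarshal(process, &proc); err != nil {
		return nil, err
	}
	var flat []string
	raw, ok := proc["capabilities"]
	if !ok || json.Unmarshal(raw, &flat) != nil {
		return process, nil // absent, or not an array: already the object form
	}
	// Same list in every set, as "runc spec" does; a tighter policy would leave ambient empty.
	caps := LinuxCapabilities{Bounding: flat, Effective: flat, Inheritable: flat, Permitted: flat, Ambient: flat}
	obj, err := json.Marshal(caps)
	if err != nil {
		return nil, err
	}
	proc["capabilities"] = obj
	return json.MarshalIndent(proc, "", "    ")
}

// Constructed sample in the old form, trimmed from the config.json in the issue.
const oldProcess = `{"cwd": "/", "capabilities": ["CAP_CHOWN", "CAP_KILL", "CAP_SYS_ADMIN"]}`

func main() {
	out, err := ConvertCapabilities([]byte(oldProcess))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Running the converted output through ConvertCapabilities a second time returns it unchanged, so it is safe to apply to a config.json whose form is unknown.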
jessfraz commented 6 years ago

oh yeah, this doesn't support privileged containers; it was not a part of my use case, sorry