Status: closed (pwFoo closed this issue 6 years ago)
Yeah, this doesn't work with privileged containers, sorry :(
On Wed, Jan 10, 2018 at 1:55 PM, pwFoo notifications@github.com wrote:

> Hi @jessfraz (https://github.com/jessfraz), tested riddler with a running docker:stable-dind (privileged container) and still get an error. Related to #17 (https://github.com/jessfraz/riddler/pull/17) and #16 (https://github.com/jessfraz/riddler/issues/16).
> Riddler is built with go get github.com/jessfraz/riddler and also tested with the latest 0.6 release binary. Same error message.
>
> /mnt # riddler sysdocker
> panic: runtime error: invalid memory address or nil pointer dereference
> [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x676bf0]
>
> goroutine 1 [running]:
> github.com/jessfraz/riddler/parse.Config(0xc4203002c0, 0xc420328000, 0x1, 0x4, 0xc42032a000, 0xc420330000, 0x72b923, 0x5, 0x72b874, 0x5, ...)
>         /go/src/github.com/jessfraz/riddler/parse/config.go:175 +0x200
> main.main()
>         /go/src/github.com/jessfraz/riddler/main.go:164 +0x33c
--
Jessie Frazelle 4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3 pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3
Thank you for your prompt reply :)
So it isn't that easy (converted config) to run a privileged container with runc? I'm trying to run a dockerd inside of a runc container (docker:stable(-dind)) ...
I mostly made this to have sane security defaults when it comes to seccomp etc., so privileged containers were not really the intended use case :)
Yes. It works fine for other containers. Tested it successfully earlier. It would only have been practical for me, which is why I tested it to that effect. ;)
I have a minimal Alpine-based initrd / system with Docker support and am trying to move dockerd to reduce the initrd size. Using containerd could be nice because of ctr image pull, but ctr (the containerd dev binary) doesn't support the --privileged flag. And I haven't found a runc example for running privileged containers.
So I have to search for other solutions or stay with dockerd inside my initrd.
So it can totally be edited to work... not at a computer currently but later I will point to the part that needs the logic just in case anyone wants to send a PR :) I totally realize the use case for it
Have you tried stealing the runc config from var/run like it says in the readme?
So here https://github.com/jessfraz/riddler/blob/master/parse/parse.go#L155 would need a

    if hc.Privileged {
        // add all caps
        // add all devices
        // set no seccomp profile
        // set unconfined apparmor profile
    }
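As an added check (not code from this thread or from riddler), the Go function below audits a runc config.json for the four privileged settings named in that sketch, so a converted spec that has drifted to privileged-equivalent stands out; the struct mirror of the OCI spec is an assumption made so it builds without specs-go.

```go
package main

import "encoding/json"

// Subset of the OCI runtime-spec config.json touched by the four privileged
// settings. The struct mirror is an assumption so the example builds without
// specs-go; encoding/json matches the lowercase keys to these field names.
type ociSpec struct {
	Process struct {
		Capabilities    struct{ Bounding []string }
		ApparmorProfile string
	}
	Linux struct {
		Seccomp   *json.RawMessage
		Resources struct {
			Devices []struct{ Allow bool; Access string; Major, Minor *int64 }
		}
	}
}

// PrivilegedFindings reports which of the four privileged markers (all caps,
// all devices, no seccomp, unconfined AppArmor) a config.json carries; an
// empty result means riddler's restrictive defaults survived the conversion.
func PrivilegedFindings(config []byte) ([]string, error) {
	var s ociSpec
	if err := json.Unmarshal(config, &s); err != nil {
		return nil, err
	}
	var out []string
	for _, c := range s.Process.Capabilities.Bounding {
		if c == "CAP_SYS_ADMIN" { // absent from Docker's default set, present in "all caps"
			out = append(out, "bounding set grants CAP_SYS_ADMIN")
			break
		}
	}
	for _, d := range s.Linux.Resources.Devices {
		// allow + rwm with no major/minor is the wildcard rule a privileged container gets
		if d.Allow && d.Access == "rwm" && d.Major == nil && d.Minor == nil {
			out = append(out, "device cgroup allows every device (rwm)")
			break
		}
	}
	if s.Linux.Seccomp == nil {
		out = append(out, "no seccomp profile")
	}
	if s.Process.ApparmorProfile == "unconfined" {
		out = append(out, "AppArmor profile unconfined")
	}
	return out, nil
}
```

Run it over the config.json riddler emits before and after the privileged branch is applied; the two outputs differ by exactly the four markers.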
Thanks! Found the dockerd config.json. Have to adjust path values.
So each device has to be mapped? Not just /dev/?
First quick test fails with
container_linux.go:296: starting container process caused "process_linux.go:398: container init caused \"process_linux.go:381: running prestart hook 0 caused \\\"fork/exec /usr/local/bin/dockerd: no such file or directory\\\"\""
But it's a starting point :)
Ok, dockerd running inside of runc :) Thank you very much for help!!!
@jessfraz Thanks for supporting me here with my problem!
> So it can totally be edited to work... not at a computer currently but later I will point to the part that needs the logic just in case anyone wants to send a PR :) I totally realize the use case for it

Maybe I'll take a look and try to add it, because it would be nice and I should learn how to code Golang ;)