genuinetools / riddler

A tool to convert docker inspect to the opencontainers runc spec.
MIT License

riddler panic with docker:stable-dind container #18

Closed pwFoo closed 6 years ago

pwFoo commented 6 years ago

Hi @jessfraz, tested riddler with a running docker:stable-dind (privileged container) and still get an error. Related to #17 and #16.

Riddler is built with go get github.com/jessfraz/riddler and also tested with the latest 0.6 release binary. Same error message.

/mnt # riddler sysdocker
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x676bf0]

goroutine 1 [running]:
github.com/jessfraz/riddler/parse.Config(0xc4203002c0, 0xc420328000, 0x1, 0x4, 0xc42032a000, 0xc420330000, 0x72b923, 0x5, 0x72b874, 0x5, ...)
        /go/src/github.com/jessfraz/riddler/parse/config.go:175 +0x200
main.main()
        /go/src/github.com/jessfraz/riddler/main.go:164 +0x33c
jessfraz commented 6 years ago

Yeah this doesn't work with privileged containers, sorry :(


pwFoo commented 6 years ago

Thank you for your prompt reply :)

So it isn't that easy (converted config) to run privileged containers with runc? I'm trying to run a dockerd inside of a runc container (docker:stable(-dind)) ...

jessfraz commented 6 years ago

I mostly made this to have sane security defaults when it comes to seccomp etc., so privileged containers were not really the intended use case :)


pwFoo commented 6 years ago

Yes. It works fine for other containers. Tested it successfully earlier. It would only have been practical for me, which is why I tested it to that effect. ;)

I have a minimal alpine based initrd / system with docker support and try to move dockerd to reduce the initrd size. Using containerd could be nice because of ctr image pull, but ctr (the containerd dev binary) doesn't support the --privileged flag. And I haven't found a runc example to run privileged containers.

So I have to search for other solutions or stay with dockerd inside my initrd.

jessfraz commented 6 years ago

So it can totally be edited to work... not at a computer currently, but later I will point to the part that needs the logic, just in case anyone wants to send a PR :) I totally realize the use case for it.

jessfraz commented 6 years ago

Have you tried stealing the runc config from var/run like it says in the readme?

jessfraz commented 6 years ago

So here https://github.com/jessfraz/riddler/blob/master/parse/parse.go#L155 would need a

if hc.Privileged {
    // add all caps
    // add all devices
    // set no seccomp profile
    // set unconfined apparmor profile
}

pwFoo commented 6 years ago
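What those four comment lines amount to on a runc config.json, as an added example (not riddler's code and not the patch sketched above): a small Go program that decodes a spec, grants the full capability set, lists the supplied host devices together with an allow-all device cgroup rule, deletes linux.seccomp and sets apparmorProfile to unconfined, leaving every other key (root, mounts, hooks) untouched. The allCaps table, sampleSpec and sampleDevices are constructed here; the host /dev enumeration that Docker performs for --privileged is left to the caller, and the tool name in the usage comment is hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// allCaps is the complete Linux capability set, capability numbers 0-37
// (CAP_CHOWN through CAP_AUDIT_READ); "add all caps" means every one of
// these in every capability set of the process.
var allCaps = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
}

// sampleSpec is a constructed, cut-down config.json in the shape an
// unprivileged conversion produces: a short capability list, a seccomp
// profile, the docker-default AppArmor profile and a deny-all device cgroup.
const sampleSpec = `{
  "ociVersion": "1.0.0",
  "process": {
    "args": ["dockerd"],
    "capabilities": {
      "bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"],
      "effective": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"],
      "permitted": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"]
    },
    "apparmorProfile": "docker-default"
  },
  "root": {"path": "rootfs"},
  "linux": {
    "seccomp": {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": []},
    "resources": {"devices": [{"allow": false, "access": "rwm"}]}
  }
}`

// sampleDevices stands in for the host's /dev listing that Docker builds
// for --privileged (constructed; real values come from stat on each node).
var sampleDevices = []map[string]any{
	{"path": "/dev/null", "type": "c", "major": 1, "minor": 3, "fileMode": 0666},
	{"path": "/dev/zero", "type": "c", "major": 1, "minor": 5, "fileMode": 0666},
	{"path": "/dev/sda", "type": "b", "major": 8, "minor": 0, "fileMode": 0660},
}

// child returns m[key] as a JSON object, creating it when absent, so the
// rest of the spec (root, mounts, hooks, ...) passes through untouched.
func child(m map[string]any, key string) map[string]any {
	c, ok := m[key].(map[string]any)
	if !ok {
		c = map[string]any{}
		m[key] = c
	}
	return c
}

// Privilege rewrites a decoded config.json in place the way an
// hc.Privileged branch would: all caps, all devices, no seccomp, unconfined
// AppArmor. Each change removes one boundary between container and host,
// which is why the tool does not do it by default.
func Privilege(spec map[string]any, hostDevices []map[string]any) {
	proc := child(spec, "process")
	caps := child(proc, "capabilities")
	// The four sets Docker fills for a root --privileged process; the
	// ambient set is left exactly as the input spec had it.
	for _, set := range []string{"bounding", "effective", "inheritable", "permitted"} {
		names := make([]any, len(allCaps))
		for i, c := range allCaps {
			names[i] = c
		}
		caps[set] = names
	}
	proc["apparmorProfile"] = "unconfined"

	linux := child(spec, "linux")
	delete(linux, "seccomp") // no profile at all: every syscall is allowed

	devs := make([]any, len(hostDevices))
	for i, d := range hostDevices {
		devs[i] = d
	}
	linux["devices"] = devs // nodes runc creates inside the container
	// plus a device cgroup rule that permits rwm on any major:minor
	child(linux, "resources")["devices"] = []any{
		map[string]any{"allow": true, "access": "rwm"},
	}
}

// PrivilegeJSON is the file-level wrapper: decode, rewrite, re-encode.
func PrivilegeJSON(in []byte, hostDevices []map[string]any) ([]byte, error) {
	var spec map[string]any
	if err := json.Unmarshal(in, &spec); err != nil {
		return nil, err
	}
	Privilege(spec, hostDevices)
	return json.MarshalIndent(spec, "", "  ")
}

// Usage (hypothetical tool name): privilege-spec [config.json] > config.privileged.json
// With no argument the constructed sampleSpec is rewritten instead.
func main() {
	in := []byte(sampleSpec)
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		in = b
	}
	out, err := PrivilegeJSON(in, sampleDevices)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(out))
}
```

Diffing the input spec against the output is the cheapest review step before handing the file to runc: every line that disappears (the seccomp block, the deny-all device rule, the docker-default profile) is a restriction the daemon container no longer has, and a copied dockerd config.json should be checked the same way.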

Thanks! Found the dockerd config.json. Have to adjust path values.

So each device has to be mapped? Not just /dev/?

pwFoo commented 6 years ago

First quick test fails with

container_linux.go:296: starting container process caused "process_linux.go:398: container init caused \"process_linux.go:381: running prestart hook 0 caused \\\"fork/exec /usr/local/bin/dockerd: no such file or directory\\\"\""

But it's a starting point :)

pwFoo commented 6 years ago

Ok, dockerd running inside of runc :) Thank you very much for help!!!

pwFoo commented 6 years ago

@jessfraz Thanks for supporting me here with my problem!

So it can totally be edited to work... not at a computer currently, but later I will point to the part that needs the logic, just in case anyone wants to send a PR :) I totally realize the use case for it.

Maybe I take a look and try to add it. Because it would be nice and I should learn how to code Golang ;)