Open AkihiroSuda opened 5 years ago
Seems reasonable. Should be added around https://github.com/linuxkit/linuxkit/blob/master/pkg/init/cmd/rc.init/main.go#L198
I am curious where it is getting created. @AkihiroSuda's issue said:
Describe the results you received: Access: (0660/crw-rw----)
So it already is getting created, but with incorrect perms. Where is that happening?
Probably the hotplug daemon.
Will the daemon behave correctly if the device is already there (after Akihiro submits a PR to add it)? I assume so, as that would make sense, but I have learned never to rely on my own assumptions... :-)
diff --git a/pkg/init/cmd/rc.init/main.go b/pkg/init/cmd/rc.init/main.go
index 6d65af17a..8f05f205b 100644
--- a/pkg/init/cmd/rc.init/main.go
+++ b/pkg/init/cmd/rc.init/main.go
@@ -196,6 +196,8 @@ func doMounts() {
mkchar("/dev/tty", 0666, 5, 0)
mkchar("/dev/null", 0666, 1, 3)
mkchar("/dev/kmsg", 0660, 1, 11)
+ // allow everyone to use TUN/TAP
+ mkchar("/dev/net/tun", 0666, 10, 200)
// make standard symlinks
symlink("/proc/self/fd", "/dev/fd")
symlink("/proc/self/fd/0", "/dev/stdin")
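Review bot: `mkchar("/dev/net/tun", 0666, 10, 200)` assumes the `/dev/net` directory already exists, whereas every surrounding `mkchar` call creates its node directly in `/dev`; on a freshly mounted `/dev` the mknod fails with ENOENT and, because the helper's error handling is limited (as noted further down the thread), nothing is reported. Create the parent before the node, e.g. `os.MkdirAll("/dev/net", 0755)`, and check its error rather than discarding it.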
Rebuilt docker.yml with the patch above, no success
$ DOCKER_BUILDKIT=1 linuxkit pkg build ./pkg/init
$ docker tag linuxkit/init:1d8e0532ca588c5ad0d9ca6038349a70bb7ac626-dirty foo/bar
$ docker push foo/bar
$ vi docker.yml
$ linuxkit build -format qcow2-bios docker.yml
$ linuxkit run qemu docker.qcow2
(ns: getty) linuxkit-26740bd71677:~# ls -l /dev/net/tun
crw-rw---- 1 root root 10, 200 Oct 20 13:14 /dev/net/tun
You might need to create /dev/net too. The error handling here is not great due to environment it runs in.
still no success :thinking:
diff --git a/pkg/init/cmd/rc.init/main.go b/pkg/init/cmd/rc.init/main.go
index 6d65af17a..3f3b4e5be 100644
--- a/pkg/init/cmd/rc.init/main.go
+++ b/pkg/init/cmd/rc.init/main.go
@@ -196,6 +196,9 @@ func doMounts() {
mkchar("/dev/tty", 0666, 5, 0)
mkchar("/dev/null", 0666, 1, 3)
mkchar("/dev/kmsg", 0660, 1, 11)
+ // allow everyone to use TUN/TAP
+ os.MkdirAll("/dev/net", 0755)
+ mkchar("/dev/net/tun", 0666, 10, 200)
// make standard symlinks
symlink("/proc/self/fd", "/dev/fd")
symlink("/proc/self/fd/0", "/dev/stdin")
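Review bot: the error returned by `os.MkdirAll("/dev/net", 0755)` is dropped, so if the directory cannot be created the following `mkchar("/dev/net/tun", 0666, 10, 200)` fails for a reason that is invisible in the logs; handle it the same way the other helpers in `doMounts()` report failures, e.g. `if err := os.MkdirAll("/dev/net", 0755); err != nil { /* log it */ }`. The comment `// allow everyone to use TUN/TAP` also promises a 0666 node, but nothing in this hunk prevents the hotplug daemon from re-applying its own mode afterwards; the comment should say that `mdev.conf` has to agree with this mode for the change to hold.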
Hmm, so it is still there later with different permissions? Seems like the mysterious hotplug daemon is changing it. That is part of busybox (I do want to rewrite it in Go, or use one that is already written). Maybe there is some config for this... It is not well documented.
Looks like the permissions are captured here? https://github.com/alpinelinux/aports/blob/master/main/busybox-initscripts/mdev.conf#L103
Ah we should probably get Alpine to fix it upstream.
Filed an issue on https://gitlab.alpinelinux.org/alpine/aports/issues/10903 but happy to take a PR here to override the file for now.
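To check what an mdev.conf override will actually do to the node before shipping it, here is a small parser for the busybox mdev.conf rule format together with the first-match resolution mdev performs. This is an added example, not linuxkit's or Alpine's code; the sample configuration embedded in it is constructed for illustration and is not Alpine's real mdev.conf, and the rule syntax it accepts (`[-]regex|@maj,min|$ENV=regex user:group mode [>|=path] [!] [@|$|*cmd]`) follows the busybox documentation.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample in busybox mdev.conf syntax. It is NOT Alpine's real
// mdev.conf, only a stand-in for the kind of rule the thread points at.
const sampleConf = `
# device-regex   user:group   mode   [>|=path] [@|$|*cmd]
null        root:root    0666
kmsg        root:root    0660
tun[0-9]*   root:netdev  0660  =net/
.*          root:root    0660
`

// MdevRule is one parsed mdev.conf line.
type MdevRule struct {
	Name    *regexp.Regexp // nil for "@maj,min" and "$ENV=regex" selectors, which this example does not evaluate
	User    string
	Group   string
	Mode    os.FileMode
	Path    string // ">path" (move) or "=path" (move and keep a symlink), "" if absent
	Command string // trailing "@cmd", "$cmd" or "*cmd", kept verbatim
	NoNode  bool   // "!" present: mdev does not create the node
	Stop    bool   // false when the selector starts with "-": mdev keeps matching later rules
	Raw     string
}

// ParseMdevConf parses text in busybox mdev.conf format.
func ParseMdevConf(text string) ([]MdevRule, error) {
	var rules []MdevRule
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 3 {
			return nil, fmt.Errorf("line %d: expected at least 3 fields: %q", n, line)
		}
		r := MdevRule{Raw: line}
		sel := strings.TrimPrefix(f[0], "-")
		r.Stop = sel == f[0] // a leading "-" means "keep matching after this rule"
		if !strings.HasPrefix(sel, "@") && !strings.HasPrefix(sel, "$") {
			// mdev only accepts a match that spans the whole device name, so anchor it.
			re, err := regexp.Compile("^(?:" + sel + ")$")
			if err != nil {
				return nil, fmt.Errorf("line %d: bad regex %q: %v", n, sel, err)
			}
			r.Name = re
		}
		ug := strings.SplitN(f[1], ":", 2)
		if len(ug) != 2 {
			return nil, fmt.Errorf("line %d: bad user:group %q", n, f[1])
		}
		r.User, r.Group = ug[0], ug[1]
		m, err := strconv.ParseUint(f[2], 8, 32)
		if err != nil || m > 0o7777 {
			return nil, fmt.Errorf("line %d: bad octal mode %q", n, f[2])
		}
		r.Mode = os.FileMode(m)
		for rest := f[3:]; len(rest) > 0; {
			switch rest[0][0] {
			case '>', '=':
				r.Path, rest = rest[0], rest[1:]
			case '!':
				r.NoNode, rest = true, rest[1:]
			case '@', '$', '*':
				r.Command, rest = strings.Join(rest, " "), nil // command is the rest of the line
			default:
				return nil, fmt.Errorf("line %d: unexpected field %q", n, rest[0])
			}
		}
		rules = append(rules, r)
	}
	return rules, sc.Err()
}

// Resolve walks the rules as mdev does: the first matching rule is applied and
// matching stops, unless that rule had a leading "-", in which case later
// matching rules are applied too. The rule returned is the last one applied,
// i.e. the one whose owner and mode the node ends up with.
func Resolve(rules []MdevRule, dev string) (MdevRule, bool) {
	var last MdevRule
	found := false
	for _, r := range rules {
		if r.Name == nil || !r.Name.MatchString(dev) {
			continue
		}
		last, found = r, true
		if r.Stop {
			break
		}
	}
	return last, found
}

// Downgrades reports whether mdev would leave dev with fewer permission bits
// than want (for example 0660 where init created the node 0666).
func Downgrades(rules []MdevRule, dev string, want os.FileMode) bool {
	r, ok := Resolve(rules, dev)
	return ok && r.Mode&want != want
}

func main() {
	rules, err := ParseMdevConf(sampleConf)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, dev := range []string{"tun", "null", "vda"} {
		r, ok := Resolve(rules, dev)
		if !ok {
			fmt.Printf("%-5s no rule\n", dev)
			continue
		}
		fmt.Printf("%-5s %s:%s %04o %-6s downgrades 0666: %v\n",
			dev, r.User, r.Group, uint32(r.Mode), r.Path, Downgrades(rules, dev, 0666))
	}
}
```

Run it against the real mdev.conf from the image (read the file instead of `sampleConf`) and against the proposed override: if `Downgrades(rules, "tun", 0666)` is true for the override, the node created by `rc.init` will be reset to 0660 the next time mdev processes the `tun` event, which is exactly the symptom in the thread.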
Thanks!
Any movement on this?
Description
init should create /dev/net/tun with 0666 permission. This is required for rootless dind https://github.com/docker/for-mac/issues/3838
Steps to reproduce the issue:
stat /dev/net/tun
Describe the results you received: Access: (0660/crw-rw----)
Describe the results you expected: Access: (0666/crw-rw-rw-)
Additional information you deem important (e.g. issue happens only occasionally):