mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License
5.62k stars 378 forks

support init system s6 (error: unable to mkdir /var/run/s6) #136

Closed urbandroid closed 5 years ago

urbandroid commented 5 years ago

Lots of docker images throw

s6-mkdir: warning: unable to mkdir /var/run/s6: Permission denied

Is there a way to solve this issue securely? For example the emby/embyserver image.

mviereck commented 5 years ago

This in itself is not surprising. /var/run is owned by root and only root can write to it. But by default x11docker runs containers with an unprivileged user in it.

Looking a bit closer, it seems that those images use init system/supervisor s6.

As a quick'n'dirty fix you can run x11docker with --user=root. However, this disables all container security features of x11docker.

I'll look closer at how/if x11docker could support s6.

> For example the emby/embyserver image.

Can you give me other examples, please? I could not find the Dockerfile for emby/emby-base, but need a well-documented example to investigate.

urbandroid commented 5 years ago

Of course, I will add them here.

Lots of emby versions I tried have the same base, so I will check the transmission ones. For example this one:

https://github.com/linuxserver/docker-transmission/blob/master/Dockerfile

which uses this one as a base:

https://github.com/linuxserver/docker-baseimage-alpine/blob/master/Dockerfile

mviereck commented 5 years ago

I have added support for s6-overlay with option --init=s6-overlay.

Please update x11docker to the master version and try it out. There might still be some issues I did not see on my first test runs. Please report if you find something.

Try e.g.

  x11docker --init=s6-overlay emby/embyserver
  x11docker -ti --init=s6-overlay emby/embyserver sh

Currently x11docker only supports the specialized s6-overlay. Maybe I'll add support for s6 in general some day. On first attempts I did not succeed; I would have to dig deeper into the setup of s6.

urbandroid commented 5 years ago

I tried with x11docker version 5.5.1 and no luck.

s6-mkdir: warning: unable to mkdir /var/run/s6: Permission denied

mviereck commented 5 years ago

You have tried the latest stable release. The s6-overlay implementation is in 5.5.2-beta in master branch. Run x11docker --update-master to install it.

urbandroid commented 5 years ago

Thanks a lot. It works.

I want to ask you 2 off-topic questions if you don't mind.

1.

> x11docker WARNING: User me is member of group docker. That allows unprivileged processes on host to gain root privileges.

How can I mitigate this without kicking my user out of the docker group?

2.

> x11docker WARNING: Option --init=s6-overlay slightly degrades container isolation. It adds some user switching capabilities x11docker would disable otherwise. Services started as root might try to abuse their privileges

What are the exact security implications of this warning and how can I harden it?

mviereck commented 5 years ago

> How can I mitigate this without kicking my user out of the docker group?

You cannot, unfortunately. Possible alternatives without group docker:


> x11docker WARNING: Option --init=s6-overlay slightly degrades container isolation. It adds some user switching capabilities x11docker would disable otherwise. Services started as root might try to abuse their privileges

> What are the exact security implications of this warning and how can I harden it?

You can see the created docker command with option --debug.

Differences to a regular x11docker start:

  --cap-add AUDIT_WRITE \
  --cap-add CHOWN \
  --cap-add DAC_OVERRIDE \
  --cap-add KILL \
  --cap-add SETGID \
  --cap-add SETUID \

This is a subset of the default docker privileges that is needed to allow user switching in the container. User switching from root to an unprivileged user is needed for the --init options s6-overlay, openrc, runit, systemd and sysvinit. I'll try out whether s6-overlay needs a smaller subset, but probably not.

Another difference:

  --user root \

The init system and its services run as root. CMD or custom image commands run as unprivileged user.

You cannot harden this except not using s6-overlay at all. You can try to create a new Dockerfile with embyserver that works without s6-overlay.

However, don't take this too hard. --init=s6-overlay allows much more than a default x11docker setup, but is still within the default docker capabilities.
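A practical way to confirm what the warning above amounts to is to look at the capability mask of the init process inside the running container rather than trusting the command line: the kernel reports it as a hex bitmask in `CapEff:` of `/proc/<pid>/status`. The script below is an added example written for this thread, not x11docker's own code. It decodes such a mask into capability names (bit numbers taken from the kernel's `linux/capability.h`), and checks whether the set is limited to the six capabilities listed in the `--debug` output quoted in the comment above. The sample masks in the comments are constructed: `200000e3` is exactly those six capabilities, `a80425fb` is Docker's default set, so the second one must fail the check.

```shell
#!/bin/sh
# Decode a Linux capability bitmask (as shown in /proc/<pid>/status) and
# check it against the capabilities x11docker adds for --init=s6-overlay.
# Added example for the discussion above; not part of x11docker.

# Capability names in bit order, from linux/capability.h (bit 0 .. bit 40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# The six capabilities from the --debug output quoted in the thread.
S6_CAPS="audit_write chown dac_override kill setgid setuid"

# cap_decode HEXMASK -> prints the names of all set bits, lowest bit first.
# Example (constructed): cap_decode 200000e3
#   -> chown dac_override kill setgid setuid audit_write
cap_decode() {
    mask=$(( 0x$1 ))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# cap_subset_of HEXMASK "name name ..." -> exit 0 if every set bit in the
# mask is one of the listed names, 1 otherwise (prints the first offender).
cap_subset_of() {
    for name in $(cap_decode "$1"); do
        case " $2 " in
            *" $name "*) ;;
            *) printf 'unexpected capability: %s\n' "$name" >&2; return 1 ;;
        esac
    done
    return 0
}

# cap_eff_of_pid [PID] -> effective capability mask of PID (default 1, the
# init process, i.e. s6-overlay when started through x11docker).
cap_eff_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-1}/status"
}

# Usage inside the container:  sh cap_check.sh --check [PID]
case "${1:-}" in
    --check)
        eff=$(cap_eff_of_pid "${2:-1}")
        printf 'CapEff %s = %s\n' "$eff" "$(cap_decode "$eff")"
        if cap_subset_of "$eff" "$S6_CAPS"; then
            echo "OK: only the s6-overlay user-switching subset is present"
        else
            echo "WARNING: capabilities beyond the s6-overlay subset"
            exit 1
        fi
        ;;
esac
```

Run it as root inside the container (for example from the `x11docker -ti --init=s6-overlay ... sh` shell) and compare against a container started without `--init=s6-overlay`, where `CapEff` should decode to nothing at all; the mask belongs to PID 1, so an unprivileged CMD process started by s6-overlay will show a different (empty) value in its own `/proc/self/status`.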