nestybox / sysbox

An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
Apache License 2.0

docker OPA plugin fails to start with "default-runtime": "sysbox-runc" #734

Open dmitryroshchin opened 1 year ago

dmitryroshchin commented 1 year ago

I've bumped into an issue when running sysbox simultaneously with this docker plugin.

When setting sysbox as the default runtime, the following error occurs, even when the plugin is configured not to use the host network:

```
Sep 13 15:15:51 kata-testing dockerd[1102769]: time="2023-09-13T15:15:51.065032021Z" level=error msg="failed to enable plugin" error="failed to create task for container: failed to create shim task: OCI runtime create failed: container_linux.go:424: starting container process caused: process_linux.go:404: getting the final child's pid from pipe caused: EOF: unknown" id=d484abad1799472ea722c78145161a18758b8a5cf966edfa4dfb8202717a3ef9
```

If I change the default runtime to runc, everything works like a charm. But the thing is, I need sysbox to be the default runtime.

Steps to reproduce:

Environment:

- Ubuntu 20.04.6 LTS
- docker-ce/focal,now 5:24.0.5-1~ubuntu.20.04~focal
- sysbox-ce/now 0.6.1.linux amd64

Build, install and enable the OPA docker plugin.

Plugin config.json:

```json
{
    "description": "A policy-enabled authorization plugin for Docker",
    "documentation": "https://www.openpolicyagent.org/docs/docker-authorization/",
    "entrypoint": [
        "/opa-docker-authz"
    ],
    "args": {
        "name": "opa-args",
        "description": "Arguments for opa-docker-authz",
        "settable": ["value"],
        "value": ["-policy-file", "/opa/config/authz.rego"]
    },
    "interface": {
        "socket": "opa-docker-authz.sock",
        "types": ["docker.authz/1.0"]
    },
    "network": {
        "type": "bridge"
    },
    "mounts": [
        {
            "name": "policy",
            "source": "/etc/docker",
            "destination": "/opa",
            "type": "none",
            "options": ["bind", "ro"],
            "settable": ["source"]
        }
    ],
    "workdir": "/opa"
}
```

/etc/docker/daemon.json:

```json
{
    "debug": true,
    "default-runtime": "runc",
    "authorization-plugins": ["openpolicyagent/opa-docker-authz-v2:0.8"],
    "runtimes": {
        "sysbox-runc": {
            "path": "/usr/bin/sysbox-runc"
        }
    }
}
```

/etc/docker/config/authz.rego:

```rego
package docker.authz

default allow := false

allow {
    not deny
}

deny {
    seccomp_unconfined
}

seccomp_unconfined {
    input.Body.HostConfig.SecurityOpt[_] == "seccomp:unconfined"
}
```

```
$ sudo systemctl restart docker.service
$ sudo docker ps
error during connect: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": EOF
```
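As an added triage example (my own code, not part of this report or the sysbox project): parse dockerd's key=value log lines like the one quoted above and correlate the plugin-enable failure with daemon.json, flagging the combination the report describes (an authorization plugin together with a non-runc default runtime). The log line and daemon.json embedded below are constructed from the report; the function names are assumptions.

```python
import json
import re

# Constructed from the report: dockerd's key=value log output, values quoted Go-style.
SAMPLE_LOG = (
    'time="2023-09-13T15:15:51.065032021Z" level=error msg="failed to enable plugin" '
    'error="failed to create task for container: failed to create shim task: '
    'OCI runtime create failed: container_linux.go:424: starting container process '
    "caused: process_linux.go:404: getting the final child's pid from pipe caused: "
    'EOF: unknown" '
    'id=d484abad1799472ea722c78145161a18758b8a5cf966edfa4dfb8202717a3ef9'
)
# Constructed daemon.json with the failing combination described in the report.
SAMPLE_DAEMON_JSON = """{
  "default-runtime": "sysbox-runc",
  "authorization-plugins": ["openpolicyagent/opa-docker-authz-v2:0.8"],
  "runtimes": {"sysbox-runc": {"path": "/usr/bin/sysbox-runc"}}
}"""

# One key=value pair: the value is either a double-quoted string (with backslash
# escapes) or a bare run of non-blank characters.
LOGFMT_RE = re.compile(r'(\w[\w.-]*)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_logfmt(line):
    """Parse one dockerd log line into a dict; quoted values are unescaped."""
    fields = {}
    for key, quoted, bare in LOGFMT_RE.findall(line):
        fields[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return fields

def is_plugin_runtime_failure(fields):
    """Match the signature in the report: plugin enable failed inside OCI runtime create."""
    return (fields.get("level") == "error"
            and fields.get("msg") == "failed to enable plugin"
            and "OCI runtime create failed" in fields.get("error", ""))

def check_daemon_config(daemon_json_text):
    """Flag authz plugins combined with a non-runc default runtime (the report shows
    plugin start failing when sysbox-runc is the default)."""
    cfg = json.loads(daemon_json_text)
    runtime = cfg.get("default-runtime", "runc")
    plugins = cfg.get("authorization-plugins", [])
    if plugins and runtime != "runc":
        return [f"authorization-plugins {plugins} will start under default runtime {runtime!r}"]
    return []

def triage(log_lines, daemon_json_text):
    """Return the task ids of failed plugin starts plus any config findings."""
    ids = [f["id"] for f in map(parse_logfmt, log_lines) if is_plugin_runtime_failure(f)]
    return {"failed_plugin_ids": ids, "config_findings": check_daemon_config(daemon_json_text)}
```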

ctalledo commented 1 year ago

Hi @dmitryroshchin, no, not yet. ETA next 1-2 weeks.

dmitryroshchin commented 1 year ago

@ctalledo any news on this issue?