qemus / qemu-docker

QEMU in a Docker container.
MIT License
493 stars 59 forks

Security Issue: Requires Root Privs #572

Closed JamesClarke7283 closed 1 month ago

JamesClarke7283 commented 4 months ago

Operating system

Parabola GNU/Linux-libre

Description

I have my user added to the kvm group, and rootless podman is also set up, so it should work without root privs.

Dockerfile

FROM scratch
COPY --from=qemux/qemu-docker:5.16 / /

ARG VERSION_ARG="0.0"
ARG DEBCONF_NOWARNINGS="yes"
ARG DEBIAN_FRONTEND="noninteractive"
ARG DEBCONF_NONINTERACTIVE_SEEN="true"

RUN set -eu && \
    apt-get update && \
    apt-get --no-install-recommends -y install \
        bc \
        curl \
        7zip \
        wsdd \
        samba \
        xz-utils \
        wimtools \
        dos2unix \
        cabextract \
        genisoimage \
        libxml2-utils && \
    apt-get clean && \
    echo "$VERSION_ARG" > /run/version && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

COPY --chmod=755 ./src /run/
COPY --chmod=755 ./assets /run/assets

ADD --chmod=755 https://raw.githubusercontent.com/christgau/wsdd/v0.8/src/wsdd.py /usr/sbin/wsdd
ADD --chmod=664 https://github.com/qemus/virtiso/releases/download/v0.1.248/virtio-win-0.1.248.tar.xz /drivers.txz

EXPOSE 8006 3389
VOLUME /storage

ENV RAM_SIZE "4G"
ENV CPU_CORES "2"
ENV DISK_SIZE "64G"
ENV VERSION "win11"

ENTRYPOINT ["/usr/bin/tini", "-s", "/run/entry.sh"]

Docker log

❯ ERROR: Script must be executed with root privileges.

Screenshots (optional)

No response

NateChoe1 commented 4 months ago

I was able to get this image working on rootless docker by editing /etc/subgid. On my system, my username is nate, and the kvm user has gid 104, so I added this line.

nate:104:1

I wrote a very short script to do this process automatically (requires root privileges).

#!/bin/bash

read -rp "Enter your username: " DOCKER_USER

# Numeric gid of the host kvm group (match the exact name, so e.g. "kvm-users" is not picked up).
KVM_GROUP="$(awk -F: '$1 == "kvm" {print $3}' /etc/group)"
# Map that single host gid into the user's subordinate gids, unless the entry already exists.
if ! grep -q "^$DOCKER_USER:$KVM_GROUP:" /etc/subgid; then
    printf "%s:%s:1\n" "$DOCKER_USER" "$KVM_GROUP" >> /etc/subgid
fi

If this doesn't work, you may need to add the kvm group to your container. First, find the group that the host kvm group maps to.

#!/bin/bash

read -rp "Enter your username: " DOCKER_USER

KVM_GROUP="$(awk -F: '$1 == "kvm" {print $3}' /etc/group)"
# Container gid 0 is the user's own gid; the user's subgid ranges are then mapped
# in file order starting at container gid 1. So the container gid of the host kvm
# gid is 1 + (sizes of the ranges before the one containing it) + (its offset
# inside that range).
KVM_MAPPED_GROUP=1
FOUND=0
while IFS=: read -r MAP_USER MAP_START MAP_SIZE ; do
    if [ "$KVM_GROUP" -ge "$MAP_START" ] && [ "$KVM_GROUP" -lt "$((MAP_START + MAP_SIZE))" ] ; then
        KVM_MAPPED_GROUP="$((KVM_MAPPED_GROUP + KVM_GROUP - MAP_START))"
        FOUND=1
        break
    fi
    KVM_MAPPED_GROUP="$((KVM_MAPPED_GROUP + MAP_SIZE))"
done < <(grep "^$DOCKER_USER:" /etc/subgid)

if [ "$FOUND" -eq 0 ] ; then
    echo "Host kvm gid $KVM_GROUP is not in any subgid range for $DOCKER_USER" >&2
    exit 1
fi
echo "KVM group: $KVM_MAPPED_GROUP"

Then, in your docker-compose.yml file, add the following lines:

services:
  qemu:
    # ...
    group_add:
      - [the group number from the previous step]
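The gid translation described in the comment above, as an added example that is not part of this thread or of the qemu-docker project: a POSIX shell function that takes the host gid, the username and the text of /etc/subgid (here a constructed sample, so it runs offline) and returns the container gid that rootless Docker or Podman will assign to it. It generalizes the comment's script by also resolving a host gid that falls inside a larger subgid range, not only a one-gid entry, and it fails instead of guessing when the gid is not mapped at all, which is the case that produces an unreadable /dev/kvm inside the container.

```shell
#!/bin/sh
# Added example, not code from the issue or the project.
# Rootless user namespaces map container gid 0 to the user's own primary gid and
# hand out container gids 1.. from the user's /etc/subgid ranges in file order.
# For a host gid G inside the range "user:START:COUNT", the container gid is
#   1 + (sum of COUNT over the earlier ranges of that user) + (G - START).

# Usage: container_gid_for <user> <host_gid> <subgid_text>
# Prints the container gid; returns 1 if the host gid is not mapped for that user.
container_gid_for() {
    user="$1"
    host_gid="$2"
    subgid_text="$3"
    offset=1
    result=""
    # Anchor on "user:" so that "nate" does not also match "nate2".
    lines="$(printf '%s\n' "$subgid_text" | grep "^$user:" || true)"
    [ -n "$lines" ] || return 1
    # Heredoc (not a pipe) keeps the loop in the current shell so $result survives.
    while IFS=: read -r map_user start count; do
        [ -n "$start" ] || continue
        if [ "$host_gid" -ge "$start" ] && [ "$host_gid" -lt "$((start + count))" ]; then
            result=$((offset + host_gid - start))
            break
        fi
        offset=$((offset + count))
    done <<EOF
$lines
EOF
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# Constructed sample of /etc/subgid: a normal 65536-wide range first, then the
# one-gid kvm entry the comment's script appends (host kvm gid 104), plus another
# user's range that must be ignored.
SAMPLE_SUBGID='nate:100000:65536
nate:104:1
alice:200000:65536'

# Demo on the sample: host gid 104 lands on container gid 1 + 65536 = 65537.
container_gid_for nate 104 "$SAMPLE_SUBGID"
```

On a real host the same function can be fed the live data, for example `container_gid_for "$USER" "$(getent group kvm | cut -d: -f3)" "$(cat /etc/subgid)"`, and the printed number is what goes under `group_add:` in docker-compose.yml. A non-zero exit means the kvm gid is not in any of the user's subgid ranges, so the first fix in the comment (adding a `user:KVMGID:1` line) is still needed.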