slimtoolkit / slim

Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Apache License 2.0

Differences between seccomp profiles generated via `build` and `profile` commands #308

Closed mtardy closed 2 years ago

mtardy commented 2 years ago

Expected Behavior

By reading the documentation of the project, I was expecting that `docker-slim profile` was running the exact same part of the app that generates the seccomp profile while doing `docker-slim build`.


Actual Behavior

It seems that it's not the case. I have a concrete example just below that produces two different seccomp profiles, and one doesn't work as it prevents the container from starting correctly. The one built with `docker-slim build` seems to work very well, and congratulations on that 😸 ! That's an impressive feature!


Steps to Reproduce the Problem

I was trying something like this:

```shell
docker-slim --state-path docker-slim-dir profile --pull nginx:1.21.6-alpine
export IMAGE_ID=$(docker inspect nginx:1.21.6-alpine --format '{{slice .ID 7}}')
export SECCOMP_PATH=docker-slim-dir/.docker-slim-state/images/$IMAGE_ID/artifacts/nginx-seccomp.json
docker run --security-opt seccomp:$SECCOMP_PATH nginx:1.21.6-alpine
```

And unfortunately you get (as stated by Skybound in the previous answers):

```
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: close exec fds: ensure /proc/self/fd is on procfs: operation not permitted: unknown.
```

But then I took a look at your examples repo and saw this: https://github.com/docker-slim/examples/blob/master/3rdparty/nginx_alpine/slim.sh

And this works perfectly!

```shell
docker-slim profile --copy-meta-artifacts . --tag nginx_alpine.slim nginx:1.21.6-alpine
docker run -p 8080:80 --security-opt seccomp=nginx-seccomp.json nginx:1.21.6-alpine
```

Specifications
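Added example, not code from the issue or from the docker-slim project: a small Python script that compares two Docker/OCI seccomp profiles (such as the ones produced by `profile` and `build` above) and reports which syscalls each one allows that the other does not, then checks a profile for the syscalls runc's init still issues after the filter is installed. The two embedded profiles are constructed for illustration, not real docker-slim output. The `RUNC_STARTUP_SYSCALLS` list is an assumption based on runc's source, where the "ensure /proc/self/fd is on procfs" check is an `fstatfs(2)` on `/proc/self/fd`; the issue itself does not name the missing syscall. Run it with two profile paths as arguments to compare real artifacts, or with no arguments to use the embedded samples.

```python
"""Diff two seccomp profiles and check one for the syscalls runc needs at start."""
import json
import sys
from typing import Dict, Set

ALLOW = "SCMP_ACT_ALLOW"

# Assumption (not stated in the issue): runc's "ensure /proc/self/fd is on procfs"
# check is an fstatfs(2) on /proc/self/fd. A profile whose defaultAction is
# SCMP_ACT_ERRNO and that omits fstatfs therefore fails that check with EPERM,
# which is the error shown in the report. The other names cover the later steps
# of the same init path (listing and closing fds, then execve); the list is
# illustrative, not exhaustive.
RUNC_STARTUP_SYSCALLS: Set[str] = {"fstatfs", "openat", "getdents64", "close", "execve"}


def allowed_syscalls(profile: dict) -> Set[str]:
    """Syscall names explicitly allowed by the profile.

    Accepts both the current `names` list and the older singular `name` field
    used by early Docker profiles.
    """
    names: Set[str] = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != ALLOW:
            continue
        names.update(rule.get("names", []))
        if "name" in rule:
            names.add(rule["name"])
    return names


def diff_profiles(a: dict, b: dict) -> Dict[str, Set[str]]:
    """Syscalls allowed by one profile but not the other."""
    sa, sb = allowed_syscalls(a), allowed_syscalls(b)
    return {"only_in_a": sa - sb, "only_in_b": sb - sa}


def missing_for_runc(profile: dict) -> Set[str]:
    """Startup syscalls the profile would deny (empty if allow-by-default)."""
    if profile.get("defaultAction") == ALLOW:
        return set()
    return RUNC_STARTUP_SYSCALLS - allowed_syscalls(profile)


def with_extra_allows(profile: dict, names: Set[str]) -> dict:
    """Copy of the profile with one additional allow rule for `names`."""
    patched = json.loads(json.dumps(profile))  # deep copy via JSON round-trip
    if names:
        patched.setdefault("syscalls", []).append(
            {"names": sorted(names), "action": ALLOW})
    return patched


def load_profile(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample profiles (deliberately tiny; real ones list hundreds of
# syscalls). PROFILE_A allows fstatfs, PROFILE_B does not.
PROFILE_A = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{"names": ["execve", "fstatfs", "openat", "getdents64", "close",
                            "read", "write", "exit_group"],
                  "action": ALLOW}],
}
PROFILE_B = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{"names": ["execve", "openat", "getdents64", "close",
                            "read", "write", "exit_group", "socket"],
                  "action": ALLOW}],
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        first, second = load_profile(sys.argv[1]), load_profile(sys.argv[2])
    else:
        first, second = PROFILE_A, PROFILE_B
    d = diff_profiles(first, second)
    print("only in first :", sorted(d["only_in_a"]))
    print("only in second:", sorted(d["only_in_b"]))
    gap = missing_for_runc(second)
    print("second profile denies at runc start:", sorted(gap))
    if gap:
        print("patched second profile:")
        print(json.dumps(with_extra_allows(second, gap), indent=2))
```

The patched profile is a diagnostic aid for confirming which denied syscall breaks container start, not a substitute for the generator producing a correct profile: anything added by hand widens the allow list beyond what the application was observed to use.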

kcq commented 2 years ago

thank you for opening the issue @mtardy

mritunjaysharma394 commented 2 years ago

I would like to take up this issue @kcq

kcq commented 2 years ago

@mritunjaysharma394 let's review the current state and let's chat about the design options