Open swizzlr opened 8 years ago
Had to add --privileged like @LoiKos mentioned. Maybe it is time to update the README that is shown on https://hub.docker.com/_/swift/
Sounds like more caps are now required than before -- definitely time to update the description, but we need to figure out the minimal set of required caps first (because adding "--privileged" to that description is a 100% no-go; you might as well not use a container at that point).
This one is tough and has been haunting us forever :). Not sure what to do here; in the GitHub README we have --privileged, noting that people use containers locally for development too and not just for deployments, places where a Swift REPL is more needed or helpful. I think we decided to exclude it from the Docker Hub documentation specifically because of the concern about containers on Linux servers. I think this was also pointed out to us by the Docker team when we were merging the project into the official images section that they maintain.
@tianon
> Sounds like more caps are now required than before
Unfortunately, even with --cap-add=ALL, I can't make it work... 😕
Ah, so there's likely something in the default seccomp profile and/or apparmor profile blocking it now.
Confirmed, I can run the REPL with just "--security-opt seccomp=unconfined" (and no other options).
Now to narrow down what exactly is required for it to work that the default profile blocks.
Ok, here's what I've had success with (where default.json comes from https://raw.githubusercontent.com/docker/docker-ce/v17.06.2-ce/components/engine/profiles/seccomp/default.json):
--- default.json 2017-09-08 15:02:37.061507178 -0700
+++ swift.json 2017-09-08 15:02:54.821989684 -0700
@@ -216,6 +216,7 @@
"open",
"openat",
"pause",
+ "personality",
"pipe",
"pipe2",
"poll",
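Review bot: adding "personality" to this bulk allow list (the surrounding context lines show entries with no "args" filter) grants every persona value, not only the ADDR_NO_RANDOMIZE that the REPL needs. The tighter fix is a separate rule with an argument comparison, for example `{"index": 0, "value": 262144, "op": "SCMP_CMP_EQ"}` (262144 = 0x0040000 = ADDR_NO_RANDOMIZE), which keeps the remaining persona flags blocked while still letting LLDB disable ASLR.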
$ docker run -it --rm --security-opt seccomp=swift.json --cap-add sys_ptrace swift swift
Welcome to Swift version 3.1 (swift-3.1-RELEASE). Type :help for assistance.
1>
Should we even be supporting repl in the official image? If things like text editors are excluded, everything except the core compiler and runtime should be excluded right? The purpose of this image is execution, not dev support.
So what is the way to make this Docker image work? I keep getting "error: failed to launch REPL process: process launch failed: 'A' packet returned an error: 8" no matter what I copy from here into my terminal.
I can't even get past the first step of installing this Docker image. I'm not familiar with the REPL, so I definitely have no clue how to set it up; I'm just following the README, which is not working.
@jonauz If the Readme instructions aren't working for you, please open a separate issue. This issue tracks the fact that the REPL fails without elevated security privileges.
Action item: me to update Readme and sync it with official repo README.
I get this:
docker run --cap-add sys_ptrace -it --rm swift swift error: failed to launch REPL process: process launch failed: 'A' packet returned an error: 8
I see from above I should perhaps open a new issue?
@fekerr it likely also needs a slightly customised seccomp profile, as I noted above (https://github.com/swiftdocker/docker-swift/issues/9#issuecomment-328224511)
@swizzlr We are moving Swift Docker issues to https://bugs.swift.org Component: Docker. Can you please file your issue on bugs.swift.org?
We are planning on closing GitHub swift-docker issues on Dec 20th, 2018 (PST).
In the same way as @LoiKos and @andradei, I had to add --privileged:
docker run --privileged --cap-add sys_ptrace -it --rm swift:5.0-xenial swift
I have Docker running on macOS Mojave. We are in 2019 and they still haven't updated the README on Docker Hub.
Adding --privileged is a huge hammer with broad security implications. What should be documented is the specific security features that need to be disabled, as I already noted above: https://github.com/apple/swift-docker/issues/9#issuecomment-328224511
When I add --cap-add sys_ptrace the image never gets created.
Hi,
I just tried today and this worked for me! docker run --privileged --cap-add sys_ptrace -it --name swiftfun swift /bin/bash
As @tianon commented regarding --privileged, maybe
docker run --cap-add sys_ptrace --security-opt seccomp=unconfined -it --rm swift swift
is better than
docker run --privileged --cap-add sys_ptrace -it --name swiftfun swift /bin/bash
I've gotten it working with only one change to the seccomp profile.
root@2b7a2030895e:~# strace -f swift repl 2>&1 | grep EPERM
[pid 436] setsid() = -1 EPERM (Operation not permitted)
[pid 439] personality(PER_LINUX|ADDR_NO_RANDOMIZE) = -1 EPERM (Operation not permitted)
My change to the default seccomp profile:
--- seccomp.json.orig 2023-08-31 03:56:06.480864664 +0100
+++ seccomp.json 2023-08-31 03:56:51.149223795 +0100
@@ -824,6 +824,19 @@
"CAP_PERFMON"
]
}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 262144,
+ "op": "SCMP_CMP_EQ"
+ }
+ ]
}
]
}
\ No newline at end of file
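Review bot: the magic number 262144 in the new personality rule is undocumented; it is 0x0040000, i.e. ADDR_NO_RANDOMIZE, the flag the strace line above shows LLDB passing. Add a "comment" field to the entry (Docker's profile loader accepts one per syscall entry) so a later reader can tell why that exact value is allowed and nothing else. Minor: the file ends with "\ No newline at end of file"; add the trailing newline.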
$ docker run --rm -it --security-opt seccomp=seccomp.json swift swift repl
Welcome to Swift version 5.8.1 (swift-5.8.1-RELEASE).
Type :help for assistance.
1> import Foundation
2> Date()
$R0: Foundation.Date = 2023-08-31 02:43:28 GMT
3> ^D
Allowing ADDR_NO_RANDOMIZE by default was requested in moby/moby#43011, but the answer was to maintain your own seccomp profile.
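The two profile edits in this thread (the 2017 one that adds "personality" to the allow list, and the 2023 one that allows it only for value 262144) can be checked without starting a container. The script below is an added example, not code from this thread, from Docker, or from the Swift project: it appends the narrow personality(ADDR_NO_RANDOMIZE) rule to a profile and then evaluates the profile for the calls strace showed the REPL making. BASE_PROFILE is a constructed, minimal stand-in for Docker's default.json, not the real file, and the evaluator models only defaultAction, names, args and action (no includes/excludes capability gating and no architecture sets).

```python
"""Added example: build a narrowed seccomp profile for the Swift REPL and
check what it allows.  Not from the swift-docker thread, Docker or Swift.

Assumptions: BASE_PROFILE is a constructed stand-in for Docker's default.json;
evaluate() models only defaultAction/names/args/action.
"""
import copy
import json

ADDR_NO_RANDOMIZE = 0x0040000   # personality(2) flag: disable ASLR for the process
READ_IMPLIES_EXEC = 0x0400000   # another persona flag, used to show it stays blocked
PER_LINUX = 0x0000


def _personality_rule(value, comment=""):
    """One allow rule for personality() with an exact match on argument 0."""
    return {
        "names": ["personality"],
        "action": "SCMP_ACT_ALLOW",
        "args": [{"index": 0, "value": value, "op": "SCMP_CMP_EQ"}],
        "comment": comment,
    }


# Constructed stand-in for Docker's default profile: deny-by-default with EPERM,
# a few syscalls allowed outright, and personality() allowed only for the
# persona values the real default profile lists.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,  # EPERM, which is what strace reports inside the container
    "syscalls": [
        {"names": ["read", "write", "openat", "pipe2", "setsid"],
         "action": "SCMP_ACT_ALLOW", "args": []},
    ] + [_personality_rule(v) for v in (0x0, 0x0008, 0x20000, 0x20008, 0xFFFFFFFF)],
}


def add_swift_repl_rule(profile):
    """Return a copy of `profile` with the narrow personality(ADDR_NO_RANDOMIZE) rule."""
    patched = copy.deepcopy(profile)
    patched["syscalls"].append(_personality_rule(
        ADDR_NO_RANDOMIZE,
        comment="Swift REPL: LLDB disables ASLR in the debuggee (ADDR_NO_RANDOMIZE only)"))
    return patched


def _arg_matches(rule_arg, actual):
    """Apply one seccomp argument comparison, using Docker's JSON field layout."""
    op, value = rule_arg["op"], rule_arg["value"]
    if op == "SCMP_CMP_EQ":
        return actual == value
    if op == "SCMP_CMP_NE":
        return actual != value
    if op == "SCMP_CMP_MASKED_EQ":
        # In Docker's profile JSON "value" is the mask and "valueTwo" the expected bits.
        return (actual & value) == rule_arg.get("valueTwo", 0)
    raise ValueError(f"unsupported comparison {op}")


def evaluate(profile, syscall, args=()):
    """Return the action the profile takes for `syscall(*args)`.

    Rules naming the same syscall are OR'd: the first rule whose argument
    comparisons all hold decides; with no matching rule, defaultAction applies.
    Arguments not supplied are treated as 0.
    """
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        if all(_arg_matches(a, args[a["index"]] if a["index"] < len(args) else 0)
               for a in rule.get("args") or []):
            return rule["action"]
    return profile["defaultAction"]


def repl_probe(profile):
    """Evaluate the calls the REPL's strace shows, plus a persona that must stay blocked."""
    calls = {
        "personality(PER_LINUX|ADDR_NO_RANDOMIZE)": ("personality", (PER_LINUX | ADDR_NO_RANDOMIZE,)),
        "personality(0xffffffff) [query current persona]": ("personality", (0xFFFFFFFF,)),
        "personality(READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)": ("personality", (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE,)),
        "setsid()": ("setsid", ()),
    }
    return {name: evaluate(profile, sc, a) for name, (sc, a) in calls.items()}


def dump_profile(profile):
    """Serialise for `docker run --security-opt seccomp=<file>`."""
    return json.dumps(profile, indent=2) + "\n"


if __name__ == "__main__":
    patched = add_swift_repl_rule(BASE_PROFILE)
    after = repl_probe(patched)
    for name, before in repl_probe(BASE_PROFILE).items():
        print(f"{name:52} default: {before:15} patched: {after[name]}")
    with open("swift-seccomp.json", "w") as fh:
        fh.write(dump_profile(patched))
```

Running it writes swift-seccomp.json, which is then used the way the poster above used theirs: `docker run --rm -it --security-opt seccomp=swift-seccomp.json swift swift repl`. Two points the probe makes visible: the exact-value rule lets personality(ADDR_NO_RANDOMIZE) through while a different persona carrying the same flag (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE) is still refused, which a blanket "personality" allow would not do; and strace shows a seccomp EPERM and a kernel EPERM identically, so an EPERM line is only evidence of a seccomp block if the call succeeds once the rule is added. setsid(2) returns EPERM on its own when the caller is already a process group leader, which is consistent with the personality rule alone being enough.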
Overview
Swift REPL requires LLDB. LLDB requires some elevated privileges.
Objectives