swiftlang / swift-docker

Docker Official Image packaging for Swift
https://swift.org
Apache License 2.0
1.36k stars 182 forks

Update documentation to clarify REPL usage and security implications #9

Open swizzlr opened 8 years ago

swizzlr commented 8 years ago

Overview

Swift REPL requires LLDB. LLDB requires some elevated privileges.

Objectives

andradei commented 7 years ago

Had to add --privileged like @LoiKos mentioned. Maybe it is time to update the README that is shown on https://hub.docker.com/_/swift/

tianon commented 7 years ago

Sounds like more caps are now required than before -- definitely time to update the description, but we need to figure out the minimal set of required caps first (because adding "--privileged" to that description is a 100% no-go; you might as well not use a container at that point).

hamin commented 7 years ago

This one is tough and has been haunting us forever :). Not sure what to do here. In the GitHub README we have --privileged, noting that people use containers locally for development too and not just for deployments, places where a Swift REPL is more needed or helpful. I think we decided to exclude them from the Docker Hub documentation specifically because of the concern about containers on Linux servers. I think this was also pointed out to us by the Docker team when we were merging the project into the official images section that they maintain.

aduermael commented 7 years ago

@tianon

Sounds like more caps are now required than before

Unfortunately, even with --cap-add=ALL, I can't make it work... 😕

tianon commented 7 years ago

Ah, so there's likely something in the default seccomp profile and/or apparmor profile blocking it now.

tianon commented 7 years ago

Confirmed, I can run the REPL with just "--security-opt seccomp=unconfined" (and no other options).

Now to narrow down what exactly is required for it to work that the default profile blocks.

tianon commented 7 years ago

OK, here's what I've had success with (where default.json comes from https://raw.githubusercontent.com/docker/docker-ce/v17.06.2-ce/components/engine/profiles/seccomp/default.json):

--- default.json    2017-09-08 15:02:37.061507178 -0700
+++ swift.json  2017-09-08 15:02:54.821989684 -0700
@@ -216,6 +216,7 @@
                "open",
                "openat",
                "pause",
+               "personality",
                "pipe",
                "pipe2",
                "poll",
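Review bot: the added `"personality"` entry in this hunk goes into the plain name list, so it carries no argument filter and allows every persona value, not only the one the REPL needs; if default.json already has a `personality` rule with an `args` condition, this unfiltered entry makes it unconditional. Consider a separate rule for `personality` with an `args` condition (`"index": 0, "op": "SCMP_CMP_EQ"` on the exact value LLDB requests) so the rest of the persona space stays blocked, and document that `--cap-add sys_ptrace` is still required alongside the profile, as the command below the diff shows.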
$ docker run -it --rm --security-opt seccomp=swift.json --cap-add sys_ptrace swift swift
Welcome to Swift version 3.1 (swift-3.1-RELEASE). Type :help for assistance.
  1>  

Khalian commented 7 years ago

Should we even be supporting repl in the official image? If things like text editors are excluded, everything except the core compiler and runtime should be excluded right? The purpose of this image is execution, not dev support.

jonauz commented 7 years ago

So what is the way to make this Docker image work? I keep getting the error `failed to launch REPL process: process launch failed: 'A' packet returned an error: 8` no matter what I try to copy from here into my terminal. I can't get past even the first step of installing this Docker image. I'm not familiar with the REPL, so I definitely have no clue how to set it up; I'm just following the README, which is not working.

swizzlr commented 6 years ago

@jonauz If the Readme instructions aren't working for you, please open a separate issue. This issue tracks the fact that the REPL fails without elevated security privileges.

swizzlr commented 6 years ago

Action item: me to update Readme and sync it with official repo README.

fekerr commented 6 years ago

I get this:

docker run --cap-add sys_ptrace -it --rm swift swift
error: failed to launch REPL process: process launch failed: 'A' packet returned an error: 8

I see from above I should perhaps open a new issue?

tianon commented 6 years ago

@fekerr it likely also needs a slightly customised seccomp profile, as I noted above (https://github.com/swiftdocker/docker-swift/issues/9#issuecomment-328224511)

shahmishal commented 5 years ago

@swizzlr We are moving Swift Docker issues to https://bugs.swift.org Component: Docker. Can you please file your issue on bugs.swift.org?

We are planning on closing GitHub swift-docker issues on Dec 20th, 2018 (PST).

CarlitosDroid commented 5 years ago

In the same way as @LoiKos and @andradei, I had to add --privileged:

docker run --privileged --cap-add sys_ptrace -it --rm swift:5.0-xenial swift

I have Docker running on macOS Mojave. We are in 2019 and they still don't update the README on Docker Hub.

tianon commented 5 years ago

Adding --privileged is a huge hammer with broad security implications. What should be documented is the specific security features that need to be disabled, as I already noted above: https://github.com/apple/swift-docker/issues/9#issuecomment-328224511

1oo7 commented 4 years ago

When I add --cap-add sys_ptrace the image never gets created.

DrSajid commented 4 years ago

Hi,

I just tried today and this worked for me!

docker run --privileged --cap-add sys_ptrace -it --name swiftfun swift /bin/bash

Guang1234567 commented 4 years ago

As per @tianon's comment on --privileged, maybe

docker run --cap-add sys_ptrace --security-opt seccomp=unconfined -it --rm swift swift

is better than

docker run --privileged --cap-add sys_ptrace -it --name swiftfun swift /bin/bash

Guang1234567 commented 4 years ago

[image attachment, not reproduced]

NHellFire commented 1 year ago

I've gotten it working with only one change to the seccomp profile.

root@2b7a2030895e:~# strace -f swift repl 2>&1 | grep EPERM
[pid   436] setsid()                    = -1 EPERM (Operation not permitted)
[pid   439] personality(PER_LINUX|ADDR_NO_RANDOMIZE) = -1 EPERM (Operation not permitted)

My change to the default seccomp profile:

--- seccomp.json.orig  2023-08-31 03:56:06.480864664 +0100
+++ seccomp.json  2023-08-31 03:56:51.149223795 +0100
@@ -824,6 +824,19 @@
           "CAP_PERFMON"
         ]
       }
+    },
+    {
+      "names": [
+        "personality"
+      ],
+      "action": "SCMP_ACT_ALLOW",
+      "args": [
+        {
+          "index": 0,
+          "value": 262144,
+          "op": "SCMP_CMP_EQ"
+        }
+      ]
     }
   ]
 }
\ No newline at end of file
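Review bot: `"value": 262144` in the new rule is a bare magic number; JSON cannot carry a comment, so the commit message or the README that ships this profile should state that it is PER_LINUX|ADDR_NO_RANDOMIZE (0x40000), the exact persona the strace output above shows LLDB requesting, and that with SCMP_CMP_EQ any other flag combined with it is still refused. The `setsid() = -1 EPERM` line in the same strace is not addressed by this hunk; if the REPL works regardless, say so, so nobody later adds `setsid` to the allowlist on the strength of that line. Minor: the file ends with `\ No newline at end of file`; add the trailing newline.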
$ docker run --rm -it --security-opt seccomp=seccomp.json swift swift repl
Welcome to Swift version 5.8.1 (swift-5.8.1-RELEASE).
Type :help for assistance.
  1> import Foundation
  2> Date()
$R0: Foundation.Date = 2023-08-31 02:43:28 GMT
  3> ^D

Allowing ADDR_NO_RANDOMIZE by default was requested in moby/moby#43011, but the answer was to maintain your own seccomp profile.
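The two seccomp changes in this thread differ in what else they let through: the first adds `personality` to the unfiltered allowlist, the second allows it only for one argument value. The Python below is an added example, not part of this issue or the swift-docker project. It builds both variants on top of a constructed, trimmed-down stand-in for Docker's default profile (not the real file) and evaluates them with a simplified model of seccomp rule matching; the stand-in profile, the `decide` model and the helper names are assumptions for illustration, and in practice the real Docker default profile is the base to patch.

```python
import copy
import json

# Constructed stand-in for Docker's default seccomp profile (not the real
# file): deny everything by default and allow a few syscalls, including
# personality() only for PER_LINUX (value 0).
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "open", "openat", "pause", "pipe"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    ],
}

# Linux persona flags (values as in <linux/personality.h>).
PER_LINUX = 0x0000000
ADDR_NO_RANDOMIZE = 0x0040000   # 262144: what LLDB requests to disable ASLR
READ_IMPLIES_EXEC = 0x0400000   # unrelated flag, used as the "must stay blocked" case


def allow_unfiltered(profile, name):
    """Variant A (first diff in the thread): append the bare syscall name in
    an allow rule with no argument filter. Every argument value passes."""
    patched = copy.deepcopy(profile)
    patched["syscalls"].append(
        {"names": [name], "action": "SCMP_ACT_ALLOW", "args": []})
    return patched


def allow_personality_value(profile, value):
    """Variant B (second diff in the thread): allow personality() only when
    its first argument equals `value`."""
    patched = copy.deepcopy(profile)
    patched["syscalls"].append({
        "names": ["personality"],
        "action": "SCMP_ACT_ALLOW",
        "args": [{"index": 0, "value": value, "op": "SCMP_CMP_EQ"}],
    })
    return patched


def _condition_holds(cond, args):
    """Evaluate one argument condition. Only SCMP_CMP_EQ and
    SCMP_CMP_MASKED_EQ are modelled (assumption: enough for this demo)."""
    if cond["index"] >= len(args):
        return False
    actual = args[cond["index"]]
    if cond["op"] == "SCMP_CMP_EQ":
        return actual == cond["value"]
    if cond["op"] == "SCMP_CMP_MASKED_EQ":
        # Docker JSON: "value" is the mask, "valueTwo" the expected masked result.
        return (actual & cond["value"]) == cond["valueTwo"]
    raise NotImplementedError(cond["op"])


def decide(profile, name, args=()):
    """Simplified model of how the profile treats one call: the action of the
    first rule whose name list contains `name` and whose argument conditions
    all hold; otherwise defaultAction. All rules here are ALLOW, so first-match
    and any-match give the same answer."""
    for rule in profile["syscalls"]:
        if name not in rule["names"]:
            continue
        if all(_condition_holds(c, args) for c in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]


def unfiltered_allow_rules(profile, name):
    """Review helper: rules that allow `name` for any argument value."""
    return [r for r in profile["syscalls"]
            if name in r["names"] and r["action"] == "SCMP_ACT_ALLOW"
            and not r.get("args")]


def render(profile):
    """Serialise as the JSON Docker consumes via --security-opt seccomp=FILE."""
    return json.dumps(profile, indent=2) + "\n"


if __name__ == "__main__":
    broad = allow_unfiltered(BASE_PROFILE, "personality")
    narrow = allow_personality_value(BASE_PROFILE, PER_LINUX | ADDR_NO_RANDOMIZE)
    for label, prof in (("base", BASE_PROFILE), ("unfiltered", broad), ("filtered", narrow)):
        print(label,
              "ADDR_NO_RANDOMIZE:", decide(prof, "personality", (ADDR_NO_RANDOMIZE,)),
              "READ_IMPLIES_EXEC:", decide(prof, "personality", (READ_IMPLIES_EXEC,)))
    print(render(narrow))
```

Running the script shows the difference the thread is arguing about: the base profile refuses the REPL's `personality(ADDR_NO_RANDOMIZE)`, the unfiltered variant lets any persona through, and the filtered variant admits exactly the one value while everything else keeps the default deny. `unfiltered_allow_rules` is the check to run before shipping a profile: it should come back empty for `personality`.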