Comments (6)
I'm not sure I understand: if there are no errors seen, what is the issue?
As I mentioned before, this is working as intended.
See GHSA-7452-xqpj-6rpc
from moby.
The permissions look to be exactly as intended.
We do not want the remapped user to own files in /var/lib/docker.
We do want to allow members of the remap group to traverse into certain directories because it is necessary for the remapped container to function.
Are you experiencing a particular issue?
from moby.
Docs are outdated for sure.
What's the exact command you are trying to perform and the error you are seeing?
from moby.
Based on the information shared, I guess the issue is mainly that documentation from both docker and freeipa is not very clear and not fully up-to-date.
I was able to make it work by removing the /sys/fs/cgroup:/sys/fs/cgroup:rw mapping. Even if it may seem a bit weird, the scope will be properly created under the system.slice and will work as expected.
(I also unset cgroup and cgroup_parent in my Docker compose file, so that it uses the default system.slice).
I guess it is complex to maintain documentation that properly covers docker root/root with namespace remap/rootless, with both cgroupv1 and v2 to handle.
I will close the ticket as it does not seem to be a system function bug.
from moby.
@cpuguy83 I was misled by a non-official guide. Thank you very much for pointing me in the right direction!
from moby.