gvisor: userns-remap default is unsupported

What I would consider an important security setting appears unsupported by runsc. When I set "userns-remap": "default" in the daemon conf file, trying to run any container with runsc as the runtime causes it to fail (the default runtime works fine).

Commands attempted:

$ docker run --runtime=runsc --rm -v /root/:/tmp/root -u root -it ubuntu bash
docker: Error response from daemon: OCI runtime create failed: /var/lib/docker/100000.100000/runtimes/runsc did not terminate sucessfully: reading spec: mount option "noexec" is not supported: &{/dev/shm bind /var/lib/docker/100000.100000/containers/5d4b42d548e56a6057c078c0605b1127ec6d0a70e92355a5f06877ef6abacc1a/mounts/shm [rbind rprivate noexec nosuid nodev]}
$ docker run --runtime=runsc hello-world
docker: Error response from daemon: OCI runtime create failed: /var/lib/docker/100000.100000/runtimes/runsc did not terminate sucessfully: unknown.
ERRO[0000] error waiting for container: context canceled 

Docker version:

Client:
 Version:           18.09.3
 API version:       1.39
 Go version:        go1.12
 Git commit:        
 Built:             Sun Mar 10 23:16:06 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.09.3
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.12
  Git commit:       v18.09.3
  Built:            Sun Mar 10 23:16:06 2019
  OS/Arch:          linux/amd64
  Experimental:     false

uname (void linux) Linux void-nvme2 4.20.16_1 #1 SMP PREEMPT Thu Mar 14 20:39:59 UTC 2019 x86_64 GNU/Linux

Debug Log for ubuntu container:

I0320 18:50:48.840255    8593 x:0] ***************************
I0320 18:50:48.840315    8593 x:0] Args: [/usr/local/bin/runsc --debug-log=/tmp/runsc/ --debug --strace --root /var/run/docker/runtime-runsc/moby --log /run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/5d4b42d548e56a6057c078c0605b1127ec6d0a70e92355a5f06877ef6abacc1a/log.json --log-format json create --bundle /var/run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/5d4b42d548e56a6057c078c0605b1127ec6d0a70e92355a5f06877ef6abacc1a --pid-file /run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/5d4b42d548e56a6057c078c0605b1127ec6d0a70e92355a5f06877ef6abacc1a/init.pid --console-socket /tmp/pty571071343/pty.sock 5d4b42d548e56a6057c078c0605b1127ec6d0a70e92355a5f06877ef6abacc1a]
I0320 18:50:48.840337    8593 x:0] Git Revision: 87cce0ec08b9d629a5e3a88be411b1721d767301
I0320 18:50:48.840346    8593 x:0] PID: 8593
I0320 18:50:48.840355    8593 x:0] UID: 0, GID: 0
I0320 18:50:48.840362    8593 x:0] Configuration:
I0320 18:50:48.840369    8593 x:0] 		RootDir: /var/run/docker/runtime-runsc/moby
I0320 18:50:48.840376    8593 x:0] 		Platform: ptrace
I0320 18:50:48.840386    8593 x:0] 		FileAccess: exclusive, overlay: false
I0320 18:50:48.840395    8593 x:0] 		Network: sandbox, logging: false
I0320 18:50:48.840403    8593 x:0] 		Strace: true, max size: 1024, syscalls: []
I0320 18:50:48.840411    8593 x:0] ***************************
W0320 18:50:48.841643    8593 x:0] AppArmor profile "docker-default" is being ignored
W0320 18:50:48.841659    8593 x:0] Seccomp spec is being ignored
W0320 18:50:48.841683    8593 x:0] FATAL ERROR: reading spec: mount option "noexec" is not supported: &{/dev/shm bind /var/lib/docker/100000.100000/containers/5d4b42d548e56a6057c078c0605b1127ec6d0a70e92355a5f06877ef6abacc1a/mounts/shm [rbind rprivate noexec nosuid nodev]}
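As an added diagnostic (not code from gVisor, Docker, or this issue), the following Python script reads an OCI bundle's config.json and reports which mounts carry options the runtime rejects, and whether the spec requests a user namespace (what userns-remap adds). The set of options to flag is an assumption seeded only from the error above ("noexec"); it is not gVisor's real support matrix. The embedded sample spec is constructed to mirror the /dev/shm bind mount from the error message, with the paths and container id copied from this report, and the uid/gid mapping values are constructed placeholders.

```python
"""Pre-flight check of an OCI runtime bundle for mount options a runtime
may reject. Added illustration; not code from gVisor, Docker, or this issue."""
import json
import os
from typing import Dict, List, Set

# Options to flag. Seeded only from the error on this page (runsc rejected
# "noexec"); this is an assumption, not gVisor's actual support matrix.
UNSUPPORTED_MOUNT_OPTIONS: Set[str] = {"noexec"}

# Constructed spec fragment mirroring the /dev/shm bind mount in the error
# message; the paths and container id come from the page, the uid/gid
# mapping numbers are constructed placeholders. Other mounts are trimmed.
SAMPLE_SPEC: dict = {
    "ociVersion": "1.0.1",
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
        "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
        "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    },
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/dev", "type": "tmpfs", "source": "tmpfs",
         "options": ["nosuid", "strictatime", "mode=755", "size=65536k"]},
        {"destination": "/dev/shm", "type": "bind",
         "source": "/var/lib/docker/100000.100000/containers/"
                   "5d4b42d548e56a6057c078c0605b1127ec6d0a70e92355a5f06877ef6abacc1a"
                   "/mounts/shm",
         "options": ["rbind", "rprivate", "noexec", "nosuid", "nodev"]},
    ],
}


def find_rejected_mounts(spec: dict,
                         unsupported: Set[str] = UNSUPPORTED_MOUNT_OPTIONS
                         ) -> List[Dict[str, object]]:
    """Return one finding per mount whose options intersect `unsupported`,
    in spec order, so the operator sees the exact mount the runtime trips on."""
    findings: List[Dict[str, object]] = []
    for m in spec.get("mounts", []):
        bad = sorted(set(m.get("options", [])) & unsupported)
        if bad:
            findings.append({
                "destination": m.get("destination"),
                "type": m.get("type"),
                "source": m.get("source"),
                "rejected_options": bad,
            })
    return findings


def uses_user_namespace(spec: dict) -> bool:
    """True if the spec asks for a user namespace or carries uid mappings
    (the OCI fields Docker populates when userns-remap is active)."""
    linux = spec.get("linux", {})
    has_userns = any(ns.get("type") == "user" for ns in linux.get("namespaces", []))
    return has_userns or bool(linux.get("uidMappings"))


def check_bundle(bundle_dir: str,
                 unsupported: Set[str] = UNSUPPORTED_MOUNT_OPTIONS
                 ) -> List[Dict[str, object]]:
    """Load <bundle_dir>/config.json (the path containerd passes as --bundle)
    and run the mount check on it."""
    with open(os.path.join(bundle_dir, "config.json"), encoding="utf-8") as f:
        return find_rejected_mounts(json.load(f), unsupported)


def report(spec: dict) -> str:
    """Human-readable summary of both checks."""
    lines = [f"user namespace requested: {uses_user_namespace(spec)}"]
    for f in find_rejected_mounts(spec):
        opts = ", ".join(f["rejected_options"])
        lines.append(f"{f['destination']} ({f['type']} from {f['source']}): "
                     f"rejected options {opts}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python check_bundle.py /path/to/bundle  (falls back to the sample)
    if len(sys.argv) > 1:
        with open(os.path.join(sys.argv[1], "config.json"), encoding="utf-8") as fh:
            print(report(json.load(fh)))
    else:
        print(report(SAMPLE_SPEC))
```

Run against the sample, it reports the user namespace as requested and flags only the /dev/shm bind mount for noexec, which matches the FATAL ERROR line in the debug log. Pointing it at a real bundle directory before invoking the runtime tells you which mount and option will be refused without having to read the containerd log.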

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 22 (4 by maintainers)

Most upvoted comments

All changes have been pushed into the upstream repo.

I presume this is now in the nightlies since the above linked commit?

Here is one more patch on review. I think it will be merged today or tomorrow: https://gvisor-review.googlesource.com/c/gvisor/+/15960