Fix permissions on Docker
piranna opened this issue
When running NodeOS on Docker, no matter which user you log in as, it gets UID & GID 0, having root permissions. We need to find and fix this.
The Docker AppArmor template disables filesystem mounting by default, so it's necessary to disable AppArmor usage entirely. A better alternative would be to use a custom template that mimics the Docker default one but allows filesystem mounting. This could be easily crafted with Bane.
The Docker default seccomp profile accepts setuid, but for some reason it's not working and instead they are a no-op.
How do you check its UID and GID inside NodeOS?
With pstree, looking at which process tree it prints: the one for root or the one for the nodeos user. Dumb, but effective :-)
What does your tree for root and for nodeos print?
I'm getting this (on docker):
~ > pstree
init
├── exclfs
└─┬ init
  ├─┬ nsh
  │ └── pstree
  └── nodeos-reverse-
But it should be like this (on QEmu)?
init
├── exclfs
└─┬ init
  ├─┬ getty
  │ └─┬ nsh
  │   └── pstree
  └── nodeos-reverse-
kthreadd
├── ksoftirqd/0
├── kworker/0:0
├── kworker/0:0H
├── kworker/u2:0
├── rcu_sched
├── rcu_bh
├── migration/0
├── lru-add-drain
├── cpuhp/0
├── kdevtmpfs
├── netns
├── kworker/u2:1
├── kworker/u2:2
├── oom_reaper
├── writeback
├── kcompactd0
├── crypto
├── bioset
├── kblockd
├── ata_sff
├── md
├── kworker/0:1
├── cfg80211
├── rpciod
├── xprtiod
├── kswapd0
├── vmstat
├── nfsiod
├── acpi_thermal_pm
├── bioset
├── bioset
├── bioset
├── bioset
├── bioset
├── bioset
├── bioset
├── bioset
├── scsi_eh_0
├── scsi_tmf_0
├── scsi_eh_1
├── scsi_tmf_1
├── kworker/u2:3
├── bioset
├── kworker/u2:4
├── bioset
├── kworker/0:2
├── kpsmoused
├── ipv6_addrconf
├── deferwq
├── kworker/0:1H
├── jbd2/sda-8
└── ext4-rsv-conver
> I'm getting this (on docker):

This is the tree for the root user.

> But it should be like this (on QEmu)?

Hum... that's not good, it seems on QEmu we are having a regression, because it's also the list of root processes... In both cases they should be
~ > pstree
nsh
└ pstree
This seems more like a software error from logon than from docker or qemu.
> This seems more like a software error from logon than from docker or qemu.

Docker has a problem, but it's true that logon was using setreuid() and changed it to setuid() because the docs say it's more secure. Maybe this could be the reason for the problem with QEmu... The problem here is how to test it :-/
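As an added example (not code from NodeOS or its logon package), here is one way to test from inside the container whether a setgid()/setuid() drop actually took effect: it reads all four UIDs and GIDs from /proc/self/status rather than trusting the return value, and checks that UID 0 cannot be regained afterwards. It assumes Linux with glibc; a setuid() that was silently ignored, as described in this thread, shows up as return code -2.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Read the real, effective, saved and filesystem IDs from the "Uid:" or
 * "Gid:" line of /proc/self/status, instead of trusting what setuid() returned. */
static int read_ids(const char *key, unsigned long ids[4])
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = 0;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, key, strlen(key)) == 0 &&
            sscanf(line + strlen(key), "%lu %lu %lu %lu",
                   &ids[0], &ids[1], &ids[2], &ids[3]) == 4) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found ? 0 : -1;
}

/* Returns 0 when all four UIDs and GIDs equal the target and UID 0 cannot be
 * regained; a negative code says what failed (a silently ignored setuid() gives -2). */
int verify_drop(uid_t uid, gid_t gid)
{
    unsigned long u[4], g[4];
    if (read_ids("Uid:", u) != 0 || read_ids("Gid:", g) != 0) return -1;
    for (int i = 0; i < 4; i++) {
        if (u[i] != uid) return -2;
        if (g[i] != gid) return -3;
    }
    /* A genuine drop is irreversible: switching back to root must fail with EPERM. */
    if (uid != 0 && (setuid(0) == 0 || errno != EPERM)) return -4;
    return 0;
}

/* Drop to uid/gid in the order a login program would (GID first, then UID) and
 * verify the result. A full login path also clears supplementary groups with
 * setgroups() first; that step is omitted here. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) return -11;
    if (setuid(uid) != 0) return -12;
    return verify_drop(uid, gid);
}
```

Run as root inside the container with a non-root target (for example drop_privileges(1000, 1000), an assumed UID/GID) and compare the result on Docker and on QEmu; an unprivileged process can only drop to its own IDs, which is enough to exercise the verification path.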
You say that it was using setreuid(), but the source here is using setreuid(); usersfs pulls the dependencies on build, so this could be the problem, or am I wrong?
Yes, no matter which of them you use, they are from the same function family. It's a problem on/with Docker.