Inability to use some devices when inside a container
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| runc (Ubuntu) | Fix Released | Undecided | Lena Voytek | |
| Focal | Fix Released | Undecided | Lena Voytek | |
| Jammy | Fix Released | Undecided | Lena Voytek | |
| Kinetic | Fix Released | Undecided | Lena Voytek | |
| Lunar | Fix Released | Undecided | Lena Voytek | |
Bug Description
[Impact]
Some /dev files, such as /dev/null, currently cannot be used in nested containers, for example Docker running inside a custom runc container. This happens because those devices are not added to the deviceAllowList.
This fix will be included as part of the eventual backport of runc 1.1.5 to supported Ubuntu versions, but it would be helpful to have it sooner for the benefit of users running nested containers.
The issue is fixed by adding a patch containing the upstream commit https:/
[Test Plan]
# lxc launch ubuntu:22.04 test-runc -c security.
# lxc exec test-runc bash
# apt update && apt dist-upgrade -y
# apt install docker.io runc -y
# docker pull "ubuntu:22.04"
# mkdir -p test-container/
# cd test-container
# runc spec
> Create a basic Linux runc container that has systemd, sh, and docker installed. Add the following to the mounts section of the config.json file to connect the host's docker files, and set readOnly to false for root:
{
  "destination": "/var/run/
  "type": "bind",
  "source": "/var/run/
  "options": [
    "rbind",
    "rw"
  ]
},
{
  "destination": "/var/lib/docker",
  "type": "bind",
  "source": "/var/lib/docker",
  "options": [
    "rbind",
    "rw"
  ]
},
# runc run test-container
/ # cat <<EOF > Dockerfile
FROM ubuntu:22.04
RUN echo test > /dev/null
EOF
/ # docker build -t test .
Before the fix this will result in:
error reopening /dev/null inside container: open /dev/null: operation not permitted: unknown.
This error will no longer happen with the fix in place, and the build will succeed.
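As an added example, not part of the bug report or of runc: a small sh diagnostic to run inside the nested container that probes each of runc's default device nodes and tells an absent node apart from an open() the device cgroup refused, which is how this bug presents ("operation not permitted"). The device list is an assumption.

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report or of runc. Run inside the
# nested container: "absent" means the node was never created, "denied"
# means open() failed with EPERM/EACCES, which is how a missing device
# cgroup allow rule (the DeviceAllow problem above) looks from inside.

# Device nodes runc normally provides to every container (assumed list).
DEFAULT_DEVICES="/dev/null /dev/zero /dev/full /dev/random /dev/urandom /dev/tty"

# probe_device PATH: prints ok | absent | denied | error:<strerror text>
probe_device() {
    if [ ! -e "$1" ]; then
        echo absent
        return 0
    fi
    # Open read-only through a redirection on a regular builtin: the device
    # cgroup is consulted on open(), so a missing rule fails here without
    # anything being written. The group's stderr is captured to classify it.
    if msg=$( { true < "$1"; } 2>&1 ); then
        echo ok
    else
        case $msg in
            *ermitted*|*ermission*) echo denied ;;
            *) echo "error:${msg##*: }" ;;
        esac
    fi
}

# report_devices PATH...: one line per device; returns 1 if any device is
# denied (the symptom this bug produced), 0 otherwise.
report_devices() {
    rc=0
    for dev in "$@"; do
        state=$(probe_device "$dev")
        printf '%-14s %s\n' "$dev" "$state"
        [ "$state" = denied ] && rc=1
    done
    return $rc
}

report_devices $DEFAULT_DEVICES
```

On cgroup v1 the effective rules are also readable inside the container from /sys/fs/cgroup/devices/devices.list; on cgroup v2 they are BPF state, so compare the DeviceAllow property of the container's scope unit on the host instead.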
[Where problems could occur]
If problems were to occur, they would most likely show up in how runc handles the files provided under the /sys directory. If additional files are found there, containers could gain unintended access to devices they could not use before.
[Original Description]
When running nested containers, some devices might not be populated inside the host container. This leads to runc not setting proper `DeviceAllow` options for the container scope, which leads to an inability to use some devices inside the container (like /dev/null).
In my specific scenario this led to issues running docker containers on top of a system running as an LXC container:
https:/
Some more details and fix in runc can be seen here:
https:/
This was fixed in runc 1.1.5 that was released yesterday.
My specific system observing this issue is:
# lsb_release -rd
Description: Ubuntu 22.04.2 LTS
Release: 22.04
Although I believe any system using runc 1.1.4 package is affected. My runc version:
# apt-cache policy runc
runc:
Installed: 1.1.4-0ubuntu1~
Candidate: 1.1.4-0ubuntu1~
Version table:
*** 1.1.4-0ubuntu1~
500 http://
100 /var/lib/
1.1.0-0ubuntu1 500
500 http://
description: updated
Changed in runc (Ubuntu Focal):
assignee: nobody → Lena Voytek (lvoytek)
status: New → In Progress
Thank you for the bug report. I created a PPA for 22.04 using the upstream commit you provided here: https://launchpad.net/~lvoytek/+archive/ubuntu/runc-fix-dev-in-containers
If you would like to test it you can run the following commands:
sudo add-apt-repository ppa:lvoytek/runc-fix-dev-in-containers
sudo apt update
sudo apt upgrade
This likely affects kinetic and lunar too, marking as such.