
support init system s6 (error: unable to mkdir /var/run/s6) #136

Closed
urbandroid opened this issue Mar 18, 2019 · 7 comments

@urbandroid

Lots of docker images throw

s6-mkdir: warning: unable to mkdir /var/run/s6: Permission denied

Is there a way to solve this issue securely? For example emby/embyserver image.

@mviereck
Owner

mviereck commented Mar 18, 2019

This in itself is not surprising. /var/run is owned by root and only root can write to it. But by default x11docker runs containers with an unprivileged user in it.

Looking a bit closer, it seems that those images use init system/supervisor s6.

As a quick'n'dirty fix you can run x11docker with --user=root. However, this disables all container security features of x11docker.

I'll look closer at how/if x11docker could support s6.

For example emby/embyserver image.

Can you give me other examples, please? I could not find the Dockerfile for emby/emby-base, but need a well documented example to investigate.

@mviereck mviereck changed the title common s6 error support init system s6 (error: unable to mkdir /var/run/s6) Mar 18, 2019
@urbandroid
Author

urbandroid commented Mar 18, 2019

Of course, I will add them here.

Lots of emby versions I tried have the same base, so I will check the transmission ones. For example this one:

https://github.com/linuxserver/docker-transmission/blob/master/Dockerfile

which uses this one as a base:

https://github.com/linuxserver/docker-baseimage-alpine/blob/master/Dockerfile

@mviereck
Owner

mviereck commented Mar 19, 2019

I have added support for s6-overlay with option --init=s6-overlay.

Please update x11docker to the master version and try it out. There might still be some issues I did not see on my first test runs. Please report if you find something.

Try e.g.
x11docker --init=s6-overlay emby/embyserver
x11docker -ti --init=s6-overlay emby/embyserver sh

Currently x11docker only supports the specialized s6-overlay.
Maybe I'll add support for s6 in general some day. On first attempts I did not succeed; I would have to dig deeper into the setup of s6.

@mviereck mviereck reopened this Mar 19, 2019
@urbandroid
Author

I tried with x11docker version 5.5.1 and no luck.

s6-mkdir: warning: unable to mkdir /var/run/s6: Permission denied

@mviereck
Owner

You have tried the latest stable release.
The s6-overlay implementation is in 5.5.2-beta in master branch.
Run x11docker --update-master to install it.

@urbandroid
Author

Thanks a lot. It works.

I want to ask you 2 off-topic questions if you don't mind.

x11docker WARNING: User me is member of group docker.
That allows unprivileged processes on host to gain root privileges.

How can I mitigate this without kicking my user out of the docker group?

x11docker WARNING: Option --init=s6-overlay slightly degrades container isolation.
It adds some user switching capabilities x11docker would disable otherwise.
Services started as root might try to abuse their privileges

What are the exact security implications of this warning and how can I harden it?

@mviereck
Owner

mviereck commented Mar 20, 2019

How can i mitigate this with out kicking out me user out of docker group?

You cannot, unfortunately.
Possible alternatives without group docker:

  • Always type in your root/sudo password.
  • For often used commands: Create small scripts (with chmod +x) in /usr/local/bin like:
#! /bin/sh
x11docker --init=s6-overlay emby/embyserver

Make entries in /etc/sudoers with visudo to allow running them with sudo without a password.
Example:

urbandroid ALL=(ALL) NOPASSWD: /usr/local/bin/embyserver.sh

Then you can run sudo embyserver.sh without a password.


x11docker WARNING: Option --init=s6-overlay slightly degrades container isolation.
It adds some user switching capabilities x11docker would disable otherwise.
Services started as root might try to abuse their privileges

What are exact security implication of this warning and how can i harden it?

You can see the created docker command with option --debug.

Differences to a regular x11docker start:

  --cap-add AUDIT_WRITE \
  --cap-add CHOWN \
  --cap-add DAC_OVERRIDE \
  --cap-add KILL \
  --cap-add SETGID \
  --cap-add SETUID \

This is a subset of the default docker privileges that is needed to allow user switching in the container. User switching from root to an unprivileged user is needed for the --init options s6-overlay, openrc, runit, systemd and sysvinit.
I'll try out if s6-overlay needs a smaller subset, but probably not.

Another difference:

  --user root \

The init system and its services run as root.
CMD or custom image commands run as unprivileged user.

You cannot harden this except not using s6-overlay at all. You can try to create a new Dockerfile with embyserver that works without s6-overlay.

However, don't take this too hard. --init=s6-overlay allows much more than a default x11docker setup, but is still within the default docker capabilities.
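An added check for the NOPASSWD wrapper approach described in the comment above (example code written for this page, not x11docker's own and not posted by anyone in the thread). The sudoers line only stays safe if the wrapper is owned by root, is not writable by the unprivileged user, and runs a fixed command without forwarding caller arguments: sudo passes arguments through, so a wrapper that expands "$@" would let the caller append any x11docker option as root, and a user-writable script would run whatever the user writes into it as root. The script assumes GNU coreutils stat (Linux); the user name and paths are the thread's own values, reused here as sample input.

```shell
#!/bin/sh
# Added example (not x11docker's code): sanity checks for a wrapper script
# that is to be allowed via "NOPASSWD:" in /etc/sudoers.
# Assumes GNU coreutils `stat` (Linux).

# 1. Owner must be root; otherwise the user can edit what sudo runs as root.
wrapper_owner_ok() {
    [ "$(stat -c '%U' "$1")" = "root" ]
}

# 2. Neither group nor others may have the write bit (octal 2).
wrapper_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    grp=$(( (mode / 10) % 10 ))
    oth=$(( mode % 10 ))
    [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# 3. The command must be fixed: no "$@", "$*", "$1".. or "${1}" expansions,
#    because sudo hands the caller's arguments to the script unchanged.
wrapper_args_ok() {
    ! grep -Eq '\$[@*1-9]|\$\{' "$1"
}

wrapper_is_safe() {
    wrapper_owner_ok "$1" && wrapper_mode_ok "$1" && wrapper_args_ok "$1"
}

# Render the sudoers line from the comment; install it with `visudo -f`
# into /etc/sudoers.d/ rather than editing /etc/sudoers by hand.
sudoers_line() {
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$1" "$2"
}

# Constructed sample: the fixed-command wrapper from the thread (safe).
make_fixed_wrapper() {
    cat > "$1" <<'EOF'
#! /bin/sh
exec x11docker --init=s6-overlay emby/embyserver
EOF
    chmod 755 "$1"
}

# Constructed sample: a group-writable wrapper that forwards arguments,
# so the sudo caller could append any option (e.g. --user=root) as root.
make_forwarding_wrapper() {
    cat > "$1" <<'EOF'
#! /bin/sh
exec x11docker --init=s6-overlay "$@" emby/embyserver
EOF
    chmod 775 "$1"
}

# Stand-alone use: ./check_wrapper.sh /usr/local/bin/embyserver.sh
if [ -n "${1:-}" ]; then
    for check in wrapper_owner_ok wrapper_mode_ok wrapper_args_ok; do
        if "$check" "$1"; then echo "ok   $check"; else echo "FAIL $check"; fi
    done
    sudoers_line urbandroid "$1"
fi
```

Run it against the wrapper path before adding the sudoers entry; all three checks should report ok, and the printed line is what goes into the visudo session. The argument-forwarding check is a plain pattern match, so a wrapper that builds its command from the environment or from a config file the user can write would need the same scrutiny by hand.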
