Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Container Images #3666

Open
rvadim opened this issue Jan 29, 2024 · 7 comments
Open

Container Images #3666

rvadim opened this issue Jan 29, 2024 · 7 comments

Comments

@rvadim
Copy link

rvadim commented Jan 29, 2024

Requirements for a runtimes are not fully described:

$ docker run --rm  -it -u 1000:1 --cap-drop=ALL kubeflownotebookswg/jupyter-pytorch-full:v1.8.0
s6-overlay-suexec: fatal: unable to setgid to root: Operation not permitted
@rvadim
Copy link
Author

rvadim commented Jan 29, 2024

Also SETUID and SETGID are not enough:

$ docker run --rm  -it --cap-drop=ALL --cap-add=SETUID --cap-add=SETGID  kubeflownotebookswg/jupyter-pytorch-full:v1.8.0 
s6-chown: fatal: unable to chown /run: Operation not permitted
s6-overlay-suexec: fatal: child failed with exit code 111

@rvadim
Copy link
Author

rvadim commented Jan 29, 2024

https://github.com/just-containers/s6-overlay?tab=readme-ov-file#user-directive
No idea how it should be runnable under non-root env.

@kjoe kjoe mentioned this issue Mar 24, 2024
Closed
@skarnet
Copy link

skarnet commented Mar 25, 2024

USER is supported by s6-overlay. I'm interested in knowing how docker run -u $uid differs from a USER directive.

@rvadim
Copy link
Author

rvadim commented Mar 25, 2024

As I mentioned earlier, it is not user problem, it is linux capabilities problem, because of if you set docker run -u user it will works fine. But in case of capabilities drop(kubernetes typical environment https://kyverno.io/policies/best-practices/require-drop-all/require-drop-all/) it will not work.

@skarnet
Copy link

skarnet commented Mar 25, 2024

Right. What happens if you also add --cap-add=CHOWN?

@rvadim
Copy link
Author

rvadim commented Mar 26, 2024
edited
Loading 

~$ docker run --rm  -it -u 1000:1 --cap-drop=ALL --cap-add=CHOWN kubeflownotebookswg/jupyter-pytorch-full:v1.8.0
Unable to find image 'kubeflownotebookswg/jupyter-pytorch-full:v1.8.0' locally
v1.8.0: Pulling from kubeflownotebookswg/jupyter-pytorch-full
aece8493d397: Already exists 
5bc051129e13: Already exists 
c0dc552994be: Already exists 
ba8a2777b51a: Already exists 
1c695b124666: Already exists 
2aa684f59b95: Already exists 
dc9989a913ea: Already exists 
0c0fd82562a7: Already exists 
bee6977a7fd6: Already exists 
d66e22d661be: Already exists 
5c31f6c87876: Already exists 
35de76f46c69: Already exists 
9425aeb39f23: Already exists 
6ef7dca1e501: Already exists 
9883fa42965c: Already exists 
6546b01abb7e: Pull complete 
7377292d6843: Pull complete 
5c625670cce0: Pull complete 
7d64ea0e6721: Pull complete 
d100c2e80c90: Pull complete 
b1a55ffa9a8c: Pull complete 
Digest: sha256:d9ed16ec8934091c8bb155978fbfebcd4c276933c0d24eedd251ed3887f70b43
Status: Downloaded newer image for kubeflownotebookswg/jupyter-pytorch-full:v1.8.0
s6-overlay-suexec: fatal: unable to setgid to root: Operation not permitted

@skarnet
Copy link

skarnet commented Mar 26, 2024

Well you'll need SETUID, SETGID and CHOWN...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Needs Triage
Status: To Do
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rvadim @skarnet