
--tmpfs fails with Permission denied and noexec is an invalid option #18853

@konstruktoid


From https://github.com/rhatdan/docker/blob/b3e527dfd242ad30c0297c8b257862116cf2c50e/integration-cli/docker_cli_run_unix_test.go#L449:

```go
dockerCmdWithError("run", "--tmpfs", "/run:noexec,nosuid,rw,size=5k,mode=700", "busybox", "touch", "/run/somefile")
```

```
$ docker run -ti -d --tmpfs /run:noexec,nosuid,rw,size=5k,mode=700 busybox touch /run/somefile
ab98b4ed8753270e95da880a912f021da7109a8e8e3ad42bb93fdfdd8d9d996f
$ docker run -ti -d --tmpfs /run:noexec busybox touch /run/somefile
docker: Invalid tmpfs option [""].
See 'docker run --help'.
$ docker run -ti -d --tmpfs /etc:noexec,nosuid,rw,size=5k,mode=700 busybox touch /tmp/somefile
75da9ade4b9dda3fb05ec915f440da38ce7e63b4d4e0796d4ca855fdfc38e158
docker: Error response from daemon: Cannot start container 75da9ade4b9dda3fb05ec915f440da38ce7e63b4d4e0796d4ca855fdfc38e158: [9] System error: configs.Command{Path:"/bin/tar", Args:[]string{"-cf", "/var/lib/docker/0.0/tmp/75da9ade4b9dda3fb05ec915f440da38ce7e63b4d4e0796d4ca855fdfc38e158018870457/_etc.tar", "-C", "/var/lib/docker/0.0/overlay/422b1cf19ddb33115ffa6de37784313271ae21ad474e7913652de234a705ef01/merged/etc", "."}, Env:[]string(nil), Dir:""} failed: /bin/tar: /var/lib/docker/0.0/overlay/422b1cf19ddb33115ffa6de37784313271ae21ad474e7913652de234a705ef01/merged/etc: Cannot open: Permission denied
/bin/tar: Error is not recoverable: exiting now
: exit status 2.
$ docker run --rm --tmpfs /etc:noexec busybox uname -a
docker: Invalid tmpfs option [""].
See 'docker run --help'.
```

The logs below are generated with https://gist.github.com/konstruktoid/d5444c76cf502c795c29.

:: Mount a tmpfs to verify basic tmpfs works

mount: none mounted on /tmp/tmpfstest.
none on /tmp/tmpfstest type tmpfs (rw,relatime,size=1048576k)
WORKS.

:: Create a testfile in the tmpfs

-rw------- 1 tsj tsj 29 Dec 22 18:02 /tmp/tmpfstest/pewpew
Tue Dec 22 17:02:41 UTC 2015

:: debian::wheezy container uname*

Linux 68afdf9c84ff 4.2.0-18-generic #22-Ubuntu SMP Fri Nov 6 18:25:50 UTC 2015 x86_64 GNU/Linux
WORKS.

:: debian::wheezy container uname w readonly filesystem*

Linux 1f58e9fa95eb 4.2.0-18-generic #22-Ubuntu SMP Fri Nov 6 18:25:50 UTC 2015 x86_64 GNU/Linux
WORKS.

:: debian::wheezy container uname with --tmpfs /etc*

Timestamp: 2015-12-22 18:02:42.721797302 +0100 CET
Code: System error

Message: configs.Command{Path:"/bin/tar", Args:[]string{"-cf", "/var/lib/docker/0.0/tmp/f66afbe8ccb867494bbcf746beda6325f6627823af1b660fe02b267a195e724a143435614/_etc.tar", "-C", "/var/lib/docker/0.0/overlay/4953cb98fc3b7f9512a9fbaacafc43068f18c32e8c70249e72b24a8d246de358/merged/etc", "."}, Env:[]string(nil), Dir:""} failed: /bin/tar: /var/lib/docker/0.0/overlay/4953cb98fc3b7f9512a9fbaacafc43068f18c32e8c70249e72b24a8d246de358/merged/etc: Cannot open: Permission denied
/bin/tar: Error is not recoverable: exiting now
: exit status 2

Frames:

---
0: setupRootfs
Package: github.com/opencontainers/runc/libcontainer
File: rootfs_linux.go@36

---
1: Init
Package: github.com/opencontainers/runc/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@57

---
2: StartInitialization
Package: github.com/opencontainers/runc/libcontainer.(*LinuxFactory)
File: factory_linux.go@243

---
3: initializer
Package: github.com/docker/docker/daemon/execdriver/native
File: init.go@35

---
4: Init
Package: github.com/docker/docker/pkg/reexec
File: reexec.go@26

---
5: main
Package: main
File: docker.go@18

---
6: main
Package: runtime
File: proc.go@111

---
7: goexit
Package: runtime
File: asm_amd64.s@1721
docker: Error response from daemon: Cannot start container f66afbe8ccb867494bbcf746beda6325f6627823af1b660fe02b267a195e724a: [9] System error: configs.Command{Path:"/bin/tar", Args:[]string{"-cf", "/var/lib/docker/0.0/tmp/f66afbe8ccb867494bbcf746beda6325f6627823af1b660fe02b267a195e724a143435614/_etc.tar", "-C", "/var/lib/docker/0.0/overlay/4953cb98fc3b7f9512a9fbaacafc43068f18c32e8c70249e72b24a8d246de358/merged/etc", "."}, Env:[]string(nil), Dir:""} failed: /bin/tar: /var/lib/docker/0.0/overlay/4953cb98fc3b7f9512a9fbaacafc43068f18c32e8c70249e72b24a8d246de358/merged/etc: Cannot open: Permission denied
/bin/tar: Error is not recoverable: exiting now
: exit status 2.

:: debian::wheezy container uname with --tmpfs /etc:noexec*

docker: Invalid tmpfs option [""].
See 'docker run --help'.

:: debian::wheezy container uname with --tmpfs /etc:rw,nosuid using sudo*

docker: Invalid tmpfs option [""].
See 'docker run --help'.

:: busybox touch /run/somefile (from tests)
WORKS.

:: busybox fs options touch /run/somefile (from tests)
WORKS.

:: busybox fs --tmpfs /etc

Timestamp: 2015-12-22 18:02:44.308551924 +0100 CET
Code: System error

Message: configs.Command{Path:"/bin/tar", Args:[]string{"-cf", "/var/lib/docker/0.0/tmp/b3d858cf619b1a5e649380c36613dd6f9a1cd99bc029b445cd96aa04d07a54d3087305069/_etc.tar", "-C", "/var/lib/docker/0.0/overlay/c0353ccf10594c403fcbb2d589b6c861171057c1a01015423d7dda30e657d8f8/merged/etc", "."}, Env:[]string(nil), Dir:""} failed: /bin/tar: /var/lib/docker/0.0/overlay/c0353ccf10594c403fcbb2d589b6c861171057c1a01015423d7dda30e657d8f8/merged/etc: Cannot open: Permission denied
/bin/tar: Error is not recoverable: exiting now
: exit status 2

Frames:

---
0: setupRootfs
Package: github.com/opencontainers/runc/libcontainer
File: rootfs_linux.go@36

---
1: Init
Package: github.com/opencontainers/runc/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@57

---
2: StartInitialization
Package: github.com/opencontainers/runc/libcontainer.(*LinuxFactory)
File: factory_linux.go@243

---
3: initializer
Package: github.com/docker/docker/daemon/execdriver/native
File: init.go@35

---
4: Init
Package: github.com/docker/docker/pkg/reexec
File: reexec.go@26

---
5: main
Package: main
File: docker.go@18

---
6: main
Package: runtime
File: proc.go@111

---
7: goexit
Package: runtime
File: asm_amd64.s@1721
docker: Error response from daemon: Cannot start container b3d858cf619b1a5e649380c36613dd6f9a1cd99bc029b445cd96aa04d07a54d3: [9] System error: configs.Command{Path:"/bin/tar", Args:[]string{"-cf", "/var/lib/docker/0.0/tmp/b3d858cf619b1a5e649380c36613dd6f9a1cd99bc029b445cd96aa04d07a54d3087305069/_etc.tar", "-C", "/var/lib/docker/0.0/overlay/c0353ccf10594c403fcbb2d589b6c861171057c1a01015423d7dda30e657d8f8/merged/etc", "."}, Env:[]string(nil), Dir:""} failed: /bin/tar: /var/lib/docker/0.0/overlay/c0353ccf10594c403fcbb2d589b6c861171057c1a01015423d7dda30e657d8f8/merged/etc: Cannot open: Permission denied
/bin/tar: Error is not recoverable: exiting now
: exit status 2.

*:: busybox --tmpfs /etc:noexec

docker: Invalid tmpfs option [""].
See 'docker run --help'.

:: Docker version

Client:
 Version:      1.10.0-dev
 API version:  1.22
 Go version:   go1.5.2
 Git commit:   8537501
 Built:        Mon Dec 21 20:12:08 2015
 OS/Arch:      linux/amd64
 Experimental: true

Server:
 Version:      1.10.0-dev
 API version:  1.22
 Go version:   go1.5.2
 Git commit:   8537501
 Built:        Mon Dec 21 20:12:08 2015
 OS/Arch:      linux/amd64
 Experimental: true

:: Docker info

Containers: 81
Images: 14
Server Version: 1.10.0-dev
Storage Driver: overlay
 Backing Filesystem: extfs
Execution Driver: native-0.2
Logging Driver: json-file
Plugins:
 Volume: local
 Network: bridge null host
Kernel Version: 4.2.0-18-generic
Operating System: Ubuntu 15.10
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.954 GiB
Name: lab01
ID: 6AEH:63II:LVVM:TZPI:LSSA:U5LL:U27O:XJ22:TBY6:6BKS:MTEX:PVEG
WARNING: No swap limit support
Experimental: true

:: Docker group
docker:x:999:tsj

:: Host information
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 15.10
Release: 15.10
Codename: wily
Linux lab01 4.2.0-18-generic #22-Ubuntu SMP Fri Nov 6 18:25:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
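
Added example, not part of the original issue and not Docker's code: a Go sketch of a `--tmpfs` spec parser that accepts both the single-option and multi-option forms used in the report, rejects empty option tokens, and reports which hardening flags are absent. The allowlists and the names `ParseTmpfs` and `MissingHardening` are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed allowlists for this example; not taken from Docker's source.
var flagOpts = map[string]bool{"rw": true, "ro": true, "exec": true, "noexec": true,
	"suid": true, "nosuid": true, "dev": true, "nodev": true}
var valueOpts = map[string]bool{"size": true, "mode": true}

// ParseTmpfs splits "path[:opt,opt=value,...]" and validates every option token.
func ParseTmpfs(spec string) (string, []string, error) {
	path, raw, hasOpts := strings.Cut(spec, ":")
	if !strings.HasPrefix(path, "/") {
		return "", nil, fmt.Errorf("tmpfs path %q is not absolute", path)
	}
	if !hasOpts {
		return path, nil, nil
	}
	var opts []string
	for _, o := range strings.Split(raw, ",") {
		key, val, hasVal := strings.Cut(o, "=")
		switch {
		case !hasVal && flagOpts[key]: // bare flag such as noexec
		case hasVal && valueOpts[key] && val != "": // size=5k, mode=700
		default: // unknown names and empty tokens ("/etc:" or "a,,b")
			return "", nil, fmt.Errorf("invalid tmpfs option %q", o)
		}
		opts = append(opts, o)
	}
	return path, opts, nil
}

// MissingHardening lists which of noexec and nosuid are absent from opts.
func MissingHardening(opts []string) (missing []string) {
	joined := "," + strings.Join(opts, ",") + ","
	for _, w := range []string{"noexec", "nosuid"} {
		if !strings.Contains(joined, ","+w+",") {
			missing = append(missing, w)
		}
	}
	return missing
}

func main() {
	path, opts, err := ParseTmpfs("/etc:rw,nosuid") // constructed input
	fmt.Println(path, opts, MissingHardening(opts), err)
}
```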


Labels: kind/bug (Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed.)
