32 bit and 64 bit Debian containers have different permissions by default #20550
Description
Description of problem:
A 32 bit container created with mkimage/debootstrap has different permissions by default than a 64 bit container created with the same script
docker version:
Client:
Version: 1.10.1
API version: 1.22
Go version: go1.5.3
Git commit: 9e83765
Built: Thu Feb 11 19:15:20 2016
OS/Arch: linux/amd64
Server:
Version: 1.10.1
API version: 1.22
Go version: go1.5.3
Git commit: 9e83765
Built: Thu Feb 11 19:15:20 2016
OS/Arch: linux/amd64
docker info:
Containers: 21
Running: 0
Paused: 0
Stopped: 21
Images: 13
Server Version: 1.10.1
Storage Driver: devicemapper
Pool Name: docker-8:50-3939729-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: ext4
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 2.217 GB
Data Space Total: 107.4 GB
Data Space Available: 105.2 GB
Metadata Space Used: 2.953 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.145 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.115 (2016-01-25)
Execution Driver: native-0.2
Logging Driver: json-file
Plugins:
Volume: local
Network: bridge null host
Kernel Version: 4.3.0-1-amd64
Operating System: Debian GNU/Linux stretch/sid
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 23.43 GiB
Name: xxx
ID: xxx
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No oom kill disable support
uname -a: Linux xxx 4.3.0-1-amd64 #1 SMP Debian 4.3.5-1 (2016-02-06) x86_64 GNU/Linux
Environment details (AWS, VirtualBox, physical, etc.): Physical Debian sid host
Steps to Reproduce:
- Build an x64 debian sid image with the script linked above (note ./debootstrap NOT debootstrap)
./debootstrap sid-test sid http://httpredir.debian.org/debian/
# coffee time
tar -cf - -C sid-test . | docker import - test-debian-sid
- Patch the ./debootstrap script with the following hack:
diff --git a/contrib/mkimage/debootstrap b/contrib/mkimage/debootstrap
index c613d53..3882767 100755
--- a/contrib/mkimage/debootstrap
+++ b/contrib/mkimage/debootstrap
@@ -30,7 +30,7 @@ rootfs_chroot() {
(
set -x
- $DEBOOTSTRAP "${before[@]}" "$suite" "$rootfsDir" "$@"
+ $DEBOOTSTRAP --arch=i386 "${before[@]}" "$suite" "$rootfsDir" "$@"
)
# now for some Docker-specific tweaks
- Create a 32 bit image with the "new" script
./debootstrap sid-test-i386 sid http://httpredir.debian.org/debian/
# maybe whisky this time?
tar -cf - -C sid-test-i386 . | docker import - test-debian-sid-i386- Run the commands from
Actual Resultsbelow in each container. Perhaps drink more whiskey, as building a simple Debian package in a Docker container has now taken 6 hours.
Actual Results:
#32 bit
sudo docker run -it test-debian-sid-i386 bash
root@5f6adf619d1f:/# ip
Cannot open netlink socket: Operation not permitted
root@5f6adf619d1f:/# ping 8.8.8.8
socket: Operation not permitted#64 bit
$ sudo docker run -it test-debian-sid bash
root@9aeead06db9d:/# ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
ip [ -force ] -batch filename
where OBJECT := { link | address | addrlabel | route | rule | neighbor | ntable |
tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |
netns | l2tp | fou | tcp_metrics | token | netconf }
OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
-h[uman-readable] | -iec |
-f[amily] { inet | inet6 | ipx | dnet | mpls | bridge | link } |
-4 | -6 | -I | -D | -B | -0 |
-l[oops] { maximum-addr-flush-attempts } | -br[ief] |
-o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] |
-rc[vbuf] [size] | -n[etns] name | -a[ll] | -c[olor]}
root@9aeead06db9d:/# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=54 time=5.88 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=54 time=6.21 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=54 time=5.99 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=54 time=5.99 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=54 time=5.93 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 5.886/6.004/6.211/0.139 msExpected Results: similar output from each container - i.e. same permissions to use sockets
Additional info: Running with --privileged 'fixes' this issue, but why? I'm treating this as a (very annoying) bug because two containers created the same way should work the same by default.
If you manage to get strace in the container (by magic, that script is very difficult to understand), you'll get permission denied on the first ptrace() call.