update Dockerfile, with Giuseppe's newuidmap

[AkihiroSuda]

EDIT: waiting for docker/cli#1347 to be merged

---

Signed-off-by: Akihiro Suda suda.akihiro@lab.ntt.co.jp

With shadow-maint/shadow#132 , we should no longer need --privileged for running RootlessKit inside Docker containers.

[AkihiroSuda]

unshare -rmn mount -t sysfs none /sys inside container seems to require some privilege..?

$ id -u
1001
$ unshare -rmn mount -t sysfs none /sys
(success)

$ docker run --rm --user 1000 --privileged ubuntu:18.04 unshare -rmn mount -t sysfs none /sys
(success)

$ docker run --rm --user 1000 --security-opt seccomp=unconfined --security-opt apparmor=unconfined --cap-add all --net=host ubuntu:18.04 unshare -rmn mount -t sysfs none /sys
mount: /sys: permission denied.

[AkihiroSuda]

@giuseppe @cyphar @jessfraz could you help me about the sysfs mount? ^^

[AkihiroSuda]

Uh, read-only mount on /sys prohibits unshare -rmn mount -t sysfs none /sys...

https://github.com/moby/moby/blob/07ccc6d8c81d96e07f60184dbe03e75c552eba47/daemon/oci_linux.go#L607-L616

$ docker run -it --privileged --rm --entrypoint bash rootless-containers/rootlesskit:test 
user@5ffda338c480:/$ unshare -rmn mount -t sysfs none /sys; echo $?
0
user@5ffda338c480:/$ sudo mount -o remount,ro /sys
user@5ffda338c480:/$ unshare -rmn mount -t sysfs none /sys; echo $?
mount: /sys: permission denied.
32
user@5ffda338c480:/$ mkdir /tmp/sys2
user@5ffda338c480:/$ unshare -rmn mount -t sysfs none /tmp/sys2; echo $?
mount: /tmp/sys2: permission denied.
32
user@5ffda338c480:/$ echo 'why :('
why :(

[giuseppe]

user@5ffda338c480:/$ echo 'why :(' why :(

I think the error happens because of: https://github.com/torvalds/linux/blob/master/fs/namespace.c#L3326-L3328

It should be fine to mount another /sys that is also 'ro'. This works on Fedora with Linux 4.18.9-200.fc28.x86_64:

# docker run --rm  --security-opt seccomp=unconfined --cap-add all -ti ubuntu:18.04 \
  bash  -c 'umount /sys/firmware; \
  chroot --userspec 1000:1000 / unshare -rmn mount -o ro -t sysfs none /sys'

[AkihiroSuda]

Thanks, but it seems we still need to unmount /sys/firmware as the root in the container...

[giuseppe]

Thanks, but it seems we still need to unmount /sys/firmware as the root in the container...

yes, there must already be a fully visible /sys mounted

[cyphar]

Yes, this is quite similar to the other mnt_already_visible problems we had with /proc. Basically in order to mount any filesystem in a userns you need to have a non-masked mount of it in your mount namespace, with mount options that are not more restricted than what you're trying to mount.

(This is a somewhat odd restriction for /proc and /sys since they are namespaced implicitly -- and this has been brought to the attention of Eric in the past, but his proposed fix of procfs2 is not something we should expect soon.)

[AkihiroSuda]

updated PR.
Mounting sysfs is now skipped if it is not possible