dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts by AkihiroSuda · Pull Request #42199 · moby/moby

AkihiroSuda · 2021-03-25T08:31:05Z

- What I did
Fix #41230

- How I did it

Previously, running dockerd-rootless.sh on SELinux-enabled hosts was failing with can't open lock file /run/xtables.lock: Permission denied error. (issue #41230).

This commit avoids hitting the error by relabeling /run in the RootlessKit child.
The actual /run on the parent is unaffected.

https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401

- How to verify it

Install Rootless Docker to Fedora 34, without disabling SELinux
Make sure the daemon starts up without can't open lock file /run/xtables.lock: Permission denied error

- Description for the changelog

dockerd-rootless.sh: avoid can't open lock file /run/xtables.lock: Permission denied errorSELinux hosts

- A picture of a cute animal (not mandatory but encouraged)
🐧

AkihiroSuda · 2021-03-25T08:33:35Z

contrib/dockerd-rootless.sh

Note: I also tried /run/dockerd-rootless-xtables.lock, $(mktemp -d /tmp/dir.XXXXXXXX)/xtables.lock, ${ROOTLESSKIT_STATE_DIR}/xtables.lock, $HOME/.docker/run/xtables.lock, but none of them could satisfy SELinux😅

It seems only a file under /tmp can work.

@giuseppe Do you happen to know whether this is by design?

no idea :) what error do you see?

Could you force a system_u:object_r:iptables_var_run_t:s0 label on the file?

can't open lock file /run/user/1000/dockerd-rootless-xtables.lock: Permission denied error.

I tried touch /run/user/1000/dockerd-rootless-xtables.lock && chcon system_u:object_r:iptables_var_run_t:s0 /run/user/1000/dockerd-rootless-xtables.lock but same error

Updated to use chcon system_u:object_r:iptables_var_run_t:s0 /run.

Previously, running dockerd-rootless.sh on SELinux-enabled hosts was failing with "can't open lock file /run/xtables.lock: Permission denied" error. (issue 41230). This commit avoids hitting the error by relabeling /run in the RootlessKit child. The actual /run on the parent is unaffected. https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401 Tested on Fedora 34 Signed-off-by: Akihiro Suda <[email protected]>

thaJeztah · 2021-04-28T10:26:48Z

contrib/dockerd-rootless.sh

 	rm -f /run/docker /run/containerd /run/xtables.lock
+
+	if [ -n "$_DOCKERD_ROOTLESS_SELINUX" ]; then
+		# iptables requires /run in the child to be relabeled. The actual /run in the parent is unaffected.
+		# https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401
+		# https://github.com/moby/moby/issues/41230
+		chcon system_u:object_r:iptables_var_run_t:s0 /run
+	fi


Wondering; should this be seen as a temporary approach (and ultimately be handled by rootlesskit or dockerd itself?)

Ideally this could be fixed on the selinux policy package of RHEL/Fedora, however, given that even Podman has the same workaround, this workaround is likely to be permanent.

Ach, missed your reply; meant to say; if we'll need this, would it be possible to move this step into the go code (dockerd or rootless kit) so that the bash script can be simplified (ideally the script would only have to do minimal steps to configure the daemon to run in rootless mode)

It's ok for now to use the script, but just rather would have the script small (if possible)

I'd prefer to keep this in the script.

Other distros/versions may have different policies for SELinux, and may require different chcon workarounds. The script is intended to be modifiable for such workarounds.

thaJeztah

LGTM

but left a question (for a follow up?)

AkihiroSuda · 2021-06-04T05:49:14Z

Cherry-pick to 20.10: #42462

AkihiroSuda added area/security/selinux area/rootless Rootless Mode process/cherry-pick labels Mar 25, 2021

AkihiroSuda commented Mar 25, 2021

View reviewed changes

This was referenced Mar 25, 2021

Rootless mode doesn't start on Fedora 32 with SELinux enabled (but works on CentOS 8.2): "can't open lock file /run/xtables.lock: Permission denied" #41230

Closed

containerd-rootless.sh: /run/xtables.lock EACCES on SELinux hosts containerd/nerdctl#136

Closed

AkihiroSuda added this to the 21.xx milestone Mar 26, 2021

AkihiroSuda requested a review from thaJeztah March 30, 2021 09:05

AkihiroSuda requested a review from kolyshkin April 7, 2021 05:01

AkihiroSuda force-pushed the rootless-selinux-xtables-workaround branch 2 times, most recently from 66300a9 to 54b4466 Compare April 28, 2021 06:00

AkihiroSuda mentioned this pull request Apr 28, 2021

rootless+overlay2 (kernel 5.11)+SELinux: mkdir /home/<USER>/.local/share/docker/overlay2/<CID>-init/merged/dev: permission denied. #42333

Closed

AkihiroSuda requested a review from tianon April 28, 2021 06:11

AkihiroSuda mentioned this pull request Apr 28, 2021

rootless: disable overlay2 if running with SELinux #42334

Merged

AkihiroSuda force-pushed the rootless-selinux-xtables-workaround branch from 54b4466 to cdaf82b Compare April 28, 2021 09:21

thaJeztah reviewed Apr 28, 2021

View reviewed changes

AkihiroSuda requested a review from thaJeztah May 4, 2021 09:38

thaJeztah approved these changes May 6, 2021

View reviewed changes

AkihiroSuda requested a review from cpuguy83 May 18, 2021 05:26

cpuguy83 merged commit cdaf82b into moby:master Jun 3, 2021

AkihiroSuda mentioned this pull request Jun 4, 2021

[20.10 backport] rootless: avoid /run/xtables.lock EACCES on SELinux hosts ; disable overlay2 if running with SELinux ; fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed #42462

Merged

AkihiroSuda added process/cherry-picked and removed process/cherry-pick labels Jun 4, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts#42199

dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts#42199
cpuguy83 merged 1 commit intomoby:masterfrom
AkihiroSuda:rootless-selinux-xtables-workaround

AkihiroSuda commented Mar 25, 2021 •

edited

Loading

Uh oh!

AkihiroSuda Mar 25, 2021 •

edited

Loading

Uh oh!

AkihiroSuda Mar 25, 2021

Uh oh!

giuseppe Mar 26, 2021

Uh oh!

AkihiroSuda Mar 26, 2021

Uh oh!

AkihiroSuda Apr 28, 2021

Uh oh!

thaJeztah Apr 28, 2021

Uh oh!

AkihiroSuda Apr 28, 2021

Uh oh!

thaJeztah May 6, 2021

Uh oh!

AkihiroSuda May 6, 2021

Uh oh!

thaJeztah left a comment

Uh oh!

AkihiroSuda commented Jun 4, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

AkihiroSuda commented Mar 25, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

AkihiroSuda Mar 25, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

AkihiroSuda commented Jun 4, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

AkihiroSuda commented Mar 25, 2021 •

edited

Loading

AkihiroSuda Mar 25, 2021 •

edited

Loading