:: Re: [DNG] help with docker - runnin…
Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: dng@d404.nl
Fecha:  
A: dng
Asunto: Re: [DNG] help with docker - running entrypoint as root
On 07-07-2024 16:38, Lorenz via Dng wrote:
> Hello all,
>
> I want to use docker to create a container and run stuff with root
> privileges inside; I'm using some notes I had from few years ago,
> I remember it worked at the time but now it doesn't. :(
> I'm probably overlooking something stupid here, but right now
> I don't understand what..
>
> I'm using the follwing dockerfile:
>
> --------------------------------
> # dockerfile for runit-services testsuite
> #
> FROM debian:sid
> MAINTAINER plorenzo@???
>
> RUN apt-get update -q -q && apt-get upgrade --yes
>
> # Install runit + runit-init
> RUN dpkg -r --force-remove-protected init
> RUN apt-get install -y --no-install-recommends runit
> RUN apt-get install -y runit-init
> #RUN apt-get remove -y libnss-systemd
> #RUN apt-get install -y runit-services getty-run
>
> #install standalones alternatives to systemd
> RUN apt-get install -y libpam-elogind dbus-x11
> RUN apt-get install -y opensysusers systemd-standalone-tmpfiles
>
> #testsuite as service: TODO
>
> # launch runit as init system
> ENTRYPOINT ["/sbin/init"]
> -------------------------------------------------------
>
> then I do
> #docker build -t=runit-testsuite - < Dockerfile.runit
> #docker run --name=runit runit-testsuite
>
> as a result, I see many error printed, for example
>
>> hostname: you must be root to change the host name
>> mount: /run: permission denied.
> and so on.. (full output at the end), it looks like
> the entrypoint process is running without root privileges.
>
> if I do
> # docker exec -it runit bash
> then inside the container
> # whoami
> root
> # echo $UID
> 0
> #/etc/rcS.d/S01hostname.sh
> hostname: you must be root to change the host name
>
> Any ideas?
> Lorenzo
>
> Below full output from the container
>
> - runit: $Id: 25da3b86f7bed4038b8a039d2f8e8c9bbcf0822b $: booting.
> - runit: warning: unable to open /dev/console: file does not exist
> - runit: enter stage: /etc/runit/1
> hostname: you must be root to change the host name
> mount: /run: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> mount: /run/lock: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> mount: /sys/kernel/security: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> mount: /sys/fs/pstore: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> Activating swap...done.
> mount: /: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> mount: /proc: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> mount: /sys: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> mount: /dev/shm: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> mount: /dev/pts: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> Checking file systems...setterm: $TERM is not defined.
> setterm: $TERM is not defined.
> done.
> Cleaning up temporary files... /tmp.
> Mounting local filesystems...done.
> Activating swapfile swap, if any...done.
> mount: /run: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> mount: /run/lock: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> Cleaning up temporary files....
> Starting standalone sysusers service: opensysusersOpensysusers: system
> users successfully created.
> Starting Setting kernel variables: sysctlsysctl: permission denied on
> key "fs.protected_fifos"
> sysctl: permission denied on key "fs.protected_hardlinks"
> sysctl: permission denied on key "fs.protected_regular"
> sysctl: permission denied on key "fs.protected_symlinks"
> Cleaning up temporary files....
> - runit: leave stage: /etc/runit/1
> - runit: enter stage: /etc/runit/2
> runsvchdir: default: current.
> dmesg: read kernel buffer failed: Operation not permitted
> action denied by policy-rc.d
> action denied by policy-rc.d
> timeout: down: dbus: 8s, normally up
> timeout: down: dbus: 7s, normally up
> timeout: down: dbus: 7s, normally up
> - runit: leave stage: /etc/runit/2
> - runit: enter stage: /etc/runit/3
> Waiting for services to stop...
> ok: down: /etc/service/dbus: 100s, normally up
> ok: down: /etc/service/dbus.dep-fixer: 94s, normally up
> ok: down: /etc/service/default-syslog: 94s, normally up
> ok: down: /etc/service/elogind: 169s, normally up
> ok: down: /etc/service/getty-ttyS0: 169s, normally up
> ok: down: /etc/service/ssh: 169s, normally up
> Running shutdown tasks...
> Saving the system clock to /dev/rtc0.
> hwclock: Cannot access the Hardware Clock via any known method.
> hwclock: Use the --verbose option to see the details of our search for
> an access method.
> Opensysusers: nothing to do at shutdown.
> Asking all remaining processes to terminate...done.
> All processes ended within 2 seconds...done.
> WARNING: writing wtmp with -w is not supported for now
> Deactivating swap...swapoff: Not superuser.
> failed.
> Unmounting local filesystems...umount: /etc/hosts: must be superuser to unmount.
> umount: /etc/hostname: must be superuser to unmount.
> umount: /etc/resolv.conf: must be superuser to unmount.
> umount: /dev/mqueue: must be superuser to unmount.
> failed.
> mount: /: permission denied.
>         dmesg(1) may have more information after failed mount system call.
> - runit: leave stage: /etc/runit/3
> - runit: sending KILL signal to all processes...
> - runit: power off...
> - runit: system halt.
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Three things: you give the hostname with the commandline --hostname
yourhostname because /etc/hostname is protected by the docker daemon.
For the console you have to add -t to the commandline too. And have
access to some fs you have to use --CAP_ADD with the correct privilege
or for quick and dirty --privileged.
So

docker run -t --hostname your hostname --privileged --name=runit
runit-testsuite

Better yet you remove everything in /etc/rcS.d/* (in the Dockerfile) and
add just the scripts you want to run in phase 1 from runit most likely
you won't need the --privileged part than.

Grtz.

Nick