
Problem: Docker with Namespace-Remapping #23

Open
SonicFM opened this issue Aug 1, 2022 · 1 comment
Comments

@SonicFM

SonicFM commented Aug 1, 2022

As requested in #22, here is the issue to track the mentioned problem down.

I am using Docker namespace remapping. I was able to solve the issues within the containers that are in the docker-compose.yml by adding userns_mode: "host" to each container, as far as I could observe so far.

However, start.py loads the fact extraction container, but this fails because it seems to start without the userns_mode: "host" parameter. See also fkie-cad/FACT_core#794. This looks very much like the same problem.

./start.py pull

[2022-07-29 13:33:41][install][INFO]: FACT Installer 1.2
[2022-07-29 13:33:41][install][INFO]: Your distribution (alpine 3.15.5) is not supported. FACT Installer requires Ubuntu 18.04, 20.04 or compatible!
[2022-07-29 13:33:41][backend][INFO]: Pulling fact extraction container
Traceback (most recent call last):
  File "/opt/FACT_core/src/install.py", line 187, in <module>
    install()
  File "/opt/FACT_core/src/install.py", line 156, in install
    install_docker_images(args)
  File "/opt/FACT_core/src/install.py", line 180, in install_docker_images
    backend_install_docker_images()
  File "/opt/FACT_core/src/install/backend.py", line 80, in _install_docker_images
    raise InstallationError(f'Failed to pull extraction container:\n{docker_process.stdout}')
helperFunctions.install.InstallationError: Failed to pull extraction container:
Using default tag: latest
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=fkiecad%2Ffact_extractor&tag=latest": dial unix /var/run/docker.sock: connect: permission denied

Maybe modifying the file mentioned in fkie-cad/FACT_core#794 could help?!

I will need to set up namespace remapping on my non-dockerized FACT, then I could try and hopefully get some new information.
I'll report back as soon as I can.

Thanks again!

@maringuu
Collaborator

maringuu commented Sep 6, 2022

The problem is that when using namespace remapping the container has no way to access outside of its uid/gid range as defined in /etc/subuid and /etc/subgid.
To access the docker socket that we mount in the container the container must have access to the docker group on the host.

For example podman supports --uidmap. This would allow us to tell the daemon to use subordinate ids for everything but the docker group. Docker does not seem to support this, so sadly this won't work.
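The following is an added example written for this thread; it is not code from FACT or from either commenter. It models the id translation the kernel performs for a user namespace (the `ID-inside-ns ID-outside-ns length` format of `/proc/<pid>/uid_map` and `gid_map` from user_namespaces(7)) and applies an ordinary owner/group/other permission check to the bind-mounted socket. The subordinate range `100000..165535`, the docker group gid `999` and the socket mode `0660` are constructed values standing in for whatever `/etc/subuid`, `/etc/subgid` and `getent group docker` report on a real host. The three cases are the userns-remap failure from the traceback, the `userns_mode: "host"` workaround, and the explicit one-gid mapping that podman's `--uidmap`/`--gidmap` style of configuration can express but Docker's daemon-wide remap cannot.

```python
"""Why a bind-mounted /var/run/docker.sock is unreachable under Docker
userns-remap, and why an explicit gid mapping would fix it.

Added example for this issue (not FACT code).  All ids are constructed:
subordinate range 100000..165535, docker group gid 999, socket mode 0660.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IdMapEntry:
    """One line of /proc/<pid>/uid_map or gid_map: inside outside length."""
    inside: int
    outside: int
    length: int


def parse_idmap(text: str) -> List[IdMapEntry]:
    """Parse the 'ID-inside-ns ID-outside-ns length' format (user_namespaces(7)).
    Docker builds the dockremap container map from /etc/subuid and /etc/subgid."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        inside, outside, length = (int(field) for field in line.split())
        entries.append(IdMapEntry(inside, outside, length))
    return entries


def to_host_id(idmap: List[IdMapEntry], inside_id: int) -> Optional[int]:
    """Translate an id seen inside the namespace to the host id the kernel uses
    for permission checks.  None means unmapped: the kernel then substitutes the
    overflow id (65534), which matches nothing useful on the host."""
    for e in idmap:
        if e.inside <= inside_id < e.inside + e.length:
            return e.outside + (inside_id - e.inside)
    return None


@dataclass(frozen=True)
class HostFile:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o660


def may_read_write(f: HostFile, host_uid: Optional[int],
                   host_gids: List[Optional[int]]) -> bool:
    """Plain DAC check for read+write, done with host ids as the kernel does.
    Capabilities are ignored on purpose: CAP_DAC_OVERRIDE held inside a remapped
    user namespace only applies to inodes whose owner ids are mapped into that
    namespace, and host root:docker is not mapped there."""
    if host_uid == f.uid:
        return f.mode & 0o600 == 0o600
    if f.gid in host_gids:
        return f.mode & 0o060 == 0o060
    return f.mode & 0o006 == 0o006


def container_can_use_socket(uid_map: str, gid_map: str, sock: HostFile,
                             c_uid: int = 0,
                             c_gids: Tuple[int, ...] = (0,)) -> bool:
    """Can a process running as (c_uid, c_gids) inside the container connect to
    the host socket `sock`, given the namespace's id maps?"""
    umap, gmap = parse_idmap(uid_map), parse_idmap(gid_map)
    host_uid = to_host_id(umap, c_uid)
    host_gids = [to_host_id(gmap, g) for g in c_gids]
    return may_read_write(sock, host_uid, host_gids)


# Constructed host facts: dockerd creates the socket as root:docker, mode 0660.
DOCKER_GID = 999
DOCKER_SOCK = HostFile(uid=0, gid=DOCKER_GID, mode=0o660)

# Case 1: Docker userns-remap.  Every container gets the dockremap subordinate
# range; no container id maps to host gid 999 (or host uid 0).
REMAP = "0 100000 65536"

# Case 2: userns_mode: "host", the compose workaround from the issue: identity map.
HOST_NS = "0 0 4294967295"

# Case 3: an explicit map (podman --uidmap/--gidmap style): container gid 999 is
# pinned to host gid 999, everything else stays inside the subordinate range.
PODMAN_GIDS = "0 100000 999\n999 999 1\n1000 100999 64537"


def demo() -> Dict[str, bool]:
    return {
        "userns-remap": container_can_use_socket(REMAP, REMAP, DOCKER_SOCK),
        "userns_mode=host": container_can_use_socket(HOST_NS, HOST_NS, DOCKER_SOCK),
        # the client process still needs gid 999 in its supplementary groups
        "explicit gidmap": container_can_use_socket(
            REMAP, PODMAN_GIDS, DOCKER_SOCK, c_gids=(0, DOCKER_GID)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'connect ok' if ok else 'permission denied'}")
```

Running it prints `permission denied` for the remapped container and `connect ok` for the other two, which matches the `dial unix /var/run/docker.sock: connect: permission denied` in the traceback above. Loosening the socket to `0666` would also flip the first case, but that hands root-equivalent control of the daemon to every uid in the subordinate range, i.e. to every remapped container, so it is not a fix.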
