Develop Reference

Can not update block I/O in docker update

I would like to update --blkio-weight in docker. Howerver, I get the error
Steps to reproduce the issue:
docker run -itd --name redis6.2 -p 6379:6379 redis:6.2
docker update --blkio-weight 100 redis6.2
Describe the results you received:
redis6.2
Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.
Describe the results you expected:
redis6.2
Output of docker version:
Client: Docker Engine - Community
Version: 20.10.16
API version: 1.41
Go version: go1.17.10
Git commit: aa7e414
Built: Thu May 12 09:17:23 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.16
API version: 1.41 (minimum version 1.12)
Go version: go1.17.10
Git commit: f756502
Built: Thu May 12 09:15:28 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.4
GitCommit: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
runc:
Version: 1.1.1
GitCommit: v1.1.1-0-g52de29d
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Output of docker info:
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
scan: Docker Scan (Docker Inc., v0.17.0)
Server:
Containers: 4
Running: 2
Paused: 0
Stopped: 2
Images: 14
Server Version: 20.10.16
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
runc version: v1.1.1-0-g52de29d
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 5.4.0-89-generic
Operating System: Ubuntu 20.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 7.775GiB
Name: bEtGZz0x
ID: PDEQ:QYGO:JXVT:FYPQ:NZO7:PU66:J2CP:4RRS:TL6N:AGCR:OGZE:SH5K
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
https://nexus.cloudcontrolsystems.cn/
Live Restore Enabled: false
WARNING: No swap limit support
Additional environment details (AWS, VirtualBox, physical, etc.):
Ubuntu 20.04.4 LTS VirtualBox and physical

access denied in docker when mounting volumes while userns is enabled

I am trying to use docker's user namespaces feature using the official documentation here
I have added the configuration to my daemon.json file like
{
"debug":true,
"experimental": false,
"features":{"buildkit": false},
"userns-remap":"default"
}
I also verified that both subuid and subguid in /etc contain the following entries
dhost:100000:65536
dockremap:165536:65536
I built my image to verify the functionality using an alpine:latest like so
FROM alpine:latest
RUN mkdir -p /root/.cache
WORKDIR /app
command used in building the image docker image build -t myimage:1 .
Then I run a container from this image using
docker container run -it --rm --name mycontainer -v "$(pwd)/test:/app" myimage:1 sh
I get access to the workdir inside the container (app) but I cannot touch/create any file without getting permission denied. Do I need to change the owner of the test directory I used to mount? if yes, who should own it?
docker version
docker version
Client: Docker Engine - Community
Version: 20.10.14
API version: 1.41
Go version: go1.16.15
Git commit: a224086
Built: Thu Mar 24 01:47:57 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.14
API version: 1.41 (minimum version 1.12)
Go version: go1.16.15
Git commit: 87a90dc
Built: Thu Mar 24 01:45:46 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.5.11
GitCommit: 3df54a852345ae127d1fa3092b95168e4a88e2f8
runc:
Version: 1.0.3
GitCommit: v1.0.3-0-gf46b6ba
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Host OS info
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

mount: /tmp/cgrp permission denied - docker

I am trying to follow this article to reproduce a container escape vulnerability that exists in docker. As mentioned in the article (Refining the proof of concept section), I first run,
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
to create a docker container with needed privileges. After, when I run
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
which is the next step but I get an error saying mount: /tmp/cgrp: permission denied. Not sure why that happens. I tried the solutions mentioned in this (adding --privileged flag etc) but nothing seemed to work.
Here is the output of the docker version command.
Client:
Version: 20.10.5+dfsg1
API version: 1.41
Go version: go1.15.9
Git commit: 55c4c88
Built: Wed Aug 4 19:55:57 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.5+dfsg1
API version: 1.41 (minimum version 1.12)
Go version: go1.15.9
Git commit: 363e9a8
Built: Wed Aug 4 19:55:57 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.12~ds1
GitCommit: 1.4.12~ds1-1~deb11u1
runc:
Version: 1.0.0~rc93+ds1
GitCommit: 1.0.0~rc93+ds1-5+b2
docker-init:
Version: 0.19.0
GitCommit:
How do I go about this?

Bind mount docker client binary from MacOS to docker-dind image

#1
On my Mac
$ uname -a
Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 x86_64
$ md5 `which docker`
MD5 (/usr/local/bin/docker) = d0da0db0b35f2d8ccad29296c297faf3
#2
In a dind container
$ docker run --rm --privileged --name dind1 -it -v /var/run/docker.sock:/var/run/docker.sock docker:1.8-dind sh
/ # docker version
Client:
Version: 1.8.3
API version: 1.20
Go version: go1.4.2
Git commit: f4bf5c7
Built: Mon Oct 12 18:01:15 UTC 2015
OS/Arch: linux/amd64
Error response from daemon: 400 Bad Request: malformed Host header
/ # which docker
/usr/local/bin/docker
/ # md5sum /usr/local/bin/docker
73804379c30833e79345dced46f55e91 /usr/local/bin/docker
#3
To avoid "Error response from daemon: 400 Bad Request: malformed Host header" I need the docker client binary for the Mac OS (not Linux), so I do a bind mount
$ docker run --rm --privileged --name dind1 -it -v /var/run/docker.sock:/var/run/docker.sock -v /usr/local/bin/docker:/usr/local/bin/docker docker:1.8-dind sh
/ # md5sum /usr/local/bin/docker
1abd4fcb4e4bddf17574e2e85d9a42eb /usr/local/bin/docker
/ # docker version
Client: Docker Engine - Community
Version: 19.03.13
API version: 1.40
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:00:06 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.13
API version: 1.40 (minimum version 1.12)
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:07:04 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.3.7
GitCommit: 8fba4e9a7d01810a393d5d25a3621dc101981175
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
Question:
Why are the /usr/local/bin/docker md5sums different in #1 and #3 ?

docker push to nexus 3 - invalid checksum digest format

Though I am able to successfully push a newly pulled docker image to Nexus 3 docker hosted repo, an error like "invalid checksum digest format" is thrown at the end. I pulled "jenkins:latest" from dockerhub, then tagged it and then pushed it to a nexus docker hosted repo.
f3e4e0468545: Pushed
656120ad8c56: Pushed
30f9a83f20f3: Pushed
78dbfa5b7cbc: Pushed
invalid checksum digest format
I know Nexus 3 is not LTS yet, but want to be sure that its not my environment settings. I have an insecure docker registry on 18443
docker info
Containers: 1
Running: 0
Paused: 0
Stopped: 1
Images: 53
Server Version: 1.10.1
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 89
Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Plugins:
Volume: local
Network: bridge null host
Kernel Version: 3.16.0-53-generic
Operating System: Ubuntu 14.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.86 GiB
Client:
Version: 1.10.1
API version: 1.22
Go version: go1.5.3
Git commit: 9e83765
Built: Thu Feb 11 19:27:08 2016
OS/Arch: linux/amd64
Server:
Version: 1.10.1
API version: 1.22
Go version: go1.5.3
Git commit: 9e83765
Built: Thu Feb 11 19:27:08 2016
OS/Arch: linux/amd64

Docker version 1.10 was not out when Nexus 3.0m7 was released. We are working on adding support for it now. This specific issue is being tracked here:
https://issues.sonatype.org/browse/NEXUS-9766
UPDATE: This issue/ticket is resolved now in Nexus Repository Manager 3.0.0-03. For upgrade instructions see https://support.sonatype.com/hc/en-us/articles/217967608-How-to-Upgrade-Nexus-3-Milestone-m7-to-3-0-0-Final.