#1
On my Mac
$ uname -a
Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 x86_64
$ md5 `which docker`
MD5 (/usr/local/bin/docker) = d0da0db0b35f2d8ccad29296c297faf3
#2
In a dind container
$ docker run --rm --privileged --name dind1 -it -v /var/run/docker.sock:/var/run/docker.sock docker:1.8-dind sh
/ # docker version
Client:
Version: 1.8.3
API version: 1.20
Go version: go1.4.2
Git commit: f4bf5c7
Built: Mon Oct 12 18:01:15 UTC 2015
OS/Arch: linux/amd64
Error response from daemon: 400 Bad Request: malformed Host header
/ # which docker
/usr/local/bin/docker
/ # md5sum /usr/local/bin/docker
73804379c30833e79345dced46f55e91 /usr/local/bin/docker
#3
To avoid "Error response from daemon: 400 Bad Request: malformed Host header" I need the docker client binary for the Mac OS (not Linux), so I do a bind mount
$ docker run --rm --privileged --name dind1 -it -v /var/run/docker.sock:/var/run/docker.sock -v /usr/local/bin/docker:/usr/local/bin/docker docker:1.8-dind sh
/ # md5sum /usr/local/bin/docker
1abd4fcb4e4bddf17574e2e85d9a42eb /usr/local/bin/docker
/ # docker version
Client: Docker Engine - Community
Version: 19.03.13
API version: 1.40
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:00:06 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.13
API version: 1.40 (minimum version 1.12)
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:07:04 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.3.7
GitCommit: 8fba4e9a7d01810a393d5d25a3621dc101981175
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
Question:
Why are the /usr/local/bin/docker md5sums different in #1 and #3 ?
Related
Looking to fix this issue. I'm running RHEL7 with docker-compose 2.9.0. I've boiled things down to these files:
[<user>]$ ls -la
-rw-rw-r--. 1 glaisne glaisne 166 Aug 4 14:22 docker-compose.cloud-build.yml
-rw-rw-r--. 1 glaisne glaisne 76 Aug 4 14:04 .env.azure
drwxrwxr-x. 2 glaisne glaisne 24 Aug 4 14:12 helloWorld
[<user>]$ ls ./helloWorld
Dockerfile
[<user>]$ cat ./docker-compose.cloud-build.yml
version: '3.4'
services:
hello-world:
image: ${AZURE_DOCKER_REGISTRY}<servername>.hello-world:${DOCKER_IMAGE_TAG}
build:
context: ./helloWorld
[<user>]$ cat .env.azure
AZURE_DOCKER_REGISTRY=<server>.azurecr.io/
DOCKER_IMAGE_TAG=dev
[<user>]$ cat ./helloWorld/Dockerfile
FROM alpine
CMD ["echo", "Hello World"]
If I run
sudo docker-compose -f ./docker-compose.cloud-build.yml --env-file=./.env.azure build
I get this error:
[+] Building 0.0s (0/0)
listing workers for Build: failed to list workers: Unavailable: connection error: desc = "transport: Error while dialing unable to upgrade to h2c, received 404"
I am no Linux or docker guru, but I've done about all I can to fix this with no luck. The Docker service is running on the system (Docker version info below). Any insight on what this could be would be helpful. I've rebooted, Docker service has been given enough time to run, I don't see any network/firewall issues that I can tell ( from 404 ). I've even looked at the source (I don't speak go), and can't fine any reference to 'dial', 'h2c', 'workers.'
TIA
Docker version info:
Client:
Version: 1.13.1
API version: 1.26
Package version: docker-1.13.1-209.git7d71120.el7_9.x86_64
Go version: go1.10.3
Git commit: 7d71120/1.13.1
Built: Fri Jan 7 13:15:46 2022
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Package version: docker-1.13.1-209.git7d71120.el7_9.x86_64
Go version: go1.10.3
Git commit: 7d71120/1.13.1
Built: Fri Jan 7 13:15:46 2022
OS/Arch: linux/amd64
Experimental: false
It seems that this problem has not yet been completely solved, but for the moment this may help you, try to set DOCKER_BUILDKIT=0 env var to disable the use of the buildkit API.
Reference: https://github.com/containers/podman/issues/13889
Note: If you use the sudo command for execute docker-compose please use the -E flag for preserve the env variables.
I am trying to use docker's user namespaces feature using the official documentation here
I have added the configuration to my daemon.json file like
{
"debug":true,
"experimental": false,
"features":{"buildkit": false},
"userns-remap":"default"
}
I also verified that both subuid and subguid in /etc contain the following entries
dhost:100000:65536
dockremap:165536:65536
I built my image to verify the functionality using an alpine:latest like so
FROM alpine:latest
RUN mkdir -p /root/.cache
WORKDIR /app
command used in building the image docker image build -t myimage:1 .
Then I run a container from this image using
docker container run -it --rm --name mycontainer -v "$(pwd)/test:/app" myimage:1 sh
I get access to the workdir inside the container (app) but I cannot touch/create any file without getting permission denied. Do I need to change the owner of the test directory I used to mount? if yes, who should own it?
docker version
docker version
Client: Docker Engine - Community
Version: 20.10.14
API version: 1.41
Go version: go1.16.15
Git commit: a224086
Built: Thu Mar 24 01:47:57 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.14
API version: 1.41 (minimum version 1.12)
Go version: go1.16.15
Git commit: 87a90dc
Built: Thu Mar 24 01:45:46 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.5.11
GitCommit: 3df54a852345ae127d1fa3092b95168e4a88e2f8
runc:
Version: 1.0.3
GitCommit: v1.0.3-0-gf46b6ba
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Host OS info
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic
I am trying to follow this article to reproduce a container escape vulnerability that exists in docker. As mentioned in the article (Refining the proof of concept section), I first run,
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
to create a docker container with needed privileges. After, when I run
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
which is the next step but I get an error saying mount: /tmp/cgrp: permission denied. Not sure why that happens. I tried the solutions mentioned in this (adding --privileged flag etc) but nothing seemed to work.
Here is the output of the docker version command.
Client:
Version: 20.10.5+dfsg1
API version: 1.41
Go version: go1.15.9
Git commit: 55c4c88
Built: Wed Aug 4 19:55:57 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.5+dfsg1
API version: 1.41 (minimum version 1.12)
Go version: go1.15.9
Git commit: 363e9a8
Built: Wed Aug 4 19:55:57 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.12~ds1
GitCommit: 1.4.12~ds1-1~deb11u1
runc:
Version: 1.0.0~rc93+ds1
GitCommit: 1.0.0~rc93+ds1-5+b2
docker-init:
Version: 0.19.0
GitCommit:
How do I go about this?
Docker cgroup file memory.limit_in_bytes use 9223372036854771712 instead of uint64 max as a default value ?
uint64 max = 9223372036854775807.
ahojliu#ubuntu:/sys/fs/cgroup/memory/docker/210401ffb15b18832b6a104d8aebac98cd29ff20fe0bc779f4ddfe04923faf46$ cat memory.limit_in_bytes
9223372036854771712
Ubuntu 20.04
Linux kernel version:
Linux version 5.11.0-41-generic (buildd#lgw01-amd64-005) (gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021
Docker version:
Client: Docker Engine - Community
Version: 20.10.11
API version: 1.41
Go version: go1.16.9
Git commit: dea9396
Built: Thu Nov 18 00:37:06 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.11
API version: 1.41 (minimum version 1.12)
Go version: go1.16.9
Git commit: 847da18
Built: Thu Nov 18 00:35:15 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.12
GitCommit: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc:
Version: 1.0.2
GitCommit: v1.0.2-0-g52b36a2
docker-init:
Version: 0.19.0
GitCommit: de40ad0
seems the default value of cgroup memory is set to PAGE_COUNTER_MAX,which is LONG_MAX/PAGE_SIZE on 64-bit platform.when the paltform`s PAGE_SIZE is diferent ,the default value of cgroup memory is diferent, such as 4k and 64k has the different default values:
0x7ffffffffffff000(pagesize=4k)
0x7fffffffffff0000(pagesize= 64k)
reflink:
https://tracker.ceph.com/issues/42059
https://github.com/torvalds/linux/blob/ea4424be16887a37735d6550cfd0611528dbe5d9/mm/memcontrol.c#L5337
I have created one docker multiarch image with buildx command.
sudo docker buildx build -f build/Dockerfile --platform linux/arm/v7,linux/arm64,linux/amd64 -t uditgaurav/chaos-operator:v3 . --push
build/Dockerfile:
FROM golang:1.13
ENV GO111MODULE=on \
CGO_ENABLED=1
ENV OPERATOR=/usr/local/bin/chaos-operator \
USER_UID=1001 \
USER_NAME=chaos-operator
# install operator binary
COPY build/_output/bin/chaos-operator ${OPERATOR}
COPY build/bin /usr/local/bin
RUN /usr/local/bin/user_setup
RUN export GOOS=$(echo ${TARGETPLATFORM} | cut -d / -f1) && \
export GOARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) && \
GOARM=$(echo ${TARGETPLATFORM} | cut -d / -f3 | cut -c2-)
ENTRYPOINT ["/usr/local/bin/entrypoint"]
USER ${USER_UID}
In dockerhub the images came with diff arch:
But when I ran it in arm clusters it is showing error:
standard_init_linux.go:211: exec user process caused "exec format error"
Docker Version on ARM cluster
Client:
Version: 19.03.6
API version: 1.40
Go version: go1.12.17
Git commit: 369ce74a3c
Built: Fri Feb 28 23:47:53 2020
OS/Arch: linux/arm64
Experimental: false
Server:
Engine:
Version: 19.03.6
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: 369ce74a3c
Built: Wed Feb 19 01:06:16 2020
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.3.3-0ubuntu1~18.04.2
GitCommit:
runc:
Version: spec: 1.0.1-dev
GitCommit:
docker-init:
Version: 0.18.0
GitCommit:
can anyone help on this?
Docker multiarch build is not the problem. The problem is that /usr/local/bin/chaos-operator is an linux/amd64 binary and you're trying to run it on linux/arm64.