Comment 3 for bug 1639407

Lizzie Dixon (l-zzie) wrote :

Here's the version I have installed and 'docker info':

    ubuntu@ubuntu-yakkety:~$ dpkg -s docker.io
    Package: docker.io
    Status: install ok installed
    Priority: optional
    Section: admin
    Installed-Size: 77442
    Maintainer: Ubuntu Developers <email address hidden>
    Architecture: amd64
    Version: 1.12.1-0ubuntu15
    Replaces: docker (<< 1.5~)
    Depends: adduser, containerd (>= 0.2.3~), iptables, runc (>= 1.0.0~rc1~), init-system-helpers (>= 1.18~), libapparmor1 (>= 2.6~devel), libc6 (>= 2.14), libdevmapper1.02.1 (>= 2:1.02.97)
    Recommends: ca-certificates, cgroupfs-mount | cgroup-lite, git, ubuntu-fan, xz-utils, apparmor
    Suggests: aufs-tools, btrfs-tools, debootstrap, docker-doc, rinse, zfs-fuse | zfsutils
    Breaks: docker (<< 1.5~)
    Conffiles:
     /etc/default/docker 4ed438ab743c3abef1a1006fa57b05cd
     /etc/init.d/docker 73e254995b37e21ac3b63825a3b28704
     /etc/init/docker.conf 8ce66c020d5e129a177a87e0c504439c
    Description: Linux container runtime
     Docker complements kernel namespacing with a high-level API which operates at
     the process level. It runs unix processes with strong guarantees of isolation
     and repeatability across servers.
     .
     Docker is a great building block for automating distributed systems:
     large-scale web deployments, database clusters, continuous deployment systems,
     private PaaS, service-oriented architectures, etc.
     .
     This package contains the daemon and client. Using docker.io on non-amd64 hosts
     is not supported at this time. Please be careful when using it on anything
     besides amd64.
     .
     Also, note that kernel version 3.8 or above is required for proper operation of
     the daemon process, and that any lower versions may have subtle and/or glaring
     issues.
    Built-Using: glibc (= 2.24-3ubuntu1), golang-1.6 (= 1.6.3-1ubuntu1)
    Homepage: https://dockerproject.org
    Original-Maintainer: Paul Tagliamonte <email address hidden>
    ubuntu@ubuntu-yakkety:~$ docker info
    Cannot connect to the Docker daemon. Is the docker daemon running on this host?
    ubuntu@ubuntu-yakkety:~$ sudo docker info
    Containers: 0
     Running: 0
     Paused: 0
     Stopped: 0
    Images: 0
    Server Version: 1.12.1
    Storage Driver: overlay
     Backing Filesystem: extfs
    Logging Driver: json-file
    Cgroup Driver: cgroupfs
    Plugins:
     Volume: local
     Network: host bridge overlay null
    Swarm: inactive
    Runtimes: runc
    Default Runtime: runc
    Security Options: apparmor
    Kernel Version: 4.8.0-26-generic
    Operating System: Ubuntu 16.10
    OSType: linux
    Architecture: x86_64
    CPUs: 2
    Total Memory: 991.7 MiB
    Name: ubuntu-yakkety
    ID: G6JA:MD2U:CD45:5DC3:DFZ3:GUNY:IDH7:HYP5:C4J5:TOSZ:ZFE4:ZK6K
    Docker Root Dir: /var/lib/docker
    Debug Mode (client): false
    Debug Mode (server): false
    Registry: https://index.docker.io/v1/
    WARNING: No swap limit support
    Insecure Registries:
     127.0.0.0/8

Here's what happens if I try to specify a seccomp profile:

    ubuntu@ubuntu-yakkety:~$ curl -L -O https://raw.githubusercontent.com/docker/docker/master/profiles/seccomp/default.json
      % Total % Received % Xferd Average Speed Time Time Time Current
                                     Dload Upload Total Spent Left Speed
    100 10755 100 10755 0 0 5517 0 0:00:01 0:00:01 --:--:-- 5515
    (failed reverse-i-search)`sudo docker run b': ^Cdo docker info
    ubuntu@ubuntu-yakkety:~$ sudo docker run -it --security-opt seccomp=default.json ubuntu -i /bin/bash
    Unable to find image 'ubuntu:latest' locally
    latest: Pulling from library/ubuntu
    6bbedd9b76a4: Pull complete
    fc19d60a83f1: Pull complete
    de413bb911fd: Pull complete
    2879a7ad3144: Pull complete
    668604fde02e: Pull complete
    Digest: sha256:2d44ae143feeb36f4c898d32ed2ab2dffeb3a573d2d8928646dfc9cb7deb1315
    Status: Downloaded newer image for ubuntu:latest
    docker: Error response from daemon: linux seccomp: seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile.
    ubuntu@ubuntu-yakkety:~$

You can find documentation about /proc/self/status here:
https://www.kernel.org/doc/Documentation/filesystems/proc.txt

The relevant part is:

     Seccomp seccomp mode, like prctl(PR_GET_SECCOMP, ...)

'man 2 prctl' (http://man7.org/linux/man-pages/man2/prctl.2.html) says

       PR_SET_SECCOMP (since Linux 2.6.23)
              Set the secure computing (seccomp) mode for the calling thread, to limit the available system calls. The more
              recent seccomp(2) system call provides a superset of the functionality of PR_SET_SECCOMP.

              The seccomp mode is selected via arg2. (The seccomp constants are defined in <linux/seccomp.h>.)

              With arg2 set to SECCOMP_MODE_STRICT, the only system calls that the thread is permitted to make are read(2),
              write(2), _exit(2) (but not exit_group(2)), and sigreturn(2). Other system calls result in the delivery of a
              SIGKILL signal. Strict secure computing mode is useful for number-crunching applications that may need to
              execute untrusted byte code, perhaps obtained by reading from a pipe or socket. This operation is available only
              if the kernel is configured with CONFIG_SECCOMP enabled.

              With arg2 set to SECCOMP_MODE_FILTER (since Linux 3.5), the system calls allowed are defined by a pointer to a
              Berkeley Packet Filter passed in arg3. This argument is a pointer to struct sock_fprog; it can be designed to
              filter arbitrary system calls and system call arguments. This mode is available only if the kernel is
              configured with CONFIG_SECCOMP_FILTER enabled.

              If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp mode is inherited by children created by
              fork(2); if execve(2) is permitted, then the seccomp mode is preserved across execve(2). If the filters permit
              prctl() calls, then additional filters can be added; they are run in order until the first non-allow result is
              seen.

              For further information, see the kernel source file Documentation/prctl/seccomp_filter.txt.
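As an added example (not part of this bug report or of Docker), the C program below reads the seccomp mode of the current process both ways the comment points to, via prctl(PR_GET_SECCOMP) and the "Seccomp:" line of /proc/self/status, and then installs a filter that allows every syscall so the mode visibly changes from 0 (disabled) to 2 (filter). Run inside a container to confirm whether the daemon actually applied a profile; a daemon like the one above, which rejects custom profiles, will leave the mode at 0. Linux only; the function and variable names are mine.

```c
/* Added example, not from the bug report: report the seccomp mode two ways
 * and show it changing once a (permissive) BPF filter is installed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>

/* Parse the "Seccomp:" line of /proc/self/status; -1 if the line is absent
 * (kernel built without CONFIG_SECCOMP, or /proc not mounted). */
int seccomp_mode_from_proc(void) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int mode = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Seccomp:", 8) == 0) {
            sscanf(line + 8, "%d", &mode);
            break;
        }
    }
    fclose(f);
    return mode;
}

/* Same value via the prctl that proc.txt refers to: 0 disabled, 1 strict,
 * 2 filter. Never call this in strict mode: prctl itself is not allowed
 * there and the thread would be killed with SIGKILL. */
int seccomp_mode_from_prctl(void) {
    return prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
}

/* Install a one-instruction filter that returns SECCOMP_RET_ALLOW for every
 * syscall. Its only effect is to switch the process into SECCOMP_MODE_FILTER;
 * a real profile would return SECCOMP_RET_ERRNO or SECCOMP_RET_KILL for the
 * syscalls it denies. Returns 0 on success, -1 on failure. */
int install_allow_all_filter(void) {
    struct sock_filter allow_all[] = {
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 1, .filter = allow_all };
    /* Unprivileged processes must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

int main(void) {
    printf("before: prctl=%d proc=%d\n", seccomp_mode_from_prctl(), seccomp_mode_from_proc());
    if (install_allow_all_filter() != 0) { perror("seccomp"); return 1; }
    printf("after:  prctl=%d proc=%d\n", seccomp_mode_from_prctl(), seccomp_mode_from_proc());
    return 0;
}
```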