Docker problems with the kernel?

#1 Mon, 2015-11-23 10:50
pwFoo

Hello,

I tried to use the GUI docker container example here:
https://github.com/jfrazelle/dockerfiles/blob/master/chromium/Dockerfile

grsec kernel:
There are some permission problems to solve.
/usr/lib/chromium/chromium: error while loading shared libraries: libwavpack.so.1: cannot enable executable stack as shared object requires: Permission denied

ls -lh /usr/lib/libwavpack.so*
lrwxrwxrwx    1 root     root          19 Nov 22 08:29 /usr/lib/libwavpack.so.1 -> libwavpack.so.1.1.7
-rwxrwxrwx    1 root     root      137.7K Nov 16 16:29 /usr/lib/libwavpack.so.1.1.7

Before that test I solved another problem by disabling:

kernel.grsecurity.chroot_deny_chmod=0
kernel.grsecurity.chroot_deny_mknod=0

vanilla kernel missing /dev/mqueue
So I switched to the vanilla kernel for testing, but /dev/mqueue is missing. So the start fails with:
mounting mqueue mqueue : no such device

Any chance to solve the problems and run docker on Alpine?

Mon, 2015-11-23 20:56
pwFoo

Tested disabling grsec at run time in proc, without success...

kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_bad_rename = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_fchdir = 0
kernel.grsecurity.chroot_deny_mknod = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_shmat = 0
kernel.grsecurity.chroot_deny_sysctl = 0
kernel.grsecurity.chroot_deny_unix = 0
kernel.grsecurity.chroot_enforce_chdir = 0
kernel.grsecurity.chroot_findtask = 0
kernel.grsecurity.chroot_restrict_nice = 0
kernel.grsecurity.consistent_setxid = 0
kernel.grsecurity.deter_bruteforce = 0
kernel.grsecurity.fifo_restrictions = 0
kernel.grsecurity.forkfail_logging = 0
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.harden_ipc = 0
kernel.grsecurity.harden_ptrace = 0
kernel.grsecurity.linking_restrictions = 0
kernel.grsecurity.ptrace_readexec = 0
kernel.grsecurity.resource_logging = 0
kernel.grsecurity.signal_logging = 0
kernel.grsecurity.timechange_logging = 0

error:
error while loading shared libraries: libwavpack.so.1: cannot enable executable stack as shared object requires: Permission denied

Mon, 2015-11-23 21:47
pwFoo

Why is MQUEUE disabled in the vanilla kernel?

grep MQUEUE /boot/config
# CONFIG_POSIX_MQUEUE is not set

As I read, it's a feature activated by default. It's enabled with the grsec kernel, but there are some permission problems with grsec and docker...

Sun, 2015-12-06 11:02
pwFoo

Anyone...?

Tested it again. Pulling images works with changed files in proc (echo 0 > /proc/[...]/ into the files chroot_deny_chmod, chroot_deny_fchdir, chroot_deny_mount and linking_restrictions). I don't know why the changes are ignored by sysctl -w.

Next (I hope last problem...) is userns...

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

But...

grep USER_NS /boot/config-grsec 
CONFIG_USER_NS=y

I get this error with Arch Linux ("USER_NS=n"!). So why do I get this error with the Alpine Linux grsec kernel with USER_NS enabled?

Sun, 2015-12-06 14:30 (Reply to #4)
pwFoo

Disabled everything in the directory /proc/sys/kernel/grsecurity/, no success...
Seems I have to move the docker host from Alpine Linux to Void Linux to get it working. :(

Sat, 2016-02-20 23:38
Klowner

I'm also having issues running docker on Alpine.

For example, wernight/plex-media-server:autoupdate fails with ./Plex Media Server: error while loading shared libraries: libgnsdk_dsp.so.3.07.7: cannot enable executable stack as shared object requires: Permission denied

The same image works fine on my Arch host; I assume it's grsec-related or something?
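Both the first post (libwavpack.so.1) and Klowner's post (libgnsdk_dsp.so.3.07.7) hit the same loader error: a shared object whose PT_GNU_STACK program header asks for an executable stack, which ld.so can only grant by making the stack executable, and a PaX/grsec kernel refuses that with EPERM. The script below is an added example, not code from this thread, Alpine or the image authors; it parses ELF program headers directly so you can inventory an unpacked image rootfs before running it under grsec (scan_tree, gnu_stack_flags and build_sample_elf64 are names chosen here, and the sample ELF it builds is constructed in code, not a real library).

```python
import os
import struct

PT_GNU_STACK = 0x6474E551          # program header GNU ld emits to record stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags permission bits

def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the object carries none."""
    if data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        raise ValueError("not a recognised ELF object")
    ei_class, e = data[4], ("<" if data[5] == 1 else ">")   # 1 = ELF32, 2 = ELF64; byte order
    # (e_phoff offset, e_phoff type, e_phentsize offset) for ELF64 vs ELF32 headers
    phoff_at, phoff_fmt, phent_at = (0x20, "Q", 0x36) if ei_class == 2 else (0x1C, "I", 0x2A)
    e_phoff = struct.unpack_from(e + phoff_fmt, data, phoff_at)[0]
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, phent_at)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(e + "I", data, off)[0]
        # p_flags follows p_type in Elf64_Phdr but sits at offset 24 in Elf32_Phdr
        p_flags = struct.unpack_from(e + "I", data, off + (4 if ei_class == 2 else 24))[0]
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def needs_exec_stack(data):
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)   # a missing header also means "executable"

def scan_tree(root):
    """Walk a directory (e.g. an unpacked image rootfs) and list ELF files asking for an executable stack."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                if data[:4] == b"\x7fELF" and needs_exec_stack(data):
                    hits.append(path)
            except (OSError, ValueError, struct.error):
                continue   # unreadable, or not a well-formed ELF: skip it

def build_sample_elf64(stack_flags):
    """Constructed test input: a minimal little-endian ELF64 ET_DYN with one PT_GNU_STACK header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr
```

On a live Alpine host the pax-utils package gives the same answer with `scanelf -e`; the point of the script is to find the offending library in an image before the container ever starts under grsec.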
