docker-samba
Container fails to start when running on Mac - bind failed: Operation not permitted
Behaviour
I am trying to run this container on Mac and the container immediately exits. Enabling a higher log level, I get the following:
added interface eth0 ip=172.17.0.2 bcast=172.17.255.255 netmask=255.255.0.0
smbd version 4.15.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
uid=0 gid=0 euid=0 egid=0
messaging_dgm_init: bind failed: Operation not permitted
messaging_dgm_ref failed: Operation not permitted
Steps to reproduce this issue
docker run -p 445:445 -v "$(pwd)/data:/data" -e SAMBA_LOG_LEVEL=3 --name samba-test crazymax/samba
config.yml
auth:
  - user: foo
    group: foo
    uid: 1000
    gid: 1000
    password: bar
  - user: baz
    group: xxx
    uid: 1100
    gid: 1200
    password_file: /run/secrets/baz_password
global:
  - "force user = foo"
  - "force group = foo"
share:
  - name: public
    comment: Public
    path: /samba/public
    browsable: yes
    readonly: yes
    guestok: yes
    veto: no
  - name: share
    path: /samba/share
    browsable: yes
    readonly: no
    guestok: yes
    writelist: foo
    veto: no
Expected behaviour
Container should run and be able to bind.
Actual behaviour
Container immediately exits
messaging_dgm_init: bind failed: Operation not permitted
messaging_dgm_ref failed: Operation not permitted
Configuration
- Docker version 20.10.17, build 100c701
- macOS Monterey Version 12.4 (21F79)
Docker info
Client:
 Context: default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.8.2)
  compose: Docker Compose (Docker Inc., v2.6.1)
  extension: Manages Docker extensions (Docker Inc., v0.2.7)
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
  scan: Docker Scan (Docker Inc., v0.17.0)
Server:
 Containers: 5
  Running: 3
  Paused: 0
  Stopped: 2
 Images: 36
 Server Version: 20.10.17
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc version: v1.1.2-0-ga916309
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.10.104-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 5
 Total Memory: 15.6GiB
 Name: docker-desktop
 ID: DJYW:4L2Q:KQKY:SJEN:3O4X:XDDL:VAMW:I5U4:YOS7:WLIC:YPFA:ZJOV
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5000
  127.0.0.0/8
 Live Restore Enabled: false
Logs
Setting timezone to UTC
Initializing files and folders
Setting global configuration
Creating user foo/foo (1000:1000)
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/lib/samba/pdb/tdbsam.so' loaded
Forcing Primary Group to 'Domain Users' for foo
Creating user baz/xxx (1100:1200)
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/lib/samba/pdb/tdbsam.so' loaded
Forcing Primary Group to 'Domain Users' for baz
Add global option: force user = foo
Add global option: force group = foo
Creating share public
Creating share share
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_STANDALONE
# Global parameters
[global]
disable netbios = Yes
disable spoolss = Yes
dns proxy = No
local master = No
map to guest = Bad User
pam password change = Yes
printcap name = /dev/null
security = USER
server role = standalone server
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Docker Samba Server
smb ports = 445
unix extensions = No
usershare allow guests = Yes
winbind scan trusted domains = Yes
fruit:time machine = yes
fruit:delete_empty_adfiles = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:veto_appledouble = no
fruit:posix_rename = yes
fruit:model = MacSamba
fruit:metadata = stream
idmap config * : backend = tdb
create mask = 0664
directory mask = 0775
force create mode = 0664
force directory mode = 0775
force group = foo
force user = foo
hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
hosts deny = 0.0.0.0/0
printing = bsd
strict locking = No
vfs objects = fruit streams_xattr
wide links = Yes
[public]
comment = Public
delete veto files = Yes
guest ok = Yes
path = /samba/public
veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
[share]
delete veto files = Yes
guest ok = Yes
path = /samba/share
read only = No
veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
write list = foo
added interface eth0 ip=172.17.0.2 bcast=172.17.255.255 netmask=255.255.0.0
smbd version 4.15.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
uid=0 gid=0 euid=0 egid=0
messaging_dgm_init: bind failed: Operation not permitted
messaging_dgm_ref failed: Operation not permitted
Do you have the same issue with this cap?:
$ docker run --cap-add=sys_nice -p 445:445 -v "$(pwd)/data:/data" -e SAMBA_LOG_LEVEL=3 --name samba-test crazymax/samba
@crazy-max Yes same issue. No differences.
I'm not able to repro on an M1 mac mini (macOS Monterey 12.3.1) with Docker Desktop 4.10.1:
$ docker run --rm -it crazymax/samba
Setting timezone to UTC
Initializing files and folders
Setting global configuration
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_STANDALONE
# Global parameters
[global]
disable netbios = Yes
disable spoolss = Yes
dns proxy = No
local master = No
map to guest = Bad User
pam password change = Yes
printcap name = /dev/null
security = USER
server role = standalone server
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Docker Samba Server
smb ports = 445
unix extensions = No
usershare allow guests = Yes
winbind scan trusted domains = Yes
fruit:time machine = yes
fruit:delete_empty_adfiles = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:veto_appledouble = no
fruit:posix_rename = yes
fruit:model = MacSamba
fruit:metadata = stream
idmap config * : backend = tdb
create mask = 0664
directory mask = 0775
force create mode = 0664
force directory mode = 0775
hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
hosts deny = 0.0.0.0/0
printing = bsd
strict locking = No
vfs objects = fruit streams_xattr
wide links = Yes
smbd version 4.15.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
Not sure what the issue is
The only thing I notice is that you are running Monterey 12.3.1 and I'm running 12.5. Perhaps they updated something security-wise that's having an effect?
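The `messaging_dgm_init: bind failed` line in the logs above is Samba failing to `bind()` a Unix datagram socket for its internal messaging. The following Python probe is an added diagnostic, not part of this thread or of the docker-samba project: it attempts the same kind of bind in each directory it is given so the results can be compared. The function names and the default directories `/data` and `/tmp` are assumptions, and the thread itself does not establish where the failure originates.

```python
import errno
import os
import socket
import sys


def probe_unix_dgram_bind(directory):
    """Bind an AF_UNIX datagram socket in `directory`; return (status, detail)."""
    path = os.path.join(directory, "dgm-probe-%d" % os.getpid())
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.bind(path)
    except OSError as exc:
        # exc.errno is None when Python rejects the path itself (e.g. too long).
        return errno.errorcode.get(exc.errno, "UNKNOWN"), str(exc)
    finally:
        sock.close()
    os.unlink(path)  # bind() created the socket file; remove it again
    return "ok", path


def compare(directories):
    """Probe each directory and return {directory: status}."""
    return {d: probe_unix_dgram_bind(d)[0] for d in directories}


if __name__ == "__main__":
    # Assumed defaults: the mounted volume from the report and a container-local path.
    results = compare(sys.argv[1:] or ["/data", "/tmp"])
    for directory, status in results.items():
        print("%-20s %s" % (directory, status))
    # Non-zero exit if any directory refused the bind.
    sys.exit(0 if all(s == "ok" for s in results.values()) else 1)
```

Run it inside a container started with the same `-v "$(pwd)/data:/data"` mount as the report; an `EPERM` for `/data` alongside `ok` for `/tmp` would place the restriction on the mounted path rather than on the container as a whole.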