
`seccomp=profile.json` path isn't relative to `devcontainer-feature.json` or `compose.yml`

Open snebjorn opened this issue 3 years ago • 7 comments

How is a path to a seccomp profile file specified?

This doesn't work when seccomp.json is in the same folder as devcontainer-feature.json

// devcontainer-feature.json
{
  "securityOpt": ["seccomp=seccomp.json"]
}

This doesn't work when seccomp.json is in the same folder as compose.yml

// devcontainer.json
{
  "dockerComposeFile": "compose.yml",
  // rest omitted...
}

# compose.yml
services:
  app:
    security_opt:
      - seccomp:seccomp.json

seccomp accepts a path https://docs.docker.com/engine/security/seccomp/

$ docker run --rm \
             -it \
             --security-opt seccomp=/path/to/seccomp/profile.json \
             hello-world

snebjorn avatar Oct 08 '22 13:10 snebjorn

The path should be relative to the (first) docker-compose.yml. Is that not the case? What do you get for docker-compose version?

(Older versions of Docker Compose resolved the path relative to the working directory of the docker-compose executable which is the workspace folder in this case.)

chrmarti avatar Oct 11 '22 06:10 chrmarti

What do you get for docker-compose version?

Locally I'm running Docker Compose version v2.10.2. Not sure what GitHub Codespaces is running.

The path should be relative to the (first) docker-compose.yml. Is that not the case?

Try uncommenting this seccomp config https://github.com/snebjorn/devcontainer-feature/blob/a4e878bbf0be759d08384544cc28b9ecb69be050/src/chromium/devcontainer-feature.json#L15

It's right next to, well, everything.

This is the result

https://github.com/snebjorn/devcontainer-feature/actions/runs/3207901547/jobs/5243255064

Start: Run: docker run --sig-proxy=false -a STDOUT -a STDERR --mount type=bind,source=/tmp/devcontainercli/container-features-test/1665179748920,target=/workspaces/1665179748920 -l devcontainer.local_folder=/tmp/devcontainercli/container-features-test/1665179748920 --security-opt seccomp=seccomp-chromium.json --entrypoint /bin/sh vsc-1665179748920-1fb487e9c51146a17306239137140e08-features -c echo Container started docker: opening seccomp profile (seccomp-chromium.json) failed: open seccomp-chromium.json: no such file or directory. See 'docker run --help'. [-] Failed to launch container:

Command failed: docker run --sig-proxy=false -a STDOUT -a STDERR --mount type=bind,source=/tmp/devcontainercli/container-features-test/1665179748920,target=/workspaces/1665179748920 -l devcontainer.local_folder=/tmp/devcontainercli/container-features-test/1665179748920 --security-opt seccomp=seccomp-chromium.json --entrypoint /bin/sh vsc-1665179748920-1fb487e9c51146a17306239137140e08-features -c echo Container started

I've encountered the same issue with GitHub Codespaces. I had to specify an absolute path which I found to be: /var/lib/docker/codespacemount/workspace/<repo>/.devcontainer/profile.json

snebjorn avatar Oct 11 '22 21:10 snebjorn

I misread, you're using this in a feature. Not sure how we would solve this. We could carry the file in the image or on a label on the image and apply it (and update the path on the parameter) when the container is created.

chrmarti avatar Oct 12 '22 05:10 chrmarti

This is also a problem when doing it directly in a devcontainer.json. Should I create a separate issue for handling seccomp files in the devcontainer.json?

Just to be clear: I don't care if the path is relative or not. I just want a path to a seccomp file that is reliable regardless of where the container is hosted/launched.

snebjorn avatar Oct 12 '22 07:10 snebjorn

It should work in the devcontainer.json. The difficulty is that with a single container, the path needs to be relative to the workspace root folder and with Docker Compose it needs to be relative to the first docker-compose.yml's folder. If that does not work I'd appreciate a separate bug report. Thanks.

chrmarti avatar Oct 13 '22 07:10 chrmarti

It should work in the devcontainer.json

I couldn't get it to work. Hmm well I did it in a compose file. See https://github.com/snebjorn/openapi-generator/tree/feature/devcontainer/.devcontainer

I tested:

  • seccomp:chrome.json
  • seccomp:./chrome.json
  • seccomp:.devcontainer/chrome.json
  • seccomp:./.devcontainer/chrome.json
  • seccomp:openapi-generator/.devcontainer/chrome.json
  • seccomp:workspace/openapi-generator/.devcontainer/chrome.json
  • seccomp:codespacemount/workspace/openapi-generator/.devcontainer/chrome.json
  • seccomp:docker/codespacemount/workspace/openapi-generator/.devcontainer/chrome.json
  • seccomp:lib/docker/codespacemount/workspace/openapi-generator/.devcontainer/chrome.json

But in the end I could only get the absolute path to work

  • seccomp:/var/lib/docker/codespacemount/workspace/openapi-generator/.devcontainer/chrome.json

snebjorn avatar Oct 13 '22 07:10 snebjorn

In the devcontainer.json ${localWorkspaceFolder} could be used to get an absolute path at runtime.

chrmarti avatar Dec 12 '23 13:12 chrmarti
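An added example (not code from the devcontainer CLI or from anyone in this thread) that models the two resolution rules stated above (single container: relative to the workspace root; Compose: relative to the first compose file's folder), expands `${localWorkspaceFolder}` as suggested in the last comment, and then checks that the resolved profile actually exists and has the shape Docker expects, which is the check that would have caught the "no such file or directory" failure in the CI log. The function names, the temporary workspace and the sample profile are all constructed for the demo.

```python
import json
import os
import tempfile

# Rules as described in the thread (assumed to model, not copied from, the devcontainer CLI):
# single container -> relative to the workspace root; Compose -> relative to the first
# compose file's folder; ${localWorkspaceFolder} expands to the workspace root.

def resolve_seccomp_profile(security_opt, workspace_root, compose_files=()):
    """Return the absolute profile path named by 'seccomp=PATH' or 'seccomp:PATH'."""
    sep = "=" if "=" in security_opt else ":"      # docker run uses '=', compose files use ':'
    key, _, value = security_opt.partition(sep)
    if key != "seccomp" or not value:
        raise ValueError(f"not a seccomp profile option: {security_opt!r}")
    value = value.replace("${localWorkspaceFolder}", workspace_root)
    base = os.path.dirname(os.path.abspath(compose_files[0])) if compose_files else workspace_root
    return os.path.normpath(value if os.path.isabs(value) else os.path.join(base, value))

def check_seccomp_profile(path):
    """Load the profile and confirm the fields Docker requires; return the default action."""
    with open(path) as fh:
        profile = json.load(fh)
    default = profile.get("defaultAction")
    if not isinstance(default, str) or not default.startswith("SCMP_ACT_"):
        raise ValueError(f"{path}: missing or invalid defaultAction")
    if not isinstance(profile.get("syscalls", []), list):
        raise ValueError(f"{path}: 'syscalls' must be a list")
    return default

def demo():
    """Build a constructed workspace and resolve the same profile all three ways."""
    root = tempfile.mkdtemp()
    dc = os.path.join(root, ".devcontainer")
    os.makedirs(dc)
    profile = {"defaultAction": "SCMP_ACT_ERRNO",                       # constructed sample profile
               "syscalls": [{"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}]}
    with open(os.path.join(dc, "seccomp.json"), "w") as fh:
        json.dump(profile, fh)
    compose = os.path.join(dc, "compose.yml")                          # empty placeholder compose file
    open(compose, "w").close()
    single = resolve_seccomp_profile("seccomp=.devcontainer/seccomp.json", root)
    via_compose = resolve_seccomp_profile("seccomp:seccomp.json", root, [compose])
    via_var = resolve_seccomp_profile("seccomp=${localWorkspaceFolder}/.devcontainer/seccomp.json", root)
    return {"single": single, "compose": via_compose, "var": via_var,
            "exists": all(os.path.isfile(p) for p in (single, via_compose, via_var)),
            "default_action": check_seccomp_profile(single)}

if __name__ == "__main__":
    print(demo())
```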