
docker exec cannot get the correct permissions when the container is launched as a non-root user

Open shuimqcn opened this issue 2 years ago • 0 comments

Description

I use "docker run -itd -u 50294:50294 almalinux:8 /bin/bash" to launch a container, then enter the container with root permissions using "docker exec -it --user=root <container> /bin/bash" and do some operations:

  1. Create a user ("jenkins") with the same UID and a group ("jenkins") with the same GID
  2. Create another group "docker" (GID: 50000)
  3. Add "jenkins" to the "docker" group

After that I enter the container as the non-root user with "docker exec -it <container> /bin/bash", then execute the "id" and "id jenkins" commands; they show different output:

$ docker exec -it cranky_ardinghelli /bin/bash
[jenkins@6dd2b805c3d6 /]$ id 
uid=50294(jenkins) gid=50294(jenkins) groups=50294(jenkins)
[jenkins@6dd2b805c3d6 /]$ id jenkins
uid=50294(jenkins) gid=50294(jenkins) groups=50294(jenkins),50000(docker)
[jenkins@6dd2b805c3d6 /]$ 

Reproduce

$ docker run -itd -u 50294:50294 almalinux:8 /bin/bash
$ docker ps
CONTAINER ID   IMAGE                                        COMMAND                  CREATED          STATUS          PORTS     NAMES
6dd2b805c3d6   almalinux:8                                  "/bin/bash"              11 seconds ago   Up 10 seconds             cranky_ardinghelli
$ docker exec -it cranky_ardinghelli /bin/bash
bash-4.4$ id
uid=50294 gid=50294 groups=50294
bash-4.4$ exit
exit
$ docker exec -it --user=root cranky_ardinghelli /bin/bash
[root@6dd2b805c3d6 /]# groupadd -g 50294 jenkins && useradd -d /home/jenkins -m -u 50294 -g 50294 -s /bin/bash jenkins
[root@6dd2b805c3d6 /]# groupadd -g 50000 docker
[root@6dd2b805c3d6 /]# usermod -aG docker jenkins
[root@6dd2b805c3d6 /]# id jenkins
uid=50294(jenkins) gid=50294(jenkins) groups=50294(jenkins),50000(docker)
[root@6dd2b805c3d6 /]# exit
exit
$ docker exec -it cranky_ardinghelli /bin/bash
[jenkins@6dd2b805c3d6 /]$ id 
uid=50294(jenkins) gid=50294(jenkins) groups=50294(jenkins)
[jenkins@6dd2b805c3d6 /]$ id jenkins
uid=50294(jenkins) gid=50294(jenkins) groups=50294(jenkins),50000(docker)
[jenkins@6dd2b805c3d6 /]$ 

Expected behavior

Fix this so that "docker exec" has the correct permissions

docker version

Client: Docker Engine - Community
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.6
 Git commit:        ced0996
 Built:             Fri Jul 21 20:36:32 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.6
  Git commit:       a61e2b4
  Built:            Fri Jul 21 20:35:32 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    24.0.5
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.20.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
  scan: Docker Scan (Docker Inc.)
    Version:  v0.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-scan

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 22
 Server Version: 24.0.5
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3dce8eb055cbb6872793272b4f20ed16117344f8
 runc version: v1.1.7-0-g860f061
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 4.18.0-477.21.1.el8_8.x86_64
 Operating System: AlmaLinux 8.8 (Sapphire Caracal)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.58GiB
 Name: jenkins-node-alma8
 ID: 1c007b45-4f34-41e8-ac74-12822b2fa8df
 Docker Root Dir: /data/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

This issue will block some Jenkins jobs, for example: using a non-root jenkins user to run Docker in Docker (DinD or Docker socket mounting), image

shuimqcn, Dec 20 '23 17:12
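An added example, not code from this issue or from the Docker project, that shows the mechanism behind the two different "id" outputs in the report without needing a container. "id" with no argument prints the credentials the kernel attached to the calling process when it was exec'd; "id NAME" resolves NAME against the passwd and group databases. Editing /etc/group under a running container therefore changes the second answer but not the first, and a process that needs a newly granted group (for instance, a mounted Docker socket whose group is 50000, a hypothetical setup here) only gets it when it is started again with a user spec that carries that group. The script below resolves a user's supplementary groups from a group(5) file and lists the GIDs a process holds against what the database would grant. The sample group file and the held-group list are constructed to mirror the report's output; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the issue or from Docker): compare the
# supplementary groups a process actually holds with the groups the group
# database would grant the same user name. "id" reports the credentials the
# kernel fixed when the process was exec'd; "id NAME" re-reads /etc/group,
# which is why the two can disagree after the database is edited.

# Print the GIDs of every group in the group(5) file $1 that lists $2 as a
# member, comma-separated, in file order (exact name match, so "jenkins2"
# never counts as "jenkins").
resolve_sgids() {
    awk -F: -v u="$2" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) printf "%s%s", (c++ ? "," : ""), $3
        }
    ' "$1"
}

# Print, one per line, each GID in $2 (groups the database grants,
# comma-separated) that is absent from $1 (groups the process holds,
# comma-separated). Empty output means nothing is missing.
missing_gids() {
    held=",$1,"
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r g; do
        [ -n "$g" ] || continue
        case "$held" in
            *",$g,"*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# Constructed group file mirroring the container after
# "groupadd -g 50000 docker && usermod -aG docker jenkins" in the report;
# the extra entries exist only to exercise the parser.
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
wheel:x:10:
audio:x:63:jenkins2
jenkins:x:50294:
docker:x:50000:jenkins,alice
ci:x:50010:alice
EOF

# What the exec'd shell in the report holds ("id" -> groups=50294) versus
# what "id jenkins" resolves: primary GID plus /etc/group memberships.
HELD="50294"
GRANTED="50294,$(resolve_sgids "$SAMPLE_GROUP" jenkins)"
echo "held:    $HELD"
echo "granted: $GRANTED"
echo "missing: $(missing_gids "$HELD" "$GRANTED" | tr '\n' ' ')"
```

On a live container the same check is HELD=$(id -G | tr ' ' ',') with /etc/group passed to resolve_sgids; a non-empty "missing" line means the process was exec'd before (or without) the group grant, and no amount of editing /etc/group will change its credentials until it is started again with the intended user and groups.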