for-mac icon indicating copy to clipboard operation
for-mac copied to clipboard

Published 20 hours ago verified publisher icon docker

Enable `CONFIG_SECURITY` support on `6.6.X-linuxkit`+

Open PhilipSchmid opened this issue 2 months ago • 2 comments

Description

When trying to run eBPF-based security tools, like Tetragon (also see related Tetragon GH issue), on Docker Desktop-based KIND clusters, we're seeing issues like the following one, as the Docker Desktop (4.28.0 (139021), Server Version: 25.0.3) shipped Kernel 6.6.16-linuxkit doesn't have CONFIG_SECURITY=y set at kernel compilation time:

... aborting could not load BPF programs: failed prog /var/lib/tetragon/bpf_execve_bprm_commit_creds.o kern_version 394768 loadInstance: attaching 'tg_kp_bprm_committing_creds' failed: creating perf_kprobe PMU (arch-specific fallback for \"security_bprm_committing_creds\"): token __arm64_security_bprm_committing_creds: not found: no such file or directory

It's not set on the Docker Desktop included VM:

$ docker run -it --rm --privileged --pid=host ubuntu nsenter -t 1 -m -u -n -i sh -c 'cat /proc/config.gz | gunzip | grep CONFIG_SECURITY'
CONFIG_SECURITY_DMESG_RESTRICT=y
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y

However, on the upstream linuxkit/linuxkit project it's already enabled for x86_64 and aarch64.

Can we please get CONFIG_SECURITY=y set on the Docker Desktop linuxkit VM as well?

Reproduce

  1. Install Docker Desktop (v4.28.0) with kernel 6.6.16-linuxkit on an ARM64 Mac
  2. Run docker run -it --rm --privileged --pid=host ubuntu nsenter -t 1 -m -u -n -i sh -c 'cat /proc/config.gz | gunzip | grep CONFIG_SECURITY'

Expected behavior

No response

docker version

Client:
 Cloud integration: v1.0.35+desktop.11
 Version:           25.0.3
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        4debf41
 Built:             Tue Feb  6 21:13:26 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.28.0 (139021)
 Engine:
  Version:          25.0.3
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       f417435
  Built:            Tue Feb  6 21:14:22 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    25.0.3
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1-desktop.4
    Path:     /Users/user/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.6-desktop.1
    Path:     /Users/user/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container. (Docker Inc.)
    Version:  0.0.24
    Path:     /Users/user/.docker/cli-plugins/docker-debug
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/user/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.22
    Path:     /Users/user/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.4
    Path:     /Users/user/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.0.1
    Path:     /Users/user/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/user/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.5.0
    Path:     /Users/user/.docker/cli-plugins/docker-scout
WARNING: Plugin "/Users/user/.docker/cli-plugins/docker-scan" is not valid: failed to fetch metadata: fork/exec /Users/user/.docker/cli-plugins/docker-scan: no such file or directory

Server:
 Containers: 30
  Running: 4
  Paused: 0
  Stopped: 26
 Images: 52
 Server Version: 25.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.6.16-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 10
 Total Memory: 11.67GiB
 Name: docker-desktop
 ID: 03bc7779-afb1-46ce-a5ba-5f0ef9409d97
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profil

Diagnostics ID

D157BC07-AB5D-4FE5-8D0B-647AB720B1AC/20240415141419

Additional Info

No response

PhilipSchmid avatar Apr 15 '24 14:04 PhilipSchmid