for-mac
Enable `CONFIG_SECURITY` support on `6.6.X-linuxkit`+
Description
When trying to run eBPF-based security tools, like Tetragon (also see the related Tetragon GH issue), on Docker Desktop-based KIND clusters, we're seeing issues like the following one, as the kernel `6.6.16-linuxkit` shipped with Docker Desktop (4.28.0 (139021), Server Version: 25.0.3) doesn't have `CONFIG_SECURITY=y` set at kernel compilation time:

```
... aborting could not load BPF programs: failed prog /var/lib/tetragon/bpf_execve_bprm_commit_creds.o kern_version 394768 loadInstance: attaching 'tg_kp_bprm_committing_creds' failed: creating perf_kprobe PMU (arch-specific fallback for \"security_bprm_committing_creds\"): token __arm64_security_bprm_committing_creds: not found: no such file or directory
```
It's not set on the VM included with Docker Desktop:

```
$ docker run -it --rm --privileged --pid=host ubuntu nsenter -t 1 -m -u -n -i sh -c 'cat /proc/config.gz | gunzip | grep CONFIG_SECURITY'
CONFIG_SECURITY_DMESG_RESTRICT=y
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y
```

However, on the upstream linuxkit/linuxkit project it's already enabled for x86_64 and aarch64. Can we please get `CONFIG_SECURITY=y` set on the Docker Desktop linuxkit VM as well?
Reproduce
- Install Docker Desktop (v4.28.0) with kernel `6.6.16-linuxkit` on an ARM64 Mac
- Run `docker run -it --rm --privileged --pid=host ubuntu nsenter -t 1 -m -u -n -i sh -c 'cat /proc/config.gz | gunzip | grep CONFIG_SECURITY'`
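As an added example (not code from this issue or from Docker Desktop), a small preflight script that classifies the `CONFIG_SECURITY` line of a kernel config and checks `/proc/kallsyms` for the `security_bprm_committing_creds` hook that the error above fails to attach to; the function names and sample inputs are constructed for this example, and the live mode assumes it is run inside the VM via the `nsenter` one-liner.

```shell
#!/bin/sh
# Added example: preflight check for eBPF-based security tools (e.g. Tetragon)
# on a Docker Desktop VM. Not code from the issue or from Docker Desktop.
# Function names and the sample inputs below are constructed for this example.

# config_security_state CONFIG_TEXT
# Prints y (built in), m (module), n ("is not set") or absent (no such line).
config_security_state() {
    printf '%s\n' "$1" | awk '
        /^CONFIG_SECURITY=y$/            { print "y"; found = 1; exit }
        /^CONFIG_SECURITY=m$/            { print "m"; found = 1; exit }
        /^# CONFIG_SECURITY is not set$/ { print "n"; found = 1; exit }
        END { if (!found) print "absent" }'
}

# has_lsm_hook_symbol KALLSYMS_TEXT HOOK
# Succeeds when the hook appears in kallsyms, either under its plain name or
# under the __arm64_ prefix that the loader in the issue's error fell back to.
has_lsm_hook_symbol() {
    printf '%s\n' "$1" | awk -v hook="$2" '
        $3 == hook || $3 == ("__arm64_" hook) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Live check: run inside the Docker Desktop VM (for example through the
# docker run ... nsenter -t 1 ... one-liner from the issue). Exits 0 only when
# CONFIG_SECURITY=y and the bprm hook symbol is present.
preflight() {
    state=$(config_security_state "$(gunzip -c /proc/config.gz 2>/dev/null)")
    echo "CONFIG_SECURITY: $state"
    [ "$state" = "y" ] || return 1
    has_lsm_hook_symbol "$(cat /proc/kallsyms)" security_bprm_committing_creds
}

# Constructed samples: the grep output quoted in the issue, and two kallsyms
# excerpts (addresses zeroed, as they appear under kptr_restrict).
SAMPLE_CONFIG_NOT_SET='CONFIG_SECURITY_DMESG_RESTRICT=y
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y'
SAMPLE_KALLSYMS_OK='0000000000000000 T security_bprm_committing_creds
0000000000000000 T security_bprm_check'
SAMPLE_KALLSYMS_MISSING='0000000000000000 T securityfs_create_file'

if [ "${1:-}" = "--live" ]; then
    preflight
fi
```

Run it with `--live` inside the VM to check the running kernel; without arguments it only defines the functions and samples.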
Expected behavior
No response
docker version

```
Client:
 Cloud integration: v1.0.35+desktop.11
 Version:           25.0.3
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        4debf41
 Built:             Tue Feb 6 21:13:26 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.28.0 (139021)
 Engine:
  Version:          25.0.3
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       f417435
  Built:            Tue Feb 6 21:14:22 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```
docker info

```
Client:
 Version:    25.0.3
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1-desktop.4
    Path:     /Users/user/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.6-desktop.1
    Path:     /Users/user/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container. (Docker Inc.)
    Version:  0.0.24
    Path:     /Users/user/.docker/cli-plugins/docker-debug
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/user/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.22
    Path:     /Users/user/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.4
    Path:     /Users/user/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.0.1
    Path:     /Users/user/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/user/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.5.0
    Path:     /Users/user/.docker/cli-plugins/docker-scout
WARNING: Plugin "/Users/user/.docker/cli-plugins/docker-scan" is not valid: failed to fetch metadata: fork/exec /Users/user/.docker/cli-plugins/docker-scan: no such file or directory

Server:
 Containers: 30
  Running: 4
  Paused: 0
  Stopped: 26
 Images: 52
 Server Version: 25.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.6.16-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 10
 Total Memory: 11.67GiB
 Name: docker-desktop
 ID: 03bc7779-afb1-46ce-a5ba-5f0ef9409d97
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile
```
Diagnostics ID
D157BC07-AB5D-4FE5-8D0B-647AB720B1AC/20240415141419
Additional Info
No response