sysbox
docker OPA plugin fails to start with "default-runtime": "sysbox-runc"
I've bumped into an issue when running sysbox simultaneously with this docker plugin.

When setting sysbox as the default runtime, the following error appears, even with the plugin configured not to use the host network:

Sep 13 15:15:51 kata-testing dockerd[1102769]: time="2023-09-13T15:15:51.065032021Z" level=error msg="failed to enable plugin" error="failed to create task for container: failed to create shim task: OCI runtime create failed: container_linux.go:424: starting container process caused: process_linux.go:404: getting the final child's pid from pipe caused: EOF: unknown" id=d484abad1799472ea722c78145161a18758b8a5cf966edfa4dfb8202717a3ef9

If I change the default runtime to runc, everything works like a charm. But the thing is, I need sysbox to be the default runtime.
steps to reproduce:
env:
Ubuntu 20.04.6 LTS
docker-ce/focal,now 5:24.0.5-1~ubuntu.20.04~focal
sysbox-ce/now 0.6.1.linux amd64
build, install, enable opa docker plugin
plugin config.json:
{
"description": "A policy-enabled authorization plugin for Docker",
"documentation": "https://www.openpolicyagent.org/docs/docker-authorization/",
"entrypoint": [
"/opa-docker-authz"
],
"args": {
"name": "opa-args",
"description": "Arguments for opa-docker-authz",
"settable": ["value"],
"value": ["-policy-file","/opa/config/authz.rego"]
},
"interface": {
"socket": "opa-docker-authz.sock",
"types": ["docker.authz/1.0"]
},
"network": {
"type": "bridge"
},
"mounts": [
{
"name": "policy",
"source": "/etc/docker",
"destination": "/opa",
"type": "none",
"options": ["bind", "ro"],
"settable": ["source"]
}
],
"workdir": "/opa"
}
/etc/docker/daemon.json
{
"debug": true,
"default-runtime": "runc",
"authorization-plugins": ["openpolicyagent/opa-docker-authz-v2:0.8"],
"runtimes": {
"sysbox-runc": {
"path": "/usr/bin/sysbox-runc"
}
}
}
/etc/docker/config/authz.rego:
package docker.authz

# Deny by default; a request is allowed only when no deny rule fires.
default allow := false

allow {
    not deny
}

deny {
    seccomp_unconfined
}

# Fires when the request body disables seccomp for the container.
seccomp_unconfined {
    input.Body.HostConfig.SecurityOpt[_] == "seccomp:unconfined"
}
sudo systemctl restart docker.service
sudo docker ps
error during connect: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": EOF
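The following is an added example and is not code from the sysbox issue above or from the opa-docker-authz project. It models the decision the posted Rego policy makes, but applied directly to the JSON message dockerd POSTs to an authorization plugin's /AuthZPlugin.AuthZReq endpoint (User, RequestMethod, RequestURI, base64-encoded RequestBody), so the shape of `input.Body.HostConfig.SecurityOpt` the policy reads becomes visible. Two extra checks (Privileged, host networking) and all sample requests are this example's own assumptions and constructed input. One caveat worth noting: the posted rule matches only the legacy "seccomp:unconfined" spelling, while `docker run --security-opt seccomp=unconfined` sends the "=" form, so the example checks both.

```python
"""Offline model of the authorization decision the posted Rego policy makes.

Added example for this issue; not code from sysbox or from the
opa-docker-authz plugin. It applies the same rule (deny seccomp:unconfined)
to the AuthZReq message dockerd sends to an authz plugin, and adds two
further checks (Privileged, host networking) that are this example's own
assumptions, not part of the posted policy.
"""
import base64
import json
from typing import Any, Dict, List


def parse_authz_request(raw: bytes) -> Dict[str, Any]:
    """Decode one AuthZReq message into the shape the Rego policy sees as `input`.

    In the plugin protocol RequestBody is the base64-encoded HTTP body; it is
    empty for requests without a body (e.g. GET /containers/json).
    """
    msg = json.loads(raw)
    body: Dict[str, Any] = {}
    encoded = msg.get("RequestBody") or ""
    if encoded:
        decoded = base64.b64decode(encoded)
        if decoded.strip():
            body = json.loads(decoded)
    return {
        "User": msg.get("User", ""),
        "Method": msg.get("RequestMethod", ""),
        "Path": msg.get("RequestURI", ""),
        "Body": body,
    }


def is_container_create(req: Dict[str, Any]) -> bool:
    """True for POST /v1.NN/containers/create (query string ignored)."""
    path = req["Path"].split("?", 1)[0]
    return req["Method"] == "POST" and path.endswith("/containers/create")


def deny_reasons(req: Dict[str, Any]) -> List[str]:
    """Return every reason the request should be denied; an empty list means allow."""
    if not is_container_create(req):
        return []
    host_config = req["Body"].get("HostConfig") or {}
    reasons: List[str] = []
    # The posted policy matches only the legacy "seccomp:unconfined" form;
    # the CLI's --security-opt seccomp=unconfined sends the "=" form, so
    # both spellings are checked here.
    for opt in host_config.get("SecurityOpt") or []:
        if opt in ("seccomp:unconfined", "seccomp=unconfined"):
            reasons.append("seccomp disabled via SecurityOpt")
    # Assumed extra rules, beyond the posted Rego.
    if host_config.get("Privileged"):
        reasons.append("privileged container")
    if host_config.get("NetworkMode") == "host":
        reasons.append("host networking")
    return reasons


def authz_response(raw: bytes) -> Dict[str, Any]:
    """Build the AuthZRes message: Allow, plus a Msg explaining a denial."""
    reasons = deny_reasons(parse_authz_request(raw))
    if reasons:
        return {"Allow": False, "Msg": "denied: " + "; ".join(reasons)}
    return {"Allow": True}


def make_authz_request(method: str, uri: str, body: Any = None, user: str = "") -> bytes:
    """Build a constructed AuthZReq message in the shape dockerd sends (sample input)."""
    msg: Dict[str, Any] = {
        "User": user,
        "UserAuthNMethod": "",
        "RequestMethod": method,
        "RequestURI": uri,
        "RequestHeaders": {"Content-Type": "application/json"},
    }
    if body is not None:
        msg["RequestBody"] = base64.b64encode(json.dumps(body).encode()).decode()
    return json.dumps(msg).encode()


if __name__ == "__main__":
    unconfined = make_authz_request(
        "POST", "/v1.43/containers/create?name=test",
        {"Image": "alpine", "HostConfig": {"SecurityOpt": ["seccomp=unconfined"]}},
    )
    print(authz_response(unconfined))
    print(authz_response(make_authz_request("GET", "/v1.43/containers/json")))
```

Requests that are not a container create (listing containers, inspecting images) pass through untouched, which is the same shape as the posted policy: everything is allowed unless a deny rule fires on the create body.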
Hi @dmitryroshchin, no, not yet. ETA: next 1-2 weeks.
@ctalledo any news on this issue?