Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nosuid problem in foreign architecture builds #47

Closed
z3ntu opened this issue Dec 28, 2019 · 11 comments
Closed

nosuid problem in foreign architecture builds #47

z3ntu opened this issue Dec 28, 2019 · 11 comments

Comments

@z3ntu
Copy link

z3ntu commented Dec 28, 2019

(continued from #46)

Running env DABUILD_ARCH=aarch64 dabuild -r on an x86_64 machine results in sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? being printed (tested with aarch64 & armv7)

alpinelinux/docker-abuild   edge-aarch64        1470e8631406        9 days ago          195MB

$ docker run --entrypoint /bin/sh --rm -it alpinelinux/docker-abuild:edge-aarch64
~ $ sudo ls
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

On the host:

$ mount | grep docker
/dev/mapper/docker-8:1-20185132-fc7eb3aa34775e1dc50251a64cf4b6320077e1d03f1bce5c269907e2b5b2a7bc on /mnt/hdd/docker/devicemapper/mnt/fc7eb3aa34775e1dc50251a64cf4b6320077e1d03f1bce5c269907e2b5b2a7bc type xfs (rw,relatime,nouuid,attr2,inode64,logbufs=8,logbsize=64k,sunit=128,swidth=128,noquota)
nsfs on /run/docker/netns/d72959cccaf9 type nsfs (rw)

In the container:

~ $ mount
/dev/mapper/docker-8:1-20185132-b4824e4ae8418b6c7d99c2d628b3d8def114a44359cd13bd9bc8b83253483ca2 on / type xfs (rw,relatime,nouuid,attr2,inode64,logbufs=8,logbsize=64k,sunit=128,swidth=128,noquota)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/rdma type cgroup (ro,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (ro,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (ro,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,blkio)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
/dev/sda1 on /etc/resolv.conf type ext4 (rw,relatime,stripe=32738)
/dev/sda1 on /etc/hostname type ext4 (rw,relatime,stripe=32738)
/dev/sda1 on /etc/hosts type ext4 (rw,relatime,stripe=32738)
devpts on /dev/console type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
proc on /proc/bus type proc (ro,relatime)
proc on /proc/fs type proc (ro,relatime)
proc on /proc/irq type proc (ro,relatime)
proc on /proc/sys type proc (ro,relatime)
proc on /proc/sysrq-trigger type proc (ro,relatime)
tmpfs on /proc/asound type tmpfs (ro,relatime)
tmpfs on /proc/acpi type tmpfs (ro,relatime)
tmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/latency_stats type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/sched_debug type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/scsi type tmpfs (ro,relatime)
tmpfs on /sys/firmware type tmpfs (ro,relatime)

So as far as I can tell, the rootfs inside the container is not nosuid and I also don't have anything mounted specially (except ~/.cache and /root/.cache but those shouldn't matter)
@z3ntu z3ntu mentioned this issue Dec 28, 2019
Closed
@mor1
Copy link
Collaborator

mor1 commented Dec 28, 2019 via email

@z3ntu
Copy link
Author

z3ntu commented Dec 28, 2019 

$ env DABUILD_ARCH=aarch64 DABUILD_DEBUG=true dabuild -r
+ PS4='$LINENO: '
20: '[' /mnt/hdd/alpine = /mnt/hdd/alpine/aports/community/qt5-qtwebengine ']'
27: '[' '!' aarch64 ']'
28: case "$DABUILD_ARCH" in
34: '[' '' ']'
337: git status
337: head -1
37: APORTS_BRANCH='On branch qtwebengine-lima'
38: APORTS_BRANCH=qtwebengine-lima
39: case $APORTS_BRANCH in
45: ABUILD_VERSION=edge
51: ABUILD_PACKAGES=/mnt/hdd/alpine/packages/edge
53: mkdir -p /mnt/hdd/alpine/packages/edge
54: '[' '!' '(' -d /mnt/hdd/alpine/packages/edge -a -w /mnt/hdd/alpine/packages/edge ')' ']'
63: ABUILD_VOLUMES='-v /home/luca/.abuild:/home/builder/.abuild   -v /mnt/hdd/alpine/aports:/home/builder/aports   -v /mnt/hdd/alpine/packages/edge:/home/builder/packages'
65: '[' -f /etc/abuild.conf ']'
69: '[' -w /var/cache/distfiles ']'
73: '[' '' = true ']'
90: ABUILD_WORKDIR=/home/builder/aports/community/qt5-qtwebengine
91: DOCKER='docker run -ti -v /home/luca/.abuild:/home/builder/.abuild   -v /mnt/hdd/alpine/aports:/home/builder/aports   -v /mnt/hdd/alpine/packages/edge:/home/builder/packages -e DABUILD_DEBUG '
92: docker run -ti -v /home/luca/.abuild:/home/builder/.abuild -v /mnt/hdd/alpine/aports:/home/builder/aports -v /mnt/hdd/alpine/packages/edge:/home/builder/packages -e DABUILD_DEBUG --workdir /home/builder/aports/community/qt5-qtwebengine alpinelinux/docker-abuild:edge-aarch64 -r
13: PS4='$LINENO: '
17: '[' '!' -w /home/builder/.abuild/ ]
22: '[' '!' -r /home/builder/.abuild/abuild.conf ]
27: . /home/builder/.abuild/abuild.conf
1: PACKAGER_PRIVKEY=/home/builder/.abuild/-5d73b499.rsa
28: '[' '!' -s /home/builder/.abuild/-5d73b499.rsa ]
33: sudo cp -v /home/builder/.abuild/-5d73b499.rsa.pub /etc/apk/keys/
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

@mor1
Copy link
Collaborator

mor1 commented Dec 28, 2019

Hm. Is your /home/luca directory either mounted from NFS or on a file system with nosuid perhaps?

@z3ntu
Copy link
Author

z3ntu commented Dec 28, 2019

No^^ /dev/mapper/MyVol-home on /home type ext4 (rw,relatime)

@mor1
Copy link
Collaborator

mor1 commented Dec 29, 2019

Hm. Do you have any filesystems mounted nosuid? Searching around, the following seems relevant: moby/moby#36730 (comment) -- is /var/lib/docker mounted on a nosuid overlay fs?

@z3ntu
Copy link
Author

z3ntu commented Dec 29, 2019

Unfortunately that's not the case either..

 ~  df -h /var/lib/docker/
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       890G  844G  1,1G 100% /mnt/hdd
 ~  mount | grep /mnt/hdd
/dev/sda1 on /mnt/hdd type ext4 (rw,relatime,stripe=32738)

@z3ntu
Copy link
Author

z3ntu commented Dec 29, 2019

Trying on another PC (also Arch Linux but very standard setup):

$ docker run --entrypoint /bin/sh --rm -it alpinelinux/docker-abuild:edge-aarch64
standard_init_linux.go:211: exec user process caused "exec format error"

Installing qemu-arm-static from the AUR and restarting systemd-binfmt.service and trying again results in sh starting but sudo refuses to work as well.

Do you know if Docker for mac does any special setup with binfmt maybe?

@clandmeter
Copy link
Member

I think this is related how binfmt_misc is registered for that arch.

@z3ntu
Copy link
Author

z3ntu commented Dec 29, 2019

Ah found the issue now thanks to

multiarch/qemu-user-static#17 and https://bbs.archlinux.org/viewtopic.php?id=242708

Basically changing the binfmt flag from F to OCF works fine and running sudo apk works now :) Thanks for your help!

@z3ntu z3ntu closed this as completed Dec 29, 2019
@mor1
Copy link
Collaborator

mor1 commented Dec 29, 2019 via email

@mor1
Copy link
Collaborator

mor1 commented Dec 29, 2019 via email

@martin-g martin-g mentioned this issue Mar 26, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@clandmeter @mor1 @z3ntu