Description of problem:

When installing (using yum) some packages docker fails with error:

unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file

If we're trying to install such package (httpd for example) in docker run environment - we have a workaround which is to specify "-privileged=true" option to the run command. Unfortunately we cannot do this when running the install inside a Dockerfile (RUN command). This fails the build:

 ---> Running in 087750726dfd
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-2.fc20 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-2.fc20 for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-2.fc20.x86_64
---> Package mod_cluster.x86_64 0:1.2.6-1.fc20 will be installed
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-2.fc20 will be installed
---> Package apr-util.x86_64 0:1.5.2-4.fc20 will be installed
---> Package fedora-logos.noarch 0:19.0.4-3.fc20 will be installed
---> Package httpd-tools.x86_64 0:2.4.6-2.fc20 will be installed
---> Package mailcap.noarch 0:2.1.41-2.fc20 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch       Version            Repository           Size
================================================================================
Installing:
 httpd            x86_64     2.4.6-2.fc20       fedora              1.2 M
 mod_cluster      x86_64     1.2.6-1.fc20       updates-testing      68 k
Installing for dependencies:
 apr              x86_64     1.4.8-2.fc20       fedora              100 k
 apr-util         x86_64     1.5.2-4.fc20       fedora               90 k
 fedora-logos     noarch     19.0.4-3.fc20      fedora              8.7 M
 httpd-tools      x86_64     2.4.6-2.fc20       fedora               76 k
 mailcap          noarch     2.1.41-2.fc20      fedora               31 k

Transaction Summary
================================================================================
Install 2 Packages (+5 Dependent packages)

Total download size: 10 M
Installed size: 13 M
Downloading packages:
warning: /var/cache/yum/x86_64/20/fedora/packages/apr-1.4.8-2.fc20.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 246110c1: NOKEY
Public key for apr-1.4.8-2.fc20.x86_64.rpm is not installed
Public key for mod_cluster-1.2.6-1.fc20.x86_64.rpm is not installed
--------------------------------------------------------------------------------
Total                                            2.6 MB/s | 10 MB 00:03
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-x86_64
Importing GPG key 0x246110C1:
 Userid     : "Fedora (20) <fedora>"
 Fingerprint: c7c9 a9c8 9153 f201 83ce 7cba 2eb1 61fa 2461 10c1
 Package    : fedora-release-20-0.7.noarch (@fedora/$releasever)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-x86_64
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-2.fc20.x86_64 1/7
  Installing : apr-util-1.5.2-4.fc20.x86_64 2/7
  Installing : httpd-tools-2.4.6-2.fc20.x86_64 3/7
  Installing : mailcap-2.1.41-2.fc20.noarch 4/7
  Installing : fedora-logos-19.0.4-3.fc20.noarch 5/7
  Installing : httpd-2.4.6-2.fc20.x86_64 6/7
Error unpacking rpm package httpd-2.4.6-2.fc20.x86_64
error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file
  Installing : mod_cluster-1.2.6-1.fc20.x86_64 7/7
error: httpd-2.4.6-2.fc20.x86_64: install failed
  Verifying : httpd-tools-2.4.6-2.fc20.x86_64 1/7
  Verifying : fedora-logos-19.0.4-3.fc20.noarch 2/7
  Verifying : mailcap-2.1.41-2.fc20.noarch 3/7
  Verifying : apr-1.4.8-2.fc20.x86_64 4/7
  Verifying : apr-util-1.5.2-4.fc20.x86_64 5/7
  Verifying : mod_cluster-1.2.6-1.fc20.x86_64 6/7
  Verifying : httpd-2.4.6-2.fc20.x86_64 7/7

Installed:
  mod_cluster.x86_64 0:1.2.6-1.fc20

Dependency Installed:
  apr.x86_64 0:1.4.8-2.fc20
  apr-util.x86_64 0:1.5.2-4.fc20
  fedora-logos.noarch 0:19.0.4-3.fc20
  httpd-tools.x86_64 0:2.4.6-2.fc20
  mailcap.noarch 0:2.1.41-2.fc20

Failed:
  httpd.x86_64 0:2.4.6-2.fc20

Complete!
Error build: The command [/bin/sh -c yum install -y httpd mod_cluster] returned a non-zero code: 1
The command [/bin/sh -c yum install -y httpd mod_cluster] returned a non-zero code: 1
Created attachment 803970
strace from rpm installation of httpd in a container

Attaching a strace log where we can see that the issue is in setting the "security.capability" attribute with the "\x01\x00\x00\x02\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" value for the /usr/sbin/suexec file.

=====================
ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
removexattr("/usr/sbin/suexec", "security.capability") = -1 EPERM (Operation not permitted)
rename("/usr/sbin/suexec;52458e7c", "/usr/sbin/suexec") = 0
getuid() = 0
getuid() = 0
chown("/usr/sbin/suexec", 0, 48) = 0
chmod("/usr/sbin/suexec", 0510) = 0
utime("/usr/sbin/suexec", [2013/09/27-13:22:45, 2013/09/27-13:22:45]) = 0
getuid() = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
setxattr("/usr/sbin/suexec", "security.capability", "\x01\x00\x00\x02\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 20, 0) = -1 EPERM (Operation not permitted)
close(23) = 0
munmap(0x7f4a8238d000, 4096
=====================

The filesystem is mounted like this:

/dev/mapper/docker-39fbe6132eb8f36bf6ef24024b0762ddc28a145f26f944ad16d827addd3a2916 on / type ext4 (rw,relatime,discard,stripe=64,data=ordered)
I think that this is related to blocking Linux capabilities:

https://github.com/dotcloud/docker/blob/5a01f7485c6df95f747e08d2cad3d4c934b811bc/lxc_template.go#L114

In particular, we see "setfcap" listed there, which is required to run setxattr() on files. Maybe we can drop "setfcap" from the template to make it work?

BTW: There is a different option coming, "lxc.cap.drop":

http://sourceforge.net/mailarchive/message.php?msg_id=31054627
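Added example, not part of the original thread: a Python decoder for the 20-byte "security.capability" value from the strace above (the kernel's struct vfs_cap_data), plus a check for CAP_SETFCAP in a process's bounding set, which is where lxc.cap.drop takes effect. The xattr bytes are copied from the strace; the two /proc status excerpts and all function names are constructed for illustration.

```python
import struct

# Constants from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs
VFS_CAP_U32 = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
CAP_NAMES = {6: "CAP_SETGID", 7: "CAP_SETUID", 31: "CAP_SETFCAP"}  # subset only

def cap_names(mask):
    """Names (or bit numbers) of the capabilities set in a 64-bit mask."""
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1]

def decode_security_capability(raw):
    """Decode a security.capability xattr value (struct vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("truncated header")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in VFS_CAP_U32:
        raise ValueError("unknown revision 0x%08x" % revision)
    n = VFS_CAP_U32[revision]
    if len(raw) < 4 + 8 * n:
        raise ValueError("truncated capability data")
    words = struct.unpack_from("<%dI" % (2 * n), raw, 4)
    permitted = sum(words[2 * i] << (32 * i) for i in range(n))
    inheritable = sum(words[2 * i + 1] << (32 * i) for i in range(n))
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": cap_names(permitted),
        "inheritable": cap_names(inheritable),
    }

def bounding_set_has(status_text, cap_bit):
    """True if cap_bit is set in the CapBnd line of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return bool(int(line.split()[1], 16) >> cap_bit & 1)
    raise ValueError("no CapBnd line")

# Value copied from the setxattr() call in the strace above (20 bytes)
SUEXEC_XATTR = b"\x01\x00\x00\x02\xc0" + b"\x00" * 15
# Constructed /proc/<pid>/status excerpts (not from the thread)
STATUS_DROPPED = "Name:\trpm\nCapBnd:\t000000007fffffff\n"  # bit 31 cleared
STATUS_ALLOWED = "Name:\trpm\nCapBnd:\t00000000ffffffff\n"  # bit 31 set

if __name__ == "__main__":
    print(decode_security_capability(SUEXEC_XATTR))
    print(bounding_set_has(STATUS_DROPPED, 31), bounding_set_has(STATUS_ALLOWED, 31))
```

The decoded value shows what rpm was trying to grant: suexec gets CAP_SETGID and CAP_SETUID as effective file capabilities, and writing that xattr is the operation that needs CAP_SETFCAP in the container.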
We need someone with security expertise to review, but I think the general sense is that allowing setfcap in non-privileged mode should be okay.
Created attachment 804061
Remove setfcap from lxc.cap.drop

I can confirm that removing setfcap from lxc.cap.drop fixes this issue. I'm attaching a patch that can be applied against Rawhide directly. Hope someone can confirm that it's safe to do so.
I would not confirm that it is safe. BUT, since you are allowing setting a file to 4755 ROOT/ROOT, this is less unsafe, although I always believed that adding setuid or setgid permissions on a file should be governed by setfcap... We do not currently allow this in virt-sandbox containers, but we don't do installs there.
"less unsafe" seems like the magic words here.
I have applied this patch and a docker-io package is available in my repo: http://goldmann.fedorapeople.org/repos/docker.repo Grab version >= 0.6.3-2.