4

Problem

I am building a Docker container (based on RHEL) that includes a custom binary from a third-party repository. When executing the binary in the container, I receive a nondescript error: "Operation not permitted".

Analysis

Dockerfile

The Dockerfile is fairly simple.

FROM dockerregistry.example.com/rhel7:latest

RUN yum -y install \
    curl \
    custom-package && \
    curl -Lsq https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64 > /sbin/dumb-init && \
    chmod 755 /sbin/dumb-init && \
    yum clean all

ADD custom-package.conf /etc/custom-package/custom-package.conf

ENTRYPOINT ["/sbin/dumb-init", "--"]
CMD ["/usr/local/custom-package/bin/custom-package", "--config", "/etc/custom-package/custom-package.conf"]

Building the image

I build and enter the container on my workstation using the following commands.

$ docker build -t custom-package:v1 .
$ docker run --security-opt seccomp:unconfined -d custom-package:v1 tail -f /dev/null
$ docker exec -it <image ID> /bin/bash

"Operation not permitted"

Once I'm inside the image, if I try executing the binary, I receive an extremely unhelpful error. Running strace also gives confusing output. On inspecting file permissions and metadata, they appear to be fine.

# /usr/local/telegraf/bin/telegraf
bash: /usr/local/telegraf/bin/telegraf: Operation not permitted

# strace -f /usr/local/telegraf/bin/telegraf
execve("/usr/local/telegraf/bin/telegraf", ["/usr/local/telegraf/bin/telegraf"], [/* 17 vars */]) = -1 EPERM (Operation not permitted)
write(2, "strace: exec: Operation not perm"..., 38strace: exec: Operation not permitted
) = 38
exit_group(1)                           = ?
+++ exited with 1 +++

# ls -l /usr/local/telegraf/bin/telegraf
-rwxr-xr-x 1 telegraf telegraf 38664736 Jun  3 15:41 /usr/local/telegraf/bin/telegraf

# getcap -v /usr/local/telegraf/bin/telegraf
/usr/local/telegraf/bin/telegraf = cap_sys_rawio+ep

I am unable to collect enough information to debug my container and why the executable binary isn't working. Is there something that stands out as wrong or a reason why I would receive an unhelpful error like this?

Thanks!

2
  • There's not enough information in the question to reproduce / answer. At best we can guess? (is it a ulimit problem?) Commented Jul 12, 2017 at 19:19
  • @AnthonySottile What information would I be able to provide to make this easier to debug? Ultimately, I don't want the package fixed (I assume that's something I'll have to do myself), but I just want to get more helpful info to go off for debugging. Commented Jul 12, 2017 at 19:23

1 Answer

6

The SYS_RAWIO capability needs the --privileged option to access the devices. See capabilities(7).

http://man7.org/linux/man-pages/man7/capabilities.7.html

   CAP_SYS_RAWIO
          * Perform I/O port operations (iopl(2) and ioperm(2));
          * access /proc/kcore;
          * employ the FIBMAP ioctl(2) operation;
          * open devices for accessing x86 model-specific registers (MSRs, see msr(4));
          * update /proc/sys/vm/mmap_min_addr;
          * create memory mappings at addresses below the value specified by /proc/sys/vm/mmap_min_addr;
          * map files in /proc/bus/pci;
          * open /dev/mem and /dev/kmem;
          * perform various SCSI device commands;
          * perform certain operations on hpsa(4) and cciss(4) devices;
          * perform a range of device-specific operations on other devices.

2 Comments

Thanks, this solved the problem and I was able to execute the binary without an issue. A quick follow-up question, though – would you anticipate this being a security concern if running the Docker container in a production environment because of the elevated privileges?
You could use strace to see the devices it needs to access and pass the device with --device and add the sys_rawio capability (and maybe others) with the --cap-add option. Finally, you could lock it further with AppArmor/SELinux and a seccomp profile.
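As an added example, not code from the question, the answer or the comments above: the script below shows why the question's strace ends in `execve(...) = -1 EPERM` and turns the comment's advice into a concrete, least-privilege `docker run`. The binary carries the file capability `cap_sys_rawio+ep` (the `getcap -v` line in the question), and capabilities(7) states that exec of such a "capability-dumb" binary fails with EPERM when the new process cannot obtain every capability in the file permitted set; Docker's default capability bounding set does not include CAP_SYS_RAWIO, so the exec itself is refused before the program runs. The getcap line is taken from the question; the `CapBnd` value, the strace lines, the helper function names and the seccomp profile path are constructed samples and assumptions of this example, not output from the page or values from Docker or the package.

```python
"""Added example (not code from the question or the answer): why execve of
the telegraf binary returned EPERM, and how to turn the answer's --privileged
into a least-privilege `docker run`. All sample outputs below are constructed
to match the question; the helper names and the seccomp path are this
example's own assumptions, not Docker's or the package's."""
import re
import shlex

# Capability bit numbers from <linux/capability.h> (subset used here).
CAP_BITS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_fowner": 3, "cap_fsetid": 4,
    "cap_kill": 5, "cap_setgid": 6, "cap_setuid": 7, "cap_setpcap": 8,
    "cap_net_bind_service": 10, "cap_net_raw": 13, "cap_sys_rawio": 17,
    "cap_sys_chroot": 18, "cap_mknod": 27, "cap_audit_write": 29,
    "cap_setfcap": 31,
}

# Constructed sample: the getcap -v line from the question.
GETCAP_OUTPUT = "/usr/local/telegraf/bin/telegraf = cap_sys_rawio+ep"

# Constructed sample: CapBnd from /proc/self/status in a container started
# with Docker's default capability set (no --privileged, no --cap-add).
STATUS_OUTPUT = "CapBnd:\t00000000a80425fb"

# Constructed sample: strace lines from the binary once it runs (the
# comment above suggests tracing it to see which devices it opens).
STRACE_OUTPUT = """\
openat(AT_FDCWD, "/etc/custom-package/custom-package.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/mem", O_RDONLY|O_SYNC) = 4
openat(AT_FDCWD, "/dev/cpu/0/msr", O_RDONLY) = 5
openat(AT_FDCWD, "/dev/mem", O_RDONLY|O_SYNC) = 6
"""


def parse_file_caps(getcap_line):
    """Return (set of capability names, effective-bit set?) for one getcap -v line."""
    m = re.search(r"=\s*([\w,]+)\+(\w+)\s*$", getcap_line)
    if not m:
        return set(), False
    return set(m.group(1).split(",")), "e" in m.group(2)


def parse_bounding_set(status_text):
    """Return the capability names whose bit is set in the CapBnd mask."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    mask = int(m.group(1), 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def explain_exec_failure(getcap_line, status_text):
    """Capabilities the file demands that the bounding set cannot supply.

    capabilities(7), "Safety checking for capability-dumb binaries": when the
    file's effective bit is set and the new process cannot obtain every
    capability in the file permitted set, execve(2) fails with EPERM. That is
    the -1 EPERM on execve in the question's strace output."""
    file_caps, effective = parse_file_caps(getcap_line)
    if not effective:
        return []  # no effective bit: exec succeeds, the cap is just not gained
    return sorted(file_caps - parse_bounding_set(status_text))


def devices_from_strace(strace_text):
    """Device nodes the traced binary opened, first-seen order, de-duplicated."""
    seen = []
    for path in re.findall(r'open(?:at)?\([^"]*"(/dev/[^"]+)"', strace_text):
        if path not in seen:
            seen.append(path)
    return seen


def docker_run_args(image, devices, caps,
                    seccomp_profile="/etc/docker/custom-package-seccomp.json"):
    """Argument list granting only the observed devices and capabilities.

    --cap-add, --device and --security-opt seccomp=... are real docker run
    flags; the profile path is a placeholder for one written for this binary
    (the question's seccomp:unconfined disables syscall filtering entirely)."""
    args = ["docker", "run"]
    for cap in caps:
        name = cap.upper()
        args += ["--cap-add", name[4:] if name.startswith("CAP_") else name]
    for dev in devices:
        args += ["--device", dev]
    return args + ["--security-opt", "seccomp=" + seccomp_profile, image]


def recommend_run_command(image="custom-package:v1"):
    """Missing capabilities become --cap-add, opened devices become --device."""
    missing = explain_exec_failure(GETCAP_OUTPUT, STATUS_OUTPUT)
    devices = devices_from_strace(STRACE_OUTPUT)
    return " ".join(shlex.quote(a) for a in docker_run_args(image, devices, missing))


if __name__ == "__main__":
    print("caps missing from bounding set:",
          explain_exec_failure(GETCAP_OUTPUT, STATUS_OUTPUT))
    print(recommend_run_command())
```

The resulting command grants CAP_SYS_RAWIO plus only the device nodes the trace showed, rather than `--privileged`, which hands the container every capability and every host device. Whatever the binary does with /dev/mem or the MSR devices is then confined to those nodes and to the seccomp profile, and a real `CapBnd` value from `/proc/self/status` inside the running container can be fed to `parse_bounding_set` to confirm the diagnosis on the actual image.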
