
security.syscalls.intercept.mknod no longer seems to be working for docker [ nested ? ] use cases #14849

Open
jocado opened this issue Jan 24, 2025 · 7 comments

jocado commented Jan 24, 2025

LXD: latest/edge [ ver: 6.2-bde4d03 , rev: 6.2-bde4d03 ]
OS: core24

As per the subject:

# lxc config show -e test-container |grep security
  security.nesting: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"
#

# lxc exec test-container /bin/bash
# docker run -it --rm --privileged busybox mknod /root/test c 1 3
mknod: /root/test: Operation not permitted
#

If I enable priv mode, and restart test-container:

# lxc config show -e test-container |grep security
  security.nesting: "true"
  security.privileged: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"
#

# lxc exec test-container /bin/bash
# docker run -it --rm --privileged busybox mknod /root/test c 1 3
#

Outside of docker it seems to work:

# lxc config show -e test-container |grep security
  security.nesting: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"
#

# lxc exec test-container /bin/bash
# mknod /root/test c 1 3
# 

This actually came to my attention because it seems that some image layer creation can require mknod now in newer versions of docker. So a simple image pull can fail. It seems to be image dependent, but I am not sure what the actual trigger is. I don't know of any public images that contain this issue that I can share.

The image problem could be related to Native Overlay Diff: true in overlay2, but that's a complete guess on my part. If I downgrade docker to a version that doesn't enable that with overlay2 [ from 27.2.0 to 24.0.5 ] with the zfs or btrfs backing store, the image related error goes away.

Please let me know if you require any further info.

Thanks!

@tomponline

@jocado does this work on 5.0/stable or 5.21/stable versions in your environment?

jocado commented Jan 24, 2025

@jocado does this work on 5.0/stable or 5.21/stable versions in your environment?

Seems to be the same result.

jocado commented Jan 24, 2025

Just to be super clear, it works fine outside of docker still.

jocado commented Jan 24, 2025

I did also find another reference to the issue here

Can't be sure it's exactly the same, but I suspect it may be.

@tomponline

Maybe one for @mihalicyn to look into when he gets a chance.

jocado commented Jan 24, 2025

The main issue for us is the image loading for some images [ as mentioned above, for unknown reason some image pulls trigger a mknod, although the files referenced are certainly not device files ], but we can mitigate that by sticking on docker 24 for now.

However, we will need to upgrade at some point, and I wouldn't be surprised if another mknod related requirement presents itself eventually, even if we were able to stick on this version of docker for a while.

Anyway, thanks for taking a look 👍
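As an added example (not part of this issue thread, and not LXD's or docker's own code), here is a small scanner for the trigger the reporter is guessing at in the original description and in the comment above. With Native Overlay Diff on, docker's overlay2 driver applies a layer's AUFS-style `.wh.<name>` entries as overlayfs whiteouts, which are character devices 0:0 created with mknod(2), and a `.wh..wh..opq` entry as the trusted.overlay.opaque extended attribute set with setxattr(2). Those are exactly the two syscalls covered by the container's intercept settings, and it is why an image with no device files in it can still need mknod on pull. That converter behaviour is my reading of moby's pkg/archive, not something the thread confirms. The sample layer is constructed inline, and the function and file names are my own.

```python
import io
import os
import sys
import tarfile

# AUFS-style whiteout conventions carried inside docker layer tars.
WHITEOUT_PREFIX = ".wh."
OPAQUE_MARKER = ".wh..wh..opq"


def classify_layer(tar_bytes):
    """Scan a docker layer tar and report which entries overlay2 (Native
    Overlay Diff enabled) would turn into intercepted syscalls when the
    layer is applied.

    Returns (mknod_paths, setxattr_dirs):
      mknod_paths   - paths that become overlayfs whiteouts, i.e. char
                      devices 0:0 created with mknod(2), plus any real
                      device nodes shipped in the layer
      setxattr_dirs - directories that get trusted.overlay.opaque=y via
                      setxattr(2)
    """
    mknod_paths = []
    setxattr_dirs = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            dirname, base = os.path.split(member.name.rstrip("/"))
            if base == OPAQUE_MARKER:
                # opaque marker: the parent directory hides everything below
                setxattr_dirs.append(dirname or ".")
            elif base.startswith(WHITEOUT_PREFIX):
                # .wh.<name> deletes <name>; overlayfs needs a 0:0 char device
                mknod_paths.append(os.path.join(dirname, base[len(WHITEOUT_PREFIX):]))
            elif member.ischr() or member.isblk():
                # a genuine device node in the image also needs mknod
                mknod_paths.append(member.name)
    return mknod_paths, setxattr_dirs


def build_sample_layer():
    """Constructed sample layer (not a real image): it deletes /etc/old.conf,
    replaces /var/cache wholesale and adds one regular file. It contains no
    device files, yet applying it needs both mknod and setxattr."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name, data=b""):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

        def add_dir(name):
            info = tarfile.TarInfo(name)
            info.type = tarfile.DIRTYPE
            tf.addfile(info)

        add_dir("etc")
        add_file("etc/.wh.old.conf")
        add_dir("var/cache")
        add_file("var/cache/.wh..wh..opq")
        add_file("usr/bin/app", b"#!/bin/sh\n")
    return buf.getvalue()


def main(argv):
    # Pass a layer tar path (e.g. one blob from `docker save`), or run
    # without arguments to scan the constructed sample.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_layer()
    mknod_paths, setxattr_dirs = classify_layer(data)
    print("needs mknod (overlayfs whiteouts / device nodes):")
    for p in mknod_paths:
        print("  " + p)
    print("needs setxattr (trusted.overlay.opaque):")
    for d in setxattr_dirs:
        print("  " + d)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a layer blob extracted from `docker save` of an image whose pull fails: any entry listed under "needs mknod" is a candidate for the `Operation not permitted` seen in the nested case.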
