docker rootless support ? #525

Open
parisni opened this issue Sep 14, 2024 · 4 comments

Comments

parisni commented Sep 14, 2024

Wondering if SP would work w/ Docker in rootless mode.

Apart from the security perspective, one interesting effect would be Docker volume access.

Right now, when SP mounts a dynamic volume, let's say one containing the username, the very first time Docker creates the folder both on the host and within the container with root access. As a result, if the Docker image is not root, that folder is read-only.

With Docker rootless the volume would be created by the user, say 1000:1000, which is used by most containers (Jupyter, rstudio at least).

parisni (Author) commented Sep 15, 2024

Sounds like it works fine!

The volume is no longer an issue, and it's much more secure to run Docker in rootless mode.
DIND also works fine, but the shiny-proxy container has to run with user=0 (in order to read the /run/user/1000/docker.sock file).

LEDfan (Member) commented Sep 16, 2024

Hi, as you noticed ShinyProxy works fine with rootless docker, although it's important that ShinyProxy is using the same user, such that it's able to access the docker socket (the use of a TCP port is insecure and would remove the benefit of rootless docker).

When running ShinyProxy in Docker, you can use (almost) the same commands as here: https://github.com/openanalytics/shinyproxy-config-examples/tree/master/02-containerized-docker-engine#how-to-run . Apparently, when mounting the Docker socket, Docker changes the ownership to root:docker, where docker is the docker group on the host machine. Therefore, you must pass the --group-add $(getent group docker | cut -d: -f3) option to the docker run command. This ensures ShinyProxy runs with a user that is part of the docker group. Therefore, ShinyProxy will have access to the docker socket, even if the shinyproxy user and the user running the docker daemon have a different id.

EDIT: we will add this information to the documentation and examples.
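Added example, not code from the ShinyProxy project or from anyone in this thread: a small shell script that reproduces the socket-access reasoning behind the --group-add advice above, and behind parisni's earlier observation that user=0 also lets the container read the socket. It assumes the rootless daemon's socket lives at $XDG_RUNTIME_DIR/docker.sock, that the host has a docker group, and that the ShinyProxy image is openanalytics/shinyproxy as in the config examples; the getent line and the socket owner/group/mode it reasons about are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the ShinyProxy project or this thread): who can open
# the rootless Docker socket once it is bind-mounted into the ShinyProxy
# container, and the `docker run` flags that follow from it. Assumes the rootless
# daemon listens on $XDG_RUNTIME_DIR/docker.sock (/run/user/<uid>/docker.sock) and
# that the host has a "docker" group. The getent line and the socket
# owner/group/mode below are constructed samples; real values come from
# `getent group docker`, `id`, and `stat -c '%u %g %a' "$XDG_RUNTIME_DIR/docker.sock"`.

# Numeric gid from a `getent group <name>` line, e.g. "docker:x:997:alice" -> 997.
gid_from_group_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Owner/group/other (DAC) check, as applied when a process connects to a unix socket:
#   $1 uid, $2 primary gid, $3 supplementary gids (space separated, may be empty),
#   $4 socket owner uid, $5 socket group gid, $6 socket mode as 3 octal digits (660).
# uid 0 is treated as allowed: inside the container's user namespace root holds
# CAP_DAC_OVERRIDE over files owned by mapped ids, which is why user=0 also works,
# at the price of running ShinyProxy as root in the container.
can_rw_socket() {
    local uid="$1" gid="$2" extra="$3" owner="$4" group="$5" mode="${6#0}" o g w sg in_group=0
    o=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    w=$(printf '%s' "$mode" | cut -c3)
    [ "$uid" -eq 0 ] && return 0
    if [ "$uid" -eq "$owner" ]; then
        [ $(( o & 6 )) -eq 6 ]; return
    fi
    [ "$gid" -eq "$group" ] && in_group=1
    for sg in $extra; do
        [ "$sg" -eq "$group" ] && in_group=1
    done
    if [ "$in_group" -eq 1 ]; then
        [ $(( g & 6 )) -eq 6 ]; return
    fi
    [ $(( w & 6 )) -eq 6 ]
}

# Flags from the advice above: mount the socket and add the host docker gid as a
# supplementary group of the (non-root) ShinyProxy process. $1 socket path, $2 gid.
shinyproxy_run_flags() {
    printf '%s %s -v %s:/var/run/docker.sock' '--group-add' "$2" "$1"
}

demo() {
    local sock gid
    sock="${XDG_RUNTIME_DIR:-/run/user/1000}/docker.sock"
    gid=$(gid_from_group_line 'docker:x:997:alice')   # constructed `getent group docker` output
    # Constructed: inside the container the mounted socket shows as root:docker with mode 660.
    if can_rw_socket 1000 1000 "" 0 "$gid" 660; then
        echo "uid 1000 without the docker group: allowed"
    else
        echo "uid 1000 without the docker group: denied (this is the failure --group-add fixes)"
    fi
    if can_rw_socket 1000 1000 "$gid" 0 "$gid" 660; then
        echo "uid 1000 with --group-add $gid: allowed"
    fi
    if can_rw_socket 0 0 "" 0 "$gid" 660; then
        echo "uid 0 (user=0): allowed, but ShinyProxy then runs as root inside the container"
    fi
    echo "docker run -d $(shinyproxy_run_flags "$sock" "$gid") ... openanalytics/shinyproxy"
}
demo
```

The can_rw_socket check is the plain owner/group/other test the kernel applies when ShinyProxy opens the unix socket, and it accounts for the three options discussed in this thread: a uid 1000 process without the docker gid is denied, with --group-add it passes, and user=0 passes because root inside the container's user namespace bypasses the check for files owned by mapped ids. Making the socket mode 666 or exposing the daemon on a TCP port would also pass, but both hand the Docker API, and with it every container the daemon runs, to anything else on the host or network, which is the benefit of rootless Docker that the comment above warns against throwing away.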

LDSamson commented Sep 17, 2024

> Sounds like it works fine!
>
> The volume is no longer an issue, and it's much more secure to run Docker in rootless mode. DIND also works fine, but the shiny-proxy container has to run with user=0 (in order to read the /run/user/1000/docker.sock file).

@parisni just adding my experience since I happened to work on exactly the same problem the last weeks (getting containerized shinyproxy running in Rootless mode). It took us some time to get mounted volumes working, but we managed to get the setup working without setting a user to root in any of the containers (including the ShinyProxy container).

Following this advice, we used rootlesskit to change ownership of the volume that needs to be mounted to a UID that is available in the container (thus, to a specific subUID on the host):

rootlesskit -- chown -R shinyproxy:shinyproxy data_folder

I tested since last week, and so far it works quite well with ShinyProxy, regardless of the number of containers in use.

parisni (Author) commented Oct 1, 2024

> Therefore, you must pass the --group-add $(getent group docker | cut -d: -f3) option to the docker run command

As for rootless, to me it's OK to either set group-add=997 or user=0. Indeed, both work for DIND.

> rootlesskit -- chown -R shinyproxy:shinyproxy data_folder

Interesting.

Works fine so far; however, I'm not sure why apps started by ShinyProxy run as the root user by default (it's mapped to the host rootless user, BTW). For example, execing into rstudio gives:

$ docker exec -it parisni-rstudio-3193 bash
root@5099e35347d2:/# whoami
root

and the logs are:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_set_env: executing...
skipping /var/run/s6/container_environment/HOME
skipping /var/run/s6/container_environment/RSTUDIO_VERSION
[cont-init.d] 01_set_env: exited 0.
[cont-init.d] 02_userconf: executing...
Assuming the container runs under rootless mode
Under rootless mode,
 - You will log in using 'root' as user
 - You will have root privileges within the container (e.g. apt)
 - The files you create as root on mounted volumes will appear at the host as owned by the user who started the container
 - You can't modify host files you don't have permission to
 - You should NOT run in RUNROOTLESS=true if you are using the container with privileges (e.g. sudo docker run... or sudo podman run...)
Skipping authentication as requested
setting minimum authorised user to 0 (RUNROOTLESS=true)
deleting the default user (rstudio) since it is not needed.
No password has been supplied.
No password has been supplied.
No password has been supplied.
chpasswd: (user root) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user root) password not changed
No sudoers changes needed when running rootless
[cont-init.d] 02_userconf: exited 0.
[cont-init.d] 03_setup_root_path.sh: executing...
root path: /app_proxy/64dec17c-213d-4d9d-b9f8-e44c7cd49989/
Set www-root-path to /app_proxy/64dec17c-213d-4d9d-b9f8-e44c7cd49989/
[cont-init.d] 03_setup_root_path.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

Now, if I set docker-user: 1000 in the spec, the user is rstudio:

docker exec -it parisni-rstudio-2431 bash
rstudio@e7364393aacc:/$ whoami
rstudio

The container fails to start correctly and I get the following logs:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/01_set_env: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/03_setup_root_path.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/02_userconf: Operation not permitted
s6-chmod: fatal: unable to change mode of /var/run/s6/etc/cont-init.d/01_set_env: Operation not permitted
s6-chmod: fatal: unable to change mode of /var/run/s6/etc/cont-init.d/03_setup_root_path.sh: Operation not permitted
s6-chmod: fatal: unable to change mode of /var/run/s6/etc/cont-init.d/02_userconf: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/rstudio/run: Operation not permitted
s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/rstudio/run: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/rstudio/finish: Operation not permitted
s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/rstudio/finish: Operation not permitted
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_set_env: executing...
sed: couldn't open temporary file /usr/local/lib/R/etc/sedZuoyA4: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/CRAN
sed: couldn't open temporary file /usr/local/lib/R/etc/sedUl5VfW: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/CWD
sed: couldn't open temporary file /usr/local/lib/R/etc/sedFaQetk: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/DEFAULT_USER
sed: couldn't open temporary file /usr/local/lib/R/etc/sedKN4iZm: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/DISABLE_AUTH
sed: couldn't open temporary file /usr/local/lib/R/etc/seds1fq0I: Permission denied
skipping /var/run/s6/container_environment/HOME
sed: couldn't open temporary file /usr/local/lib/R/etc/sedPYHjTT: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/HOSTNAME
sed: couldn't open temporary file /usr/local/lib/R/etc/sedcsEFJf: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/LANG
sed: couldn't open temporary file /usr/local/lib/R/etc/sedqpBNZT: Permission denied
skipping /var/run/s6/container_environment/PATH
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
sed: couldn't open temporary file /usr/local/lib/R/etc/sedGiCinw: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/R_HOME
sed: couldn't open temporary file /usr/local/lib/R/etc/sed8AfcBC: Permission denied
skipping /var/run/s6/container_environment/RSTUDIO_VERSION
sed: couldn't open temporary file /usr/local/lib/R/etc/sedoh7q62: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/R_VERSION
sed: couldn't open temporary file /usr/local/lib/R/etc/sedgVRP5g: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/S6_VERSION
sed: couldn't open temporary file /usr/local/lib/R/etc/sedSsdM2T: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/SHINYPROXY_PUBLIC_PATH
sed: couldn't open temporary file /usr/local/lib/R/etc/sedaA8b0C: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/SHINYPROXY_USERGROUPS
sed: couldn't open temporary file /usr/local/lib/R/etc/sedFSTQBn: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/SHINYPROXY_USERNAME
sed: couldn't open temporary file /usr/local/lib/R/etc/sed2IMjzH: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/TZ
sed: couldn't open temporary file /usr/local/lib/R/etc/sedgJcm8p: Permission denied
/var/run/s6/etc/cont-init.d/01_set_env: line 9: /usr/local/lib/R/etc/Renviron.site: Permission denied
skipping /var/run/s6/container_environment/WWW_ROOT_PATH
[cont-init.d] 01_set_env: exited 0.
[cont-init.d] 02_userconf: executing...
Assuming the container runs under rootless mode
Under rootless mode,
 - You will log in using 'root' as user
 - You will have root privileges within the container (e.g. apt)
 - The files you create as root on mounted volumes will appear at the host as owned by the user who started the container
 - You can't modify host files you don't have permission to
 - You should NOT run in RUNROOTLESS=true if you are using the container with privileges (e.g. sudo docker run... or sudo podman run...)
usermod: Permission denied.
usermod: cannot lock /etc/passwd; try again later.
usermod: Permission denied.
usermod: cannot lock /etc/passwd; try again later.
cp: cannot create regular file '/etc/rstudio/rserver.conf': Permission denied
/var/run/s6/etc/cont-init.d/02_userconf: line 108: /etc/environment: Permission denied


tput: No value for $TERM and no -T specified
The password is set to aeb5eyieTh0aech2
If you want to set your own password, set the PASSWORD environment variable. e.g. run with:
docker run -e PASSWORD=<YOUR_PASS> -p 8787:8787 rocker/rstudio
tput: No value for $TERM and no -T specified


setting minimum authorised user to 0 (RUNROOTLESS=true)
/var/run/s6/etc/cont-init.d/02_userconf: line 134: /etc/rstudio/rserver.conf: Permission denied
deleting the default user (rstudio) since it is not needed.
userdel: user rstudio is currently used by process 1
chpasswd: (user root) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user root) password not changed
Changing password for root.
No sudoers changes needed when running rootless
[cont-init.d] 02_userconf: exited 0.
[cont-init.d] 03_setup_root_path.sh: executing...
foreground: warning: unable to spawn /var/run/s6/etc/cont-init.d/03_setup_root_path.sh: Permission denied
[cont-init.d] 03_setup_root_path.sh: exited 127.
[cont-init.d] done.
[services.d] starting services
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise rstudio: warning: unable to spawn ./run - waiting 10 seconds

So this is apparently how rootless mode works. But it also means I can break the container with (which is not really a big deal):

rm -rf /
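Added example, not code from ShinyProxy, rootlesskit or rocker: a shell script showing the uid arithmetic behind LDSamson's rootlesskit chown trick above and behind the "root in the container is the host rootless user" behaviour that parisni sees in the rocker logs. On the host side it derives, from a user's /etc/subuid entry, the host uid that a given container uid becomes (which is what running chown under rootlesskit achieves without doing the arithmetic yourself); on the container side it reads /proc/self/uid_map the way an init script can tell it is running rootless. The /etc/subuid entry (alice:100000:65536 for a host user with uid 1000), the uid_map contents, and the assumption that the shinyproxy user is uid 1000 inside the container are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example (not from ShinyProxy, rootlesskit or rocker): the uid mapping
# rootless Docker applies, computed from the host side (/etc/subuid) and from
# inside a container (/proc/self/uid_map). All inputs below are constructed;
# on a real host use `grep "^$USER:" /etc/subuid` and `cat /proc/self/uid_map`.

# Host view. rootlesskit maps container uid 0 to the rootless user's own uid and
# container uids 1..count to the subordinate range start..start+count-1.
#   $1 = container uid, $2 = host uid of the rootless user,
#   $3 = that user's /etc/subuid line, e.g. "alice:100000:65536"
# Prints the host uid, or prints nothing and fails if the uid is not mapped
# (files with such owners show up inside the container as nobody/65534).
host_uid_for_container_uid() {
    local cuid="$1" huid="$2" line="$3" start count
    start=$(printf '%s\n' "$line" | cut -d: -f2)
    count=$(printf '%s\n' "$line" | cut -d: -f3)
    if [ "$cuid" -eq 0 ]; then
        echo "$huid"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        echo $(( start + cuid - 1 ))
    else
        return 1
    fi
}

# Container view. Each /proc/self/uid_map row is "<inside> <outside> <count>";
# read from inside the container, <outside> is the id in the parent (host)
# namespace. $1 = uid_map contents, $2 = container uid. Prints the host uid,
# or nothing if the uid is unmapped.
host_uid_from_uid_map() {
    local map="$1" cuid="$2"
    printf '%s\n' "$map" | while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $(( inside + count )) ]; then
            echo $(( outside + cuid - inside ))
            break
        fi
    done
}

# "Rootless" means container uid 0 is some unprivileged host uid. For a daemon
# running as real root (no user namespace) the map is the identity "0 0 4294967295".
is_rootless_container() {
    [ "$(host_uid_from_uid_map "$1" 0)" != "0" ]
}

demo() {
    local subuid uidmap target
    subuid='alice:100000:65536'                       # constructed /etc/subuid entry (host uid 1000)
    uidmap='         0       1000          1
         1     100000      65536'                     # constructed /proc/self/uid_map seen in a container
    # What `rootlesskit -- chown -R shinyproxy:shinyproxy data_folder` achieves when
    # shinyproxy is uid 1000 inside the container (assumed): the host directory ends
    # up owned by the subordinate id below. The same chown done from the host would
    # have to name that number explicitly, i.e. sudo chown -R 100999 data_folder.
    target=$(host_uid_for_container_uid 1000 1000 "$subuid")
    echo "container uid 1000 -> host uid $target"
    echo "container uid 0    -> host uid $(host_uid_from_uid_map "$uidmap" 0)"
    if is_rootless_container "$uidmap"; then
        echo "rootless: root inside the container is host uid $(host_uid_from_uid_map "$uidmap" 0), not real root"
    fi
}
demo
```

The two functions are inverses of each other over the same mapping, so the numbers agree: container uid 1000 is host uid 100999 whichever side you compute from, and container uid 0 is host uid 1000. That is also the practical reading of the rm -rf / remark above: root inside a rootless container can wreck the container's own writable layer, but on bind-mounted host paths it has only the rights of host uid 1000 or of the subordinate ids, which is the containment rootless mode buys.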
