Compose: docker-compose not properly passing seccomp profile

Created on 3 Feb 2016 · 18Comments · Source: docker/compose

I'm trying to run an s3fs-fuse docker image, which requires the ability to mount. When running in Docker 1.10, I need to provide my own seccomp profile to allow mounting.

This works fine:

$ docker run -it --cap-add mknod --cap-add sys_admin --device /dev/fuse --security-opt seccomp:./my_seccomp_profile.json myimage

This docker-compose file does not:

service:
  image: myimage
  security_opt:
    - seccomp:./my_seccomp_profile.json
  devices:
    - /dev/fuse
  cap_add:
    - mknod
    - sys_admin

$ docker-compose up
ERROR: Cannot start container 4b13ef917b9f3267546e6bb8d8f226460c903e8f12a1d068aff994653ec12d0b: Decoding seccomp profile failed: invalid character '.' looking for beginning of value

If I provide a full path to the profile, I get the same error (except '/' instead of '.').

environment

$ docker version  
Client:
 Version:      1.10.0-rc3
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   08c24cc
 Built:        Tue Feb  2 23:01:16 2016
 OS/Arch:      darwin/amd64

Server:
 Version:      1.10.0-rc1
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   677c593
 Built:        Fri Jan 15 18:17:17 2016
 OS/Arch:      linux/amd64
$ docker-compose version
docker-compose version 1.6.0rc2, build 695c692
docker-py version: 1.7.0-rc3
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014

areconfig kinbug kinparity

Source

hairyhenderson

👍4

Most helpful comment

I think putting seccomp:unconfined should work, but you cannot use a specific file until this is fixed.

justincormack on 30 Mar 2016

👍3

All 18 comments

I'm suffering from the same issue and getting the same error output. My environment details in case it's useful;

$ sudo docker version
Client:
 Version:      1.10.2
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   c3959b1
 Built:        Mon Feb 22 21:40:35 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.10.2
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   c3959b1
 Built:        Mon Feb 22 21:40:35 2016
 OS/Arch:      linux/amd64

$ sudo docker-compose version
docker-compose version 1.6.2, build 4d72027
docker-py version: 1.7.2
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013

sjiveson on 2 Mar 2016

Seeing this also, similar configuration to the @sjiveson

Rucknar on 8 Mar 2016

Confirmed here too.

endophage on 30 Mar 2016

The seccomp file is client side, and so compose needs to provide the contents of it to the API call, it is a bit unusual as a config option. See https://github.com/docker/docker/pull/19060 for where this was added in engine.

justincormack on 30 Mar 2016

@justincormack Fine with that but how do we achieve this?
If i want to deploy a container through compose and enable a specific syscall, how would i achieve it?

Rucknar on 30 Mar 2016

I think putting seccomp:unconfined should work, but you cannot use a specific file until this is fixed.

justincormack on 30 Mar 2016

👍3

Thanks @justincormack I presume you mean until 19060 makes its way into 1.11?

Rucknar on 30 Mar 2016

No 19060 was just for reference as to what needs implementing, it has been in for ages. Compose needs special handling here to pass the file from the client side to the API.

justincormack on 30 Mar 2016

Confirmed here also, any updates on when this will be resolved? Need to be able to allow the mount syscall via a custom seccomp profile for FUSE usage.

CpuID on 25 Jul 2016

If you use docker 1.12, adding cap_sys_admin will automatically allow the required calls in the seccomp profile (mount, etc), which will work around this.

justincormack on 25 Jul 2016

Is that actually documented anywhere please @justincormack? Also, can we ever expect real compose support rather than a workaround?

sjiveson on 19 Dec 2016

@sjiveson hmm, I thought it was documented but I cant find the docs now, will have to check and open a docs PR. Generally it is better to use this feature than to try to modify the seccomp profile, which is complicated and error prone. Since 1.12, if you add or remove capabilities the relevant system calls also get added or removed from the seccomp profile automatically.

justincormack on 19 Dec 2016

Thank you. Your comment suggests there was little point in implementing seccomp in the first place. Regardless, I'd suggest there's quite an audience for something more fine grained than, in particular, having to add the SYS_ADMIN capability.

sjiveson on 19 Dec 2016

👍1

@sjiveson no its pretty useful, and protected against several exploits, but the format is not user friendly. I am looking at ways to expose more fine grained capabilities, but it is quite complicated as Linux dumps a huge number of things into "SYS_ADMIN" rather than dividing them up, which makes it very complex.

justincormack on 19 Dec 2016

Indeed, quite the dumping ground. Makes for a good example of technical debt.

sjiveson on 19 Dec 2016

I'm having real issues with seccomp and Couchbase (CB), so much so that I'd to revert to using an older version of CB. CB 4.5 crashes constantly after upgrading to Docker 2.13 and Compose 1.8. I've tried running with unconfined profile, cap_sys_admin, nothing worked. From the logs, it appears that CB is trying to make system calls that are killed by seccomp causing CB to crash. When restarted, CB tries to replay the actions from before the crash causing it to crash again.
IT won't let me share the logs on a public forum but I'm now beginning to question if the introduction of seccomp warranted more thought than was allotted.