Enable CONFIG_SECURITY support on 6.6.X-linuxkit · Issue #7250 · docker/for-mac
Description
When trying to run eBPF-based security tools, like Tetragon (also see related Tetragon GH issue), on Docker Desktop-based KIND clusters, we're seeing issues like the following one, as the Docker Desktop (4.28.0 (139021), Server Version: 25.0.3) shipped kernel 6.6.16-linuxkit doesn't have CONFIG_SECURITY=y set at kernel compilation time:
... aborting could not load BPF programs: failed prog /var/lib/tetragon/bpf_execve_bprm_commit_creds.o kern_version 394768 loadInstance: attaching 'tg_kp_bprm_committing_creds' failed: creating perf_kprobe PMU (arch-specific fallback for "security_bprm_committing_creds"): token __arm64_security_bprm_committing_creds: not found: no such file or directory
It's not set on the Docker Desktop included VM:
$ docker run -it --rm --privileged --pid=host ubuntu nsenter -t 1 -m -u -n -i sh -c 'cat /proc/config.gz | gunzip | grep CONFIG_SECURITY'
CONFIG_SECURITY_DMESG_RESTRICT=y
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y
However, on the upstream linuxkit/linuxkit project it's already enabled for x86_64 and aarch64.
Can we please get CONFIG_SECURITY=y set on the Docker Desktop linuxkit VM as well?
Reproduce
- Install Docker Desktop (v4.28.0) with kernel 6.6.16-linuxkit on an ARM64 Mac
- Run docker run -it --rm --privileged --pid=host ubuntu nsenter -t 1 -m -u -n -i sh -c 'cat /proc/config.gz | gunzip | grep CONFIG_SECURITY'
Expected behavior
No response
docker version
Client:
 Cloud integration: v1.0.35+desktop.11
 Version:           25.0.3
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        4debf41
 Built:             Tue Feb  6 21:13:26 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.28.0 (139021)
 Engine:
  Version:          25.0.3
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       f417435
  Built:            Tue Feb  6 21:14:22 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
docker info
Client:
 Version:    25.0.3
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1-desktop.4
    Path:     /Users/user/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.6-desktop.1
    Path:     /Users/user/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container. (Docker Inc.)
    Version:  0.0.24
    Path:     /Users/user/.docker/cli-plugins/docker-debug
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/user/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.22
    Path:     /Users/user/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.4
    Path:     /Users/user/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.0.1
    Path:     /Users/user/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/user/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.5.0
    Path:     /Users/user/.docker/cli-plugins/docker-scout
WARNING: Plugin "/Users/user/.docker/cli-plugins/docker-scan" is not valid: failed to fetch metadata: fork/exec /Users/user/.docker/cli-plugins/docker-scan: no such file or directory

Server:
 Containers: 30
  Running: 4
  Paused: 0
  Stopped: 26
 Images: 52
 Server Version: 25.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.6.16-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 10
 Total Memory: 11.67GiB
 Name: docker-desktop
 ID: 03bc7779-afb1-46ce-a5ba-5f0ef9409d97
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile
Diagnostics ID
D157BC07-AB5D-4FE5-8D0B-647AB720B1AC/20240415141419
Additional Info
No response
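The reproduction step above greps the VM kernel config by hand. The following script is an added example, not code from the issue author, Docker or Tetragon: it pulls /proc/config.gz out of the Docker Desktop VM with the same nsenter trick the report uses, parses the kconfig lines (distinguishing "=y", "=m", "# ... is not set" and "absent"), and fails if any required option is not built in. The option list beyond CONFIG_SECURITY is an assumption: CONFIG_BPF_SYSCALL and CONFIG_KPROBES are the generic prerequisites for attaching BPF kprobes at all. It also checks /proc/kallsyms for the LSM hook the kprobe targeted, since with CONFIG_SECURITY unset the security_* hooks are compiled as inline stubs and never show up as kernel symbols, which is what the "not found" error in the report reflects. The live checks run only with --live; the parsing functions work on any saved config file.

```shell
#!/bin/sh
# Added example: check the Docker Desktop VM kernel for the options an
# LSM-hook-based eBPF tool (Tetragon in the report) needs.
# Assumption: CONFIG_BPF_SYSCALL and CONFIG_KPROBES in addition to CONFIG_SECURITY.
REQUIRED="CONFIG_SECURITY CONFIG_BPF_SYSCALL CONFIG_KPROBES"
# The kprobe target from the report's error message.
LSM_HOOK="security_bprm_committing_creds"

# kconfig_status OPTION < config-text
# Prints y/m (built in / module), n ("# OPTION is not set") or ? (absent).
kconfig_status() {
    awk -v opt="$1" '
        $0 == ("# " opt " is not set") { print "n"; found = 1; exit }
        index($0, opt "=") == 1        { split($0, kv, "="); print kv[2]; found = 1; exit }
        END { if (!found) print "?" }'
}

# check_kconfig FILE : exit 0 if every REQUIRED option is =y, else list offenders and exit 1.
check_kconfig() {
    rc=0
    for opt in $REQUIRED; do
        st=$(kconfig_status "$opt" < "$1")
        if [ "$st" != "y" ]; then
            echo "$opt: $st (want y)"
            rc=1
        fi
    done
    return $rc
}

# Enter pid 1's namespaces in the VM (same approach as the report) and dump the config.
dump_vm_config() {
    docker run --rm --privileged --pid=host ubuntu \
        nsenter -t 1 -m -u -n -i sh -c 'gunzip -c /proc/config.gz'
}

# vm_has_symbol NAME : true if the VM kernel exports NAME in /proc/kallsyms.
vm_has_symbol() {
    docker run --rm --privileged --pid=host ubuntu \
        nsenter -t 1 -m -u -n -i sh -c "grep -qw '$1' /proc/kallsyms"
}

main() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    echo "kernel: $(docker info --format '{{.KernelVersion}}')"
    dump_vm_config > "$tmp"
    if check_kconfig "$tmp"; then
        echo "all required options are built in"
    else
        echo "kernel lacks options needed for LSM-hook kprobes"
        exit 1
    fi
    if vm_has_symbol "$LSM_HOOK"; then
        echo "$LSM_HOOK present in kallsyms"
    else
        echo "$LSM_HOOK missing from kallsyms (LSM hooks are inline stubs without CONFIG_SECURITY)"
        exit 1
    fi
}

case "${1:-}" in
    --live) main ;;
esac
```

Run it as `sh check-vm-kconfig.sh --live` against a running Docker Desktop; on the 6.6.16-linuxkit kernel from the report it should print "CONFIG_SECURITY: n (want y)" and exit 1. The awk prefix match on "OPTION=" is exact, so CONFIG_SECURITY does not accidentally match CONFIG_SECURITYFS, which the plain grep in the report does.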