From cd0f36e10d9a027633de17b1382a6e737200d91f Mon Sep 17 00:00:00 2001 From: madelen-axis Date: Tue, 28 Nov 2023 16:27:46 +0100 Subject: [PATCH 1/4] Added support for secondary groups NB! If a container needs sub-group access it has to use the group-add flag. --- README.md | 29 ++++++++++++++++++++++++++++- app/manifest.json | 4 +++- app/postinstallscript.sh | 13 ++++++++++--- app/preuninstallscript.sh | 4 ++-- 4 files changed, 43 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 16240b0..bcfe1bc 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,8 @@ device. In addition it bundles the docker CLI and the docker Compose CLI. > * Only uid and gid are properly mapped between device and containers, not the other groups that > the user is a member of. This means that resources on the device, even if they are volume or device > mounted can be inaccessible inside the container. This can also affect usage of unsupported dbus -> methods from the container. +> methods from the container. See [Using host user secondary groups in container](#using-host-user-secondary-groups-in-container) +> for how to handle this. > * iptables use is disabled. > * The docker.socket group ownership is set to `addon`. @@ -39,6 +40,7 @@ device. In addition it bundles the docker CLI and the docker Compose CLI. - [Using the Docker Compose ACAP remotely](#using-the-docker-compose-acap-remotely) - [Test that the Docker ACAP can run a container](#test-that-the-docker-acap-can-run-a-container) - [Loading images onto a device](#loading-images-onto-a-device) + - [Using host user secondary groups in container](#using-host-user-secondary-groups-in-container) - [Building the Docker Compose ACAP](#building-the-docker-compose-acap) - [Installing a locally built Docker Compose ACAP](#installing-a-locally-built-docker-compose-acap) - [Contributing](#contributing) @@ -337,6 +339,31 @@ and `load` can be used. docker save | docker --tlsverify --host tcp://$DEVICE_IP:$DOCKER_PORT load ``` +#### Using host user secondary groups in container + +The Docker Compose ACAP is run by a non-root user on the device. This user is set +up to be a member in a number of secondary groups as listed in the +[manifest.json](https://github.com/AxisCommunications/docker-compose-acap/blob/rootless-preview/app/manifest.json#L6-L11) +file. When running a container a user called `root`, (uid 0), belonging to group `root`, (gid 0) +will be the default user inside the container. It will be mapped to the non-root user on +the device, and the group will be mapped to the non-root users primary group. +In order to get access inside the container to resources on the device that are group owned by any +of the non-root users secondary groups these need to be added for the container user. +This can be done by using `group_add` in a docker-compose.yaml (`--group-add` if using Docker cli). +Unfortunately, adding the names of the secondary groups are not supported, instead the *mapped* ids +of the groups need to be used. At the moment of writing this the mappings are + +| device group | container group id | +| ------------ | ------------------ | +| datacache | "1" | +| sdk | "2" | +| sdk | "2" | +| storage | "3" | +| vdo | "4" | +| optics | "5" | + +Note that the names of the groups will not be correctly displayed inside the container. + ## Building the Docker Compose ACAP To build the Docker Compose ACAP use docker buildx with the provided Dockerfile: diff --git a/app/manifest.json b/app/manifest.json index 6d031c9..087e150 100644 --- a/app/manifest.json +++ b/app/manifest.json @@ -4,6 +4,8 @@ "linux": { "user": { "groups": [ + "datacache", + "optics", "sdk", "storage", "vdo" @@ -20,7 +22,7 @@ "embeddedSdkVersion": "3.0", "vendorUrl": "https://www.axis.com", "runMode": "once", - "version": "2.0.0-preview" + "version": "2.0.1-preview" }, "installation": { "postInstallScript": "postinstallscript.sh" diff --git a/app/postinstallscript.sh b/app/postinstallscript.sh index 8599f95..a31fc31 100644 --- a/app/postinstallscript.sh +++ b/app/postinstallscript.sh @@ -10,7 +10,9 @@ _appname=dockerdwrapperwithcompose _appdirectory=/usr/local/packages/$_appname _uname="$(stat -c '%U' "$_appdirectory")" _uid="$(id "$_uname" -u)" +_gid="$(id "$_uname" -g)" _gname="$(id "$_uname" -gn)" +_grpsid="$(id "$_uname" -G)" # If the device supports cgroups v2 we need to start the user.service if [ ! -d /sys/fs/cgroup/unified ]; then @@ -27,9 +29,14 @@ Wants=acap-user@$_uid.service" >> /etc/systemd/system/sdkdockerdwrapperwithcompo fi -# Create mapping for subuid and subgid - both shall use user name! -echo "$_uname:100000:65536" > /etc/subuid -echo "$_uname:100000:65536" > /etc/subgid +# Create mapping for subuid and subgid - both shall use user id! +echo "$_uid:100000:65536" >> /etc/subuid +for gid in $_grpsid ; do + if [ "$gid" -ne "$_gid" ]; then + echo "$_uid:$gid:1" >> /etc/subgid + fi +done +echo "$_uid:100000:65536" >> /etc/subgid # Let root own these two utilities and make the setuid chown root:root newuidmap diff --git a/app/preuninstallscript.sh b/app/preuninstallscript.sh index 2de55ba..1d52ce8 100644 --- a/app/preuninstallscript.sh +++ b/app/preuninstallscript.sh @@ -30,5 +30,5 @@ rm -Rf /etc/systemd/system/acap-user-runtime-dir@.service rm -Rf /etc/systemd/system/acap-user@.service # Remove the subuid/subgid mappings -sed -i "/$_uname:100000:65536/d" /etc/subuid -sed -i "/$_uname:100000:65536/d" /etc/subgid +sed -i "/$_uid/d" /etc/subuid +sed -i "/$_uid/d" /etc/subgid From 992486234d7451b9babaef5ec0acf9620d5ac13a Mon Sep 17 00:00:00 2001 From: madelen-axis Date: Wed, 29 Nov 2023 08:41:24 +0100 Subject: [PATCH 2/4] tweak --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 3dcdc9a..a421777 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,6 @@ device. In addition it bundles the docker CLI and the docker Compose CLI. * [Contributing](#contributing) * [License](#license) - ## Overview The Docker Compose ACAP provides the means to run a Docker daemon on an Axis device, thereby @@ -47,7 +46,7 @@ will run in rootless mode, i.e. the user owning the daemon process will not be r and in extension, the containers will not have root access to the host system. See [Rootless Mode][docker-rootless-mode] on Docker.com for details. That page also contains known limitations when running rootless Docker. -In addition the [docker CLI[dockerCLI]] and [docker compose CLI][dockerComposeCLI] +In addition the [docker CLI][dockerCLI] and [docker compose CLI][dockerComposeCLI] are included in the application, thereby providing the means to access these e.g. from a separate ACAP application running on the device. From 1cba07c2b1e08e60bdf4c6063b82bccd5321b143 Mon Sep 17 00:00:00 2001 From: madelen-axis Date: Thu, 30 Nov 2023 14:46:33 +0100 Subject: [PATCH 3/4] review fixes --- README.md | 1 - app/postinstallscript.sh | 16 ++++++++-------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index a421777..4964341 100644 --- a/README.md +++ b/README.md @@ -349,7 +349,6 @@ of the groups need to be used. At the moment of writing this the mappings are | ------------ | ------------------ | | datacache | "1" | | sdk | "2" | -| sdk | "2" | | storage | "3" | | vdo | "4" | | optics | "5" | diff --git a/app/postinstallscript.sh b/app/postinstallscript.sh index a31fc31..dd39c46 100644 --- a/app/postinstallscript.sh +++ b/app/postinstallscript.sh @@ -9,10 +9,10 @@ fi _appname=dockerdwrapperwithcompose _appdirectory=/usr/local/packages/$_appname _uname="$(stat -c '%U' "$_appdirectory")" -_uid="$(id "$_uname" -u)" -_gid="$(id "$_uname" -g)" -_gname="$(id "$_uname" -gn)" -_grpsid="$(id "$_uname" -G)" +_uid="$(id "$_uname" -u)" # user id +_gid="$(id "$_uname" -g)" # user group id +_gname="$(id "$_uname" -gn)" # user group name +_all_gids="$(id "$_uname" -G)" # user sub-group ids # If the device supports cgroups v2 we need to start the user.service if [ ! -d /sys/fs/cgroup/unified ]; then @@ -29,11 +29,11 @@ Wants=acap-user@$_uid.service" >> /etc/systemd/system/sdkdockerdwrapperwithcompo fi -# Create mapping for subuid and subgid - both shall use user id! +# Create mapping for subuid and subgid - both shall use user id as first value! echo "$_uid:100000:65536" >> /etc/subuid -for gid in $_grpsid ; do - if [ "$gid" -ne "$_gid" ]; then - echo "$_uid:$gid:1" >> /etc/subgid +for sub_group_id in $_all_gids ; do + if [ "$sub_group_id" -ne "$_gid" ]; then + echo "$_uid:$sub_group_id:1" >> /etc/subgid fi done echo "$_uid:100000:65536" >> /etc/subgid From a19d1dcd82a4e0cf5029ed55eccefa82b6ffe965 Mon Sep 17 00:00:00 2001 From: madelen-axis Date: Thu, 30 Nov 2023 15:14:32 +0100 Subject: [PATCH 4/4] review fixes --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4964341..1f75208 100644 --- a/README.md +++ b/README.md @@ -340,10 +340,10 @@ file. When running a container a user called `root`, (uid 0), belonging to group will be the default user inside the container. It will be mapped to the non-root user on the device, and the group will be mapped to the non-root users primary group. In order to get access inside the container to resources on the device that are group owned by any -of the non-root users secondary groups these need to be added for the container user. +of the non-root users secondary groups, these need to be added for the container user. This can be done by using `group_add` in a docker-compose.yaml (`--group-add` if using Docker cli). -Unfortunately, adding the names of the secondary groups are not supported, instead the *mapped* ids -of the groups need to be used. At the moment of writing this the mappings are +Unfortunately, adding the name of a secondary group is not supported. Instead the *mapped* id +of the group need to be used. At the moment of writing this the mappings are: | device group | container group id | | ------------ | ------------------ |