
Bug#985481: debootstrap: Detection of docker container is broken with cgroup v2

Package: debootstrap
Version: 1.0.123
Severity: normal
Tags: patch
User: devel@kali.org
Usertags: origin-kali

Dear Maintainer,

The code that is meant to detect if debootstrap is running from within a
docker container is broken with cgroup v2. Talking about this particular
function and line in the file `functions`:

    detect_container () {
        elif grep -qs '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo; then

This code only works for cgroup v1.

After some research, and also after looking into the code of
systemd-detect-virt, it seems that the right way to detect a docker
container these days is to check for the file '/.dockerenv'.

Hence I'm proposing this patch:


-- More debug logs:

Here's what I get on current Debian sid:

    $ cat /proc/cmdline
    BOOT_IMAGE=/vmlinuz-5.10.0-4-amd64 root=<<ROOT>> tro quiet

    $ mount | grep cgroup
    cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)

    $ sudo docker run --rm -it debian:testing grep '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo
    .... no output, the detection code is broken!

    $ sudo docker run --rm -it debian:testing ls -l /.dockerenv
    -rwxr-xr-x 1 root root 0 Mar 19 02:37 /.dockerenv

Just out of curiosity, I tried to get the current detection code to
work, by booting my system with cgroup v1 only. This is done by setting
the two boot parameters `systemd.unified_cgroup_hierarchy=0` and

Here are the logs:

    $ cat /proc/cmdline
    BOOT_IMAGE=/vmlinuz-5.10.0-4-amd64 root=<<ROOT>> ro quiet systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller=1

    $ mount | grep cgroup
    tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,size=4096k,nr_inodes=1024,mode=755)
    cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
    cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
    cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
    cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
    cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
    cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
    cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
    cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
    cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
    cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
    cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
    cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)

    $ sudo docker run --rm -it debian:testing grep '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo
    795 794 0:29 /docker/<<id>> /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime master:10 - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
    797 794 0:33 /docker/<<id>> /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime master:15 - cgroup cgroup rw,memory
    818 794 0:35 /docker/<<id>> /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime master:17 - cgroup cgroup rw,net_cls,net_prio
    819 794 0:36 /docker/<<id>> /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime master:18 - cgroup cgroup rw,cpu,cpuacct
    853 794 0:37 /docker/<<id>> /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime master:19 - cgroup cgroup rw,blkio
    854 794 0:38 /docker/<<id>> /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime master:20 - cgroup cgroup rw,devices
    872 794 0:39 /docker/<<id>> /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime master:21 - cgroup cgroup rw,pids
    873 794 0:40 /docker/<<id>> /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime master:22 - cgroup cgroup rw,cpuset
    891 794 0:41 /docker/<<id>> /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime master:23 - cgroup cgroup rw,freezer
    892 794 0:42 /docker/<<id>> /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime master:24 - cgroup cgroup rw,perf_event
    910 794 0:43 /docker/<<id>> /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime master:25 - cgroup cgroup rw,hugetlb

Conclusion: the debootstrap code that detects a docker container used to
work for cgroup v1, but it's broken for cgroup v2.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debootstrap depends on:
ii  wget  1.21-1+b1

Versions of packages debootstrap recommends:
ii  arch-test               0.17-1
ii  debian-archive-keyring  2021.1.1
ii  gnupg                   2.2.27-1

Versions of packages debootstrap suggests:
pn  squid-deb-proxy-client  <none>
pn  ubuntu-archive-keyring  <none>

-- no debconf information
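The two detection methods compared in the report, as an added example that is not part of the bug report or of debootstrap's own `functions` file: a `detect_docker` helper that checks the `/.dockerenv` marker first (valid under both cgroup v1 and v2) and only then falls back to the cgroup v1 `/proc/1/mountinfo` pattern that the current debootstrap code relies on. The `root` argument, the `make_fixture` helper and the mountinfo lines it writes are assumptions made here so the function can be exercised against constructed directory trees rather than a live container.

```shell
#!/bin/sh
# Added example (not debootstrap's own code). detect_docker prints "docker"
# and returns 0 when a container is detected, otherwise prints "none" and
# returns 1. The optional root argument is an assumed parameter that lets
# the same function run against a constructed tree instead of "/".

detect_docker () {
    root="${1:-}"
    # Method 1: marker file the Docker runtime places in the container root.
    # Independent of the cgroup version (what systemd-detect-virt checks).
    if [ -e "$root/.dockerenv" ]; then
        echo docker
        return 0
    fi
    # Method 2 (cgroup v1 only): PID 1's mount table shows /docker/<id>
    # cgroup hierarchies mounted under /sys/fs/cgroup. Under cgroup v2 the
    # unified hierarchy is mounted at "/" and this pattern never matches.
    if grep -qs '[[:space:]]/docker/.*/sys/fs/cgroup' "$root/proc/1/mountinfo"; then
        echo docker
        return 0
    fi
    echo none
    return 1
}

# Constructed root trees (assumption: shaped after the mountinfo lines in the
# report) to show each path through detect_docker without a real container.
make_fixture () {
    d=$(mktemp -d)
    mkdir -p "$d/proc/1"
    case "$1" in
        v1)
            # cgroup v1: per-controller hierarchies under /docker/<id>.
            printf '%s\n' '795 794 0:29 /docker/<<id>> /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime master:10 - cgroup cgroup rw,xattr,name=systemd' > "$d/proc/1/mountinfo"
            ;;
        v2)
            # cgroup v2: one unified mount, no /docker/ path, no marker file.
            printf '%s\n' '40 30 0:26 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate,memory_recursiveprot' > "$d/proc/1/mountinfo"
            ;;
        v2env)
            # cgroup v2 plus the /.dockerenv marker the runtime creates.
            printf '%s\n' '40 30 0:26 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate' > "$d/proc/1/mountinfo"
            : > "$d/.dockerenv"
            ;;
    esac
    echo "$d"
}

main () {
    for f in v1 v2 v2env; do
        r=$(make_fixture "$f")
        printf '%-6s -> %s\n' "$f" "$(detect_docker "$r")"
        rm -rf "$r"
    done
}
main "$@"
```

Running it prints `v1 -> docker`, `v2 -> none` and `v2env -> docker`: the mountinfo fallback alone reproduces the failure in the report (v2 is a Docker container that goes undetected), while the marker-file check catches both layouts. Keeping the mountinfo grep as a fallback costs nothing and preserves the old behaviour on hosts where `/.dockerenv` is absent.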
