[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#985481: debootstrap: Detection of docker container is broken with cgroup v2



I just noticed that there is snippet in scripts/debian-common:

        if doing_variant fakechroot || [ "$CONTAINER" = "docker" ]; then
                setup_proc_symlink
        fi

The following bugs are related to docker and /proc, and are possibly related:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921815

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968927

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953637


On Fri, 19 Mar 2021 10:02:44 +0700 Arnaud Rebillout <arnaudr@kali.org> wrote:

> Package: debootstrap
> Version: 1.0.123
> Severity: normal
> Tags: patch
> User: devel@kali.org
> Usertags: origin-kali
>
> Dear Maintainer,
>
> The code that is meant to detect if debootstrap is running from within a
> docker container is broken with cgroup v2. Talking about this particular
> function and line in the file `functions`:
>
> detect_container () {
> [...]
> elif grep -qs '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo; then
> CONTAINER="docker"
>
> This code only works for cgroup v1.
>
> After some research, and also after looking into the code of
> systemd-detect-virt, it seems that the right way to detect a docker
> container these days is to check for the file '/.dockerenv'.
>
> Hence I'm proposing this patch:
> https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/52
>
> Thanks!
>
>
> -- More debug logs:
>
> Here's what I get on current Debian sid:
>
> $ cat /proc/cmdline
> BOOT_IMAGE=/vmlinuz-5.10.0-4-amd64 root=<<ROOT>> tro quiet
>
> $ mount | grep cgroup
> cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
>
> $ sudo docker run --rm -it debian:testing grep '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo
> .... no ouput, the detection code is broken!
>
> $ sudo docker run --rm -it debian:testing ls -l /.dockerenv
> -rwxr-xr-x 1 root root 0 Mar 19 02:37 /.dockerenv
>
> Just out of curiosity, I tried to get the current detection code to
> work, by booting my system with cgroup v1 only. This is done by setting
> the two boot parameters `systemd.unified_cgroup_hierarchy=0` and
> `systemd.legacy_systemd_cgroup_controller=1`.
>
> Here are the logs:
>
> $ cat /proc/cmdline
> BOOT_IMAGE=/vmlinuz-5.10.0-4-amd64 root=<<ROOT>> ro quiet systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller=1
>
> $ mount | grep cgroup
> tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,size=4096k,nr_inodes=1024,mode=755) > cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd) > cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)


Reply to: