#linux features/syscalls enabled in a container


ivory crater
#

Hi,

I'm working on an application using io_uring. I'm trying to use Dagger for development, specifically on macOS since it doesn't exist there, but I can't make it work.

I'm testing with this example code: https://github.com/axboe/liburing/blob/master/examples/io_uring-cp.c
I'm getting an "operation not permitted" error when calling io_uring_queue_init.
However, when I simply build a Docker image and docker run it, the code does work, so I'm wondering if there's anything special in how Dagger executes its containers?

I've seen things related to seccomp for Docker that controls the syscalls that are authorized, but I don't know if Dagger changes anything.

tight lake
#

are you setting InsecureRootCapabilities in your WithExec?

#

i'm not too familiar with io_uring, but do you need some capabilities/seccomp filters disabled when you do it with docker run?

ivory crater
#

I'll try with InsecureRootCapabilities.
With docker run I don't need to do anything special, no; it works by default

#

ok invoked like this it works:

        WithExec([]string{"io_uring-cp", "/foo", "/home/foobar/foo"}, dagger.ContainerWithExecOpts{
            InsecureRootCapabilities: true,
        }).

tight lake
#

hmmm, interesting 🤔 i wonder what's different from what we do with docker run
i'm not entirely sure, but if you have a super simple repro or similar, it would definitely be great to have an issue for this

ivory crater
#

yeah I can do that

#

follow-up question: is there a way to set InsecureRootCapabilities on the command line? I opened a terminal using something like this:

dagger call foo --src=. terminal

where foo returns a container. can I make it so the terminal has insecure root capabilities?

tight lake
#

ahh you should be able to pass --insecure-root-capabilities to terminal
you can see all the options available for terminal by appending --help

ivory crater
#

oh yeah I forgot that opts are available as flags, thanks.

however --help only shows the flags for my function foo, weirdly enough:

$ dagger call foo  --source=. --platform=linux/arm64 --help
...
ARGUMENTS
      --platform Platform   [required] (default )
      --source Directory    [required] (default )

Use "dagger call foo [command] --help" for more information about a command.

tight lake
#

ah, if you add terminal --help then it should show the help for terminal specifically

#

sadly, we can't really show every nested level, since that would dump so much stuff into the terminal that's not super useful most of the time