Docker and PaX host

Question

I've spent the last few days messing with trying to get docker containers to run correctly on Gentoo Hardened.

The first problem that took me days to discover was motivated by my own paranoia: The partition I placed the Docker root into was mounted with nosuid and noexec. As a result, devicemapper driver worked on it, since it creates numerous loop devices to do its thing, but overlay driver did not, because it inherited the noexec flag from the top, so no executables within containers would run. I'll just leave this piece of knowledge for someone to discover here...

With that out of the way, however, I tripped over another problem: PaX flags.

PaX mandates that executables that require to create new memory pages containing code be marked with either special ELF headers or extended filesystem attributes, preferably both, because the recommended setting for Gentoo is to use the extended attributes and ignore the ELF headers. Executables that don't comply get killed the moment they try.

Unfortunately the list of programs that just have to try includes nodejs, python, and pretty much every other modern interpreter, not to mention mongodb. There are probably other problem executables, but these are the primary culprits, and also the thing you frequently want to see in containers.

Even more unfortunately, even though docker images are supposed to be capable of containing files marked by extended attributes, none of the official images for common software which requires such flags -- mongodb and nodejs in particular -- appear to have those.

For the moment, I've been hacking around the problem by locating the actual file on disk and setting its xattr from outside the container. This is obviously a royally bad idea.

What is the proper way to solve this problem, and for that matter, is there a particular reason nobody else seems to have it, as copious googling appears to indicate? Is there, perhaps, another kernel option I missed, (I tend to do that a lot) or a specific recommended way to set them so it remains secure and actually works? Beside turning PaX off, that is.

Answer 1

I've been struggling with this as well. With your excellent explanation as inspiration, I was able to set the extended attributes from within the docker container in question.

The essential command to run in the container is:

setfattr -n user.pax.flags -v "emr" /container's/path/to/binary

Note that the docker container itself will need the attr package installed. If you are building the container yourself, you can install and run the above command as a RUN command. Here's an example extending the python official image:

FROM python:3-slim

RUN apt-get update && apt-get install -y attr
RUN setfattr -n user.pax.flags -v "emr" /usr/local/bin/python3.5
RUN setfattr -n user.pax.flags -v "emr" /usr/local/bin/pip

If not, then you can enter the running container with docker exec container_name /bin/bash and do the above commands manually.