Whenever I use the function “setfacl” to change the access control list properties of a file stored in the shared memory space /dev/shm/
For example:
user@693d06f79432:/dev/shm$ setfacl -m u:user:rwx /dev/shm/myfile
setfacl: /dev/shm/myfile: Operation not supported
When starting my container, I have tried different approaches, none of them working:
--ipc=host
--ipc=shareable
--ipc=private
The following other options have been used:
--cap-add IPC_OWNER --cap-add IPC_LOCK --cap-add SETFCAP --cap-add FOWNER
I have the suspicion that the underlying virtual machine “DockerDesktopVM” running on Hyper-V contains a Linux kernel in which tmpfs was not configured with the optional POSIX Access Control List support enabled, and thus does not support setting ACLs.
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
As seen, /dev/shm is tmpfs and does not have the “acl” option enabled.
However, the call to getfacl does work…
user@693d06f79432:/dev/shm$ getfacl myfile
# file: myfile
# owner: user
# group: user
user::rw-
group::r--
other::r--
setfacl does work on other files on the filesystem (which are not tmpfs):
user@693d06f79432:~$ setfacl -m u:user:rwx myb
user@693d06f79432:~$ getfacl myb
# file: myb
# owner: user
# group: user
user::rw-
user:user:rwx
group::r--
mask::rwx
other::r--
Docker running natively on Linux does not present this issue, which is why I assume that it is actually the kernel build options that are not enabled.
My “docker info”:
docker info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 119
Server Version: 19.03.2
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.9.184-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.769GiB
Name: docker-desktop
ID: <SOME ID>
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 29
Goroutines: 44
System Time: 2019-09-26T12:10:54.5062234Z
EventsListeners: 1
HTTP Proxy: docker.for.win.localhost:3128
HTTPS Proxy: docker.for.win.localhost:3128
No Proxy: mycompany.com
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Finally, having a look at the configuration used for linuxkit:
CONFIG_TMPFS=y
# CONFIG_TMPFS_POSIX_ACL is not set
CONFIG_TMPFS_XATTR=y
# CONFIG_TMPFS_POSIX_ACL is not set
We see that the ACL is not set for tmpfs, yet I am not 100% sure whether this is the configuration used for the 4.9.184-linuxkit kernel on the virtual machine. But it seems to be the issue.
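As an added example (not part of the original post or of Docker Desktop), here is a small POSIX shell script that turns the diagnosis above into a repeatable check: it runs the same kind of setfacl call on a scratch file in the directory under test and then reads CONFIG_TMPFS_POSIX_ACL from the running kernel's config. It assumes setfacl, findmnt and mktemp are installed and that the kernel exposes its config at /proc/config.gz or /boot/config-<release>; the function names and the sample .config lines are constructed for this example. One caveat worth knowing when reading the mount line quoted in the post: tmpfs ACL support is a compile-time option (CONFIG_TMPFS_POSIX_ACL) and tmpfs has no "acl" mount option, so the absence of "acl" in the mount output is not evidence either way, which is why the script tests behaviour and reads the kernel config instead.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): decide whether POSIX ACLs
# fail on a directory because the kernel lacks CONFIG_TMPFS_POSIX_ACL.
# Function names and the sample config below are constructed for this example.

# Read CONFIG_TMPFS_POSIX_ACL from a kernel config file (plain text or .gz).
# Prints "y", "n" (explicitly "is not set") or "unknown" (symbol absent).
tmpfs_acl_in_config() {
    cfg="$1"
    case "$cfg" in
        *.gz) text=$(gzip -dc "$cfg" 2>/dev/null || true) ;;
        *)    text=$(cat "$cfg" 2>/dev/null || true) ;;
    esac
    if printf '%s\n' "$text" | grep -q '^CONFIG_TMPFS_POSIX_ACL=y$'; then
        echo y
    elif printf '%s\n' "$text" | grep -q '^# CONFIG_TMPFS_POSIX_ACL is not set$'; then
        echo n
    else
        echo unknown
    fi
}

# Locate the running kernel's config: /proc/config.gz (needs CONFIG_IKCONFIG_PROC)
# or the distribution's /boot/config-<release>. Prints the path, or nothing.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# Behavioural probe: create a scratch file in DIR and try to add a named-user
# ACL entry, the same operation as the post's setfacl call. Prints "supported",
# "unsupported" (setfacl reports "Operation not supported") or "skipped"
# (setfacl missing, DIR not writable, or some unrelated failure such as EPERM).
probe_acl() {
    dir="$1"
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    f=$(mktemp "$dir/aclprobe.XXXXXX" 2>/dev/null) || { echo skipped; return 0; }
    if err=$(setfacl -m "u:$(id -un):rw" "$f" 2>&1); then
        rm -f "$f"; echo supported
    elif printf '%s' "$err" | grep -qi 'not supported'; then
        rm -f "$f"; echo unsupported
    else
        rm -f "$f"; echo skipped
    fi
}

# Constructed sample: the .config fragment quoted in the post, written to FILE
# so the parser can be exercised offline.
write_sample_config_from_post() {
    printf 'CONFIG_TMPFS=y\n# CONFIG_TMPFS_POSIX_ACL is not set\nCONFIG_TMPFS_XATTR=y\n' > "$1"
}

# Report on DIR (default /dev/shm): mount facts, live probe, and kernel config.
report() {
    dir="${1:-/dev/shm}"
    echo "filesystem: $(findmnt -no FSTYPE,OPTIONS --target "$dir" 2>/dev/null || true)"
    echo "acl probe on $dir: $(probe_acl "$dir")"
    cfg=$(running_kernel_config)
    if [ -n "$cfg" ]; then
        echo "CONFIG_TMPFS_POSIX_ACL in $cfg: $(tmpfs_acl_in_config "$cfg")"
    else
        echo "kernel config not readable; the probe result above is the only evidence"
    fi
}

# Usage: sh acl_probe.sh --report [DIR]
case "${1:-}" in
    --report) report "${2:-/dev/shm}" ;;
esac
```

Run it inside the container as `sh acl_probe.sh --report /dev/shm` and again on a non-tmpfs path such as the home directory; a kernel built without CONFIG_TMPFS_POSIX_ACL gives "unsupported" on /dev/shm and "supported" elsewhere, and if /proc/config.gz is readable the config line confirms the cause directly. getfacl succeeding proves nothing here, since it falls back to reporting the plain mode bits when no ACL is stored.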