Setting POSIX ACL (setfacl) not supported for files within a tmpfs mount in docker desktop for windows

juancarlosgarza1 · September 26, 2019, 12:20pm

Whenever I use the function “setfacl” to change the access control list properties of a file stored in the shared memory space /dev/shm/

For example:

user@693d06f79432:/dev/shm$ setfacl -m u:user:rwx /dev/shm/myfile
setfacl: /dev/shm/myfile: Operation not supported

When starting my container, I am trying different approaches, none of them working:

--ipc=host
--ipc=shareable
--ipc=private

The following other options have been used:

--cap-add IPC_OWNER --cap-add IPC_LOCK --cap-add SETFCAP --cap-add FOWNER

I have the suspicion, that the kernel running on the underlying virtual machine “DockerDesktopVM” running on Hyper-V contains a linux kernel in which the tmpfs was not configured with the POSIX Access Control List optional drivers enabled and thus does not support setting the acl.

shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)

As seen, the /dev/shm is tmpfs, and does not have the “acl” option enabled.

However, the call to getfacl does work…

user@693d06f79432:/dev/shm$ getfacl myfile
# file: myfile
# owner: user
# group: user
user::rw-
group::r--
other::r--

setfacl does work on other files on the filesystem (which are not tmpfs)

user@693d06f79432:~$ setfacl -m u:user:rwx myb
user@693d06f79432:~$ getfacl myb
# file: myb
# owner: user
# group: user
user::rw-
user:user:rwx
group::r--
mask::rwx
other::r--

Docker running on Linux natively, do not present this issue, and that is why I assume that it is actually the kernel build options that are not enabled.

My “docker info”

docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 119
Server Version: 19.03.2
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.184-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.769GiB
Name: docker-desktop
ID: <SOME ID>
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 29
 Goroutines: 44
 System Time: 2019-09-26T12:10:54.5062234Z
 EventsListeners: 1
HTTP Proxy: docker.for.win.localhost:3128
HTTPS Proxy: docker.for.win.localhost:3128
No Proxy: mycompany.com
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Finally, having a look at the configuration used for linuxkit:

github.com

linuxkit/linuxkit/blob/master/kernel/config-4.9.x-x86_64

#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 4.9.192 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
CONFIG_X86=y
CONFIG_INSTRUCTION_DECODER=y
CONFIG_OUTPUT_FORMAT="elf64-x86-64"
CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
CONFIG_LOCKDEP_SUPPORT=y
CONFIG_STACKTRACE_SUPPORT=y
CONFIG_MMU=y
CONFIG_ARCH_MMAP_RND_BITS_MIN=28
CONFIG_ARCH_MMAP_RND_BITS_MAX=32
CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
CONFIG_NEED_DMA_MAP_STATE=y
CONFIG_NEED_SG_DMA_LENGTH=y
CONFIG_GENERIC_ISA_DMA=y

This file has been truncated. show original

CONFIG_TMPFS=y
# CONFIG_TMPFS_POSIX_ACL is not set
CONFIG_TMPFS_XATTR=y

# CONFIG_TMPFS_POSIX_ACL is not set

We see that the ACL is not set for tmpfs, yet I am not 100% sure if this is the configuration used for the linuxkit 4.9.184-linux on the virtual machine. But it seems to be the issue.