
Running docker-bench-security under WSL1

Open sbutt opened this issue 5 years ago • 7 comments

Hi,

I'm trying to run under WSL1 (can't upgrade to WSL2 just yet) using these instructions https://nickjanetakis.com/blog/setting-up-docker-for-windows-and-wsl-to-work-flawlessly. It seems to work OK, and hello-world is working OK. However, when I try to run docker-bench-security, under Ubuntu 18.04 (under WSL)...

docker run -it --net host --pid host --userns host --cap-add audit_control -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST -v /etc:/etc:ro -v /lib/systemd/system:/lib/systemd/system:ro -v /usr/bin/containerd:/usr/bin/containerd:ro -v /usr/bin/runc:/usr/bin/runc:ro -v /usr/lib/systemd:/usr/lib/systemd:ro -v /var/lib:/var/lib:ro -v /var/run/docker.sock:/var/run/docker.sock:ro --label docker_bench_security docker/docker-bench-security

I get the following error.

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/var/lib/docker/containers/33b215e1abbbf3493dc0a2717e4c1b8ce4f747a60681f5b318fdf7b4516624da/hostname\\\" to rootfs \\\"/var/lib/docker/overlay2/fc341fa540cf7cc0af3c1c39a1453adbbfbc89d6a0ac52db65b280453eedd25d/merged\\\" at \\\"/var/lib/docker/overlay2/fc341fa540cf7cc0af3c1c39a1453adbbfbc89d6a0ac52db65b280453eedd25d/merged/etc/hostname\\\" caused \\\"open /var/lib/docker/overlay2/fc341fa540cf7cc0af3c1c39a1453adbbfbc89d6a0ac52db65b280453eedd25d/merged/etc/hostname: read-only file system\\\"\"": unknown. ERRO[0001] error waiting for container: context canceled

Perhaps this is more of a WSL problem than docker-bench-security?? Any pointers would be much appreciated.

sbutt commented Oct 13 '20 16:10

Hi @sbutt, can you try running the script and see if it works at all?

Note that the available docker image is old (see https://github.com/docker/docker-bench-security/issues/405), so you should build your own version to make sure everything is up-to-date.

konstruktoid commented Oct 13 '20 17:10

Seems to build OK...

[+] Building 23.3s (10/10) FINISHED
 => [internal] load .dockerignore                                                                                               0.0s
 => => transferring context: 34B                                                                                                0.0s
 => [internal] load build definition from Dockerfile                                                                            0.0s
 => => transferring dockerfile: 38B                                                                                             0.0s
 => [internal] load metadata for docker.io/library/alpine:3.12                                                                  0.0s
 => [internal] load build context                                                                                               0.0s
 => => transferring context: 697B                                                                                               0.0s
 => CACHED [1/5] FROM docker.io/library/alpine:3.12                                                                             0.0s
 => [2/5] RUN set -eux;   sed -i 's!http://dl-cdn.alpinelinux.org/!https://alpine.global.ssl.fastly.net/!g' /etc/apk/reposito  22.7s
 => [3/5] COPY ./*.sh /usr/local/bin/                                                                                           0.0s
 => [4/5] COPY ./tests/*.sh /usr/local/bin/tests/                                                                               0.0s
 => [5/5] WORKDIR /usr/local/bin                                                                                                0.0s
 => exporting to image                                                                                                          0.5s
 => => exporting layers                                                                                                         0.4s
 => => writing image sha256:399cd9d36d5a417a9c06c1a9c22dcbef82b53486c87d57ce9f95695f9a6cc30e                                    0.0s
 => => naming to docker.io/library/docker-bench-security                                                                        0.0s

However, it still doesn't run, and gives the same weird error message...

>     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
>     -v /etc:/etc:ro \
>     -v /usr/bin/containerd:/usr/bin/containerd:ro \
>     -v /usr/bin/runc:/usr/bin/runc:ro \
>     -v /usr/lib/systemd:/usr/lib/systemd:ro \
>     -v /var/lib:/var/lib:ro \
>     -v /var/run/docker.sock:/var/run/docker.sock:ro \
>     --label docker_bench_security \
>     docker-bench-security
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/var/lib/docker/containers/b0183763e5674dd2b3048cd43856cacf2c6344a8cca553865e7c806a3adac971/hostname\\\" to rootfs \\\"/var/lib/docker/overlay2/18ca2a9e152cc3180f82ba7bf508387063ac38ec24de1d7e52f033cb7b519e15/merged\\\" at \\\"/var/lib/docker/overlay2/18ca2a9e152cc3180f82ba7bf508387063ac38ec24de1d7e52f033cb7b519e15/merged/etc/hostname\\\" caused \\\"open /var/lib/docker/overlay2/18ca2a9e152cc3180f82ba7bf508387063ac38ec24de1d7e52f033cb7b519e15/merged/etc/hostname: read-only file system\\\"\"": unknown.
ERRO[0001] error waiting for container: context canceled

So, I guess that's a WSL1 problem.

When I run the script alone, it seems to be fine 👍

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/var/lib/docker/containers/05e7e543b415540f62b1017ac1ce606e96fcf982429987e63673d30fe67810b5/hostname\\\" to rootfs \\\"/var/lib/docker/overlay2/921fd198fa77a3207dc460594cc65cb10a8a43db52be4182f018666566ac9a1e/merged\\\" at \\\"/var/lib/docker/overlay2/921fd198fa77a3207dc460594cc65cb10a8a43db52be4182f018666566ac9a1e/merged/etc/hostname\\\" caused \\\"open /var/lib/docker/overlay2/921fd198fa77a3207dc460594cc65cb10a8a43db52be4182f018666566ac9a1e/merged/etc/hostname: read-only file system\\\"\"": unknown.
ERRO[0000] error waiting for container: context canceled
steve@LAP:/c/Users/steve.button/docker-bench-security$

So, I think it makes sense to close this issue (unless you have other suggestions?). Thanks for your help.

sbutt commented Oct 14 '20 11:10

Does /var/lib/docker exist? It could be a Windows pathing issue.

konstruktoid commented Oct 14 '20 11:10

/var/lib/docker does not exist. So, yes I guess that's the problem.

sbutt commented Oct 14 '20 11:10

I guess all paths need to be corrected under WSL; I haven't used docker in that environment, so that needs some investigation.

konstruktoid commented Oct 14 '20 12:10
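A pre-flight check for the bind-mount sources in the `docker run` line quoted in this thread, added here as an example (not part of the project or of any comment above). It walks the source paths of every `-v` argument, plus `/var/lib/docker` as asked above, under a root prefix and lists the ones that do not exist; the prefix is an assumption so the same function can be run against `/` on a real host or against a constructed tree that mimics the WSL1 situation where the daemon's filesystem is not the WSL one.

```shell
#!/bin/sh
# Bind-mount sources taken from the docker run command in this issue, plus
# /var/lib/docker, which the maintainer asked about. Each one must exist on
# the host the Docker *daemon* runs on, not merely where the client runs.
BENCH_MOUNT_SOURCES="/etc /lib/systemd/system /usr/bin/containerd /usr/bin/runc /usr/lib/systemd /var/lib /var/lib/docker /var/run/docker.sock"

# missing_mount_sources ROOT
# Prints each source that is absent under ROOT, one per line.
# Returns 0 when every source exists, 1 when at least one is missing.
missing_mount_sources() {
  root=${1%/}   # strip a trailing slash so "/" and "/tmp/x/" both work
  rc=0
  for src in $BENCH_MOUNT_SOURCES; do
    if [ ! -e "$root$src" ]; then
      printf '%s\n' "$src"
      rc=1
    fi
  done
  return $rc
}

# build_fake_root DIR
# Constructs (hypothetical, for demonstration only) a tree that looks like a
# WSL1 userland with no Docker daemon state: /etc, systemd dirs and runc are
# present, but containerd, /var/lib/docker and docker.sock are not.
build_fake_root() {
  mkdir -p "$1/etc" "$1/lib/systemd/system" "$1/usr/bin" \
           "$1/usr/lib/systemd" "$1/var/lib" "$1/var/run"
  : > "$1/usr/bin/runc"
}

# Run with --demo to see the report for the constructed tree; run with
# --host to check the real root of the machine you are on.
case "${1:-}" in
  --demo)
    tmp=$(mktemp -d)
    build_fake_root "$tmp"
    echo "Missing under constructed root $tmp:"
    missing_mount_sources "$tmp" || true
    rm -rf "$tmp"
    ;;
  --host)
    missing_mount_sources / && echo "all bind-mount sources exist"
    ;;
esac
```

On a WSL1 setup that talks to Docker Desktop, a clean `--host` result is still not proof that the mounts will work, because the daemon resolves the source paths on its own filesystem; it only rules out the missing-path case discussed here.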

Can the docker-bench-security script be run on a Windows host which has WSL 1 or 2? If yes, do the observed findings need to be patched on the Windows host or on the WSL2 Linux system?

chougulenishant8 commented Mar 26 '21 18:03

Related https://github.com/docker/docker-bench-security/issues/261

konstruktoid commented Mar 07 '22 12:03