Package: debootstrap
Version: 1.0.123
Severity: normal
Tags: patch
User: de...@kali.org
Usertags: origin-kali
Dear Maintainer,

The code that is meant to detect if debootstrap is running from within a docker container is broken with cgroup v2. Talking about this particular function and line in the file `functions`:

    detect_container () {
        [...]
        elif grep -qs '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo; then
            CONTAINER="docker"

This code only works for cgroup v1. After some research, and also after looking into the code of systemd-detect-virt, it seems that the right way to detect a docker container these days is to check for the file '/.dockerenv'. Hence I'm proposing this patch:

https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/52

Thanks!

-- More debug logs:

Here's what I get on current Debian sid:

    $ cat /proc/cmdline
    BOOT_IMAGE=/vmlinuz-5.10.0-4-amd64 root=<<ROOT>> tro quiet
    $ mount | grep cgroup
    cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
    $ sudo docker run --rm -it debian:testing grep '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo
    .... no output, the detection code is broken!
    $ sudo docker run --rm -it debian:testing ls -l /.dockerenv
    -rwxr-xr-x 1 root root 0 Mar 19 02:37 /.dockerenv

Just out of curiosity, I tried to get the current detection code to work, by booting my system with cgroup v1 only. This is done by setting the two boot parameters `systemd.unified_cgroup_hierarchy=0` and `systemd.legacy_systemd_cgroup_controller=1`.
Here are the logs:

    $ cat /proc/cmdline
    BOOT_IMAGE=/vmlinuz-5.10.0-4-amd64 root=<<ROOT>> ro quiet systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller=1
    $ mount | grep cgroup
    tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,size=4096k,nr_inodes=1024,mode=755)
    cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
    cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
    cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
    cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
    cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
    cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
    cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
    cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
    cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
    cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
    cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
    cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
    $ sudo docker run --rm -it debian:testing grep '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo
    795 794 0:29 /docker/<<id>> /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime master:10 - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
    797 794 0:33 /docker/<<id>> /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime master:15 - cgroup cgroup rw,memory
    818 794 0:35 /docker/<<id>> /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime master:17 - cgroup cgroup rw,net_cls,net_prio
    819 794 0:36 /docker/<<id>> /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime master:18 - cgroup cgroup rw,cpu,cpuacct
    853 794 0:37 /docker/<<id>> /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime master:19 - cgroup cgroup rw,blkio
    854 794 0:38 /docker/<<id>> /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime master:20 - cgroup cgroup rw,devices
    872 794 0:39 /docker/<<id>> /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime master:21 - cgroup cgroup rw,pids
    873 794 0:40 /docker/<<id>> /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime master:22 - cgroup cgroup rw,cpuset
    891 794 0:41 /docker/<<id>> /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime master:23 - cgroup cgroup rw,freezer
    892 794 0:42 /docker/<<id>> /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime master:24 - cgroup cgroup rw,perf_event
    910 794 0:43 /docker/<<id>> /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime master:25 - cgroup cgroup rw,hugetlb

Conclusion: the debootstrap code that detects a docker container used to work for cgroup v1, but it's broken for cgroup v2.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debootstrap depends on:
ii  wget  1.21-1+b1

Versions of packages debootstrap recommends:
ii  arch-test               0.17-1
ii  debian-archive-keyring  2021.1.1
ii  gnupg                   2.2.27-1

Versions of packages debootstrap suggests:
pn  squid-deb-proxy-client  <none>
pn  ubuntu-archive-keyring  <none>

-- no debconf information
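A standalone version of the two checks discussed in this report, as an added example that is neither debootstrap's own `functions` code nor the patch in MR 52: it looks for the `/.dockerenv` marker first (works on cgroup v2) and falls back to the report's cgroup v1 mountinfo pattern. The names `detect_docker`, `make_samples` and `demo` are hypothetical, both file paths are parameters so the logic can be exercised offline, and the sample mountinfo lines are constructed (modelled on the report's output).

```shell
# Added example: not debootstrap's code. Prints "docker" and returns 0 when
# either check matches; prints "none" and returns 1 otherwise.
#   $1: mountinfo file to inspect (default /proc/1/mountinfo)
#   $2: docker marker file          (default /.dockerenv)
detect_docker () {
    mountinfo="${1:-/proc/1/mountinfo}"
    dockerenv="${2:-/.dockerenv}"
    # Marker file created by the docker runtime; independent of the cgroup version.
    if [ -e "$dockerenv" ]; then
        echo docker
        return 0
    fi
    # Legacy cgroup v1 layout: /docker/<id> subtrees mounted under /sys/fs/cgroup.
    # -s keeps a missing mountinfo file from printing an error.
    if grep -qs '[[:space:]]/docker/.*/sys/fs/cgroup' "$mountinfo"; then
        echo docker
        return 0
    fi
    echo none
    return 1
}

# Constructed sample inputs in directory $1: one cgroup v1 mountinfo line
# (hypothetical container id), one cgroup v2 line with a single cgroup2
# mount, and an empty marker file standing in for /.dockerenv.
make_samples () {
    dir="$1"
    printf '795 794 0:29 /docker/0123abcd /sys/fs/cgroup/systemd ro,nosuid - cgroup cgroup rw,name=systemd\n' > "$dir/v1"
    printf '123 100 0:25 / /sys/fs/cgroup ro,nosuid - cgroup2 cgroup rw,nsdelegate\n' > "$dir/v2"
    : > "$dir/dockerenv"
}

# Shows the three cases: v1 is caught by the grep alone, v2 is missed by
# the grep alone, and v2 is caught once the marker file is consulted.
demo () {
    d=$(mktemp -d)
    make_samples "$d"
    echo "cgroup v1, no marker:   $(detect_docker "$d/v1" "$d/missing")"
    echo "cgroup v2, no marker:   $(detect_docker "$d/v2" "$d/missing")"
    echo "cgroup v2, /.dockerenv: $(detect_docker "$d/v2" "$d/dockerenv")"
    rm -rf "$d"
}

demo
```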