Discussion:
[docker] TCPDump in Privileged Ubuntu Container
Mehrdad Moradi
2015-06-23 20:46:44 UTC
Hi All,

When I run an ubuntu container with privileged mode which is needed to run
Mininet, I cannot successfully install tcpdump. What's the solution for the
error: libcrypto.so.1.0.0: cannot open shared object file: Permission
denied?

To reproduce this issue:
sudo docker run --name="ryu-mininet" --privileged=true -it imehrdad2012/mininet /bin/bash
root@152f3f1:/# sudo apt-get install tcpdump
tcpdump: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: Permission denied

Best Regards,
Shamiq Islam
2015-06-23 20:52:08 UTC
Not an expert, but:

For interacting with the network stack, instead of using --privileged they
should use --cap-add=NET_ADMIN to modify the network interfaces.
from: https://docs.docker.com/reference/run/



__________
Shamiq Islam
c 361.877.3580
Post by Mehrdad Moradi
Hi All,
When I run an ubuntu container with privileged mode which is needed to run
Mininet, I cannot successfully install tcpdump. What's the solution for the
error: libcrypto.so.1.0.0: cannot open shared object file: Permission
denied?
sudo docker run --name="ryu-mininet" --privileged=true -it
imehrdad2012/mininet /bin/bash
apt-get install tcpdump
tcpdump: error while loading shared libraries: libcrypto.so.1.0.0: cannot
open shared object file: Permission denied
Best Regards,
Mehrdad Moradi
2015-06-23 21:03:29 UTC
Thanks.

When I use --cap-add=NET_ADMIN instead of --privileged, Mininet does not run properly.
Is there any way to have best of both worlds?

Best Regards,
—Mehrdad
For interacting with the network stack, instead of using --privileged they should use --cap-add=NET_ADMIN to modify the network interfaces.
from: https://docs.docker.com/reference/run/
__________
Shamiq Islam
c 361.877.3580
Hi All,
When I run an ubuntu container with privileged mode which is needed to run Mininet, I cannot successfully install tcpdump. What's the solution for the error: libcrypto.so.1.0.0: cannot open shared object file: Permission denied?
sudo docker run --name="ryu-mininet" --privileged=true -it imehrdad2012/mininet /bin/bash
tcpdump: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: Permission denied
Best Regards,
Eric Windisch
2015-06-24 15:40:32 UTC
I would say this is probably not AppArmor, but you can check in your dmesg
for failures. AppArmor on Ubuntu does ship a policy specific to tcpdump and
it's possible this is applying to your binary inside of the container. If
that were true, you could simply disable the policy for tcpdump by running:

# apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump
Post by Mehrdad Moradi
Thanks.
When I use --cap-add=NET_ADMIN instead of --privileged, Mininet does not
run properly.
Is there any way to have best of both worlds?
Best Regards,
—Mehrdad
For interacting with the network stack, instead of using --privileged they
should use --cap-add=NET_ADMIN to modify the network interfaces.
from: https://docs.docker.com/reference/run/
__________
Shamiq Islam
c 361.877.3580
Post by Mehrdad Moradi
Hi All,
When I run an ubuntu container with privileged mode which is needed to
run Mininet, I cannot successfully install tcpdump. What's the solution for
the error: libcrypto.so.1.0.0: cannot open shared object file: Permission
denied?
sudo docker run --name="ryu-mininet" --privileged=true -it
imehrdad2012/mininet /bin/bash
sudo apt-get install tcpdump
tcpdump: error while loading shared libraries: libcrypto.so.1.0.0: cannot
open shared object file: Permission denied
Best Regards,
--
Regards,
Eric Windisch
Docker Security Team
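An added example (not code from this thread, from Eric, or from Docker) of the check described above: scan the host's kernel log for AppArmor denials, attribute them to the profile that issued them, and confirm whether the host's /usr/sbin/tcpdump profile is currently loaded. The dmesg lines are constructed for the example, and CONTAINER_LAYER_ID in them is a placeholder for the storage driver's per-container layer directory; the securityfs path /sys/kernel/security/apparmor/profiles is the kernel's own list of loaded profiles and is only readable on a host with AppArmor.

```sh
#!/bin/sh
# Added example, not code from this thread or from Docker: triage the
# "check dmesg for AppArmor failures" step from the host, and confirm whether
# the host's tcpdump profile is what is being applied to the binary inside
# the container.

# Constructed sample of what `dmesg` prints when a profile denies a file open.
# CONTAINER_LAYER_ID is a placeholder; on a real host it is the storage
# driver's per-container layer directory.
SAMPLE_DMESG='[  120.000001] audit: type=1400 audit(1435094400.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/var/lib/docker/aufs/diff/CONTAINER_LAYER_ID/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0" pid=4242 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  120.000002] audit: type=1400 audit(1435094400.124:46): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=1 comm="apparmor_parser"
[  121.000003] audit: type=1400 audit(1435094401.001:47): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/ld.so.cache" pid=4243 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# aa_denials: read kernel log text on stdin, print one "profile<TAB>path"
# line per AppArmor DENIED record. STATUS and ALLOWED records are ignored.
aa_denials() {
  awk '
    /apparmor="DENIED"/ {
      p = ""; n = ""
      if (match($0, /profile="[^"]*"/)) p = substr($0, RSTART + 9, RLENGTH - 10)
      if (match($0, /name="[^"]*"/))    n = substr($0, RSTART + 6, RLENGTH - 7)
      print p "\t" n
    }'
}

# aa_denial_count PROFILE: how many denials on stdin were issued by PROFILE.
aa_denial_count() {
  aa_denials | awk -F '\t' -v p="$1" '$1 == p { c++ } END { print c + 0 }'
}

# aa_profile_loaded PROFILE [FILE]: succeed if PROFILE appears in the kernel's
# profile list (lines look like "/usr/sbin/tcpdump (enforce)").
# FILE defaults to the securityfs list on the host.
aa_profile_loaded() {
  f="${2:-/sys/kernel/security/apparmor/profiles}"
  [ -r "$f" ] && grep -q "^$1 (" "$f"
}

# Walk-through on the constructed sample. On a real host, feed `dmesg`
# instead of SAMPLE_DMESG and call aa_profile_loaded without a file argument.
main() {
  printf '%s\n' "$SAMPLE_DMESG" | aa_denials
  n=$(printf '%s\n' "$SAMPLE_DMESG" | aa_denial_count /usr/sbin/tcpdump)
  echo "denials issued by /usr/sbin/tcpdump: $n"
  if aa_profile_loaded /usr/sbin/tcpdump; then
    echo "host profile /usr/sbin/tcpdump is loaded and is the likely cause"
    echo "unload it (the workaround above): apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump"
    echo "reload it afterwards:             apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump"
  fi
}

# Run the walk-through only when executed as a script named aa_triage.sh,
# not when the functions are sourced into another shell.
case "$0" in *aa_triage.sh) main ;; esac
```

A denial whose profile field is the host's /usr/sbin/tcpdump while the denied path sits under the container's layer directory is the signature of the problem in this thread: the host's path-based profile attached to the tcpdump executed inside the container, and its file rules were written for host paths. Note that `apparmor_parser -R` unloads the profile for the host's own tcpdump as well, so reload it with `-r` once the container work is done.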
Mehrdad Moradi
2015-06-24 16:01:51 UTC
Thanks Eric.

It seems that if we move the tcpdump binary in the container to another location, the
problem gets solved temporarily (see https://github.com/docker/docker/issues/14140).
However, it seems this is not a long-term solution.

Best Regards,
—Mehrdad
Post by Eric Windisch
apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump
Eric Windisch
2015-06-24 16:49:23 UTC
Yes, I'm aware of that issue. My workaround of disabling the policy for
tcpdump should work for you.

I also have a PR to fix #14140.
Post by Mehrdad Moradi
Thanks Eric.
It seems that if we move the tcpdump binary in the container to another location, the
problem gets solved temporarily (see
https://github.com/docker/docker/issues/14140).
However, it seems this is not a long-term solution.
Best Regards,
—Mehrdad
apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump
Ian Miell
2015-06-23 20:53:50 UTC
Are you running in an SELinux-enforcing env?
Post by Mehrdad Moradi
Hi All,
When I run an ubuntu container with privileged mode which is needed to run
Mininet, I cannot successfully install tcpdump. What's the solution for the
error: libcrypto.so.1.0.0: cannot open shared object file: Permission
denied?
sudo docker run --name="ryu-mininet" --privileged=true -it
imehrdad2012/mininet /bin/bash
apt-get install tcpdump
tcpdump: error while loading shared libraries: libcrypto.so.1.0.0: cannot
open shared object file: Permission denied
Best Regards,
Mehrdad Moradi
2015-06-23 21:01:41 UTC
I am using Ubuntu 14.04, which uses AppArmor by default. Does removing AppArmor and
installing SELinux solve the issue?
Post by Ian Miell
SELinux-enforcing env