Reputation: 2397
I'm getting an error when creating a network namespace inside a docker container saying permission denied.
Command:
ip netns add red
Error:
mount --make-shared /run/netns failed: Permission denied
I am running the image ubuntu:20.10 and tried adding specific capabilities to the container, but it did not help.
docker run -it --rm --name=ubuntu --cap-add CAP_SYS_ADMIN --cap-add NET_ADMIN ubuntu:20.10
apt-get update && apt-get install -y net-tools && apt-get install -y iproute2
Even after adding all capabilities, the issue remains the same.
docker run -it --rm --name=ubuntu --cap-add ALL ubuntu:20.10
Upvotes: 8
Views: 8233
Reputation: 1625
The other answer suggests adding --privileged, but note that adding --privileged effectively removes all security features. If you are uncomfortable with this, you might prefer an approach that gives the container access only to what it needs.
The root cause is that Docker's default apparmor profile contains the rule deny mount, which prevents mount from working inside Docker containers, which is what is causing the error message mount --make-shared /run/netns failed: Permission denied.
You can confirm that this is the root cause by observing what happens if you add --security-opt apparmor=unconfined to your command, which disables apparmor but preserves other security features. Notice that the mount command succeeds:
docker run -it --rm --name=ubuntu \
--cap-add CAP_SYS_ADMIN --cap-add NET_ADMIN \
--security-opt apparmor=unconfined \
ubuntu
apt-get update && apt-get install -y net-tools iproute2
ip netns add red # succeeds
If you don't want to fully opt out of apparmor, you can create a custom apparmor profile, then load it with apparmor_parser -r -W path/to/your/profile and then apply it to your docker command using --security-opt apparmor=your-profile-name. You can create a custom apparmor profile by copying Docker's template and then tweaking it to suit your needs.
At the time of writing, Docker does not have an easy way to show the apparmor profile it is currently using, but you can look at the source template and then expand the template manually (by following the template logic).
See https://docs.docker.com/engine/security/apparmor/
Upvotes: 8
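One way to carry out the custom-profile approach the answer above describes, as an added example that is not the answerer's code: a script that writes a profile modelled on Docker's docker-default template, keeping its /proc and /sys restrictions but replacing the blanket mount denial with rules that permit mounts only at the /run/netns mount points, then loads it and starts the container with it. The profile name docker-netns, the path under /tmp and the exact mount rules are assumptions to verify on your host; check the copied deny rules against the template shipped with your Docker version.

```shell
#!/bin/sh
# Added example, not from the answer above: a profile derived from Docker's docker-default
# template with the blanket mount denial replaced by rules that permit mounts only at the
# /run/netns mount points "ip netns add" creates (it bind-mounts /run/netns onto itself,
# marks it shared, then bind-mounts /proc/self/ns/net onto /run/netns/<name>).
# Profile name and path are assumptions; the deny rules are copied from Docker's template
# (profiles/apparmor/template.go in the moby repo) and should be re-checked for your version.
set -e
PROFILE_NAME="${PROFILE_NAME:-docker-netns}"
PROFILE_PATH="${PROFILE_PATH:-/tmp/$PROFILE_NAME}"
write_netns_profile() {   # emit the profile text on stdout
  cat <<EOF
#include <tunables/global>
profile $PROFILE_NAME flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  network,
  capability,
  file,
  umount,
  signal (receive) peer=unconfined,
  signal (send,receive) peer=$PROFILE_NAME,
  deny @{PROC}/* w,
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9/]*}/** w,
  deny @{PROC}/sys/[^k]** w,
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,
  # docker-default denies every mount here; allow only the netns mount points instead.
  # Other destinations stay denied by default (and are logged, since no deny rule silences them).
  mount -> /run/netns/,
  mount -> /run/netns/**,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
  ptrace (trace,read,tracedby,readedby) peer=$PROFILE_NAME,
}
EOF
}
load_netns_profile() { apparmor_parser -r -W "$PROFILE_PATH"; }   # run as root on the host
run_netns_container() {   # the capabilities from the question plus the custom profile
  docker run -it --rm --cap-add NET_ADMIN --cap-add SYS_ADMIN \
    --security-opt "apparmor=$PROFILE_NAME" ubuntu:20.10 sh -c \
    'apt-get update && apt-get install -y iproute2 && ip netns add red && ip netns list'
}
write_netns_profile > "$PROFILE_PATH"
# Load and run only on a host that really has AppArmor, Docker and root; otherwise just write the file.
if [ "$(id -u)" = 0 ] && [ -d /sys/kernel/security/apparmor ] && command -v docker >/dev/null; then
  load_netns_profile && run_netns_container
fi
```

If ip netns add still fails under the new profile, the AppArmor denial shows up in the host's kernel log (dmesg or /var/log/audit) with the exact mount source, destination and flags that were rejected, which is what to compare against the two mount rules.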
Reputation: 2397
--cap-add and --privileged are not the same.
Ref: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
The issue is sorted by running the container privileged. Capabilities seem not to be required for adding a network namespace.
docker run -d --name=<name> --network=none --privileged <image>:<tag>
Upvotes: 2