Comments (31)
Dramelac
commented on September 16, 2024
1
I reproduce locally and indeed docker cannot mount volume of type fuse.gocryptfs even in privileged mode..
It's probably a security restriction from fuse.gocryptfs (or docker do not support this mount type).
Feel free to create an issue in the project https://github.com/rfjakob/gocryptfs asking why / if it's intended that gocryptfs cannot be mounted inside a docker container. Maybe they can add support for it or give more explanation on retrictions.
Otherwise, in the current situation, if you wan to use gocryptfs with exegol you can, but you have to mount it from exegol, not from the host. The following setup works but give extra-permission to the exegol container (so be very carefull with that, these are dangerous permissions):
- Create a privileged exegol:
exegol start newcontainer full -V ./crypt_workspace:/crypt --privileged - Setup inside exegol:
apt update && apt install -y gocryptfs && \
gocryptfs /crypt /workspace && \
cd /workspace
If you want, you can automate the installation of gocryptfs with my-resources.
I'm now closing this issue, if you found more information on restriction and how we could integrate this further, don't hesitate to re-open it.
from exegol.
ShutdownRepo
commented on September 16, 2024
Thank you for raising the issue
Please provide debug logs, stack trace that shows what failing so that we can look for the bug in the code if any
from exegol.
Lucstay11
commented on September 16, 2024
[*] Exegol is currently in version v4.3.1
[*] Exegol Discord serv.: https://discord.gg/cXThyp7D6P
[*] Exegol documentation: https://exegol.rtfd.io/
[+] We thank Capgemini for supporting the project (helping with dev) π
[+] We thank HackTheBox for sponsoring the multi-arch support π
[D] Pip installation: On β
[D] Git source installation: Off πͺ
[D] Host OS: Linux (Kernel)
[D] Arch: amd64
[D] Raw arch: x86_64
[D] Docker desktop: Off πͺ
[D] Shell type: Linux
[D] Last wrapper update check: 01/02/2024
[*] Starting exegol
[*] Arguments supplied with the command, skipping interactive mode
[D] Attribute not found in parameters: multicontainertag
[V] Configuring new exegol container
[D] Attribute not found in parameters: multiimagetag
[D] βββ full β (remote) sha256:a87696f3b27523be0dc5b915d7efcd6ef09bbd8f31f0ab61e8048b1f17c659e0
[D] Auto-load remote version for the specific image 'full'
[V] Config: Enabling display sharing
[V] Config: Enabling host timezones
[V] Volume was successfully added for /etc/timezone
[V] Volume was successfully added for /etc/localtime
[V] Config: Enabling my-resources volume
[V] Updating the permissions of /home/alex/.exegol/my-resources (and sub-folders) to allow file sharing between the container and the host user
[D] Adding setgid permission recursively on directories from /home/alex/.exegol/my-resources
[D] Loading git at /home/alex/.exegol/exegol-resources
[D] Repo path: /home/alex/.exegol/exegol-resources/.git
[D] Git repository successfully loaded
[V] Config: Enabling exegol resources volume
[V] Config: Sharing workspace directory /home/alex/test
β Container summary
ββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Name β demo β
β Image β full - v.3.1.2 (Up to date) (amd64) β
ββββββββββββββββββββΌββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Credentials β root : svGGLUTpNRCMr6ENBrLSH6QJDlTNAI β
β Desktop β Off πͺ β
β X11 β On β β
β Network β host β
β Timezone β On β β
β Exegol resources β On β (/opt/resources) β
β My resources β On β (/opt/my-resources) β
β Shell logging β Off πͺ β
β Privileged β Off β β
β Workspace β /home/alex/test (/workspace) β
β Envs β DISPLAY=:0 β
β β _JAVA_AWT_WM_NONREPARENTING=1 β
β β QT_X11_NO_MITSHM=1 β
β Volumes β (RO) /home/alex/.local/lib/python3.10/site-packages/exegol/utils/imgsync/spawn.sh β‘ /.exegol/spawn.sh β
β β (RW) /tmp/.X11-unix β‘ /tmp/.X11-unix β
β β (RO) /etc/timezone β‘ /etc/timezone β
β β (RO) /etc/localtime β‘ /etc/localtime β
β β (RW) /home/alex/.exegol/my-resources β‘ /opt/my-resources β
β β (RW) /home/alex/.exegol/exegol-resources β‘ /opt/resources β
ββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[*] Creating new exegol container
[!] The file sharing permissions between the container and the host will not be applied automatically by Exegol. (Use the --update-fs option to enable the feature)
[D] demo - full
Privileged: False
Capabilities: []
Sysctls: {}
X: True
TTY: True
Network host: host
Ports: {}
Share timezone: True
Common resources: True
Envs (3): {'DISPLAY': ':0', '_JAVA_AWT_WM_NONREPARENTING': '1', 'QT_X11_NO_MITSHM': '1'}
Labels (0): {}
Shares (7): [{'Target': '/.exegol/spawn.sh', 'Source': '/home/alex/.local/lib/python3.10/site-packages/exegol/utils/imgsync/spawn.sh', 'Type': 'bind', 'ReadOnly': True}, {'Target': '/tmp/.X11-unix',
'Source': '/tmp/.X11-unix', 'Type': 'bind', 'ReadOnly': False}, {'Target': '/etc/timezone', 'Source': '/etc/timezone', 'Type': 'bind', 'ReadOnly': True}, {'Target': '/etc/localtime', 'Source':
'/etc/localtime', 'Type': 'bind', 'ReadOnly': True}, {'Target': '/opt/my-resources', 'Source': '/home/alex/.exegol/my-resources', 'Type': 'bind', 'ReadOnly': False}, {'Target': '/opt/resources', 'Source':
'/home/alex/.exegol/exegol-resources', 'Type': 'bind', 'ReadOnly': False}, {'Target': '/workspace', 'Source': '/home/alex/test', 'Type': 'bind', 'ReadOnly': False}]
Devices (0): []
VPN: N/A
[D] Entrypoint: ['/bin/bash', '/.exegol/entrypoint.sh']
[D] Cmd: ['load_setups', 'endless']
[-] invalid mount config for type "bind": stat /home/alex/test: permission denied
[D] 400 Client Error for http+docker://localhost/v1.43/containers/create?name=exegol-demo: Bad Request ("invalid mount config for type "bind": stat /home/alex/test: permission denied")
[!] Error while creating exegol container. Exiting.
from exegol.
ShutdownRepo
commented on September 16, 2024
can you run whoami && ls -al ~/test?
from exegol.
Lucstay11
commented on September 16, 2024
alex total 8 drwxrwxr-x 2 alex alex 4096 feb 2 01:42 . drwxr-x---+ 69 alex alex 4096 feb 2 01:44 ..
Even giving the rights with chmod 755 test or chown -R alex:alex /home/alex/test changes nothing. I believe that the problem is probably linked to the docker permission which certainly does not have access to the mount folder, do you know how to resolve this problem?
from exegol.
ShutdownRepo
commented on September 16, 2024
weird, @Dramelac @QU35T-code any idea on this? I don't have much time to think on it rn
from exegol.
Dramelac
commented on September 16, 2024
Hello @Lucstay11 are you using rootless docker ? If so, it's not fully supported by exegol there is a lot a limitation (as you can see), try to use 'standard' docker and follow the exegol doc (either install exegol as root to run it with sudo OR add yourself to the docker group to use a user-installed exegol).
from exegol.
ShutdownRepo
commented on September 16, 2024
Hello @Lucstay11 are you using rootless docker ? If so, it's not fully supported by exegol there is a lot a limitation (as you can see), try to use 'standard' docker and follow the exegol doc (either install exegol as root to run it with sudo OR add yourself to the docker group to use a user-installed exegol).
Do we have an easy way of knowing if docker's install is rootless? Would be nice to catch it in the wrapper imo
from exegol.
Lucstay11
commented on September 16, 2024
Bonjour @Lucstay11utilisez-vous rootless docker ? Si c'est le cas, il n'est pas entiΓ¨rement pris en charge par exegol il y a beaucoup de limitations (comme vous pouvez le voir), essayez d'utiliser 'standard' docker et suivez le doc d'exΓ©gol (soit installer exΓ©gol en tant que root pour l'exΓ©cuter avec sudo OU ajouter vous-mΓͺme au groupe docker pour utiliser un exΓ©gol installΓ© par l'utilisateur).
To be honest I have never used docker so I would not answer you nevertheless especially since it is a docker modified in a wrapper to make exegol work, I installed exegol as mentioned in the doc and that's it. The reason for the problem is that exegol cannot access a mount workspace!
from exegol.
Dramelac
commented on September 16, 2024
The problem you have is not an Exegol error.
This error is from the docker daemon when exegol tried to start your container:
[D] 400 Client Error for http+docker://localhost/v1.43/containers/create?name=exegol-demo: Bad Request ("invalid mount config for type "bind": stat /home/alex/test: permission denied")
What do you mean by it is a docker modified ?
Maybe try to reinstall docker on your host, you can follow the install doc of docker on the exegol documentation or directly from the official docker website.
from exegol.
Lucstay11
commented on September 16, 2024
I installed docker as mentioned above and gave rights to the docker group but I got the same error:
exegol start cryptsetup -w /home/alex/exegolspace
[] Exegol is currently in version v4.3.1
[] Exegol Discord serv.: https://discord.gg/cXThyp7D6P
[] Exegol documentation: https://exegol.rtfd.io/
[+] We thank Capgemini for supporting the project (helping with dev) π
[+] We thank HackTheBox for sponsoring the multi-arch support π
[] Starting exegol
[*] Arguments supplied with the command, skipping interactive mode
πΈ Available images
βββββββββββββ¬ββββββββββ¬βββββββββββββββββββββββ
β Image tag β Size β Status β
βββββββββββββΌββββββββββΌβββββββββββββββββββββββ€
β full β 50.7GB β Up to date (v.3.1.2) β
β web β ~23.5GB β Not installed β
β osint β ~13.3GB β Not installed β
β light β ~14.2GB β Not installed β
β ad β ~40.4GB β Not installed β
β nightly β ~55.2GB β Not installed β
βββββββββββββ΄ββββββββββ΄βββββββββββββββββββββββ
[*] You can use a name that does not already exist to build a new image from local sources
[?] Select an image by its name (full): full
β Container summary
ββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββ
β Name β cryptsetup β
β Image β full - v.3.1.2 (Up to date) β
ββββββββββββββββββββΌββββββββββββββββββββββββββββββββββββββββ€
β Credentials β root : G5NHik0TfMe7Jt2KGJxGAaynejpVUc β
β Desktop β Off πͺ β
β X11 β On β β
β Network β host β
β Timezone β On β β
β Exegol resources β On β (/opt/resources) β
β My resources β On β (/opt/my-resources) β
β Shell logging β Off πͺ β
β Privileged β Off β β
β Workspace β /home/alex/exegolspace (/workspace) β
ββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββββββββββ
[*] Creating new exegol container
[!] The file sharing permissions between the container and the host will not be applied automatically by Exegol. (Use the --update-fs option to enable the feature)
[-] invalid mount config for type "bind": stat /home/alex/exegolspace: permission denied
[!] Error while creating exegol container. Exiting.`
from exegol.
Dramelac
commented on September 16, 2024
Can you try to create a simple docker container ? Maybe we will have more information on the docker error:
docker run --rm -it --mount type=bind,source=/home/alex/exegolspace,destination=/workspace debian /bin/bash -c 'ls -lha /workspace'
If you still have the error, try with sudo to see if you have the same outcome.
from exegol.
Lucstay11
commented on September 16, 2024
Can you try to create a simple docker container ? Maybe we will have more information on the docker error:
docker run --rm -it --mount type=bind,source=/home/alex/exegolspace,destination=/workspace debian /bin/bash -c 'ls -lha /workspace'If you still have the error, try with sudo to see if you have the same outcome.
docker run --rm -it --mount type=bind,source=/home/alex/exegolspace,destination=/workspace debian /bin/bash -c 'ls -lha /workspace' Unable to find image 'debian:latest' locally latest: Pulling from library/debian 7bb465c29149: Pull complete Digest: sha256:4482958b4461ff7d9fabc24b3a9ab1e9a2c85ece07b2db1840c7cbc01d053e90 Status: Downloaded newer image for debian:latest total 8.0K drwxrwxr-x 2 1000 1000 4.0K Feb 7 14:03 . drwxr-xr-x 1 root root 4.0K Feb 27 16:50 ..
from exegol.
Lucstay11
commented on September 16, 2024
I will explain in detail what I wanted to do. I would like to create a gocrypt encrypter container which would serve as a mount folder for the exegol workspace. But when I want to create a workspace in a folder mounted docker prevents me...
from exegol.
Dramelac
commented on September 16, 2024
Hello
I see. It's in the exegol roadmap to have encrypted workspace.
What was your mount setup when you tried the docker run command ?
from exegol.
Lucstay11
commented on September 16, 2024
I did not mount the folder during the previous test... When I mounted it even if I execute the command with sudo docker does not have permission to access the mount folder. The problem really comes from docker, how to give it the rights??
sudo docker run --rm -it --mount type=bind,source=/home/alex/exegolspace,destination=/workspace debian /bin/bash -c 'ls -lha /workspace'
docker: Error response from daemon: invalid mount config for type "bind": stat /home/alex/exegolspace: permission denied.
See 'docker run --help'.
from exegol.
Dramelac
commented on September 16, 2024
Indeed it is a docker error, it should work if your mount directory is accessible on your host ...
I suggest you can create an issue on the docker repository (maybe this one https://github.com/docker/cli) and detail how to reproduce your error by creating the same mount setup.
from exegol.
Lucstay11
commented on September 16, 2024
Indeed it is a docker error, it should work if your mount directory is accessible on your host ... I suggest you can create an issue on the docker repository (maybe this one https://github.com/docker/cli) and detail how to reproduce your error by creating the same mount setup.
Yes I would see but can you also try to create an exegol container in a mounter folder and show me what you get back?
from exegol.
Lucstay11
commented on September 16, 2024
Indeed it is a docker error, it should work if your mount directory is accessible on your host ... I suggest you can create an issue on the docker repository (maybe this one https://github.com/docker/cli) and detail how to reproduce your error by creating the same mount setup.
ok I understood the error because my folder is already mounted... Do you know how to do so that docker can mount the exegol workspace in a folder that is already mounted?
from exegol.
Dramelac
commented on September 16, 2024
To supplied a custom workspace directory to exegol, you can use -w /path/to/dir parameter. Docker should be able to use any folder event if it's mounted from a usb drive for exemple.
In your case, i don't know how you have mounted your folder, if you can describe how to setup this environment to reproduce maybe i can help.
But your error is a docker limitation for the moment and Exegol doesn't support encrypted workspace for the moment, it's in our roadmap.
from exegol.
Dramelac
commented on September 16, 2024
@Lucstay11 any update ?
from exegol.
Lucstay11
commented on September 16, 2024
@Dramelac
I encrypted my worskspace (.exegol/workspaces/myhackworkspace) with gocryptfs, you can try to reproduce my situation:
gocryptfs -init crypt_workspace myhackworkspace
but when I mount my myhackworkspace folder
gocryptfs crypt_workspace myhackworkspace
and I launch my exegol session on this mount folder, exegol cannot access it.
I'm sure it's a simple permissions problem but I can't seem to solve it...
Try it on your side!
from exegol.
Dramelac
commented on September 16, 2024
@Lucstay11 did you try with --cap SYS_ADMIN ? Or directly with --privileged ?
from exegol.
Lucstay11
commented on September 16, 2024
@Lucstay11 did you try with
--cap SYS_ADMIN? Or directly with--privileged?
where should I place these parameters?
from exegol.
ShutdownRepo
commented on September 16, 2024
@Lucstay11 did you try with
--cap SYS_ADMIN? Or directly with--privileged?where should I place these parameters?
Something like
# exegol start [OPTIONS] <container> <image>
exegol start --cap SYS_ADMIN somecontainer
exegol start --privileged someothercontainerfrom exegol.
Lucstay11
commented on September 16, 2024
Not work is the same issue...
Can you try your hand and find a solution?
from exegol.
Lucstay11
commented on September 16, 2024
@Dramelac @ShutdownRepo Can you try it on your side and find any solution please?
from exegol.
Dramelac
commented on September 16, 2024
Did you create a new container with --privileged option and you still have the same problem ?
Because from what i saw in your previous message (using directly docker run commands) if the privileged mode doesn't work it's a docker issue and you should open an issue in their repo
Regarding gocryptfs, i'm not familiar with. I only used cryptsetup and luks in the past for encrypted volume.
Official support of encrypted volume are in the exegol roadmap but not yet here unfortunately. We can support you in best-effort but until their is an official feature i cannot guarantee you that docker itself support what you are trying to do :/
from exegol.
Dramelac
commented on September 16, 2024
Hello @Lucstay11
I have found a solution, it was as expected a restriction from gocryptfs.
- First you need to edit this file on your host
/etc/fuse.confand uncomment the lineuser_allow_other. - Then, you can mount on your host your private volume with the otpion
-allow_otherlike
gocryptfs -allow_other ./crypt_workspace/ ./workspace/ - And then create an exegol container with a custom workspace:
exegol start newcontainer full -w ./workspace
from exegol.
Lucstay11
commented on September 16, 2024
@Dramelac he work fine at the begining,but when at reboot my machine and i decrypt the workspace and I start the exegol container i have this ERROR
[] Exegol is currently in version v4.3.2
[] Exegol Discord serv.: https://discord.gg/cXThyp7D6P
[] Exegol documentation: https://exegol.rtfd.io/
[] Starting exegol
[] Arguments supplied with the command, skipping interactive mode
[] Location of the exegol workspace on the host :
/home/alex/exegolspace/testhack
[+] Opening shell in Exegol 'newcontainer'
OCI runtime exec failed: exec failed: unable to start container process: chdir to cwd ("/workspace") set in config.json failed: transport endpoint is not connected: unknown
from exegol.
Dramelac
commented on September 16, 2024
I don't have this error not matter what i try to do wrong. Even after reboot.
Dont forget the -allow_other parameter when you mount your workspace before starting your exegol container after rebooting. And always use the same mounting directory.
from exegol.
Related Issues (20)
- Installed image are not correctly reported with podman HOT 6
- [BUG] Desktop (beta) on a missing network interface leads to stacktrace on all wrapper commands HOT 4
- [BUG] Error with X11 folder bindind HOT 7
- Request to add a --run-script option for post install setup HOT 2
- WSL2 "Exec format error" when running 'cmd.exe' HOT 13
- Honour trusted certificates of host HOT 4
- [ERROR] The xhost command is not available on your host and can't access containers from previous install HOT 4
- Docker-desktop auth error HOT 3
- TypeError on Custom network mode VPN HOT 1
- Incorrect port syntax : using vpn HOT 4
- Exegol routed through tor ? HOT 2
- xhost: unable to open display ":0" HOT 9
- Upgrade of Wrapper v4.3.1 -> v4.3.2 on MacOS occurs a CRITICAL ERROR HOT 3
- Error while exegol update execution HOT 4
- Unable to install images due to docker disk space error HOT 2
- [Feature] - Log session
- Remote Desktop feature dont work HOT 8
- Add device /dev/net/tun for Docker Desktop HOT 1
- X11 (Xquartz) black background with unreadable text HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from exegol.