Device permissions are broken in 18.02

[kitsunyan]

• This is a bug report
• This is a feature request
• I searched existing issues before opening this one

Expected behavior

[host]# docker run --device /dev/snd:/dev/snd -ti myimage
[container]# ls -la /dev/snd
total 0
drwxr-xr-x 2 root root     280 Feb 14 04:59 .
drwxr-xr-x 7 root root     400 Feb 14 04:59 ..
crw-rw---- 1 root audio 116,  2 Feb 14 05:01 controlC0
----
crw-rw---- 1 root audio 116,  1 Feb 14 05:01 seq
crw-rw---- 1 root audio 116, 33 Feb 14 05:01 timer

Actual behavior

[host]# docker run --device /dev/snd:/dev/snd -ti myimage
[container]# ls -la /dev/snd
total 0
drwxr-xr-x 2 root root     280 Feb 14 04:59 .
drwxr-xr-x 7 root root     400 Feb 14 04:59 ..
crw-rw---- 1 root root 116,  2 Feb 14 04:59 controlC0
----
crw-rw---- 1 root root 116,  1 Feb 14 04:59 seq
crw-rw---- 1 root root 116, 33 Feb 14 04:59 timer

For some reason after update to 18.02 all devices in /dev/snd have root group. In 18.01 they had audio group as well as on host.

Steps to reproduce the behavior

Run on 18.01 and 18.02:

[host]# docker run --device /dev/snd:/dev/snd -ti myimage
[container]# ls -la /dev/snd

Output of docker version:

Client:
 Version:	18.02.0-ce
 API version:	1.36
 Go version:	go1.9.4
 Git commit:	fc4de447b5
 Built:	Tue Feb 13 15:28:01 2018
 OS/Arch:	linux/amd64
 Experimental:	false
 Orchestrator:	swarm

Server:
 Engine:
  Version:	18.02.0-ce
  API version:	1.36 (minimum version 1.12)
  Go version:	go1.9.4
  Git commit:	fc4de447b5
  Built:	Tue Feb 13 15:28:34 2018
  OS/Arch:	linux/amd64
  Experimental:	false

Output of docker info:

Containers: 2
 Running: 0
 Paused: 0
 Stopped: 2
Images: 28
Server Version: 18.02.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9b55aab90508bd389d7654c4baf173a981477d55
runc version: 9f9c96235cc97674e935002fc3d78361b696a69e
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.15.3-1-ARCH
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 31.38GiB
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

[nRaecheR]

Same with the newly released 17.12.1ce-0ubuntu on my Ubuntu Server 17.10 AMD64 with custom 4.15.7 kernel installation. The permissions of my DVB adapters are root:root and not root:video anymore.

Going back to 17.12.0ce-0ubuntu makes the TVHeadend docker container working again with the expected file permissions. Recreating the container makes no difference.

[Luzifer]

Same behaviour with an USB CUL (expected root:dialout, actual root:root) on

Client:
 Version:       17.12.1-ce
 API version:   1.35
 Go version:    go1.9.4
 Git commit:    7390fc6
 Built: Tue Feb 27 22:17:40 2018
 OS/Arch:       linux/amd64

Server:
 Engine:
  Version:      17.12.1-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.4
  Git commit:   7390fc6
  Built:        Tue Feb 27 22:16:13 2018
  OS/Arch:      linux/amd64
  Experimental: false

Host: Linux wedel 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[fracarvic]

Same for me updating from 17.12.0 to 17.12.1. I have a device /dev/ttyACM0 with root:dialup owner, and in the container are root:root. Going back to 17.12.0 solves the problem.

[thaJeztah]

This is a duplicate of moby/moby#36457, and moby/moby#36446, and caused by a bug in runc 1.0.0-rc4 and up: opencontainers/runc#1742 and is fixed in opencontainers/runc#1743, which is part of runc 1.0.0-rc5

A fix (moby/moby#36449) has been merged to master, and will be included in nightly builds of docker soon (e.g. https://download.docker.com/linux/ubuntu/dists/xenial/pool/nightly/amd64/). I also opened a ticket to request including the fix in the upcoming 18.03 Docker release (but it's up to the release team to decide if it will be included 😅 )

Closing this issue, because a fix has been merged, but feel free to continue the conversation