GID changed to use root vs what is on the host for "devices"

[EnorMOZ]

GID changed to use root vs what is on the host for "devices"

Host:
ls -lrt /dev/dri
crw-rw---- 1 root video 226, 128 Feb 19 13:27 renderD128
crw-rw---- 1 root video 226, 0 Feb 19 13:27 card0

Container:
docker exec -i -t container ls -lrt /dev/dri/
crw-rw---- 1 root root 226, 128 Feb 28 10:15 renderD128
crw-rw---- 1 root root 226, 0 Feb 28 10:15 card0

Steps to reproduce the issue:

1. Add /dev/dri as a device

Describe the results you received:
crw-rw---- 1 root root 226, 128 Feb 28 10:15 renderD128
crw-rw---- 1 root root 226, 0 Feb 28 10:15 card0

Describe the results you expected:
crw-rw---- 1 root video 226, 128 Feb 28 10:15 renderD128
crw-rw---- 1 root video 226, 0 Feb 28 10:15 card0

Additional information you deem important (e.g. issue happens only occasionally):
Happens on 17.12.1 but not 17.12 or below
Happens on 18.02 and above
Output of docker version:

Client:
 Version:	18.01.0-ce
 API version:	1.35
 Go version:	go1.9.2
 Git commit:	03596f5
 Built:	Wed Jan 10 20:11:05 2018
 OS/Arch:	linux/amd64
 Experimental:	false
 Orchestrator:	swarm

Server:
 Engine:
  Version:	18.01.0-ce
  API version:	1.35 (minimum version 1.12)
  Go version:	go1.9.2
  Git commit:	03596f5
  Built:	Wed Jan 10 20:09:37 2018
  OS/Arch:	linux/amd64
  Experimental:	false

Output of docker info:

Containers: 11
 Running: 11
 Paused: 0
 Stopped: 0
Images: 13
Server Version: 18.01.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.13.0-32-generic
Operating System: Ubuntu 16.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.21GiB
Name: myserver.com
ID: CP2K:4ZJZ:HOVE:ZUCJ:H4YJ:MKM2:D7Z2:I7XA:APR7:ARNX:GVS7:OMUO
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical

[thaJeztah]

ping @kolyshkin PTAL

[thaJeztah]

Actually, this looks like a bug in runc 1.0.0-rc4 and up: opencontainers/runc#1742 and is fixed in opencontainers/runc#1743, which is part of runc 1.0.0-rc5

[EnorMOZ]

@thaJeztah Thanks for the info ! How long does it take for the fix to get pushed to the next release ? Is there a workaround until then ?

[thaJeztah]

hm, you can install a custom runc binary and add it as additional runtime; https://docs.docker.com/engine/reference/commandline/dockerd//#docker-runtime-execution-options

or temporarily replace the docker-runc binary with 1.0.0-rc5, but test if that works

[thaJeztah]

I opened a pull-request to update the version of runc on master; #36449

[EnorMOZ]

Thanks again !! Confirmed that the updated runc fixes the issue.

[mviereck]

As a workaround it is possible to add the devices as a volume, too:

--device /dev/dri:dev/dri:rw  --volume /dev/dri:/dev/dri:rw

Looks strange, but runs fine so far without obvious issues. The GID matches to the host GID again. Thanks @ehough who found that out.

[thaJeztah]

Fix has been merged to master, and will be included in nightly builds of docker soon (e.g. https://download.docker.com/linux/ubuntu/dists/xenial/pool/nightly/amd64/). I also opened a ticket to request including the fix in the upcoming 18.03 Docker release (but it's up to the release team to decide if it will be included 😅 )