Auto-connect docker to network-control

@jdstrand :wave:

The latest release of Docker (19.03.11) needs to write to /proc/sys/net/ipv6/conf/docker0/accept_ra for mitigation of CVE-2020-13401. @ijohnson suggested the right solution is probably just to add the network-control plug to dockerd, and ask for it to be auto-connected. :pray: :heart:

@ijohnson also did some testing and found that adding network-control was sufficient to resolve the issue (and IMO makes sense, since Docker expects to manage the interfaces it creates too, but happy to discuss/adjust :+1:).


For reference an example denial is:

Jun 08 11:55:40 kernel: audit: type=1400 audit(1591635340.644:10174): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/sys/net/ipv6/conf/docker0/accept_ra" pid=168443 comm="dockerd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

and example docker logs:

2020-06-08T16:55:41Z docker.dockerd[168443]: failed to start daemon: Error initializing network controller: Error creating default "bridge" network: libnetwork: Unable to disable IPv6 router advertisement: open /proc/sys/net/ipv6/conf/docker0/accept_ra: permission denied
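As an added example (not code from this thread or the docker snap), a small Python triage helper that parses the AppArmor audit line quoted above, identifies the snap behind the `snap.<name>.<app>` profile, and flags write denials under /proc/sys/net/ as the kind the network-control interface covers; treating that path prefix as a network-control signal is an assumption taken from this thread, not a rule from snapd.

```python
import re
from typing import Optional

# Constructed sample: the AppArmor denial quoted in this thread (journal prefix kept).
SAMPLE_DENIAL = (
    'Jun 08 11:55:40 kernel: audit: type=1400 audit(1591635340.644:10174): '
    'apparmor="DENIED" operation="open" profile="snap.docker.dockerd" '
    'name="/proc/sys/net/ipv6/conf/docker0/accept_ra" pid=168443 comm="dockerd" '
    'requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0'
)

# key=value or key="value" pairs as emitted by the kernel audit subsystem
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_apparmor_line(line: str) -> Optional[dict]:
    """Return the audit fields of an AppArmor line as a dict, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields

def snap_of(profile: str) -> Optional[str]:
    """snap.<name>.<app> -> <name>; None for profiles that are not snap confinement."""
    parts = profile.split('.')
    if len(parts) >= 3 and parts[0] == 'snap':
        return parts[1]
    return None

# Assumption (from this thread): a snap writing under /proc/sys/net/ is asking for
# access that the network-control interface grants.
NET_SYSCTL = re.compile(r'^/proc/sys/net/')

def triage(line: str) -> Optional[dict]:
    """Summarise a denial: which snap, which path, and whether network-control would cover it."""
    f = parse_apparmor_line(line)
    if not f or f.get('apparmor') != 'DENIED':
        return None
    snap = snap_of(f.get('profile', ''))
    path = f.get('name', '')
    wants_write = 'w' in f.get('denied_mask', '')
    return {
        'snap': snap,
        'path': path,
        'denied_mask': f.get('denied_mask'),
        'suggests_network_control': bool(snap) and wants_write and bool(NET_SYSCTL.match(path)),
    }
```

Feed it `journalctl -k` output line by line to see which snaps are hitting confinement denials and which of those look like missing network-control rather than a bug.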

+1 for auto-connecting network-control. TBH, I’m shocked it didn’t need it before now. @reviewers - can others please vote?

+1 for auto-connecting network-control from me as well.

I’m going to fast track the vote since the most recent docker includes an important CVE fix but the lack of (an auto-connecting) network-control is causing a regression in certain situations. @reviewers - please comment as desired if you feel this is in error and we can revisit the auto-connection.

2 votes for, 0 against. Granting auto-connection for network-control. This is now live.


@tianon any hint on when a snap that declares the network-control plug is going to be released?

@abeato it is already available in stable.
