Alpine container: Unable to start udev, container must be run in privileged mode to start udev

I have an alpine container deployed to an Orange pi Zero using the local deployment method. The compose file contains privileged access for the container and UDEV is set in my dockerfile yet I am still getting the error: Unable to start udev, container must be run in privileged mode to start udev in the logs and USB drives won’t mount.

I have done a balena inspect on the running container and can confirm from the output that it has privileged mode enabled: "Privileged": true,

In the container I have run a printenv and can see: UDEV=on

I had a look at an example script that returns this error message: https://github.com/balena-io-library/base-images/blob/7f7d932e3b9349639a633ba75c44338b9aed0ca2/balena-base-images/i386/alpine/3.11/run/Dockerfile

It looks like it identifies whether the privileged access is granted by executing: mount -t devtmpfs none /tmp/_balena.

When I execute this command in my container I get the following error message: mount: /tmp/_balena: must be superuser to use mount.

This is presumably because in my Alpine Dockerfile I set the user to ‘nobody’ which provides limited access for security reasons: USER nobody.

This is the only reason I can think of that the mount -t devtmpfs none /tmp/_balena would be failing despite it having permission. When I connect to my container with root privileges (balena exec -it --user root nginx_3_1 sh) the same mount command executes fine.

Am I barking up the wrong tree here, or am I likely on to the issue? And if I am on to the issue, any suggestions to overcome the restriction without having to give full admin privileges to the container?

Here is an example use case, nginx running as a user: https://github.com/TrafeX/docker-php-nginx/blob/master/Dockerfile

This of course would be run in a balena container and with udev enabled.

To provide a few of my own solutions, I could look to include a specific user in the NGINX config file, or to use the supervisord (used in the example container I provided) to run the process as a certain user, which would in turn allow me to run the container as root without sacrificing as much of the security of the container. These are all specific to my particular container case. Ideally, though, I would be able to use non-root users in my Dockerfile, and I am curious whether there is a balena-level solution that allows UDEV.

Hi there – thanks for your question. In the past, we have not had luck getting udev to work in an unprivileged container. It’s possible you may be able to find some combination of docker-compose fields to make this work, but I’m afraid we don’t have any suggestions on how to do that right now.

Another way to tackle this might be to leave out the USER stanza in your Dockerfile, and instead drop privileges at a suitable point in your startup script. This might let you run the mount commands as root, then use something like su to run the rest as your non-privileged user.

I hope that helps – let us know if you’re able to make progress on this!

All the best,
Hugh
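Added example, not part of the thread and not balena's or the base image's own code: an Alpine entrypoint that implements the approach Hugh describes. The Dockerfile drops its USER line, so the base image's entry.sh runs its devtmpfs mount check and udev as root, and this script then does any remaining root-only setup before handing the real command to an unprivileged account. Assumptions: su-exec is installed (apk add su-exec), the target account exists, and the environment variable names APP_USER and APP_DATA_DIR are hypothetical names chosen for this example.

```shell
#!/bin/sh
# entrypoint.sh (added example): run root-only setup, then drop privileges for the app.
# Assumes: su-exec installed via `apk add su-exec`; APP_USER is an existing unprivileged
# account (hypothetical variable name, defaults to nobody); APP_DATA_DIR, if set, is a
# directory the app must be able to write (hypothetical variable name).
set -eu

APP_USER="${APP_USER:-nobody}"

# Decide whether privileges should be dropped: only when we are root (uid 0) and the
# target account is not root itself. Prints "yes" or "no" so it can be tested in isolation.
should_drop() {
    uid="$1"
    target="$2"
    if [ "$uid" -eq 0 ] && [ "$target" != "root" ]; then
        echo yes
    else
        echo no
    fi
}

# Pick the helper used to switch user. su-exec is preferred on Alpine because it exec()s
# the target command directly (no lingering root parent, signals reach the app); su is the
# fallback; "none" means refuse to run the app as root.
drop_helper() {
    if command -v su-exec >/dev/null 2>&1; then
        echo su-exec
    elif command -v su >/dev/null 2>&1; then
        echo su
    else
        echo none
    fi
}

# Single-quote each argument so the command survives a trip through `su -c` unchanged,
# including arguments that contain spaces or embedded single quotes.
shell_quote() {
    out=""
    for a in "$@"; do
        q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        out="$out '$q'"
    done
    printf '%s' "${out# }"
}

main() {
    if [ "$(should_drop "$(id -u)" "$APP_USER")" = no ]; then
        # Already unprivileged (or told to stay root): nothing to drop, just run the command.
        exec "$@"
    fi

    # Root-only setup belongs here. By this point the base image's entry.sh has already
    # performed its `mount -t devtmpfs` check and started udev, because USER is no longer
    # set in the Dockerfile and the container runs privileged.
    if [ -n "${APP_DATA_DIR:-}" ]; then
        mkdir -p "$APP_DATA_DIR"
        chown -R "$APP_USER" "$APP_DATA_DIR"
    fi

    case "$(drop_helper)" in
        su-exec)
            exec su-exec "$APP_USER" "$@"
            ;;
        su)
            exec su -s /bin/sh "$APP_USER" -c "exec $(shell_quote "$@")"
            ;;
        *)
            echo "entrypoint: neither su-exec nor su found; refusing to run '$*' as root" >&2
            exit 1
            ;;
    esac
}

# Only act when a command was given (ENTRYPOINT + CMD always supplies one); sourcing the
# file with no arguments just defines the functions above.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Wire it in with ENTRYPOINT ["/entrypoint.sh"] and CMD ["nginx", "-g", "daemon off;"] in the Dockerfile, with the USER nobody line removed; the container still needs privileged: true in the compose file for udev, but the nginx worker and master processes end up running as the unprivileged account rather than root.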