Running docker-bench-security under WSL1 #446

Open
sbutt opened this issue Oct 13, 2020 · 7 comments

Comments

@sbutt

sbutt commented Oct 13, 2020

Hi,

I'm trying to run under WSL1 (can't upgrade to WSL2 just yet) using these instructions: https://nickjanetakis.com/blog/setting-up-docker-for-windows-and-wsl-to-work-flawlessly. It seems to work OK, and hello-world runs fine. However, when I try to run docker-bench-security under Ubuntu 18.04 (under WSL)...

docker run -it --net host --pid host --userns host --cap-add audit_control -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST -v /etc:/etc:ro -v /lib/systemd/system:/lib/systemd/system:ro -v /usr/bin/containerd:/usr/bin/containerd:ro -v /usr/bin/runc:/usr/bin/runc:ro -v /usr/lib/systemd:/usr/lib/systemd:ro -v /var/lib:/var/lib:ro -v /var/run/docker.sock:/var/run/docker.sock:ro --label docker_bench_security docker/docker-bench-security

I get the following error.

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/var/lib/docker/containers/33b215e1abbbf3493dc0a2717e4c1b8ce4f747a60681f5b318fdf7b4516624da/hostname\\\" to rootfs \\\"/var/lib/docker/overlay2/fc341fa540cf7cc0af3c1c39a1453adbbfbc89d6a0ac52db65b280453eedd25d/merged\\\" at \\\"/var/lib/docker/overlay2/fc341fa540cf7cc0af3c1c39a1453adbbfbc89d6a0ac52db65b280453eedd25d/merged/etc/hostname\\\" caused \\\"open /var/lib/docker/overlay2/fc341fa540cf7cc0af3c1c39a1453adbbfbc89d6a0ac52db65b280453eedd25d/merged/etc/hostname: read-only file system\\\"\"": unknown. ERRO[0001] error waiting for container: context canceled

Perhaps this is more of a WSL problem than docker-bench-security?? Any pointers would be much appreciated.

@konstruktoid
Collaborator

konstruktoid commented Oct 13, 2020

Hi @sbutt, can you try running the script and see if it works at all?

Note that the available docker image is old (see #405), so you should build your own version to make sure everything is up-to-date.

@sbutt
Author

sbutt commented Oct 14, 2020

Seems to build OK...

[+] Building 23.3s (10/10) FINISHED
 => [internal] load .dockerignore                                                                                               0.0s
 => => transferring context: 34B                                                                                                0.0s
 => [internal] load build definition from Dockerfile                                                                            0.0s
 => => transferring dockerfile: 38B                                                                                             0.0s
 => [internal] load metadata for docker.io/library/alpine:3.12                                                                  0.0s
 => [internal] load build context                                                                                               0.0s
 => => transferring context: 697B                                                                                               0.0s
 => CACHED [1/5] FROM docker.io/library/alpine:3.12                                                                             0.0s
 => [2/5] RUN set -eux;   sed -i 's!http://dl-cdn.alpinelinux.org/!https://alpine.global.ssl.fastly.net/!g' /etc/apk/reposito  22.7s
 => [3/5] COPY ./*.sh /usr/local/bin/                                                                                           0.0s
 => [4/5] COPY ./tests/*.sh /usr/local/bin/tests/                                                                               0.0s
 => [5/5] WORKDIR /usr/local/bin                                                                                                0.0s
 => exporting to image                                                                                                          0.5s
 => => exporting layers                                                                                                         0.4s
 => => writing image sha256:399cd9d36d5a417a9c06c1a9c22dcbef82b53486c87d57ce9f95695f9a6cc30e                                    0.0s
 => => naming to docker.io/library/docker-bench-security                                                                        0.0s

However, it still doesn't run, and gives the same weird error message....

>     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
>     -v /etc:/etc:ro \
>     -v /usr/bin/containerd:/usr/bin/containerd:ro \
>     -v /usr/bin/runc:/usr/bin/runc:ro \
>     -v /usr/lib/systemd:/usr/lib/systemd:ro \
>     -v /var/lib:/var/lib:ro \
>     -v /var/run/docker.sock:/var/run/docker.sock:ro \
>     --label docker_bench_security \
>     docker-bench-security
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/var/lib/docker/containers/b0183763e5674dd2b3048cd43856cacf2c6344a8cca553865e7c806a3adac971/hostname\\\" to rootfs \\\"/var/lib/docker/overlay2/18ca2a9e152cc3180f82ba7bf508387063ac38ec24de1d7e52f033cb7b519e15/merged\\\" at \\\"/var/lib/docker/overlay2/18ca2a9e152cc3180f82ba7bf508387063ac38ec24de1d7e52f033cb7b519e15/merged/etc/hostname\\\" caused \\\"open /var/lib/docker/overlay2/18ca2a9e152cc3180f82ba7bf508387063ac38ec24de1d7e52f033cb7b519e15/merged/etc/hostname: read-only file system\\\"\"": unknown.
ERRO[0001] error waiting for container: context canceled

So, I guess that's a WSL1 problem.

When I run the script alone, it seems to be fine 👍

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/var/lib/docker/containers/05e7e543b415540f62b1017ac1ce606e96fcf982429987e63673d30fe67810b5/hostname\\\" to rootfs \\\"/var/lib/docker/overlay2/921fd198fa77a3207dc460594cc65cb10a8a43db52be4182f018666566ac9a1e/merged\\\" at \\\"/var/lib/docker/overlay2/921fd198fa77a3207dc460594cc65cb10a8a43db52be4182f018666566ac9a1e/merged/etc/hostname\\\" caused \\\"open /var/lib/docker/overlay2/921fd198fa77a3207dc460594cc65cb10a8a43db52be4182f018666566ac9a1e/merged/etc/hostname: read-only file system\\\"\"": unknown.
ERRO[0000] error waiting for container: context canceled
steve@LAP:/c/Users/steve.button/docker-bench-security$

So, I think it makes sense to close this issue (unless you have other suggestions?). Thanks for your help.

@konstruktoid
Collaborator

konstruktoid commented Oct 14, 2020

Does /var/lib/docker exist? It could be a Windows pathing issue.

@sbutt
Author

sbutt commented Oct 14, 2020

/var/lib/docker does not exist. So, yes, I guess that's the problem.

@konstruktoid
Collaborator

I guess all paths need to be corrected under WSL. I haven't used docker in that environment, so that needs some investigation.
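A quick way to confirm the diagnosis above on any host before starting the bench container. This is an added example, not docker-bench-security's own code and not from anyone in the thread: it takes the bind mounts from the `docker run` command quoted in the issue, reports every host path that does not exist, and separately checks for the daemon data root `/var/lib/docker` that konstruktoid asked about. The file name `check_bench_mounts.sh` used in the run guard is an assumption.

```shell
#!/bin/sh
# Added example, not docker-bench-security's own code: check that every host
# path the `docker run` command bind-mounts into the bench container exists
# on this host before starting it. On the WSL1 host in this thread
# /var/lib/docker is missing, so the container cannot be set up.

# Bind mounts taken from the docker run command quoted in the issue,
# one host:container[:opts] spec per line.
BENCH_MOUNTS='/etc:/etc:ro
/lib/systemd/system:/lib/systemd/system:ro
/usr/bin/containerd:/usr/bin/containerd:ro
/usr/bin/runc:/usr/bin/runc:ro
/usr/lib/systemd:/usr/lib/systemd:ro
/var/lib:/var/lib:ro
/var/run/docker.sock:/var/run/docker.sock:ro'

# mount_source SPEC : print the host side of a host:container[:opts] spec.
mount_source() {
  printf '%s\n' "${1%%:*}"
}

# missing_mount_sources SPEC... : print each host path that does not exist.
# Returns 0 when every path exists, 1 when at least one is missing.
missing_mount_sources() {
  missing=0
  for spec in "$@"; do
    host=$(mount_source "$spec")
    if [ ! -e "$host" ]; then
      printf '%s\n' "$host"
      missing=1
    fi
  done
  return "$missing"
}

# count_missing SPEC... : number of missing host paths, for use in scripts.
count_missing() {
  missing_mount_sources "$@" | wc -l | tr -d ' '
}

# docker_data_root_present [DIR] : true when the daemon's data root (default
# /var/lib/docker) exists; the bench reads it through the /var/lib mount.
docker_data_root_present() {
  [ -d "${1:-/var/lib/docker}" ]
}

# report_bench_mounts : run both checks against BENCH_MOUNTS and summarise.
report_bench_mounts() {
  old_ifs=$IFS
  IFS='
'
  # Word-split BENCH_MOUNTS on newlines into the positional parameters.
  set -- $BENCH_MOUNTS
  IFS=$old_ifs
  status=0
  if ! missing_mount_sources "$@"; then
    echo 'the host paths listed above are missing; docker run will fail' >&2
    status=1
  fi
  if ! docker_data_root_present; then
    echo '/var/lib/docker not found (WSL1 hosts lack it)' >&2
    status=1
  fi
  [ "$status" -eq 0 ] && echo 'all bind-mount host paths exist'
  return "$status"
}

# Run the report only when executed as check_bench_mounts.sh (assumed file
# name), so the functions can also be sourced from another script.
case "${0##*/}" in
  check_bench_mounts.sh) report_bench_mounts ;;
esac
```

Save it as `check_bench_mounts.sh` and run `sh check_bench_mounts.sh` inside the WSL shell; a non-zero exit with `/var/lib/docker not found` reproduces the situation described in this thread, and the list of missing paths tells you which `-v` arguments will fail on the host before the runtime reports the much less readable rootfs error.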

@chougulenishant8

Can the docker bench security script be run on a Windows host which has WSL 1 or 2? If yes, do the findings observed need to be patched on the Windows host or on the WSL2 Linux system?

@konstruktoid
Collaborator

Related #261
