This article was originally published on bmf-tech.com.
Overview
While running tests in golang using Docker Compose, I encountered an Operation not permitted error.
Solution
Docker Documentation - runtime-privilege-and-linux-capabilities
Adjusting the privilege settings of the Docker container resolves the issue.
gobel_test_db:
  container_name: "gobel_test_db"
  build: ./docker/mysql
  ports:
    - "3305:3306"
  volumes:
    - mysql_gobel_test_db:/var/lib/mysql:delegated
    - ./docker/mysql/initdb.d/gobel_test_db:/docker-entrypoint-initdb.d
  environment:
    - MYSQL_DATABASE=gobel_test
    - MYSQL_ROOT_PASSWORD=password
  privileged: true  # add this option
Since I wasn't entirely sure about the security implications of the above, I configured it to restrict permissions further.
gobel_test_db:
  container_name: "gobel_test_db"
  build: ./docker/mysql
  ports:
    - "3305:3306"
  volumes:
    - mysql_gobel_test_db:/var/lib/mysql:delegated
    - ./docker/mysql/initdb.d/gobel_test_db:/docker-entrypoint-initdb.d
  environment:
    - MYSQL_DATABASE=gobel_test
    - MYSQL_ROOT_PASSWORD=password
  cap_add:
    - SYS_ADMIN
  security_opt:
    - seccomp:unconfined
cap_add is the Compose option for granting additional Linux capabilities to a container; here it grants SYS_ADMIN, the capability that covers a broad range of system administration operations (mounting filesystems, namespace operations and many others), so it is still a very wide grant.
Linux capabilities are a kernel feature that splits the all-or-nothing superuser privilege into individually grantable pieces.
seccomp is a Linux kernel security feature that restricts which system calls a process may issue; Docker applies a default seccomp profile to every container.
Here, it is set to unconfined, which means disabled: the container can issue any system call.
Unconfined literally translates to "not confined."
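To see at a glance how much isolation each variant of the service above gives up, here is a small audit of Compose service definitions. This is an added example, not code from the original post; it assumes the compose file has already been loaded into a dict (for instance with PyYAML's yaml.safe_load), and the sample document at the bottom is constructed to mirror the two configurations shown above.

```python
from typing import Dict, List, Optional

# Capabilities broad enough to deserve a finding on their own. SYS_ADMIN is
# the one added in the compose file above; ALL is the other common way to get it.
BROAD_CAPS = {"SYS_ADMIN", "ALL"}


def normalize_cap(cap: str) -> str:
    """Compose accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare on one form."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def seccomp_profile(security_opt: Optional[list]) -> Optional[str]:
    """Return the seccomp profile named in security_opt ('unconfined' or a path),
    or None when Docker's default profile applies. Accepts ':' or '=' separators."""
    for opt in security_opt or []:
        key, sep, value = str(opt).replace("=", ":", 1).partition(":")
        if sep and key.strip() == "seccomp":
            return value.strip()
    return None


def audit_service(name: str, svc: dict) -> List[str]:
    """Return findings for one compose service, most severe first."""
    findings = []
    # privileged: true lifts nearly every isolation layer at once: all capabilities,
    # all host devices, and no seccomp or AppArmor restrictions.
    if str(svc.get("privileged", "")).lower() == "true":
        findings.append(f"{name}: privileged=true (all caps, all devices, no seccomp)")
    caps = {normalize_cap(c) for c in svc.get("cap_add") or []}
    for cap in sorted(caps & BROAD_CAPS):
        findings.append(f"{name}: cap_add {cap} (wide administrative reach)")
    if seccomp_profile(svc.get("security_opt")) == "unconfined":
        findings.append(f"{name}: seccomp unconfined (default syscall filter removed)")
    return findings


def audit_compose(doc: dict) -> Dict[str, List[str]]:
    """Audit every service; services without findings are omitted from the result."""
    result = {}
    for name, svc in (doc.get("services") or {}).items():
        found = audit_service(name, svc or {})
        if found:
            result[name] = found
    return result


# Constructed sample mirroring the two variants from the post, plus a locked-down service.
SAMPLE = {"services": {
    "gobel_test_db_privileged": {"image": "mysql", "privileged": True},
    "gobel_test_db_caps": {"image": "mysql", "cap_add": ["SYS_ADMIN"],
                           "security_opt": ["seccomp:unconfined"]},
    "gobel_api": {"image": "golang", "cap_drop": ["ALL"]},
}}
```

Running audit_compose(SAMPLE) flags both database variants and leaves gobel_api clean, which makes the point that the cap_add version is only a modest step down from privileged: true.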
Thoughts
speakerdeck - Fully Understanding Containers
I studied containers briefly before, but my understanding is still shallow.