Container fails to start when running on Mac - bind failed: Operation not permitted

[antmerlino]

Behaviour

I am trying to run this container on Mac and the container immediately exits. Enabling a higher log level, I get the following:

added interface eth0 ip=172.17.0.2 bcast=172.17.255.255 netmask=255.255.0.0
smbd version 4.15.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
uid=0 gid=0 euid=0 egid=0
messaging_dgm_init: bind failed: Operation not permitted
messaging_dgm_ref failed: Operation not permitted

Steps to reproduce this issue

 docker run -p 445:445 -v "$(pwd)/data:/data" -e SAMBA_LOG_LEVEL=3 --name samba-test crazymax/samba

config.yml

auth:
  - user: foo
    group: foo
    uid: 1000
    gid: 1000
    password: bar
  - user: baz
    group: xxx
    uid: 1100
    gid: 1200
    password_file: /run/secrets/baz_password

global:
  - "force user = foo"
  - "force group = foo"

share:
  - name: public
    comment: Public
    path: /samba/public
    browsable: yes
    readonly: yes
    guestok: yes
    veto: no
  - name: share
    path: /samba/share
    browsable: yes
    readonly: no
    guestok: yes
    writelist: foo
    veto: no

Expected behaviour

Container should run and be able to bind.

Actual behaviour

Container immediately exits

messaging_dgm_init: bind failed: Operation not permitted
messaging_dgm_ref failed: Operation not permitted

Configuration

• Docker version 20.10.17, build 100c701
• macOS Monterey Version 12.4 (21F79)

Docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.8.2)
  compose: Docker Compose (Docker Inc., v2.6.1)
  extension: Manages Docker extensions (Docker Inc., v0.2.7)
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 Containers: 5
  Running: 3
  Paused: 0
  Stopped: 2
 Images: 36
 Server Version: 20.10.17
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc version: v1.1.2-0-ga916309
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.10.104-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 5
 Total Memory: 15.6GiB
 Name: docker-desktop
 ID: DJYW:4L2Q:KQKY:SJEN:3O4X:XDDL:VAMW:I5U4:YOS7:WLIC:YPFA:ZJOV
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5000
  127.0.0.0/8
 Live Restore Enabled: false

Logs

Setting timezone to UTC
Initializing files and folders
Setting global configuration
Creating user foo/foo (1000:1000)
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/lib/samba/pdb/tdbsam.so' loaded
Forcing Primary Group to 'Domain Users' for foo
Creating user baz/xxx (1100:1200)
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/lib/samba/pdb/tdbsam.so' loaded
Forcing Primary Group to 'Domain Users' for baz
Add global option: force user = foo
Add global option: force group = foo
Creating share public
Creating share share
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

# Global parameters
[global]
	disable netbios = Yes
	disable spoolss = Yes
	dns proxy = No
	local master = No
	map to guest = Bad User
	pam password change = Yes
	printcap name = /dev/null
	security = USER
	server role = standalone server
	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = Docker Samba Server
	smb ports = 445
	unix extensions = No
	usershare allow guests = Yes
	winbind scan trusted domains = Yes
	fruit:time machine = yes
	fruit:delete_empty_adfiles = yes
	fruit:wipe_intentionally_left_blank_rfork = yes
	fruit:veto_appledouble = no
	fruit:posix_rename = yes
	fruit:model = MacSamba
	fruit:metadata = stream
	idmap config * : backend = tdb
	create mask = 0664
	directory mask = 0775
	force create mode = 0664
	force directory mode = 0775
	force group = foo
	force user = foo
	hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
	hosts deny = 0.0.0.0/0
	printing = bsd
	strict locking = No
	vfs objects = fruit streams_xattr
	wide links = Yes


[public]
	comment = Public
	delete veto files = Yes
	guest ok = Yes
	path = /samba/public
	veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/


[share]
	delete veto files = Yes
	guest ok = Yes
	path = /samba/share
	read only = No
	veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
	write list = foo
added interface eth0 ip=172.17.0.2 bcast=172.17.255.255 netmask=255.255.0.0
smbd version 4.15.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
uid=0 gid=0 euid=0 egid=0
messaging_dgm_init: bind failed: Operation not permitted
messaging_dgm_ref failed: Operation not permitted

[crazy-max]

Do you have the same issue with this cap?:

$ docker run --cap-add=sys_nice -p 445:445 -v "$(pwd)/data:/data" -e SAMBA_LOG_LEVEL=3 --name samba-test crazymax/samba

[antmerlino]

@crazy-max Yes same issue. No differences.

[crazy-max]

I'm not able to repro on an M1 mac mini (macOS Monterey 12.3.1) with Docker Desktop 4.10.1:

$ docker run --rm -it crazymax/samba 
Setting timezone to UTC
Initializing files and folders
Setting global configuration
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

# Global parameters
[global]
        disable netbios = Yes
        disable spoolss = Yes
        dns proxy = No
        local master = No
        map to guest = Bad User
        pam password change = Yes
        printcap name = /dev/null
        security = USER
        server role = standalone server
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        server string = Docker Samba Server
        smb ports = 445
        unix extensions = No
        usershare allow guests = Yes
        winbind scan trusted domains = Yes
        fruit:time machine = yes
        fruit:delete_empty_adfiles = yes
        fruit:wipe_intentionally_left_blank_rfork = yes
        fruit:veto_appledouble = no
        fruit:posix_rename = yes
        fruit:model = MacSamba
        fruit:metadata = stream
        idmap config * : backend = tdb
        create mask = 0664
        directory mask = 0775
        force create mode = 0664
        force directory mode = 0775
        hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
        hosts deny = 0.0.0.0/0
        printing = bsd
        strict locking = No
        vfs objects = fruit streams_xattr
        wide links = Yes
smbd version 4.15.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021

Not sure what the issue is

[antmerlino]

The only thing I notice is that you are running Monterey 12.3.1 and I'm running 12.5. Perhaps they updated something security-wise that's having an effect?

[ludelafo]

I'm having the same issue on my MacBook Pro (Intel) running macOS Ventura 13.1 (22C65).

I'm ready to help debugging this issue if needed.

[ludelafo]

I'm able to start the container without any apparent issues with the following command:

$ docker run -p 445:445 -v "$(pwd)/data/config.yml:/data/config.yml" -e SAMBA_LOG_LEVEL=3 --name samba-test crazymax/samba

The only difference is the direct mapping of the configuration file instead of the entire data directory. Could it be permissions related?

Edit

A working example is available here: https://gitlab.com/coloc-malakof/coloc-malakof/-/tree/main/samba

I've been able to keep the cache directory as a Docker volume as the lib directory inside /data seems to cause the issue.

[thebalaa]

A working example is available here: https://gitlab.com/coloc-malakof/coloc-malakof/-/tree/main/samba

Thanks for that, super helpful!