Why does sudo fail inside docker complaining about nosuid

docker mount sudo

Running sudo inside a Docker container produces the error

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Permissions for sudo are set correctly:

-rwsr-xr-x 1 root root 149080 gen 18  2018 /usr/bin/sudo

Also, the root filesystem is not mounted as nosuid. (mount | grep nosuid does not include / as a mount point.)

What could be wrong?

Best Answer

According to this GitHub post by asbe,

Containers on one host could sudo just fine, but on a nearly equivalent host the error occurred. Finally figured out that the cause was because the problematic host used "overlay" as storage driver and the other "aufs". Both docker installations had moved /var/lib/docker to a drive mounted with "nosuid". Turns out "overlay" respects the "nosuid". Just making sure that /var/lib/docker was mounted on a disk with "nosuid" removed resolved all issues. (Curiously - this does not happen with the setup using "aufs")

(Emphasis added by me.)

Indeed, I was mounting /var/lib/docker from another drive with the nosuid option enabled. I disabled nosuid with this command:

sudo mount -n -o remount,suid /mount/for/var/lib/docker

Then sudo worked after restarting the container.
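A small diagnostic script, added here as an illustration and not taken from the question or the linked GitHub post, that finds the mount backing a path in /proc/self/mountinfo data and reports whether that mount carries nosuid. The mountinfo lines inside it are constructed to resemble the asker's layout (data root on a separate nosuid disk) before and after the remount.

```shell
#!/bin/sh
# Added diagnostic (not from the original question or answer): report which
# mount backs Docker's data root and whether it has nosuid, the condition that
# makes setuid binaries such as sudo fail in overlay-backed containers.
# Assumes the /proc/self/mountinfo layout: field 5 is the mount point and
# field 6 the per-mount options.

# backing_mount PATH MOUNTINFO -> prints "MOUNTPOINT OPTIONS" for the longest
# mount point that is a prefix of PATH, i.e. the mount that actually backs it.
backing_mount() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NF >= 6 {
            mp = $5; opts = $6
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; bestopts = opts }
            }
        }
        END { print best, bestopts }'
}

# suid_status PATH MOUNTINFO -> prints "nosuid" when the backing mount disables
# setuid, "ok" otherwise; exit status mirrors the result (0 = ok, 1 = nosuid).
suid_status() {
    set -- $(backing_mount "$1" "$2")
    case ",$2," in
        *,nosuid,*) echo nosuid; return 1 ;;
        *)          echo ok;     return 0 ;;
    esac
}

# Constructed sample: /var/lib/docker bind-mounted from a nosuid data disk.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
51 22 8:17 / /mnt/dockerdisk rw,nosuid,relatime shared:30 - ext4 /dev/sdb1 rw
52 22 8:17 /docker /var/lib/docker rw,nosuid,relatime shared:30 - ext4 /dev/sdb1 rw
60 22 8:2 / /boot rw,relatime shared:5 - ext4 /dev/sda2 rw'

# Same layout after "mount -o remount,suid" on the data disk.
FIXED_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
51 22 8:17 / /mnt/dockerdisk rw,relatime shared:30 - ext4 /dev/sdb1 rw
52 22 8:17 /docker /var/lib/docker rw,relatime shared:30 - ext4 /dev/sdb1 rw'

# On a live host run:  suid_status /var/lib/docker "$(cat /proc/self/mountinfo)"
echo "docker root (before remount): $(suid_status /var/lib/docker "$SAMPLE_MOUNTINFO")"
echo "docker root (after remount):  $(suid_status /var/lib/docker "$FIXED_MOUNTINFO")"
echo "root filesystem:              $(suid_status / "$SAMPLE_MOUNTINFO")"
```

Checking the root filesystem alone, as the question did, misses the case because only the mount that backs /var/lib/docker matters.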
