"rootless" docker gets permission denied, but account running docker does not - why? - docker

I am running docker "rootless" according to this guide: https://docs.docker.com/engine/security/rootless/
The user which actually runs docker is svc_test.
When I try and start a docker container which has diretory mounts which don't exists - the docker daemon (a.k.a. svc_test user) attempts to mkdir these directories, but fails with
docker: Error response from daemon: error while creating mount source path '/dir_path/dir_name': mkdir /dir_path/dir_name: permission denied.
When I (svc_test) them attempt to do mkdir /dir_path/dir_name I succeed without any issues.
What is going on here and why does this happen?
Clearly I am missing something, but I can't trace what is that exactly.
Update 1:
This is the specific docker cmd I use to run the container:
docker run -d --restart unless-stopped \
--name questdb \
-e QDB_METRICS_ENABLED=TRUE \
--network="host" \
-v /my_mounted_volume/questdb:/questdb \
-v /my_mounted_volume/questdb/public:/questdb/public \
-v /my_mounted_volume/questdb/conf:/questdb/conf \
-v /my_mounted_volume/questdb/db:/questdb/db \
-v /my_mounted_volume/questdb/log:/questdb/log \
questdb/questdb:6.5.2 /usr/bin/env QDB_PACKAGE=docker /app/bin/java \
-m io.questdb/io.questdb.ServerMain \
-d /questdb \
-f
For clarity: my final goal is to be able to run the docker container in question from the same user form which I run my docker daemon (the svc_test user). Hence how I stumbled on this problem.

Related

Jenkins build - docker: not found [duplicate]

I have a Jenkins running as a docker container, now I want to build a Docker image using pipeline, but Jenkins container always tells Docker not found.
[simple-tdd-pipeline] Running shell script
+ docker build -t simple-tdd .
/var/jenkins_home/workspace/simple-tdd-pipeline#tmp/durable-
ebc35179/script.sh: 2: /var/jenkins_home/workspace/simple-tdd-
pipeline#tmp/durable-ebc35179/script.sh: docker: not found
Here is how I run my Jenkins image:
docker run --name myjenkins -p 8080:8080 -p 50000:50000 -v
/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock
jenkins
And the DockerFile of Jenkins image is:
https://github.com/jenkinsci/docker/blob/9f29488b77c2005bbbc5c936d47e697689f8ef6e/Dockerfile
You're missing the docker client. Install it as this in Dockerfile:
RUN curl -fsSLO https://get.docker.com/builds/Linux/x86_64/docker-17.04.0-ce.tgz \
&& tar xzvf docker-17.04.0-ce.tgz \
&& mv docker/docker /usr/local/bin \
&& rm -r docker docker-17.04.0-ce.tgz
Source
In your Jenkins interface go to "Manage Jenkins/Global Tool Configuration"
Then scroll down to Docker Installations and click "Add Docker". Give it a name like "myDocker"
Make sure to check the box which says "Install automatically". Click "Add Installer" and select "Download from docker.com". Leave "latest" in the Docker version. Make sure you click Save.
In your Jenkinsfile add the following stage before you run any docker commands:
stage('Initialize'){
def dockerHome = tool 'myDocker'
env.PATH = "${dockerHome}/bin:${env.PATH}"
}
Edit: May 2018
As pointed by Guillaume Husta, this jpetazzo's blog article discourages this technique:
Former versions of this post advised to bind-mount the docker binary from the host to the container. This is not reliable anymore, because the Docker Engine is no longer distributed as (almost) static libraries.
Docker client should be installed inside a container as described here. Also, jenkins user should be in docker group, so execute following:
$ docker exec -it -u root my-jenkins /bin/bash
# usermod -aG docker jenkins
and finally restart my-jenkins container.
Original answer:
You could use host's docker engine like in this #Adrian Mouat blog article.
docker run -d \
--name my-jenkins \
-v /var/jenkins_home:~/.jenkins \
-v /var/run/docker.sock:/var/run/docker.sock \
-p 8080:8080 jenkins
This avoids having multiple docker engine version on host and jenkins container.
The problem is in your Jenkins, it isn't capable to use the docker engine, even if you do install the docker from the plugin manager. From what I got researching there are some alternatives to workaround this issue:
1: Build a image using some docker image with pre-installed docker in it like provided by getintodevops/jenkins-withdocker:lts
2: Build the images from jenkins/jenkins mounting the volumes to your host then install the docker all by yourself by creating another container with same volumes and executing the bash cmd to install the docker or using Robert suggestion
docker run -p 8080:8080 -p 50000:50000 -v $HOME/.jenkins/:/var/jenkins_home
-v /var/run/docker.sock:/var/run/docker.sock jenkins/jenkins:latest
or 3: The most simple, just add the installed docker path from your host machine to be used by your jenkins container with: -v $(which docker):/usr/bin/docker
Your docker command should look like this:
docker run \
--name jenkins --rm \
-u root -p 8080:8080 -p 50000:50000 \
-v $(which docker):/usr/bin/docker\
-v $HOME/.jenkins/:/var/jenkins_home
-v /var/run/docker.sock:/var/run/docker.sock \
jenkins/jenkins:latest
[Source]https://forums.docker.com/t/docker-not-found-in-jenkins-pipeline/31683
Extra option: Makes no sense if you just want to make use of a single Jenkis server but it's always possible to install a OS like Ubuntu using an image and install the jenkins .war file from there
docker run -d \
--group-add docker \
-v $(pwd)/jenkins_home:/var/jenkins_home \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $(which docker):/usr/bin/docker \
-p 8080:8080 -p 50000:50000 \
jenkins/jenkins:lts
Just add option --group-add docker when docker run.
Add docker path i.e -v $(which docker):/usr/bin/docker to container in volumes like
docker run -d \
--name my-jenkins \
-v $(which docker):/usr/bin/docker \
-v /var/jenkins_home:~/.jenkins \
-v /var/run/docker.sock:/var/run/docker.sock \
-p 8080:8080 jenkins
This section helped me install docker inside the jenkins container: https://www.jenkins.io/doc/book/installing/docker/#downloading-and-running-jenkins-in-docker
Also, I had to replace FROM jenkins/jenkins:2.303.1-lts-jdk11 in the Dockerfile in step 4(a) with jenkins/jenkins.

Podman in Podman, similar to Docker in Docker?

Is there a way to run Podman inside Podman, similar to the way you can run Docker inside Docker?
Here is a snippet of my Dockerfile which is strongly based on another question:
FROM debian:10.6
RUN apt update && apt upgrade -qqy && \
apt install -qqy iptables bridge-utils \
qemu-kvm libvirt-daemon libvirt-clients virtinst libvirt-daemon-system \
cpu-checker kmod && \
apt -qqy install curl sudo gnupg2 && \
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list && \
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/Release.key | sudo apt-key add - && \
apt update && \
apt -qqy install podman
Now trying some tests:
$ podman run -it my/test bash -c "podman --storage-driver=vfs info"
... (long output; this works fine)
$ podman run -it my/test bash -c "podman --storage-driver=vfs images"
ERRO[0000] unable to write system event: "write unixgram #000ec->/run/systemd/journal/socket: sendmsg: no such file or directory"
REPOSITORY TAG IMAGE ID CREATED SIZE
$ podman run -it my/test bash -c "podman --storage-driver=vfs run docker.io/library/hello-world"
ERRO[0000] unable to write system event: "write unixgram #000ef->/run/systemd/journal/socket: sendmsg: no such file or directory"
Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 done
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures
ERRO[0003] unable to write pod event: "write unixgram #000ef->/run/systemd/journal/socket: sendmsg: no such file or directory"
ERRO[0003] Error preparing container 66692b7ff496775499d405d538769a078f2794549955cf2409fcbcbf87f42e94: error creating network namespace for container 66692b7ff496775499d405d538769a078f2794549955cf2409fcbcbf87f42e94: mount --make-rshared /var/run/netns failed: "operation not permitted"
Error: failed to mount shm tmpfs "/var/lib/containers/storage/vfs-containers/66692b7ff496775499d405d538769a078f2794549955cf2409fcbcbf87f42e94/userdata/shm": operation not permitted
I've also tried a suggestion from the other question, passing --cgroup-manager=cgroupfs, but without success:
$ podman run -it my/test bash -c "podman --storage-driver=vfs --cgroup-manager=cgroupfs run docker.io/library/hello-world"
Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 done
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures
ERRO[0003] unable to write pod event: "write unixgram #000f3->/run/systemd/journal/socket: sendmsg: no such file or directory"
ERRO[0003] Error preparing container c3fff4d8161903aaebd6f89f3b3c06b55038e11e07b6b561dc6576ca675747a3: error creating network namespace for container c3fff4d8161903aaebd6f89f3b3c06b55038e11e07b6b561dc6576ca675747a3: mount --make-rshared /var/run/netns failed: "operation not permitted"
Error: failed to mount shm tmpfs "/var/lib/containers/storage/vfs-containers/c3fff4d8161903aaebd6f89f3b3c06b55038e11e07b6b561dc6576ca675747a3/userdata/shm": operation not permitted
Seems like some network configuration is needed. I found the project below which suggests that some tweaking on network configurations might be necessary, but I don't know what would be the context of that and whether it would apply here or not.
https://github.com/joshkunz/qemu-docker
EDIT: I've just discovered /var/run/podman.sock, but also without success:
$ sudo podman run -it -v /run/podman/podman.sock:/run/podman/podman.sock my/test bash -c "podman --storage-driver=vfs --cgroup-manager=cgroupfs run docker.io/library/hello-world"
Trying to pull my/test...
denied: requested access to the resource is denied
Trying to pull my:test...
unauthorized: access to the requested resource is not authorized
Error: unable to pull my/text: 2 errors occurred:
* Error initializing source docker://my/test: Error reading manifest latest in docker.io/my/test: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
* Error initializing source docker://quay.io/my/test:latest: Error reading manifest latest in quay.io/my/test: unauthorized: access to the requested resource is not authorized
Seems like root cannot see the images I've created under my user.
Any ideas? Thanks.
Assume we would like to run ls / in a docker.io/library/alpine container.
Standard Podman
podman run --rm docker.io/library/alpine ls /
Podman in Podman
Let's run ls / in a docker.io/library/alpine container, but this time we run podman in a quay.io/podman/stable container.
Update June 2021
A GitHub issue comment shows an example of how to run Podman in Podman as a non-root user both on the host and in the outer container. Slightly modified it would look like this:
podman \
run \
--rm \
--security-opt label=disable \
--user podman \
quay.io/podman/stable \
podman \
run \
--rm \
docker.io/library/alpine \
ls /
Here is a full example:
$ podman --version
podman version 3.2.1
$ cat /etc/fedora-release
Fedora release 34 (Thirty Four)
$ uname -r
5.12.11-300.fc34.x86_64
$ podman \
run \
--rm \
--security-opt label=disable \
--user podman \
quay.io/podman/stable \
podman \
run \
--rm \
docker.io/library/alpine \
ls /
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b
Copying config sha256:d4ff818577bc193b309b355b02ebc9220427090057b54a59e73b79bdfe139b83
Writing manifest to image destination
Storing signatures
bin
dev
etc
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$
To avoid repeatedly downloading the inner container image,
create a volume
podman volume create mystorage
and add the command-line option
-v mystorage:/home/podman/.local/share/containers:rw
to the outer Podman command. In other words
podman \
run \
-v mystorage:/home/podman/.local/share/containers:rw \
--rm \
--security-opt label=disable \
--user podman \
quay.io/podman/stable \
podman \
run \
--rm \
docker.io/library/alpine \
ls /
Podman in Podman (outdated answer)
(The old outdated answer from Dec 2020. I'll probably remove this when it's clear that the method described here is outdated)
Let's run ls / in a docker.io/library/alpine container, but this time we run podman in a quay.io/podman/stable container.
The command will look like this:
podman \
run \
--privileged \
--rm \
--ulimit host \
-v /dev/fuse:/dev/fuse:rw \
-v ./mycontainers:/var/lib/containers:rw \
quay.io/podman/stable \
podman \
run \
--rm \
--user 0 \
docker.io/library/alpine ls
(The directory ./mycontainers is here used for container storage)
Here is a full example
$ podman --version
podman version 2.1.1
$ mkdir mycontainers
$ podman run --privileged --rm --ulimit host -v /dev/fuse:/dev/fuse:rw -v ./mycontainers:/var/lib/containers:rw quay.io/podman/stable podman run --rm --user 0 docker.io/library/alpine ls | head -5
Trying to pull docker.io/library/alpine...
Getting image source signatures
Copying blob sha256:188c0c94c7c576fff0792aca7ec73d67a2f7f4cb3a6e53a84559337260b36964
Copying config sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0
Writing manifest to image destination
Storing signatures
bin
dev
etc
home
lib
$ podman run --privileged --rm --ulimit host -v /dev/fuse:/dev/fuse:rw -v ./mycontainers:/var/lib/containers:rw quay.io/podman/stable podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest d6e46aa2470d 4 days ago 5.85 MB
If you would leave out -v ./mycontainers:/var/lib/containers:rw you might see the slightly confusing error message
Error: executable file `ls` not found in $PATH: No such file or directory: OCI runtime command not found error
References:
How to use Podman inside of a container Red Hat blog post from July 2021.
discussion.fedoraproject.org (discussion about not found in $PATH)
github comment (that gives advice about the correct way to run Podman in Podman)

Jenkins inside a container do not find docker command [duplicate]

I have a Jenkins running as a docker container, now I want to build a Docker image using pipeline, but Jenkins container always tells Docker not found.
[simple-tdd-pipeline] Running shell script
+ docker build -t simple-tdd .
/var/jenkins_home/workspace/simple-tdd-pipeline#tmp/durable-
ebc35179/script.sh: 2: /var/jenkins_home/workspace/simple-tdd-
pipeline#tmp/durable-ebc35179/script.sh: docker: not found
Here is how I run my Jenkins image:
docker run --name myjenkins -p 8080:8080 -p 50000:50000 -v
/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock
jenkins
And the DockerFile of Jenkins image is:
https://github.com/jenkinsci/docker/blob/9f29488b77c2005bbbc5c936d47e697689f8ef6e/Dockerfile
You're missing the docker client. Install it as this in Dockerfile:
RUN curl -fsSLO https://get.docker.com/builds/Linux/x86_64/docker-17.04.0-ce.tgz \
&& tar xzvf docker-17.04.0-ce.tgz \
&& mv docker/docker /usr/local/bin \
&& rm -r docker docker-17.04.0-ce.tgz
Source
In your Jenkins interface go to "Manage Jenkins/Global Tool Configuration"
Then scroll down to Docker Installations and click "Add Docker". Give it a name like "myDocker"
Make sure to check the box which says "Install automatically". Click "Add Installer" and select "Download from docker.com". Leave "latest" in the Docker version. Make sure you click Save.
In your Jenkinsfile add the following stage before you run any docker commands:
stage('Initialize'){
def dockerHome = tool 'myDocker'
env.PATH = "${dockerHome}/bin:${env.PATH}"
}
Edit: May 2018
As pointed by Guillaume Husta, this jpetazzo's blog article discourages this technique:
Former versions of this post advised to bind-mount the docker binary from the host to the container. This is not reliable anymore, because the Docker Engine is no longer distributed as (almost) static libraries.
Docker client should be installed inside a container as described here. Also, jenkins user should be in docker group, so execute following:
$ docker exec -it -u root my-jenkins /bin/bash
# usermod -aG docker jenkins
and finally restart my-jenkins container.
Original answer:
You could use host's docker engine like in this #Adrian Mouat blog article.
docker run -d \
--name my-jenkins \
-v /var/jenkins_home:~/.jenkins \
-v /var/run/docker.sock:/var/run/docker.sock \
-p 8080:8080 jenkins
This avoids having multiple docker engine version on host and jenkins container.
The problem is in your Jenkins, it isn't capable to use the docker engine, even if you do install the docker from the plugin manager. From what I got researching there are some alternatives to workaround this issue:
1: Build a image using some docker image with pre-installed docker in it like provided by getintodevops/jenkins-withdocker:lts
2: Build the images from jenkins/jenkins mounting the volumes to your host then install the docker all by yourself by creating another container with same volumes and executing the bash cmd to install the docker or using Robert suggestion
docker run -p 8080:8080 -p 50000:50000 -v $HOME/.jenkins/:/var/jenkins_home
-v /var/run/docker.sock:/var/run/docker.sock jenkins/jenkins:latest
or 3: The most simple, just add the installed docker path from your host machine to be used by your jenkins container with: -v $(which docker):/usr/bin/docker
Your docker command should look like this:
docker run \
--name jenkins --rm \
-u root -p 8080:8080 -p 50000:50000 \
-v $(which docker):/usr/bin/docker\
-v $HOME/.jenkins/:/var/jenkins_home
-v /var/run/docker.sock:/var/run/docker.sock \
jenkins/jenkins:latest
[Source]https://forums.docker.com/t/docker-not-found-in-jenkins-pipeline/31683
Extra option: Makes no sense if you just want to make use of a single Jenkis server but it's always possible to install a OS like Ubuntu using an image and install the jenkins .war file from there
docker run -d \
--group-add docker \
-v $(pwd)/jenkins_home:/var/jenkins_home \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $(which docker):/usr/bin/docker \
-p 8080:8080 -p 50000:50000 \
jenkins/jenkins:lts
Just add option --group-add docker when docker run.
Add docker path i.e -v $(which docker):/usr/bin/docker to container in volumes like
docker run -d \
--name my-jenkins \
-v $(which docker):/usr/bin/docker \
-v /var/jenkins_home:~/.jenkins \
-v /var/run/docker.sock:/var/run/docker.sock \
-p 8080:8080 jenkins
This section helped me install docker inside the jenkins container: https://www.jenkins.io/doc/book/installing/docker/#downloading-and-running-jenkins-in-docker
Also, I had to replace FROM jenkins/jenkins:2.303.1-lts-jdk11 in the Dockerfile in step 4(a) with jenkins/jenkins.

Db2 with Docker: How to resolve error from bash script?

I have a syntax problem - Mac Mojave- starting a docker bash script:
docker run -h db2server \
--name db2server_fp4 \
--restart=always p 50000:50000 \
--env-file ${HOME}/db2devc.env_list \
${HOME}/db2devc:/database \
store/ibmcorp/db2_developer_c:11.1.4.4-x86_64
gives this error:
JMB:~ Juergen$ ./db2docker2.sh
Unable to find image 'p:latest' locally
docker: Error response from daemon: pull access denied for p, repository does not exist or may require 'docker login'.
See 'docker run --help'.
./db2docker2.sh: line 6: /Users/Juergen/db2devc:/database: No such file or directory
There seems to be a mistake in your docker run command. There is missing hyphen before the p and docker recognizes it as the image name.
There also seems to be a missing -v before what looks like a volume mount.
Try with the following command:
docker run -h db2server \
--name db2server_fp4 \
--restart=always -p 50000:50000 \
--env-file ${HOME}/db2devc.env_list \
-v ${HOME}/db2devc:/database \
store/ibmcorp/db2_developer_c:11.1.4.4-x86_64

Docker user permission while mounting a directory

I am using the following Dockerfile to build Solr using Docker.
FROM solr:5.5
ENV SOLR_HOME=/opt/solr/server/solr/cores
RUN mkdir ${SOLR_HOME}
RUN chown -R solr:solr ${SOLR_HOME}
VOLUME ["${SOLR_HOME}"]
EXPOSE 8983
I try to run the following Docker command to mount a host directory to the container:
docker run --restart=always -d --name solr-demo \
--privileged=true -p 8983:8983 \
-v /data/solr_demo:/opt/solr/server/solr/cores \
solr-test:latest
I am also copying the required solr.xml file into the data/solr_demo. When I run the docker run command I get the following error:
stat: cannot stat ‘/opt/solr/server/solr/cores’: No such file or directory 42146d74b446ba4784fd197688e3210f294aad8755ae730cc559132720bcc35a
Error response from daemon: Container 42146d74b446ba4784fd197688e3210f294aad8755ae730cc559132720bcc35a is restarting, wait until the container is running
From your comment, it appears you're mounting a nonexistent directory for your volume. Try this command that mounts /data/solr_demo1 instead of /data/solr_demo as your volume.
docker run --restart=always -d --name solr-demo \
--privileged=true -p 8983:8983 \
-v /data/solr_demo1:/opt/solr/server/solr/cores \
solr-test:latest
If it is really an user problem (it remind me of some issue I add with apache in container), you should consider using Gosu. https://github.com/tianon/gosu
It will let you run and swap user correctly and have a nice mapping from your local users and users inside the container.
Hope it will be useful.

Resources