Docker works but daemon is not responding - docker

Could you help me with this interesting case:
My docker creates images and runs containers fine
BUT
when I try to run tests from testcontainers with the command
docker run -it --rm -v $PWD:$PWD -w $PWD -v /var/run/docker.sock:/var/run/docker.sock my-image:1.0 mvn test
I receive
Error response from daemon: failed to create shim task: OCI runtime
create failed: runc create failed: unable to start container process:
exec: "mvn": executable file not found in $PATH: unknown.

Related

Error when running a container using --name flag

When trying to run docker with a container name, I get the following error (on macOS):
~$ docker run -it myifort --name cont
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "--name": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled
Without the --name flag everything works as expected.
Try docker run -it --name cont myifort

docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545

When I tried to execute the command below with read-only (:ro) it throws an error (2nd code snippet). When it's run without the :ro the container starts without any issues. Please take a moment to look into this. Thanks
docker run -d -p 3000:80 --rm --name feedrun -v feedback:/app/feedback -v "/Users/balasubramanian/Learnings/docker/data-volumes-05-temporary-anonymous-volume:/app:ro" -v /app/node_modules -v /app/temp feedappi
Error:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/docker/volumes/39fb60b05636650476f670987768b5b34f9e4c7189cd04033659889377c5613b/_data" to rootfs at "/app/node_modules" caused: mkdir /var/lib/docker/overlay2/5ff4115be7c353f6427b24543471b9ff1562d76c279b2e3c464f4593441b888b/merged/app/node_modules: read-only file system: unknown
Working command without readonly instruction.
docker run -d -p 3000:80 --rm --name feedrun -v feedback:/app/feedback -v "/Users/balasubramanian/Learnings/docker/data-volumes-05-temporary-anonymous-volume:/app" -v /app/node_modules -v /app/temp feedappi

`$PATH: unknown` error when mounting the current directory in Docker

I want to use Docker to manage multiple Python versions (I recently got a Mac with Apple Silicon and I use an old Python environment).
Since I need to read Python scripts on Docker and save the output files (for later use outside the Docker environment), I tried to mount a folder (on my Mac) following this post.
However, it shows this error:
$ docker run --name dpython -it python-docker -v $(pwd):/tmp /bin/bash
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "-v": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled
It works without -v $(pwd):/tmp. I tried to specify different folders such as ~/ and /Users/ but they didn't work.
You must specify the volume before the image name:
$ docker run --name dpython -it -v $(pwd):/tmp python-docker /bin/bash

Running a container with a Docker bind-mount causes container to return Node version and exit

I am trying to attach a directory of static assets to my docker instance after it has been built. When I do something like this
docker run -it app /bin/bash
The container runs perfectly fine. However, if I do something like this:
docker run -it app -v "${PWD}/assets:/path/to/empty/directory" /bin/bash
This also reproduces it:
docker run -it node:12.18-alpine3.12 -v "${PWD}/assets:/path/to/empty/directory" /bin/bash
It spits out the version of Node v12.18.4 I am using and immediately dies. Where am I going wrong? I am using Docker with WSL2 on Windows 10. Is it due to filesystem incompatibility?
edit: whoops it's spitting out the node version and not the alpine version
To debug my issue I tried running a bare-bones alpine container:
docker run -it alpine:3.12 -v "${PWD}/assets:/usr/app" /bin/sh
Which gave a slightly more useful error message:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"-v\": executable file not found in $PATH": unknown.
From this I realized that docker was trying to run -v as the starting command. I decided to change the order around, and things started working.
TL;DR The -v argument and its corresponding parameter must be placed before the container name when performing a docker run command. i.e. the following works
docker run -it -v "${PWD}/assets:/usr/app" alpine:3.12 /bin/sh
but this doesn't:
docker run -it alpine:3.12 -v "${PWD}/assets:/usr/app" /bin/sh
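
The rule stated in this answer and in the `$PATH: unknown` answer above (options first, then the image, then the command) is exactly how the docker CLI reads the command line. Here is an added example, not code from any of the posts, that applies that rule to a `docker run` command line and reports which word becomes the image and which words become the container command, so a misplaced -v or --name is caught before it reaches the daemon. The script name and the TAKES_VALUE list are assumptions of this example; the list is a hand-picked subset of `docker run` options, not the full option table.

```shell
#!/bin/sh
# docker-run-check.sh (added example; the name is assumed, not from the posts)
#
# Reads a `docker run` command line the way the docker CLI does: options are
# consumed up to the first word that is not an option, that word is the IMAGE,
# and every word after it is the container COMMAND. An option written after
# the image is therefore handed to the container as its command, which is why
# "-v" or "--name" ends up as 'executable file not found in $PATH'.
#
# Assumption: TAKES_VALUE is a hand-picked subset of `docker run` options that
# expect a separate value word, not the full option table.
TAKES_VALUE="-v --volume --name -w --workdir -p --publish -e --env -u --user
-l --label -m --memory -h --hostname --mount --network --entrypoint --env-file
--cap-add --cap-drop --security-opt --cpus --restart --device --tmpfs --platform"

# Exit status 0 if option $1 consumes the following word as its value.
takes_value() {
    for _opt in $TAKES_VALUE; do
        if [ "$1" = "$_opt" ]; then return 0; fi
    done
    return 1
}

# Print how many leading words are options (with their values), so that the
# next word is the image. Fails if there is no image word or an option is
# missing its value.
docker_run_skip_options() {
    n=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --)     n=$((n + 1)); shift; break ;;    # explicit end of options
            --*=*)  n=$((n + 1)); shift ;;           # --name=cont: value attached
            --*|-?) if takes_value "$1"; then        # --name cont, -v src:dst
                        [ $# -ge 2 ] || return 1
                        n=$((n + 2)); shift 2
                    else                             # --rm, -d
                        n=$((n + 1)); shift
                    fi ;;
            -*)     n=$((n + 1)); shift ;;           # -it, -eFOO=bar, -p8080:80
            *)      break ;;                         # first non-option word: the image
        esac
    done
    [ $# -gt 0 ] || return 1
    echo "$n"
}

# The image name, i.e. the first non-option word.
docker_run_image() {
    n=$(docker_run_skip_options "$@") || return 1
    shift "$n"
    printf '%s\n' "$1"
}

# The container command: everything after the image, joined with spaces.
docker_run_cmd() {
    n=$(docker_run_skip_options "$@") || return 1
    shift "$((n + 1))"
    printf '%s\n' "$*"
}

# Exit status 1 with a hint on stderr when the container command starts with
# something that looks like a docker option.
check_docker_run() {
    cmd=$(docker_run_cmd "$@") || { echo "error: no image name found" >&2; return 1; }
    case "$cmd" in
        -*) printf 'hint: "%s" comes after image "%s" and will run inside the container; move it before the image\n' \
                "${cmd%% *}" "$(docker_run_image "$@")" >&2
            return 1 ;;
    esac
}

# When run as a script, check the command line given as arguments, e.g.
#   sh docker-run-check.sh -it alpine:3.12 -v "$PWD/assets:/usr/app" /bin/sh
if [ $# -gt 0 ]; then
    check_docker_run "$@" &&
        printf 'ok: image=%s command=%s\n' "$(docker_run_image "$@")" "$(docker_run_cmd "$@")"
fi
```

Run against the failing command from this question (`-it alpine:3.12 -v ... /bin/sh`) it prints the hint and exits 1; with -v moved in front of alpine:3.12 it reports image=alpine:3.12 and command=/bin/sh. The same check explains the --name post above: `-it myifort --name cont` yields command `--name cont`, which is what the container then tries to execute.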

Docker: how to unset the environment variable in container which is provided by `docker run -e FOO=bar` command?

For example, I have a Dockerfile which has an ENTRYPOINT command:
FROM alpine:latest
WORKDIR /app/
RUN apk add --no-cache bash && echo 'echo foo:$FOO' > echo.sh && cat echo.sh && chmod a+x echo.sh
ENTRYPOINT ["sh", "-c", "_FOO=$FOO ./echo.sh && unset FOO && sleep 30"]
Then I run this docker image and pass env FOO with the value bar:
$ docker run --rm -e FOO=bar --name=demo docker-image-demo
How do I unset the environment variable FOO in the container, which is provided by the docker run -e FOO=bar command?
$ docker exec -it demo bash
bash-5.0$ echo $FOO
bar
I tried to use exec to replace the container process with bash, but I get this error:
ENTRYPOINT ["exec", "sh", "-c", "_FOO=$FOO ./echo.sh && unset FOO && sleep 30"]
docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "exec: "exec": executable file not found in $PATH": unknown.
I'd use docker secret for this purpose. Injecting secrets into the container via env variables is perfectly acceptable - even security-hardened OpenShift permits it in their Templates.
If the adversary is already inside the server container, then they must have hacked the very password you are trying to hide here. Or they gained access to your machine and can execute docker commands (docker group password is usually at the same level as sudo, so it means you have been hacked down to root level) or have your CLI password in the case of OpenShift, so they can connect to remote shells in all other containers in your namespace and do whatever they please. So hiding env vars seems a bit too late now.
You do it with the unset shell built-in, exactly as you're doing it.
However: docker exec shells do not run as children of your entrypoint, so any changes the entrypoint makes to the environment won't be visible to those shells. This usually isn't a practical problem, since you should usually reserve docker exec for occasional debugging tasks.
One way to see this is to edit your Dockerfile to run the echo.sh script again after the unset command.
You can also restructure this to use an entrypoint wrapper script, and honor the Docker CMD. For example, we could take the long command in your current ENTRYPOINT line and rewrite it into a script:
#!/bin/sh
# Do any first-time setup that's required
echo "FOO was '$FOO'"
unset FOO
echo "FOO is now '$FOO'"
# Then run the main container command (the CMD), replacing this script
# with it so that it becomes the container's main process
exec "$@"
You can then invoke this in the Dockerfile:
FROM alpine:latest
# RUN apk add --no-cache bash
WORKDIR /app
# COPY preserves the executable bit set on the host
COPY echo.sh entrypoint.sh .
# Must use JSON-array syntax; must not use `sh -c` wrapper
ENTRYPOINT ["/app/entrypoint.sh"]
# Can be anything; JSON-array syntax here too, so that `exec "$@"` runs
# sleep directly instead of through an `sh -c` wrapper
CMD ["sleep", "30"]
Now if you build this image, you can docker run it with an alternate command. For example, if you just want to see the environment the main container process will run with, you can
docker run --rm docker-image-demo env
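
As an added example (not this answer's own code), here is the wrapper idea carried one step further: a POSIX sh entrypoint that consumes a secret handed in with docker run -e, strips every exported variable whose name matches a list of glob patterns rather than one hard-coded name, and then exec's the CMD. The DB_PASSWORD and SCRUB_PATTERNS names, the default pattern list and the file name entrypoint.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: an entrypoint wrapper that
# uses a secret passed in with `docker run -e` during first-time setup, then
# removes every matching variable from the environment before exec'ing the
# container command (the CMD), so the main process and its children never
# see it. DB_PASSWORD, SCRUB_PATTERNS and the glob-pattern matching are
# assumptions made for this example.
#
# Caveat, as in the answer above: `docker exec` shells are not children of
# this process and still get the original -e values, as does `docker inspect`.

# Unset every exported variable whose name matches one of the space separated
# glob patterns in $1, e.g. '*_PASSWORD *_TOKEN FOO'.
scrub_secrets() {
    set -f                      # keep the patterns from matching file names
    for _name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'); do
        for _pat in $1; do
            case "$_name" in
                $_pat) unset "$_name" ;;
            esac
        done
    done
    set +f
}

# Entrypoint body: consume the secret, scrub, then replace this shell with the
# real command so that it becomes PID 1.
run_main() {
    : "${DB_PASSWORD:?pass it with docker run -e DB_PASSWORD=...}"
    # Whatever setup needs the secret goes here; this stand-in only reports
    # its length so the value itself is never echoed.
    printf 'setup: got a %s-character password\n' "${#DB_PASSWORD}"
    scrub_secrets "${SCRUB_PATTERNS:-*_PASSWORD *_SECRET *_TOKEN}"
    exec "$@"
}

# Act as the entrypoint only when installed under that name (ENTRYPOINT
# ["/app/entrypoint.sh"]); under any other name the functions are just defined.
case "${0##*/}" in
    entrypoint.sh) run_main "$@" ;;
esac
```

Installed as /app/entrypoint.sh with the Dockerfile above and started with `docker run -e DB_PASSWORD=... docker-image-demo env`, the main process prints an environment without DB_PASSWORD, while `docker inspect` and a `docker exec` shell still show it, which is the caveat about docker exec in practice.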
Google's distroless images by default do not have any shell (not even sh), so they are ideal for hiding environment variables and protecting scripted app code (if you are lucky enough to use the supported languages such as Go, Java, or Rust; sadly not Python yet).
As for debugging during development, these images also have special dev versions with busybox installed (and thus sh); it's enough to switch to the debug tag:
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:debug
/ # id
uid=0(root) gid=0(root)
... versus my vain hacking attempts at the shell-less production version of the same container:
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest
docker: Error response from daemon: No command specified.
See 'docker run --help'.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest cat /etc/shells
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "cat": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest echo $SHELL
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "echo": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest echo $PATH
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "echo": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest cat $PATH
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "cat": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest cat $SHELL
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "cat": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest sh
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "sh": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest bash
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "bash": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest busybox
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "busybox": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest id
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "id": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest env
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "env": executable file not found in $PATH: unknown.
