Docker does not care about user permissions. Why? - docker

I have a docker file userPermissionDenied.df, here is its content:
FROM busybox:1.29
USER 1000:1000
ENTRYPOINT ["nc"]
CMD ["-l", "-p", "80", "0.0.0.0"]
I run the following commands:
> docker image build -t fooimg -f userPermissionDenied.df .
> docker container run fooimg
Now I expect the following output:
> nc: bind: Permission denied
But I am not getting any output at all:
the container just hangs. Why?
I am learning Docker through the Docker in Action by Jeff Nickoloff and that is where I got the use case from.

Given that you are running the nc command as a non-root user (due to the USER 1000:1000 directive in your Dockerfile), you might expect to see a "permission denied" error of some sort when nc tries to bind port 80.
In earlier versions of Docker that is exactly what would have happened, but a few years ago Docker was modified so that containers run with net.ipv4.ip_unprivileged_port_start=0, which means there are no longer any "privileged ports": any UID can bind any port.
You can see this setting by running sysctl inside a container:
$ docker run -it --rm -u 1000:1000 alpine sysctl -a |grep net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 0
the container just hangs. Why?
The container isn't "hanging"; it is successfully running nc -l -p 80, which is waiting for a connection to the container on port 80. If you were to use curl or some other tool to connect to port 80 in that container, it would display any data send over the connection and then the container would exit when the connection is closed.

Related

Docker container cannot start

I have built a docker image to run a jenkins server in and after creating a container for this image, I find that the container remains on exit status, and never starts. Even when I attempt to start the container with the UI.
Here are the steps I have taken, and perhaps I am missing something?
docker pull jenkins/jenkins
sudo mkdir /var/jenkins_home
docker run -p 9080:8080 -d -v /var/jenkins_home:/var/jenkins_home jenkins/jenkins
I already have java running on the port 8080, maybe this is impacting the container status?
java 2968 user 45u IPv6 0xbf254983f0051d87 0t0 TCP *:http-alt (LISTEN)
Not sure why its running on this port, I have attempted to kill the PID but it recreates itself.
Following the comments:
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fc880ccd31ed jenkins/jenkins "/usr/bin/tini -- /u…" 3 seconds ago Exited (1) 2 seconds ago vigorous_lewin
docker logs vigorous_lewin
touch: setting times of '/var/jenkins_home/copy_reference_file.log': No such file or directory
Can not write to /var/jenkins_home/copy_reference_file.log. Wrong volume permissions?
The docs say
NOTE: Avoid using a bind mount from a folder on the host machine into
/var/jenkins_home, as this might result in file permission issues (the
user used inside the container might not have rights to the folder on
the host machine). If you really need to bind mount jenkins_home,
ensure that the directory on the host is accessible by the jenkins
user inside the container (jenkins user - uid 1000) or use -u
some_other_user parameter with docker run.
So they recommend using a docker volume rather than a bind mount like you do. If you have to use a bind mount, you need to ensure that UID 1000 can read and write the host directory.
The easiest solution is to run the container as root by adding -u root to your docker run command, like this
docker run -p 9080:8080 -d -v /var/jenkins_home:/var/jenkins_home -u root jenkins/jenkins
That's not as secure though, so depending on what environment you're running your container in, that might not be a good idea.

HTTP call to Logic App in a Docker Container

I've followed getting started with Logic Apps in a Container, in Azure Tips & Tricks #311, which worked OK. I also consulted Vinnie James, which is similar
The Logic App runs on receipt of a HTTP request, which - inside VS Code - is localhost, easily used from a browser
But when I go to the next step, to build an image and run it in Docker, I'm not at all clear how to to make a similar HTTP request; Docker is running on the same W10 machine, using WSL-2
Dockerfile (corrected):
FROM mcr.microsoft.com/azure-functions/dotnet:3.0.14492-appservice
ENV AzureWebJobsStorage=DefaultEndpointsProtocol=https;AccountName=XXX;AccountKey=XXX;EndpointSuffix=core.windows.net
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
AzureFunctionsJobHost__Logging__Console__IsEnabled=true \
FUNCTIONS_V2_COMPATIBILITY_MODE=true
ENV WEBSITE_HOSTNAME localhost
ENV WEBSITE_SITE_NAME testqueue1
ENV AZURE_FUNCTIONS_ENVIRONMENT Development
COPY . /home/site/wwwroot
Attempted Docker run: docker run -p 80:7071 image1
Response is HTTP request sent, awaiting response... No data received
This despite (very simple) Logic App issuing a 200 response immediately after trigger; looks like App is not initiated ...
First of all and regarding the answer in the comments: please just add the contents of the Dockerfile and the run command to the question, otherwise they're difficult to read.
Taking into account that you have the following Dockerfile:
FROM mcr.microsoft.com/azure-functions/node:3.0
ENV AzureWebJobsStorage DefaultEndpointsProtocol=https;AccountName=XXX;AccountKey=XXX;EndpointSuffix=core.windows.net
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
AzureFunctionsJobHost__Logging__Console__IsEnabled=true \
FUNCTIONS_V2_COMPATIBILITY_MODE=true
ENV WEBSITE_HOSTNAME localhost
ENV WEBSITE_SITE_NAME test1
ENV AZURE_FUNCTIONS_ENVIRONMENT Development
COPY . /home/site/wwwroot
and that you're running it with docker run -p 5000 image1
The main thing that I see here is that you're only indicating the containerPort but not the hostPort, so you're exposing a random port in the host.
If you do docker ps, you'll be able to see the port that you're forwarding. For example let's say that I have my image busybox and that I run it with docker run -it --rm -p 5000 busybox.
❯ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
05927642abfc busybox "sh" 6 seconds ago Up 5 seconds 0.0.0.0:51883->5000/tcp elated_gauss
As you can see, I'd have to access to the port 51883 in localhost to access to the port 5000 in the container.
On the other hand, if I run my container with: docker run -it --rm -p 5000:5000 busybox
❯ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c0aab9646d1a busybox "sh" 1 second ago Up 1 second 0.0.0.0:5000->5000/tcp busy_roentgen
Now I can access to the port 5000 of the container referring to the port 5000 on localhost.

How to access docker container on the web?

I have google cloud VM instance running Ubuntu 18 and I have installed ngnix and pulled this docker image https://github.com/lensesio/fast-data-dev. But the problem is I cannot access container when i run following command
docker run -d -p 2181:2181 -p 3030:3030 -p 8081-8083:8081-8083 \
-p 9581-9585:9581-9585 -p 9092:9092 -e ADV_HOST=[VM_EXTERNAL_IP] \
-e RUNNING_SAMPLEDATA=1 lensesio/fast-data-dev
It is supposed to work on myexternalip:3030 but it doesn't open. I assume because I have to expose docker ports to external web because
curl 0.0.0.0:3030
returns response. I opened mentioned ports in the command above in the firewall.
You need to make sure those ports you expose in docker are opened both in the Instance and in the VPC firewall.
In Google Cloud you can deploy a container inside a Compute Engine instance when you create it (see Deploying a container on a new vm instace).
It is easier (and faster) than doing it on your own, and you all your container port mappings defined in the same place you open the firewall ports.
BTW - Don't use the IP address 0.0.0.0: it's the unspecified newtwork address.
It might be filtered silently by firewalls or routers. Use the loopback address - 127.0.0.1
In order to expose the port 3030 on the public IP (VM_EXTERNAL_IP) at the Instance , at VPC level there must be a rule on the firewall for the specific protocol/port to allow it.[1]
A generic broad scope allow firewall rule definition would be [2]:
gcloud compute --project=[PROJECT] firewall-rules create allow-lenses-io-3030 --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:3030 --source-ranges=0.0.0.0/0
You can limit the scope of the rule as needed/wanted/required.[3]
[1] https://cloud.google.com/vpc/docs/firewalls
[2] https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create
[3] https://cloud.google.com/vpc/docs/using-firewalls
Ran this on my VM, and I got this error:
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
If you are getting the same error above, you would need to check the file permission by running this command
~$ ls -la /var/run/docker.sock
After changing the file permission to 666 by running this command below:
sudo chmod 666 /var/run/docker.sock
This should be the file permission
srw-rw-rw- 1 root docker 0 Dec 17 14:40 /var/run/docker.sock
Then, I was able to successfully run your command
docker run -d -p 2181:2181 -p 3030:3030 -p 8081-8083:8081-8083 -p 9581-9585:9581-9585 -p 9092:9092 -e ADV_HOST=[VM_EXTERNAL_IP] -e RUNNING_SAMPLEDATA=1 lensesio/fast-data-dev
Unable to find image 'lensesio/fast-data-dev:latest' locally
latest: Pulling from lensesio/fast-data-dev
05e7bc50f07f: Pull complete
476521bd3084: Pull complete
c4c2aa517a1c: Pull complete
7f1b06a24ab4: Pull complete
bae2eaa88cbb: Pull complete
2d9ee69ece21: Pull complete
4da70d410da1: Pull complete
59abe7119ed3: Pull complete
ed6eaf2a0a19: Pull complete
25aa81bc4e49: Pull complete
8ccac59252e2: Pull complete
225a5ca8c99d: Pull complete
6d7f2dab62f4: Pull complete
Digest: sha256:a40302e35e1e11839bcfe12f6e63e0d665f098249e0ce9c111a2e212215f8841
Status: Downloaded newer image for lensesio/fast-data-dev:latest
051711522df0198d2f94825dee8d2556e137c7b31501b68cd73541ae8d4286d7

Unable to connect with container at address /0.0.0.0:9000

My container of play/scala application starts at [info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:9000. But I am unable to connect to it from the browser. I am running the container on my windows machine after having build the image using Docker for Windows
The Dockerfile is
FROM openjdk:8
WORKDIR deploy
COPY target/universal/myapp-1.0.zip .
COPY conf/logback_dev.xml ./logback.xml
COPY conf/application_dev.conf ./application.conf
RUN unzip myapp-1.0.zip
RUN chmod +x myapp-1.0/bin/myapp
EXPOSE 9000
ENTRYPOINT myapp-1.0/bin/myapp -Dplay.http.secret.key=changemeplease -Dlogger.file=/deploy/logback.xml -Dconfig.file=/deploy/application.conf
I am starting the container as docker run myApp -p 9000:9000 -network="host" and also tried docker run myApp -p 9000:9000 -network="host"
UPDATE
this is interesting.
If I specify image name before port then the application isn't reachable
docker run myApp -p 9000:9000
In docker container ps -a, I see (no mapping of localhost:9000 to 9000)
C:\Users\manuc>docker container ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4d16547cd96d myApp "/bin/sh -c 'myApp…" 10 seconds ago Up 9 seconds 9000/tcp, 9042/tcp ecstatic_bell
but if I specify port before image name, then the application is reachable
docker run -p 9000:9000 myApp
In docker container ps -a, I see mapping of localhost:9000 -> 9000
C:\Users\manuc>docker container ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
24b571cc0057 myApp "/bin/sh -c 'MyApp…" 39 seconds ago Up 38 seconds 0.0.0.0:9000->9000/tcp, 9042/tcp silly_yalow
Things to do when your container is not behaving like you want:
Check if your application is running in your computer.
After you run your container, check if it is healthy with docker ps. If it is not healthy, the problem is usually in your application.
Ensure it is running without errors, check logs with docker logs <container-id>. If logs are ok, problem is usually in the container network configuration.
Ensure you can access your application with docker exec -it <container-id> bash. And try to access port with curl or wget. If it is not reachable problem can be in iptables, firewall, or your application.
If you can ensure all the steps above working as expected. The problem is in docker network configuration.
Docker network host only works in linux, not mac and windows. You can run container with docker run -p 9000:9000 myapp. Checkout documentation: https://docs.docker.com/network/host/#:~:text=The%20host%20networking%20driver%20only,the%20docker%20service%20create%20command.
General form of the docker run command is docker run [OPTIONS] IMAGE[:TAG|#DIGEST] [COMMAND] [ARG...] as you can see in documentation. You need to specify port options before image name.

Docker - Unable to Access Service from Localhost

I've created a Dockerfile which looks like this:
FROM openjdk:8-jdk
COPY . .
ENTRYPOINT ["/bin/graphdb"]
EXPOSE 7200
On doing docker run 34a1650b461d -p 127.0.0.1:7200:7200 I see my service running as shown in the terminal output - however when I go to localhost:7200 I keep seeing This site can’t be reached 127.0.0.1 refused to connect.
Could anyone explain what I'm missing?
Also fyi - when I do docker ps, under PORTS I see 7200/tcp.
I read this page and followed what was described but to no luck.
Any help appreciated.
Thanks.
For docker run the order of the parameters matter, so this:
docker run 34a1650b461d -p 7200:7200
Is not the same as:
docker run -p 7200:7200 34a1650b461d
In the first case you are passing the parameters -p 7200:7200 to your ENTRYPOINT command /bin/graphdb; whereas in the second case, you are passing -p 7200:7200 to docker run, which is what you wanted.
How to validate when ports are correctly forwarded?
You can validate this by running docker ps and checking the PORTS column:
$ docker run -d 34a1650b461d -p 7200:7200
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
03abc0b390ef mytest "/bin/graphdb -p 720…" 6 seconds ago Up 5 seconds 7200/tcp elegant_wescoff
Do you see how the COMMAND includes your -p? That's not what you wanted. So docker run was not interpreting that parameter at all. Also, you can see the PORTS column, which shows the port is exposed but not forwarded.
Whereas doing it like this:
$ docker run -d -p 7200:7200 34a1650b461d
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
03abc0b390ef mytest "/bin/graphdb" 6 seconds ago Up 5 seconds 0.0.0.0:7200->7200/tcp elegant_wescoff
You can see now that -p is not being passed to COMMAND and that the port is forwarded: 0.0.0.0:7200->7200/tcp.

Resources