Docker swarm service environment variable is not visible within container

I am creating a docker service with an environment variable:
docker service create --env TEST=123 myservice
And I verify the environment variable was set with
$ docker service inspect myservice
...
ContainerSpec:
Env: TEST=123
...
But then the environment variable does not show up within the docker container. In particular, the code running inside the docker container prints os.Environ() and in the logs I see only the standard environment variables:
$ docker service logs myservice
[HOSTNAME=48bcddab9204 SHLVL=1 HOME=/root PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/app]
So the environment variable "TEST" is not set. How can I set up a service that defines this environment variable?
The output of docker version is
Client:
Version: 20.10.12
API version: 1.41
Go version: go1.17.5
Git commit: e91ed5707e
Built: Mon Dec 13 22:31:40 2021
OS/Arch: linux/amd64
Context: synology
Experimental: true
Server:
Engine:
Version: 20.10.3
API version: 1.41 (minimum version 1.12)
Go version: go1.15.13
Git commit: a3bc36f
Built: Thu Aug 19 07:11:25 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.4.3
GitCommit: ea3508454ff2268c32720eb4d2fc9816d6f75f88
runc:
Version: v1.0.0-rc93
GitCommit: 31cc25f16f5eba4d0f53e35374532873744f4b31
docker-init:
Version: 0.19.0
GitCommit: ed96d00

Variables should be defined in the environment when you use --env. If that's not happening, we'd need a complete example to reproduce. Here's an example showing that it works:
$ docker service create --name env-test --env TESTVAR=123 busybox tail -f /dev/null
nj9l6z57d9pviztyp9pglmv4r
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
$ docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
697c1bf221b1 busybox:latest "tail -f /dev/null" 20 seconds ago Up 19 seconds env-test.1.vlrepc8mqqvx7gysh2qsymja8
$ docker exec -it env-test.1.vlrepc8mqqvx7gysh2qsymja8 env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=697c1bf221b1
TERM=xterm
TESTVAR=123
HOME=/root

Related

Create ECS Context with Docker without Docker Desktop

I'm trying to create an ECS context using Docker so that I can deploy to AWS using the Docker Compose CLI
docker context create ecs <my context name>
But am receiving the following error:
"docker context create" requires exactly 1 argument.
See 'docker context create --help'.
Usage: docker context create [OPTIONS] CONTEXT
Create a context
I've edited my /etc/docker/daemon.json to include
{
"experimental": true
}
My Docker Compose CLI is version 2.14.2 and both the Client and Server show experimental as true
Client:
Version: 20.10.22
API version: 1.41
Go version: go1.19.4
Git commit: 3a2c30b63a
Built: Tue Dec 20 20:43:40 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.22
API version: 1.41 (minimum version 1.12)
Go version: go1.19.4
Git commit: 42c8b31499
Built: Tue Dec 20 20:42:46 2022
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: v1.6.14
GitCommit: 9ba4b250366a5ddde94bb7c9d1def331423aa323.m
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d1
docker-init:
Version: 0.19.0
GitCommit: de40ad0
This should be available in Docker since 19.03
https://docs.docker.com/cloud/ecs-integration/#install-the-docker-compose-cli-on-linux
So far I've only been able to create an ECS context by installing Docker with the experimental Arch package for Docker Desktop instead of Docker Compose Standalone. The weird thing is, Docker Desktop's Docker Compose version is only 2.13.
This also might be related to this question:
docker context create ecs myecs - requires exactly one argument

Why can't I lookup other container by DNS in container

According to Docker's official docs, Docker creates a DNS server when it starts, which makes it possible to query other containers directly by container ID or name.
containers that use a custom network use Docker’s embedded DNS server, which forwards external DNS lookups to the DNS servers configured on the host.
But when I try to use nslookup directly in a container, the lookup fails, but wget still succeeds! What makes it different?
Reproduce steps:
docker network create my-net
docker run -d --name web --network my-net httpd
docker run -it --rm --network my-net busybox
Then, inside busybox:
$ wget -q -O - web
<html>...some content...</html>
It works great! But using nslookup fails:
$ nslookup web
Server: 127.0.0.11
Address: 127.0.0.11:53
Non-authoritative answer:
*** Can't find web: No answer
This is my Docker version:
$ docker version
Client: Docker Engine - Community
Version: 20.10.21
API version: 1.41
Go version: go1.19.2
Git commit: baeda1f82a
Built: Tue Oct 25 17:53:02 2022
OS/Arch: darwin/amd64
Context: colima
Experimental: true
Server:
Engine:
Version: 20.10.18
API version: 1.41 (minimum version 1.12)
Go version: go1.18.6
Git commit: e42327a6d3c55ceda3bd5475be7aae6036d02db3
Built: Sun Sep 11 07:10:00 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.6.8
GitCommit: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
runc:
Version: 1.1.4
GitCommit: 5fd4c4d144137e991c4acebb2146ab1483a97925
docker-init:
Version: 0.19.0
GitCommit:
While reproducing your issue I noticed that nslookup failed for any query (e.g., nslookup google.com also failed). Afterwards, I tried spinning up an ubuntu container on the same network and there both wget and nslookup worked fine. I do not know the exact reason why this is so, but my guess is that wget and nslookup rely on some system functionalities which are different for busybox and for ubuntu.

Run docker compose inside a bitbucket pipeline

I need to run docker-compose with --exit-code-from. My local docker-compose binary accepts this command line and works just fine.
+ docker-compose -f file1.yml -f file2.yml up zookeeper-secure kafka-secure schema-registry-secure app integration-tests --exit-code-from integration-tests
However, I need to run this in a bitbucket pipeline. To achieve that I installed docker-compose using pip installer
pip install docker-compose
Which gives me version 1.29.2
+ docker-compose version
docker-compose version 1.29.2, build unknown
docker-py version: 5.0.3
CPython version: 3.7.12
OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
And this version probably does not honour --exit-code-from and hence errors out
No such service: --exit-code-from
While looking into the docker docs, I found compose is now available in the docker cli itself (though it is not very clear from which version onwards), but my bitbucket pipeline does not recognise that either.
+ docker compose help
docker: 'compose' is not a docker command.
See 'docker --help'
Here is the docker version output inside my bitbucket pipeline
+ docker version
Client:
Version: 20.10.15
API version: 1.41
Go version: go1.17.9
Git commit: fd82621
Built: Thu May 5 13:10:20 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.15
API version: 1.41 (minimum version 1.12)
Go version: go1.17.9
Git commit: 4433bf6
Built: Thu May 5 13:10:29 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.6.4
GitCommit: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
runc:
Version: 1.1.1
GitCommit: v1.1.1-0-g52de29d7
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Any help will be much appreciated!
Since the --exit-code-from option was introduced in April 2017, v1.12.0, I think the docker-compose v1 CLI parser is being much more picky than the docker-compose v2 you probably have in your workstation.
Telling by the No such service: --exit-code-from error message, simply move the option after the up subcommand but before the service list begins:
docker-compose \
-f file1.yml \
-f file2.yml \
up \
--exit-code-from integration-tests \
zookeeper-secure kafka-secure schema-registry-secure app integration-tests
Very much related: https://stackoverflow.com/a/59840305/11715259
Otherwise, this question is about "how to use docker-compose v2 in Bitbucket Pipelines", which is a totally different topic: https://stackoverflow.com/a/73069569/11715259

How to communicate between Docker container and Linux host over SCTP

I tried to listen to SCTP on the docker container and connect to it from the Linux host machine. But it seems the connection timed out.
Is there any way to communicate between host and container over SCTP?
FYI: It looks like container-to-container SCTP communication works fine.
Detailed information is the following:
Dockerfile for test-container
FROM ubuntu:focal
RUN apt update -y && apt install -y ncat
docker run
$ sudo docker run --rm --name sctp-server -p 9999:9999/sctp test-container:latest ncat --sctp -lv 9999
SCTP request (timeout)
$ ncat --sctp 127.0.0.1 9999
Ncat: TIMEOUT.
docker version
Client: Docker Engine - Community
Version: 19.03.13
API version: 1.40
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:02:52 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.13
API version: 1.40 (minimum version 1.12)
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:01:20 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.3.7
GitCommit: 8fba4e9a7d01810a393d5d25a3621dc101981175
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
FYI: Container-to-Container SCTP communication (works fine)
$ sudo docker network create -d bridge sctp
$ sudo docker run --rm --name sctp-server --net=sctp sctp-test:latest ncat --sctp -lv 9999
$ sudo docker run --rm --name sctp-client --net=sctp sctp-test:latest ncat --sctp 172.18.0.2 9999
Finally, I found the cause of this problem.
The reason for the timeout is that it used the same SCTP port between host and container.
When I launched a container with different ports, like sudo docker run --rm --name sctp-server -p 19999:9999/sctp test-container:latest ncat --sctp -lv 9999, and ran ncat --sctp 127.0.0.1 19999 on the host machine, it worked fine.
I'm not confident, but I suspect the behavior of iptables.

Docker secrets not working when password has special characters

I am trying to run jenkins swarm agent using the docker-compose provided here.
The issue is that I am using a service account provided by my admin team to authenticate against the jenkins master, and the password for the service account contains the special characters \ (backslash) and / (forward slash). Example:
abcdefghifjd12\ab/
The docker secret I created using this password doesn't work. I tried with my personal account, which doesn't have any special characters, and this works as expected. So I believe the issue is with how docker is interpreting these special characters when creating secrets. I tried escaping the backslash and using single quotes for the password, but it doesn't work. I tried the following:
#use password as it is in double quotes
echo "abcdefghifjd12\ab/" | docker secret create jenkins-user -
#use backslash to escape backslash
echo "abcdefghifjd12\\ab/" | docker secret create jenkins-user -
#use single quotes
echo 'abcdefghifjd12\ab/' | docker secret create jenkins-user -
None worked. How do I resolve this issue?
Server:
Version: 17.06.2-ee-6
API version: 1.30 (minimum version 1.12)
Go version: go1.8.3
Git commit: e75fdb8
Built: Mon Nov 27 22:44:25 2017
OS/Arch: linux/amd64
Experimental: false
With an upgraded docker version I was able to do the same thing.
On SWARM I create a secret on manager-1:
[manager1] (local) root#192.168.0.41 ~
$ echo "abcdefghifjd12\ab/" | docker secret create jenkins-user -
jxykdlqklpo5ml81c4bfa9a4o
[manager1] (local) root#192.168.0.41 ~
$ docker service create --secret jenkins-user alpine sleep 1d
sgmrof1cwwubmhz1qqibu4aof
overall progress: 1 out of 1 tasks
1/1: running
verify: Service converged
[manager1] (local) root#192.168.0.41 ~
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
sgmrof1cwwub wizardly_boyd replicated 1/1 alpine:latest
[manager1] (local) root#192.168.0.41 ~
[manager2] (local) root#192.168.0.43 ~
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f4552c4718c5 alpine:latest "sleep 1d" 2 minutes ago Up 2 minutes wizardly_boyd.1.4gb4nwgiqagfyn10vuvt9pb4v
[manager2] (local) root#192.168.0.43 ~
$ docker exec -it f45 sh
/ # cd /run
/run # cd secrets/
/run/secrets # ls
jenkins-user
/run/secrets # cat jenkins-user
abcdefghifjd12\ab/
Docker Version information:
$ docker version
Client:
Version: 18.03.1-ce
API version: 1.37
Go version: go1.9.2
Git commit: 9ee9f40
Built: Thu Apr 26 07:12:25 2018
OS/Arch: linux/amd64
Experimental: false
Orchestrator: swarm
Server:
Engine:
Version: 18.03.1-ce
API version: 1.37 (minimum version 1.12)
Go version: go1.9.5
Git commit: 9ee9f40
Built: Thu Apr 26 07:23:03 2018
OS/Arch: linux/amd64
Experimental: true
[manager1] (local) root#192.168.0.41 ~
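
An added example, not part of the original question or answer: a way to see exactly which bytes each command form from the question pipes into docker secret create, and to check a mounted secret file byte for byte. The helper names hex, via_echo, via_printf and check_secret_file are hypothetical, and the value is the sample password from the question.

```shell
#!/bin/sh
# Constructed sample value copied from the question; not a real credential.
SECRET='abcdefghifjd12\ab/'

# Hypothetical helper: hex-encode stdin as one unbroken string.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# Bytes that `echo VALUE | docker secret create NAME -` would receive.
# echo always appends a newline (0a); some shells (dash, for example)
# also expand backslash escapes such as \a inside the value.
via_echo() { echo "$1" | hex; }

# Bytes that printf '%s' sends: the value itself, nothing added or expanded.
via_printf() { printf '%s' "$1" | hex; }

# Succeeds only if the file at $1 holds exactly the bytes of $2.
# Inside a service container the path would be /run/secrets/<name>.
check_secret_file() {
    [ "$(hex < "$1")" = "$(printf '%s' "$2" | hex)" ]
}

printf 'echo:   %s\n' "$(via_echo "$SECRET")"
printf 'printf: %s\n' "$(via_printf "$SECRET")"

# Creating the secret without the extra byte:
#   printf '%s' "$SECRET" | docker secret create jenkins-user -
```

The cat output in the answer cannot show a trailing newline or a control character, so comparing hex dumps is the reliable check when a consumer reads the secret file verbatim.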
