Could you help me with this interesting case:
my docker creates images and runs containers fine
BUT
when I'm trying to run tests from testcontainers with command
docker run -it --rm -v $PWD:$PWD -w $PWD -v /var/run/docker.sock:/var/run/docker.sock my-image:1.0 mvn test
I receive
Error response from daemon: failed to create shim task: OCI runtime
create failed: runc create failed: unable to start container process:
exec: "mvn": executable file not found in $PATH: unknown.
when trying to run docker with a container name, I get the following error (on macOS)
~$ docker run -it myifort --name cont
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "--name": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled
Without the --name flag everything works as expected.
Try docker run -it --name cont myifort
For example, I have a dockerfile which has a ENTRYPOINT command:
From alpine:latest
WORKDIR /app/
RUN apk add --no-cache bash && echo 'echo foo:$FOO' > echo.sh && cat echo.sh && chmod a+x echo.sh
ENTRYPOINT ["sh", "-c", "_FOO=$FOO ./echo.sh && unset FOO && sleep 30"]
Then I run this docker and pass env FOO with value bar:
$ docker run --rm -e FOO=bar --name=demo docker-image-demo
How to unset the environment variable FOO in container which is provided by docker run -e FOO=bar command ?
$ docker exec -it demo bash
$ bash-5.0$ echo $FOO
bar
I try to use exec to replace container process with bash, but I get some error:
ENTRYPOINT ["exec", "sh", "-c", "_FOO=$FOO ./echo.sh && unset FOO && sleep 30"]
docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "exec: "exec": executable file not found in $PATH": unknown.
I'd use docker secret for this purpose. Injecting secrets to the container via env variables is perfectly acceptable - even security-hardened Openshift permits it in their Templates.
If the adversary is already inside of the server container, then they must have hacked the very password you are trying to hide here. Or they gained access to your machine and can execute docker commands (docker group password is usually at the same level as sudo, so it means you have been hacked down to root level) or have your CLI password in case of Openshift, so they can connect to remote shells in all other containers in your namespace and do whatever they please. So hiding env vars seems now a bit too late.
You do it with the unset shell built-in, exactly as you're doing it.
However: docker exec shells do not run as children of your entrypoint, so any changes the entrypoint makes to the environment won't be visible to those shells. This usually isn't a practical problem, since you should usually reserve docker exec for occasional debugging tasks.
One way to see this is to edit your Dockerfile to run the echo.sh script again after the unset command.
You can also restructure this to use an entrypoint wrapper script, and honor the Docker CMD. For example, we could take the long command in your current ENTRYPOINT line and rewrite it into a script:
#!/bin/sh
# Do any first-time setup that's required
echo "FOO was '$FOO'"
unset FOO
echo "FOO is now '$FOO'"
# Then run the main container command, replacing this script
exec "$#"
You can then invoke this in the Dockerfile:
FROM alpine:latest
# RUN apk add --no-cache bash
WORKDIR /app
COPY echo.sh entrypoint.sh . # will preserve executable bit
# Must use JSON-array syntax; must not use `sh -c` wrapper
ENTRYPOINT ["/app/entrypoint.sh"]
# Can be anything
CMD sleep 30
Now if you build this image, you can docker run it with an alternate command. For example, if you just want to see the environment the main container process will run with, you can
docker run --rm docker-image-demo env
Google's distroless images by default do not have any shell (even sh), so they are ideal for hiding environment variables and protecting scripted apps code (if you are lucky to use the supported languages such as Go, Java, or Rust, sadly not python yet).
More info
As for debugging during development time, these images have also special dev versions with busybox installed (and thus sh) - it's enough to switch to the debug tag:
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:debug
/ # id
uid=0(root) gid=0(root)
... versus my vain hacking attempts of the shell-less production version of the same container:
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest
docker: Error response from daemon: No command specified.
See 'docker run --help'.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest cat /etc/shells
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "cat": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest echo $SHELL
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "echo": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest echo $PATH
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "echo": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest cat $PATH
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "cat": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest cat $SHELL
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "cat": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest sh
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "sh": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest bash
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "bash": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest busybox
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "busybox": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest id
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "id": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest env
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "env": executable file not found in $PATH: unknown.
I am trying to pull a hydra image using the following shell script. This script is supposed to pull the image from a docker repository and then configure it based on the needs of the server:
echo "Getting Hydra image from hub.docker.com"
docker pull linuxserver/hydra
echo "-----------------"
echo "Importing Hydra database..."
docker run -it --rm --entrypoint hydra linuxserver/hydra migrate sql $DATABASE_URL_HYDRA
echo "-----------------"
However, when I run this script, I get the following error:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "exec: \"hydra\": executable file not found in $PATH": unknown.
ERRO[0000] error waiting for container: context canceled
I build an image with dockerfile and I tried to run it with specific network but I received the following error:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "exec: \"-net=overlay\": executable file not found in $PATH": unknown.
any ideas how to solve this?
Thank you
From your comment, it seems like you docker run command is incorrect, you are passing flag --net=host after the image name which is considered an argument for the container. so --net=host this replaced the "httpd-foreground" command. just try this to understand the scenario
docker run httpd:2.4 echo "hi from the container; will print this message and I will be terminated"
See the last row and this will answer you and you will understand the concept.
docker build -t aaa .
Now run the container and it should work
docker run --net=host aaa