Permission denied as root in docker containers - docker

In the last couple of days I've been having some issues building or running docker containers.
It seems that root doesn't have permission to access the filesystem.
E.g. I've created this very simple Dockerfile
FROM centos
RUN id && ls -l /usr/bin/yum /usr/bin/dnf-3 && yum install mlocate
and when I try to build the image I get the error
Step 1/2 : FROM centos
---> 470671670cac
Step 2/2 : RUN id && ls -l /usr/bin/yum /usr/bin/dnf-3 && yum install mlocate
---> Running in f7b32a009a74
uid=0(root) gid=0(root) groups=0(root)
-rwxr-xr-x 1 root root 1954 Dec 19 15:43 /usr/bin/dnf-3
lrwxrwxrwx 1 root root 5 Dec 19 15:43 /usr/bin/yum -> dnf-3
/usr/libexec/platform-python: can't open file '/usr/bin/yum': [Errno 13] Permission denied
The command '/bin/sh -c id && ls -l /usr/bin/yum /usr/bin/dnf-3 && yum install mlocate' returned a non-zero code: 2
The issue seems to be more generic, as even with ubuntu or alpine I get similar errors, so I suspect it is related to Ubuntu.
Note that before this I could perform any task without problems.
I've tried adding capabilities and stopping apparmor, but it has no effect.
Docker info
Client:
Debug Mode: false
Server:
Containers: 18
Running: 0
Paused: 0
Stopped: 18
Images: 20
Server Version: 19.03.8
Storage Driver: overlay2
Backing Filesystem: <unknown>
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc version:
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 5.4.0-31-generic
Operating System: Ubuntu Core 16
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 7.475GiB
Name: gurdulu-xps
ID: E5JA:3WKI:JWFQ:M5J2:CAZ7:VVKI:2ADB:3W7W:F3F4:VYXZ:7JLP:R7C4
Docker Root Dir: /var/snap/docker/common/var-lib-docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support

It was apparmor in combination with snap. The profile that came with the snap installation had somehow become invalid in the last couple of days.
To be honest I didn't investigate; I tried removing the snap and installing with apt.
Now it works fine.
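
The answer names AppArmor but not how to confirm it. Below is an added example (not code from the question or the answer) that pulls AppArmor denials out of the kernel log, which is where a "Permission denied" for uid 0 inside a container shows up when the container profile, not the file mode, is refusing access. It assumes the standard audit message form (apparmor="DENIED" operation=... profile=... name=... denied_mask=...); the log lines embedded as test input are constructed, not captured from the poster's host, and the script file name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Triage
# "Permission denied" as uid 0 inside a container by extracting AppArmor
# denials from the kernel log: root in a container is still confined by the
# container's AppArmor profile. Assumes the standard audit message form.

# Reads kernel/audit log text on stdin; prints "profile operation path mask"
# for every AppArmor denial.
apparmor_denials() {
    grep 'apparmor="DENIED"' | sed -n \
        's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2 \1 \3 \4/p'
}

# Number of denials charged to one profile, e.g. docker-default (Docker's
# default container profile) or snap.docker.dockerd (the snap's daemon profile).
apparmor_denials_for_profile() {
    apparmor_denials | awk -v p="$1" '$1 == p { n++ } END { print n + 0 }'
}

# Constructed sample (not from the poster's machine): a denied exec of
# /usr/bin/dnf-3 under docker-default, one unrelated denial, one other line.
SAMPLE_LOG='audit: type=1400 audit(1590000000.100:10): apparmor="DENIED" operation="exec" profile="docker-default" name="/usr/bin/dnf-3" pid=1234 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1590000000.200:11): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/passwd" pid=1200 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: docker0: port 1(veth1a2b3c4) entered blocking state'

sample_docker_default_denials() {
    printf '%s\n' "$SAMPLE_LOG" | apparmor_denials_for_profile docker-default
}

# Live use on the host (apparmor_triage.sh is a hypothetical file name):
#   journalctl -k | sh apparmor_triage.sh --filter      (or: dmesg | ...)
# If denials show up, confirm the cause by running the image once with
# AppArmor confinement removed. This is a diagnostic step, not a fix;
# do not leave containers unconfined:
#   docker run --rm --security-opt apparmor=unconfined centos id
if [ "${1:-}" = "--filter" ]; then
    apparmor_denials
fi
```

If the denials name docker-default the container profile is at fault; if they name the snap's own daemon profile the snap confinement is, which matches what the answer found.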

Related

Running docker I got error : Bind address needs a port: 127.0.0.1

After reinstalling my Kubuntu 18 I tried to install docker-ce,
and when running the app I got this error:
$ docker-compose up
ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running?
If it's at a non-standard location, specify the URL with the DOCKER_HOST environment variable.
serge@AtHome:/mnt/_work_sdb8/wwwroot/lar/PerlerWealth/master$ export DOCKER_HOST=127.0.0.1
serge@AtHome:/mnt/_work_sdb8/wwwroot/lar/PerlerWealth/master$ docker-compose up -d --build
Traceback (most recent call last):
File "/usr/bin/docker-compose", line 11, in <module>
load_entry_point('docker-compose==1.17.1', 'console_scripts', 'docker-compose')()
File "/usr/lib/python2.7/dist-packages/compose/cli/main.py", line 68, in main
command()
...
File "/usr/lib/python2.7/dist-packages/docker/utils/utils.py", line 373, in parse_host
"Bind address needs a port: {0}".format(addr))
docker.errors.DockerException: Bind address needs a port: 127.0.0.1
Why do I get these errors, and how do I fix them?
Related app versions and config info:
root@AtHome:~/Downloads# docker --version
Docker version 19.03.13, build 4484c46d9d
root@AtHome:~/Downloads# docker-compose --version
docker-compose version 1.17.1, build unknown
root@AtHome:~/Downloads# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
root@AtHome:~/Downloads# docker info
Client:
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 19.03.13
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-20-generic
Operating System: Ubuntu 18.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.711GiB
Name: AtHome
ID: FGEV:TTKB:COS7:VUEW:7C2T:UJWK:2L66:Y6UE:APLU:M5HG:R5DG:3RN7
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
MODIFIED:
root@AtHome:~/Downloads# docker --version
Docker version 19.03.13, build 4484c46d9d
root@AtHome:~/Downloads# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
root@AtHome:~/Downloads# sudo usermod -aG docker $USER
root@AtHome:~/Downloads# sudo newgrp - docker
root@AtHome:/root# sudo systemctl enable docker
Synchronizing state of docker.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable docker
root@AtHome:/root# sudo systemctl start docker
root@AtHome:/root# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
I have all the /etc files from the prior working installation, but which config
files should I look at, or which options or permissions might be missing?
Thanks in advance!

docker run command fails

I am trying to run a container as a daemon as follows:
$docker run --privileged --net=host -d d34f188005c4
34045723709f3553533a1c823800697e55d43a7e676499310751f7116d3a1068
$docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
As seen above, the docker run command returns a long string, but the container fails to run, as seen from the docker ps output. Further, I get the following in the syslog while the docker run command above executes:
kernel: [281942.173389] aufs au_opts_verify:1597:dockerd[21361]: dirperm1 breaks the protection by the permission bits on the lower branch
Kernel/docker version and other required info is as follows:
# docker info
Containers: 3
Running: 0
Paused: 0
Stopped: 3
Images: 1
Server Version: 17.03.0-ce
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 8
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 977c511eda0925a723debdc94d09459af49d082a
runc version: a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70
init version: 949e6fa
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-116-generic
Operating System: Ubuntu 16.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.67 GiB
Name: ubuntu1604
ID: B35S:GX2J:VTYF:HKJ2:KMIP:SU35:YCSV:YHM2:R6L5:K7CW:4ZUV:EYGX
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Can anyone please let me know how to fix this? Can we get any clue from the syslog above? If any other info is required, please let me know.
Adding additional info based on the comments below:
$docker logs 34045723709f3553533a1c823800697e55d43a7e676499310751f7116d3a1068
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
Access to docker on host failed!!
$ps -aux | grep dockerd
root 21836 0.4 0.2 436168 42920 ? Ssl 10:39 0:00 /usr/bin/dockerd -H fd://

Cannot exec to a running container

After running a docker container, docker run -d --name nginx nginx, I cannot use "docker exec", docker exec nginx echo 123, on this container.
I'm receiving an error:
ERRO[2018-08-19T11:09:10.909894729+03:00] stream copy error: reading from a closed fifo
ERRO[2018-08-19T11:09:10.909988081+03:00] stream copy error: reading from a closed fifo
ERRO[2018-08-19T11:09:10.931102317+03:00] Error running exec 19c6ae3c5d796180e02577f037f6a1bd1453b70393098643719dea3537933ae2 in container: OCI runtime exec failed: exec failed: container_linux.go:348: starting container process caused "process_linux.go:86: executing setns process caused \"exit status 22\"": unknown
OS: ubuntu 14.04
Kernel: 3.13.0-153-generic
Docker: Docker version 18.06.0-ce, build 0ffa825
Docker Info:
Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 1
Server Version: 18.06.0-ce
Storage Driver: aufs
Root Dir: /var/lib/docker/165536.165536/aufs
Backing Filesystem: extfs
Dirs: 5
Dirperm1 Supported: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
apparmor
userns
Kernel Version: 3.13.0-153-generic
Operating System: Ubuntu 14.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.86GiB
Name: **************
ID: OL25:ISXX:RWR7:EY76:OQ6O:XLWG:ETWJ:FV2A:MC6A:ROP7:6DWD:DJX4
Docker Root Dir: /var/lib/docker/165536.165536
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Thanks!
That can happen when they use ENTRYPOINT instead of CMD. Check your image/container with "docker inspect". Your command-line argument becomes the CMD of the ENTRYPOINT.
https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact
I could reproduce this issue whenever I executed docker run -it opensuse/leap followed by the exit command. The container is actually stopped after the exit command, but it still showed as running in docker ps.
Solution: Restart your docker daemon and then try running your containers again. If they stop, they won't show running status.
command: service docker restart
This worked in my case.
Please update your kernel. Although Docker should work with most 3.10+ kernels, there are often low-level issues with older kernels. See also https://github.com/moby/moby/issues/36084#issuecomment-364886573 for a seemingly identical issue with a working solution:
updated to HWE (4.13.0-32-generic) and exec works again; however, keep in mind that stock 16.04 uses 4.4.0 kernels. There should be some kind of warning (at least) that specific version combinations will not work
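
As an added example (not code from the question or from any of the answers), here is a pre-flight check for the failure above: it compares the running kernel against a minimum version and reports whether user-namespace remapping is on, which is the combination the question's host has (3.13 kernel, "userns" under Security Options, a 165536.165536 root dir). The 4.4 floor is an assumption taken from the answer's remark that stock 16.04 ships 4.4.0, not a documented Docker minimum; the docker info text used as test input is trimmed from the question.

```shell
#!/bin/sh
# Added example, not code from the question or its answers. Pre-flight check
# for "docker exec" dying in setns on an old kernel with userns remapping on.
# The 4.4 floor is an assumption taken from the accepted answer.

# kernel_at_least RELEASE MIN -> 0 when RELEASE (e.g. 3.13.0-153-generic)
# is at least MIN (given as MAJOR.MINOR, e.g. 4.4)
kernel_at_least() {
    v_major=${1%%.*}; v_rest=${1#*.}; v_minor=${v_rest%%[!0-9]*}
    m_major=${2%%.*}; m_rest=${2#*.}; m_minor=${m_rest%%[!0-9]*}
    [ "$v_major" -gt "$m_major" ] && return 0
    [ "$v_major" -lt "$m_major" ] && return 1
    [ "$v_minor" -ge "$m_minor" ]
}

# userns_enabled: reads "docker info" text on stdin, exits 0 when "userns"
# is listed under Security Options. "Profile: default" (seccomp's sub-line)
# does not end the section; any other "Key: value" line does.
userns_enabled() {
    awk '
        /^ *Security Options:/ { in_sec = 1; next }
        !in_sec { next }
        /^ *Profile:/ { next }
        /^ *[a-z]+ *$/ { if ($1 == "userns") found = 1; next }
        { in_sec = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# exec_preflight RELEASE INFO_TEXT -> prints a verdict; returns 1 when the
# kernel is below the floor so a script can stop before relying on exec
exec_preflight() {
    if printf '%s\n' "$2" | userns_enabled; then userns=yes; else userns=no; fi
    if kernel_at_least "$1" 4.4; then
        echo "ok: kernel $1, userns=$userns"
        return 0
    fi
    echo "warn: kernel $1 is below 4.4 with userns=$userns; expect 'docker exec' to fail in setns (exit status 22 in the question). Move to an HWE kernel."
    return 1
}

# Trimmed from the docker info in the question; used here as test input.
SAMPLE_INFO='Server Version: 18.06.0-ce
Storage Driver: aufs
Security Options:
 apparmor
 userns
Kernel Version: 3.13.0-153-generic
Operating System: Ubuntu 14.04.5 LTS'

# Live: sh exec_preflight.sh --live   (hypothetical file name)
if [ "${1:-}" = "--live" ]; then
    exec_preflight "$(uname -r)" "$(docker info 2>/dev/null)"
fi
```

Restarting the daemon, as the other answer suggests, clears stale state but does not change the kernel, so the check above is worth running before concluding that a restart fixed anything.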

Docker not reachable on Arch Linux

I have researched this issue extensively to no avail, and have also asked on unix.stackexchange.com, also to no avail, so I'm asking here in the hope that someone else has some insight into why this is occurring, as asking on both the unix board and github has shed no light whatsoever.
I cannot get Docker to play nice on Antergos, or to be reachable without sudo. Running container builds with sudo causes a number of issues, such as ssh keys not being detected and nginx not being recognized. This problem arose about 3 days ago, and rolling back has not made any difference. Uninstalling docker completely and reinstalling also made no difference. Neither has updating my configuration, permissions, or any other available setting.
System version: 4.17.8-1-ARCH #1 SMP PREEMPT Wed Jul 18 09:56:24 UTC 2018 x86_64 GNU/Linux
Current docker version: 18.04.0-ce (also tried on all versions up to current 18.05 to no avail, have rolled back one version at a time with no effect).
Existing research led to the typical issue being that the user needs to be in the docker group to circumvent sudo, however I am, and it is still not working. I have also checked here, here, and here, and all of them offer the same (not working) answer.
Please do not suggest checking my user group or adding my user to the docker group, as this is not the issue, as outlined below.
Everything worked fine until a couple of days ago. I am inclined to believe an automatic update broke it.
Below is some context:
Output of groups
root http docker users wheel
When calling any docker command without sudo (e.g. docker info, docker ps, docker run ..., docker-compose up, etc.), I get the following:
Cannot connect to the Docker daemon at tcp://localhost:2375. Is the docker daemon running?
It is definitely running. systemctl status docker yields the following:
● docker.service - Docker Application Container Engine
Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-07-20 14:52:54 EDT; 21min ago
Docs: https://docs.docker.com
Main PID: 472 (dockerd)
Tasks: 50 (limit: 4915)
Memory: 139.0M
CGroup: /system.slice/docker.service
├─ 472 /usr/bin/dockerd -H fd://
├─ 620 docker-containerd --config /var/run/docker/containerd/containerd.toml
├─ 802 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/e0942c95c35608cecbbe761d27a2c5386d9faec072cf8031>
├─ 818 bash -c echo "RESTARTING GUlP COMMAND" && npm rebuild node-sass && npm upgrade && npm update && npm install && gulp && tail -f /dev/null
└─1572 tail -f /dev/null
It is likewise displayed when running htop and ps aux | grep docker.
perms for ls -la $(which docker):
-rwxr-xr-x 1 root docker 36823912 Apr 17 18:48 /usr/bin/docker
According to this, it should absolutely be accessible without sudo, but it still chokes on all commands without sudo. I cannot just run it with sudo, because a number of production build scripts that require user-space locality break when sudo is applied.
output of sudo docker info
Containers: 15
Running: 1
Paused: 0
Stopped: 14
Images: 30
Server Version: 18.04.0-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 773c489c9c1b21a6d78b5c538cd395416ec50f88
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: 949e6fa
Security Options:
seccomp
Profile: default
Kernel Version: 4.17.8-1-ARCH
Operating System: Antergos Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.02GiB
Name: Indibog
ID: OCC4:P3QN:B5EU:J2Y4:LZN4:WAIC:2F5V:ZQZD:NLXY:DWVE:X2LB:TLEQ
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 27
Goroutines: 39
System Time: 2018-07-20T15:04:01.745176194-04:00
EventsListeners: 0
Username: mopsyd
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
192.168.40.60:5000
sandbox.cdp.local:5000
127.0.0.0/8
Live Restore Enabled: false
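
Three of the posts above are the client failing to reach the daemon, each for a different reason: the Kubuntu post exported DOCKER_HOST=127.0.0.1 (no scheme, no port, which is exactly what the compose traceback complains about), the Antergos post's unprivileged shell is addressing tcp://localhost:2375 while dockerd was started with -H fd:// and so serves only the unix socket (the default client target is the unix socket, so a tcp:// address in that error can only come from the user's own environment), and the "docker run command fails" post's container log shows a process inside the container looking for unix:///var/run/docker.sock. The following is an added example, not code from any of those posts, that checks each of these from the client side. /var/run/docker.sock and the "docker" group are the defaults and are assumptions about your daemon's configuration; the group lists used as test input are constructed.

```shell
#!/bin/sh
# Added example, not code from any of the posts above. Client-side checks
# for "Cannot connect to the Docker daemon". Socket path and group name
# are the defaults; adjust if your daemon is configured otherwise.

# validate_docker_host VALUE -> 0 when the value is in a form the client accepts
validate_docker_host() {
    case $1 in
        "")              return 0 ;;   # unset: client uses the default unix socket
        unix://*)        return 0 ;;
        tcp://*:[0-9]*)  return 0 ;;   # a plain tcp:// endpoint with no TLS is root on the host for anyone who can reach it
        tcp://*)         echo "DOCKER_HOST=$1: tcp:// needs a port" >&2; return 1 ;;
        ssh://*)         return 0 ;;
        *)               echo "DOCKER_HOST=$1: no scheme; use unix:///path or tcp://host:port" >&2; return 1 ;;
    esac
}

# in_group NAME [GROUPS] -> 0 when NAME is among the caller's current groups.
# usermod -aG only applies to new login sessions, which is why a 'docker ps'
# typed right after it can still be refused.
in_group() {
    for g in ${2:-$(id -nG)}; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# socket_writable PATH -> 0 when PATH is a unix socket the caller can write to.
# Run inside a container that expects the host daemon, it tells you whether
# the socket was mounted in at all.
socket_writable() {
    if [ ! -S "$1" ]; then
        echo "$1 is not a unix socket: is dockerd running, and listening on unix://?" >&2
        return 1
    fi
    if [ ! -w "$1" ]; then
        echo "$1 exists but is not writable by $(id -un): $(ls -l "$1")" >&2
        return 1
    fi
    return 0
}

# Ties the checks together for the current environment.
docker_client_check() {
    host=${DOCKER_HOST:-}
    validate_docker_host "$host" || return 1
    case $host in
        "")       sock=/var/run/docker.sock ;;
        unix://*) sock=${host#unix://} ;;
        *)        echo "DOCKER_HOST=$host is not a unix socket; confirm dockerd listens there (ss -ltnp) and that the endpoint is TLS-protected"
                  return 0 ;;
    esac
    if ! socket_writable "$sock"; then
        in_group docker || echo "hint: add yourself to the docker group, then log out and in again" >&2
        return 1
    fi
    echo "ok: $sock is usable as $(id -un)"
}

# Live: sh docker_client_check.sh --live   (hypothetical file name)
if [ "${1:-}" = "--live" ]; then
    docker_client_check
fi
```

Two points worth keeping in mind when acting on the output: membership in the docker group is equivalent to root on the host, because whoever can talk to the socket can start a container with the host filesystem mounted, so grant it deliberately; and mounting /var/run/docker.sock into a container hands that container the same power, which is why the "docker run command fails" post's --privileged plus socket access pattern deserves a second look before it goes anywhere near production.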

Building docker for the ARM-64 architecture

I have been trying to compile docker for the ARM-64 architecture. Docker doesn't officially support 64-bit ARM (at least not through the package management tools); hence I have to build it from source. Building the docker binary set needs docker itself as a dependency. I've already managed to compile both the docker daemon and the client via the following (hack) command:
./hack/make.sh dynbinary
However, I haven't managed to run it successfully. Both binaries compile and work, but when I want to start the daemon it complains about other dependencies:
Failed to connect to containerd. Please make sure containerd is installed in your PATH or you have specified the correct address. Got error: exec: "docker-containerd": executable file not found in $PATH
As I mentioned earlier, I cannot build all the binaries, as they need docker itself to be running.
Looking forward to your help.
Two weeks ago I was able to install Docker on a Pine64 running Armbian (Debian based). It was as easy as following the official documentation for armhf, with one exception: change [arch=armhf] to [arch=arm64] when you add the new apt source.
After the install you have a real Arm64 docker running:
root@pine64:~# docker system info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 60
Server Version: 17.12.0-ce
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 28
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 3.10.107-pine64
Operating System: Debian GNU/Linux 8 (jessie)
OSType: linux
Architecture: aarch64
CPUs: 4
Total Memory: 979.6MiB
Name: pine64
ID: xxx
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: xxx
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
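
The answer gives the one change needed to the documented apt procedure but leaves the rest to the docs. As an added example (not code from the answer or from Docker's documentation), the script below produces the apt source line for a given architecture and checks the repository signing key against Docker's published fingerprint before the key is trusted, which is the step the official install instructions put between downloading the key and adding the repository. The repository URL (https://download.docker.com/linux/debian) and the fingerprint 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88 are Docker's own; the gpg colon-format listing used as test input is constructed, with only its fpr record carrying real data.

```shell
#!/bin/sh
# Added example, not code from the answer above. Builds the apt source line
# for an architecture and pins Docker's repository key to its published
# fingerprint before it is trusted.

DOCKER_GPG_FPR=9DC858229FC7DD38854AE2D88D81803C0EBFCD88

# docker_apt_source ARCH CODENAME -> sources.list line for that architecture
docker_apt_source() {
    printf 'deb [arch=%s] https://download.docker.com/linux/debian %s stable\n' "$1" "$2"
}

# key_fingerprint_ok: reads a colon-format gpg listing on stdin and exits 0
# only if the first fpr record (the primary key) carries the expected
# fingerprint. Field 10 of an fpr record is the fingerprint.
key_fingerprint_ok() {
    awk -F: -v want="$DOCKER_GPG_FPR" '
        $1 == "fpr" && !seen { seen = 1; ok = ($10 == want) }
        END { exit ((seen && ok) ? 0 : 1) }
    '
}

# Constructed listing in the shape "gpg --with-colons --with-fingerprint FILE"
# prints; everything except the fpr record is filler.
SAMPLE_LISTING='pub:-:4096:1:8D81803C0EBFCD88:1487788586:::-:::scESC::::::23::0:
fpr:::::::::9DC858229FC7DD38854AE2D88D81803C0EBFCD88:
uid:-::::1487788586::0000000000000000000000000000000000000000::Docker Release (CE deb) <docker@docker.com>::::::::::0:'

# Live, as root on the arm64 box, with this file sourced so the functions
# are defined. apt-key is what the docs of that era used; on current Debian
# put the key under /etc/apt/keyrings and reference it with signed-by.
#   curl -fsSL https://download.docker.com/linux/debian/gpg -o /tmp/docker.gpg
#   gpg --with-colons --with-fingerprint /tmp/docker.gpg | key_fingerprint_ok \
#     && apt-key add /tmp/docker.gpg \
#     && docker_apt_source arm64 "$(lsb_release -cs)" > /etc/apt/sources.list.d/docker.list \
#     && apt-get update && apt-get install -y docker-ce
```

The fingerprint check is the part that matters: a repository line alone trusts whatever key happens to be at the download URL, while comparing the full fingerprint (not just the short key ID) ties the install to the key Docker actually publishes.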
