Why is File Mounted on Container via docker-compose not Accessible? - docker

In my docker-compose file, I try to mount a file from the host into the docker container.
The docker-compose file I have something like this:
version "2"
services:
myservice:
image: images/previmage:1.0.0
volumes:
- /opt/files/aaa.conf:/aaa.conf
After the service is started, I look at the contents at the root of the container using docker from the host:
sudo docker container exec myservice_1 ls /
The result of that ls command for the aaa.conf entry shows that it looks like it is there, but permissions are not what I expect:
drwxr-xr-x. 2 root root 6 Apr 11 2018 opt
-?????????? ? ? ? ? ? aaa.conf
ls: cannot access /aaa.conf: Permission denied
Similarly, if I try other commands like 'cat aaa.conf', I get Permission denied.
I understand that permissions for the file need to be set on the host side.
On the host I made permissions both 755 and then 777, but I still get Permission denied.
Is this the expected behavior?
Edit [running on AWS/EC2]
sudo docker container exec myservice_1 cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
sudo docker container exec myservice_1 id -u
33016

I had same problem, It's for SELinux (Check this post)
Disable SELinux for a specific container
You can disable SELinux for a specific container by adding --security-opt label:disable to your docker run command:
docker container run --security-opt label:disable myservice_1
Adding SELinux Rule (Recommended)
According to this post, You can also use this command to enable access to the files
chcon -Rt svirt_sandbox_file_t /path/to/volume
Completely disable SELinux!
Not recommended, but also works:
su -c "setenforce 0"

Related

How to run crictl command as non root user

How to run crictl as non-root user.
My docker commands work with non-root user because my user is added to docker group.
id
uid=1002(kube) gid=100(users) groups=100(users),10(wheel),1001(dockerroot),1002(docker)
I am running dockerD daemon which uses containerd and runc as runtime.
I installed crictl binary and pointed it to connect to existing dockershim socket with config file as below.
cat /etc/crictl.yaml
runtime-endpoint: unix:///var/run/dockershim.sock
image-endpoint: unix:///var/run/dockershim.sock
timeout: 2
debug: false
pull-image-on-create: false
crictl works fine with sudo but without sudo it fails like this.
[user#hostname~]$ crictl ps
FATA[0002] connect: connect endpoint 'unix:///var/run/dockershim.sock', make sure you are running as root and the endpoint has been started: context deadline exceeded
I also tried to change group of dockershim.sock to 'docker' from 'root' just like docker.sock was to try, still same.
srwxr-xr-x 1 root docker 0 Jan 2 23:36 /var/run/dockershim.sock
srw-rw---- 1 root docker 0 Jan 2 23:33 /var/run/docker.sock
sudo usermod -aG docker $USER
or you can see docker postinstall

Aerospike Connect to kafka: docker: Error response from daemon: invalid mode: /etc/aerospike-kafka-outbound/aerospike-kafka-outbound.yml

I am trying Aerospike Connect to Kafka.
OS: Windows
I referred https://enterprise.aerospike.com/docs/connect/streaming-from-asdb/installing/from-asdb-to-kafka-installing.html.
I referred: '# With Aerospike 5.0 and later' for deploying on docker
I have these running in docker:
My Windows path for the file: C:/aerospike-kafka-outbound/aerospike-kafka-outbound.yml
C:\Users\Nupur>docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1114b8a97406 aerospike/aerospike-kafka-outbound:4.0.0 "/bin/sh -c '/opt/${…" 37 seconds ago Up 29 seconds compassionate_hofstadter
93343be1d481 aerospike/aerospike-tools "wrapper aql -h 172.…" 4 hours ago Up 4 hours dreamy_mendeleev
5f00ee532c4e aerospike/amc "/opt/amc/amc ' -con…" 8 days ago Up 4 hours 0.0.0.0:8081->8081/tcp aerospike-consoles
a81ff04dbd74 aerospike/aerospike-server-enterprise "/usr/bin/tini -r SI…" 8 days ago Up 4 hours 0.0.0.0:3000-3002->3000-3002/tcp aerospike
Error:
C:\Users\Nupur>docker run -p 8080:8080 -v /C:/aerospike-kafka-outbound/aerospike-kafka-outbound.yml:/etc/aerospike-kafka-outbound/aerospike-kafka-outbound.yml aerospike/aerospike-kafka-outbound:4.0.0
docker: Error response from daemon: invalid mode: /etc/aerospike-kafka-outbound/aerospike-kafka-outbound.yml.
See 'docker run --help'.
As for the front slash used in Windows path, on using backslash:
C:\Users\Nupur>docker run -p 8080:8080 -v C:\\aerospike-kafka-outbound\\aerospike-kafka-outbound.yml:/etc/aerospike-kafka-outbound/aerospike-kafka-outbound.yml aerospike/aerospike-kafka-outbound:4.0.0
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/run/desktop/mnt/host/c/aerospike-kafka-outbound/aerospike-kafka-outbound.yml" to rootfs at "/etc/aerospike-kafka-outbound/aerospike-kafka-outbound.yml" caused: mount through procfd: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type.
This is my docker directory:
C:\Users\Nupur>docker exec -it 1114b8a97406 bash
root#1114b8a97406:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
root#1114b8a97406:/# cd /etc
root#1114b8a97406:/etc# ls
adduser.conf ca-certificates.conf environment host.conf ld.so.cache machine-id pam.conf rc1.d resolv.conf shells timezone
aerospike-kafka-outbound cron.daily fstab hostname ld.so.conf mke2fs.conf pam.d rc2.d rmt skel update-motd.d
alternatives debconf.conf gai.conf hosts ld.so.conf.d motd passwd rc3.d securetty ssl xattr.conf
apt debian_version group init.d libaudit.conf mtab passwd- rc4.d security subgid
bash.bashrc default group- issue localtime nsswitch.conf profile rc5.d selinux subuid
bindresvport.blacklist deluser.conf gshadow issue.net login.defs opt profile.d rc6.d shadow systemd
ca-certificates dpkg gshadow- kernel logrotate.d os-release rc0.d rcS.d shadow- terminfo
root#1114b8a97406:/etc# cd aerospike-kafka-outbound
root#1114b8a97406:/etc/aerospike-kafka-outbound# ls
aerospike-kafka-outbound.yml
root#1114b8a97406:/etc/aerospike-kafka-outbound#

Docker device-cgroups-rule, mknod and mount

I'm attempting to implement what is described here:
https://docs.docker.com/engine/reference/commandline/create/#dealing-with-dynamically-created-devices---device-cgroup-rule
Similar to the page I am creating (and then starting) a container as follows:
docker create --device-cgroup-rule='b 8:* rmw' -name my-container my-image
Quoting from the above page
Then, a user could ask udev to execute a script that would docker exec
my-container mknod newDevX c 42 the required device when it is
added.
Within the container (docker exec -it my-container sh) I then mknod a device:
mknod /dev/sdc1 b 8 33
The device was reported as above by lsblk:
sdc 8:32 1 500M 0 disk
└─sdc1 8:33 1 500M 0 part
mknod succeeds but mounting /dev/sdc1 gives an error:
$ mount /dev/sdc1 /mnt
mount: /mnt: permission denied.
I also tried various other things like
mknod with -m
docker start with --cap-add=CAP_MKNOD
EDIT:
I also tried starting with --privileged but without the /dev/sdc1 precreated and it worked. It must have something to do with Capabilities or other differences between privileged and non-privileged mode. I tried with --cap-add=CAP_MKNOD and CAP_SYS_ADMIN but it now reports a difference message:
$ mount /dev/sdc1 /mnt
mount: /mnt: cannot mount /dev/sdc1 read-only.

Mounts denied: \r\nThe path /a/b \r\n is not shared from OS X and is not known to Docker

On mac, /a/b is with below permissions:
$ ls -l /a/b
total 0
drwxrwxrwx 2 root wheel 64 13 Jan 08:50 b
$ whoami
user1
$
Below is the docker-compose file to mount /a/b from docker container:
version: '2'
services:
someapp:
build:
context: .
args:
DOCKER_GID: ${DOCKER_GID}
DOCKER_VERSION: ${DOCKER_VERSION}
DOCKER_COMPOSE: ${DOCKER_COMPOSE}
volumes:
- /a/b:/var/some_mount
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "8080:8080"
On running docker-compose up -d someapp, I see below error:
ERROR: for docker-folder_someapp_1 Cannot start service someapp: b'Mounts denied: \r\nThe path /a/b\r\n is not shared from OS X and is not known to Docker.\r\nYou can configure shared paths from Docker -> Preferences... -> File Sharing.\r\nSee https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.\r\n.'
ERROR: for someapp Cannot start service someapp: b'Mounts denied: \r\nThe path /a/b\r\nis not shared from OS X and is not known to Docker.\r\nYou can configure shared paths from Docker -> Preferences... -> File Sharing.\r\nSee https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.\r\n.'
ERROR: Encountered errors while bringing up the project.
Following the instructions when I add /a/b using File sharing option to existing list:
I get another error popup: The export path /Users/user1/Documents/:a/:a:b overlaps with the export /Users
Another observation is, installing docker on MacOS, using VMWare to run docker, unlike ubuntu :
$ ps -eaf | grep docker
0 11100 1 0 9:02am ?? 0:00.07 /Library/PrivilegedHelperTools/com.docker.vmnetd
1873530912 11108 11038 0 9:02am ?? 0:01.45 /Applications/Docker.app/Contents/MacOS/com.docker.supervisor -watchdog fd:0
I do not see such mount deny issues, running docker daemon in Ubuntu.
1)
How to mount path(/a/b) of docker host to docker container's(/var/some_mount) ? in macos
2)
Is the explicit file sharing needed from docker host, because, docker installation on MacOS makes docker host run on VMWare and docker client run on MacOS?

Set volume to docker container from wsl from windows 10

In my windows i installed docker and ubuntu 18.4 wsl.So after expose daemon on localhost, i can use windows daemon on ubuntu wsl.
I created a directory's on drive d and i made a file into data directory like below:
PS D:\wsl\data> dir
Directory: D:\wsl\data
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/31/2019 2:27 PM 0 New Text Document.txt
PS D:\wsl\data>
after that, i run a postgres container like below on wsl teminal:
$ docker run --name=pg-docker3 -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=s123 -v /mnt/d/wsl/data:/var/lib/postgresql/data mdillon/postgis:11-alpine
After creating container i open container by bash :
$ docker exec -it pg-docker3 bash
This is data postgres directory:
bash-4.4# ls /var/lib/postgresql/data
PG_VERSION pg_commit_ts pg_logical pg_serial pg_subtrans pg_xact postmaster.pid
base pg_dynshmem pg_multixact pg_snapshots pg_tblspc postgresql.auto.conf
data pg_hba.conf pg_notify pg_stat pg_twophase postgresql.conf
global pg_ident.conf pg_replslot pg_stat_tmp pg_wal postmaster.opts
bash-4.4#
as you can see data directory construct in location but when i listed thing's inside data directory i can see my text file that created in host machine !!!
I created a directory inside data directory calld kk.
bash-4.4# ls /var/lib/postgresql/data
PG_VERSION pg_commit_ts pg_logical pg_serial pg_subtrans pg_xact postmaster.pid
base pg_dynshmem pg_multixact pg_snapshots pg_tblspc postgresql.auto.conf
data pg_hba.conf pg_notify pg_stat pg_twophase postgresql.conf
global pg_ident.conf pg_replslot pg_stat_tmp pg_wal postmaster.opts
bash-4.4# ls /var/lib/postgresql/data/data/
kk
bash-4.4#
But not create this directory inside host as you can see:
PS D:\wsl\data> dir
Directory: D:\wsl\data
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/31/2019 2:27 PM 0 New Text Document.txt
Where is the /var/lib/postgresql/data/data/ ? and why it not appeared in /mnt/d/wsl/data ?
You must move your mounting path from /mnt to /. In this answer there is the following explanation : Can you run Docker natively on the new Windows 10 (Ubuntu) bash userspace?
Volumes
Take care when adding volumes. The path C:\dir will be visible as /mnt/c/dir on WSL and as /c/dir/ by docker engine. You can overcome it permanently:
sudo bash -c "echo -e '[automount] \nroot = /'>/etc/wsl.conf"
You must exit and reload WSL after making the change to wsl.conf so that WSL reads in your changes on launch.
Regards

Resources