So I have this Dockerfile:
FROM nginx:alpine
COPY default.conf /etc/nginx/conf.d/
COPY index.html /usr/share/nginx/html/
I build it using:
docker build .
I get the ID: 0154623d6179
And then I run:
docker run 0154623d6179 -d -p 80:80
and I get the error:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"-d\": executable file not found in $PATH": unknown.
What am I doing wrong?
Order in the params matters:
docker run -d -p 80:80 0154623d6179
Whatever comes after image will be considered part of the command to start the container process.
Solved it by putting the image ID at the end of the command
For example, I have a Dockerfile which has an ENTRYPOINT command:
From alpine:latest
WORKDIR /app/
RUN apk add --no-cache bash && echo 'echo foo:$FOO' > echo.sh && cat echo.sh && chmod a+x echo.sh
ENTRYPOINT ["sh", "-c", "_FOO=$FOO ./echo.sh && unset FOO && sleep 30"]
Then I run this docker and pass env FOO with value bar:
$ docker run --rm -e FOO=bar --name=demo docker-image-demo
How to unset the environment variable FOO in container which is provided by docker run -e FOO=bar command ?
$ docker exec -it demo bash
$ bash-5.0$ echo $FOO
bar
I tried to use exec to replace the container process with bash, but I get an error:
ENTRYPOINT ["exec", "sh", "-c", "_FOO=$FOO ./echo.sh && unset FOO && sleep 30"]
docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "exec: "exec": executable file not found in $PATH": unknown.
I'd use docker secret for this purpose. Injecting secrets to the container via env variables is perfectly acceptable - even security-hardened Openshift permits it in their Templates.
If the adversary is already inside of the server container, then they must have hacked the very password you are trying to hide here. Or they gained access to your machine and can execute docker commands (docker group password is usually at the same level as sudo, so it means you have been hacked down to root level) or have your CLI password in case of Openshift, so they can connect to remote shells in all other containers in your namespace and do whatever they please. So hiding env vars seems now a bit too late.
You do it with the unset shell built-in, exactly as you're doing it.
However: docker exec shells do not run as children of your entrypoint, so any changes the entrypoint makes to the environment won't be visible to those shells. This usually isn't a practical problem, since you should usually reserve docker exec for occasional debugging tasks.
One way to see this is to edit your Dockerfile to run the echo.sh script again after the unset command.
You can also restructure this to use an entrypoint wrapper script, and honor the Docker CMD. For example, we could take the long command in your current ENTRYPOINT line and rewrite it into a script:
#!/bin/sh
# Do any first-time setup that's required
echo "FOO was '$FOO'"
unset FOO
echo "FOO is now '$FOO'"
# Then run the main container command, replacing this script
exec "$@"
You can then invoke this in the Dockerfile:
FROM alpine:latest
# RUN apk add --no-cache bash
WORKDIR /app
# COPY will preserve the executable bit
COPY echo.sh entrypoint.sh ./
# Must use JSON-array syntax; must not use `sh -c` wrapper
ENTRYPOINT ["/app/entrypoint.sh"]
# Can be anything
CMD sleep 30
Now if you build this image, you can docker run it with an alternate command. For example, if you just want to see the environment the main container process will run with, you can
docker run --rm docker-image-demo env
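The difference between the main container process and a docker exec shell can be reproduced without Docker. This is an added example, not part of the original answer: `demo_dir`, `probe.sh` and the function names are constructed, and `env FOO=bar` stands in for the environment Docker stores in the container's configuration and hands to every process it starts.

```shell
#!/bin/sh
# Added example: simulates the entrypoint wrapper without Docker.
# Constructed names: demo_dir, probe.sh and the three functions below.
demo_dir=$(mktemp -d)

# The wrapper from the answer, reduced to the two lines that matter.
cat > "$demo_dir/entrypoint.sh" <<'EOF'
#!/bin/sh
unset FOO
exec "$@"
EOF

# Probe: report whether FOO is present in this process's environment.
cat > "$demo_dir/probe.sh" <<'EOF'
#!/bin/sh
if env | grep -q '^FOO='; then echo yes; else echo no; fi
EOF

# Main container process: started through the wrapper,
# as with `docker run -e FOO=bar`.
main_sees_foo() {
    env FOO=bar sh "$demo_dir/entrypoint.sh" sh "$demo_dir/probe.sh"
}

# `docker exec` analogue: started from the same configured environment,
# but not as a child of the wrapper, so the unset never reaches it.
exec_shell_sees_foo() {
    env FOO=bar sh "$demo_dir/probe.sh"
}

# "$@" hands the CMD to the main process with its argument boundaries
# intact: "two words" arrives as one argument, so the count is 2.
arg_count_through_wrapper() {
    sh "$demo_dir/entrypoint.sh" sh -c 'echo $#' _ "two words" three
}

echo "main process sees FOO:      $(main_sees_foo)"
echo "exec-style shell sees FOO:  $(exec_shell_sees_foo)"
echo "args seen by main process:  $(arg_count_through_wrapper)"
```

The value also stays readable to anyone who can run docker inspect on the container, because it is part of the container's configuration.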
Google's distroless images by default do not have any shell (even sh), so they are ideal for hiding environment variables and protecting scripted apps code (if you are lucky to use the supported languages such as Go, Java, or Rust, sadly not Python yet).
As for debugging during development time, these images have also special dev versions with busybox installed (and thus sh) - it's enough to switch to the debug tag:
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:debug
/ # id
uid=0(root) gid=0(root)
... versus my vain hacking attempts of the shell-less production version of the same container:
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest
docker: Error response from daemon: No command specified.
See 'docker run --help'.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest cat /etc/shells
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "cat": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest echo $SHELL
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "echo": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest echo $PATH
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "echo": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest cat $PATH
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "cat": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest cat $SHELL
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "cat": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest sh
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "sh": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest bash
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "bash": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest busybox
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "busybox": executable file not found in $PATH: unknown.
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest id
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "id": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled
$ docker run -it --rm --name base -u 0 gcr.io/distroless/base:latest env
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "env": executable file not found in $PATH: unknown.
I have a Dockerfile that looks like this:
FROM image
WORKDIR /App
ADD ./App/ /App
ENTRYPOINT [ "./App" ]
In the App directory I am mounting a golang binary and its config.yml.
The image builds and runs correctly. When I am not running the container detached I can see the app is running as well.
But when I run it detached:
docker run -d image
I cannot exec into container after:
docker exec -it container bin/bash
With an error message:
OCI runtime exec failed: exec failed: container_linux.go:345: starting
container process caused "exec: \"bin/bash\": stat bin/bash: no such
file or directory": unknown
I can understand it has to do with the entrypoint I set, but I am not sure what alternative I could use.
Any ideas?
You should specify the full path to the binary file (/bin/bash in your case) or just the name of a binary file located somewhere in your container's PATH variable (bash).
Hey I'm very new at this so bear with me please.
I'm trying to run a docker container I exported. The container was running with command:
I've tried using this:
sudo docker run -p 8080:8080 --name=test testcontainer --entrypoint=/sbin/tini -- /usr/local/bin/jenkins.sh
However I get errors:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "exec: \"--entrypoint=/sbin/tini\": stat --entrypoint--/sbin/tini: no such file or directory": unknown.
I've also tried a combination of them with a space between them like such:
sudo docker run -p 8080:8080 --name=test testcontainer --entrypoint=/sbin/tini /usr/local/bin/jenkins.sh
How would I go about running that command?
--entrypoint would go before the image name
sudo docker run -p 8080:8080 --name=test --entrypoint=/sbin/tini testcontainer /usr/local/bin/jenkins.sh
The extra arguments would follow that to become the command (and dashes aren't needed).
Or if bash is the default entrypoint, you can give the whole thing as a command.
sudo docker run -p 8080:8080 --name=test testcontainer bash -c "/sbin/tini -- /usr/local/bin/jenkins.sh"
I am following Arun Gupta's 'kubernetes-for-java-developers' tutorial for learning Docker/Kubernetes.
https://github.com/arun-gupta/kubernetes-for-java-developers
I am failing in this particular step
docker image build --file Dockerfile.jre -t arungupta/greeting:jre-slim .
While I am using Docker Desktop with Windows containers, I get the message below.
F:\Work\Workspace\IntellejIdea\kubernetes-for-java-developers\app>docker
image build --file Dockerfile.jre -t arungupta/greeting:jre-slim .
Sending build context to Docker daemon 219.5MB
Step 1/7 : FROM debian:9-slim
operating system is not supported
While I am using Docker Desktop with Linux containers, I get the message below on running this command:
docker container run -d -p 8090:8080 arungupta/greeting:jre-slim
F:\Work\Workspace\IntellejIdea\kubernetes-for-java-developers\app>docker container run -d -p 8090:8080 arungupta/greeting:jre-slim
db92a3cc25635d1d2a7f02cd7c94dd11af6b17ea5b258dcaf740de93a05221f7
docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "exec: \"./myjre/bin/java\": stat ./myjre/bin/java: no such file
or directory": unknown.
My operating system is Windows 10 Pro.
Dockerfile.jre
FROM debian:9-slim
COPY target/app.war /root
COPY myjre /root/myjre
EXPOSE 8080 5005
WORKDIR /root
ENV _JAVA_OPTIONS '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005'
CMD ["./myjre/bin/java", "-jar", "app.war"]
As I am new to this Docker/Kubernetes technology, I am not sure where to start debugging, or what the issues are.
Help appreciated!!
I am trying to use a Dockerfile for a Flask app. I have this Dockerfile (end of file):
CMD ["/usr/bin/python3 manage.py"]
It's been built successfully with the command sudo docker build -t server . then I run it with sudo docker run -dit -p 5000:5000 -t server:latest but I get:
6acfe48c74d96c12eeda2c2cc98e27d2e5478edaa44f2061336102f04cdf54c4
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"/usr/bin/python3 manage.py\": stat /usr/bin/python3 manage.py: no such file or directory": unknown.
Let me know if you need more information. ( I used which python3 and pasted the PATH and used ls and saw manage.py exists there)
When you say:
CMD ["/usr/bin/python3 manage.py"]
You are directing the system to run exactly that file; but there is no file named python3 manage.py in the /usr/bin directory. If you have a separate command and arguments then they need to be two separate things in the CMD listing:
CMD ["/usr/bin/python3", "manage.py"]