install docker on debian - 'overlay' is not supported over overlayfs - docker

I created a docker image for my build pipeline and I am trying to run docker build -t someTag .
However, I am getting this error.
DEBU[0000] Listener created for HTTP on unix (/var/run/docker.sock)
INFO[0000] libcontainerd: new containerd process, pid: 1026
DEBU[0000] Permission denied writing "-500" to /proc/1026/oom_score_adj
DEBU[0000] containerd: grpc api on /var/run/docker/libcontainerd/docker-containerd.sock
DEBU[0000] containerd: read past events count=0
DEBU[0000] containerd: supervisor running cpus=2 memory=976 runtime=docker-runc runtimeArgs=[] stateDir="/var/run/docker/libcontainerd/containerd"
DEBU[0000] libcontainerd: containerd health check returned error: rpc error: code = 14 desc = grpc: the connection is unavailable
DEBU[0001] Permission denied writing "-500" to /proc/self/oom_score_adj
DEBU[0001] Using default logging driver json-file
DEBU[0001] Golang's threads limit set to 6840
DEBU[0001] [zfs] zfs command is not available: exec: "zfs": executable file not found in $PATH
ERRO[0001] 'overlay' is not supported over overlayfs
DEBU[0001] Using graph driver vfs
DEBU[0001] Max Concurrent Downloads: 3
DEBU[0001] Max Concurrent Uploads: 5
INFO[0001] Graph migration to content-addressability took 0.00 seconds
INFO[0001] Loading containers: start.
DEBU[0001] Option Experimental: false
DEBU[0001] Option DefaultDriver: bridge
DEBU[0001] Option DefaultNetwork: bridge
WARN[0001] Running modprobe bridge br_netfilter failed with message: , error: exec: "modprobe": executable file not found in $PATH
WARN[0001] Running modprobe nf_nat failed with message: ``, error: exec: "modprobe": executable file not found in $PATH
WARN[0001] Running modprobe xt_conntrack failed with message: ``, error: exec: "modprobe": executable file not found in $PATH
DEBU[0001] Fail to initialize firewalld: Failed to connect to D-Bus system bus: dial unix /var/run/dbus/system_bus_socket: connect: no such file or directory, using raw iptables instead
DEBU[0001] /usr/sbin/iptables, [-t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]
DEBU[0001] /usr/sbin/iptables, [-t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER]
DEBU[0001] /usr/sbin/iptables, [-t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER]
DEBU[0001] /usr/sbin/iptables, [-t nat -D PREROUTING]
DEBU[0001] /usr/sbin/iptables, [-t nat -D OUTPUT]
DEBU[0001] /usr/sbin/iptables, [-t nat -F DOCKER]
DEBU[0001] /usr/sbin/iptables, [-t nat -X DOCKER]
DEBU[0001] /usr/sbin/iptables, [-t filter -F DOCKER]
DEBU[0001] /usr/sbin/iptables, [-t filter -X DOCKER]
DEBU[0001] /usr/sbin/iptables, [-t filter -F DOCKER-ISOLATION]
DEBU[0001] /usr/sbin/iptables, [-t filter -X DOCKER-ISOLATION]
DEBU[0001] /usr/sbin/iptables, [-t nat -n -L DOCKER]
DEBU[0001] /usr/sbin/iptables, [-t nat -N DOCKER]
DEBU[0001] start clean shutdown of all containers with a 15 seconds timeout...
DEBU[0001] Cleaning up old mountid : start.
DEBU[0001] Cleaning up old mountid : done.
Here is the info of my Dockerfile that is installing docker. I found these steps here.
FROM debian:latest
ENV DEBIAN_FRONTEND noninteractive
ENV JENKINS_HOME /var/jenkins_home
USER root
WORKDIR $JENKINS_HOME
RUN apt-get update
# wget is used below but is not in the debian base image, so it is installed here
RUN apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg2 \
    software-properties-common \
    wget
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN apt-get install -y iptables
RUN wget https://download.docker.com/linux/debian/dists/jessie/pool/stable/amd64/docker-ce_17.06.0~ce-0~debian_amd64.deb
RUN dpkg -i docker-ce_17.06.0~ce-0~debian_amd64.deb
What I have tried:
I have tried starting dockerd.
From my best guess, it looks like I need dockerd to start.
root@90302deb48a0:/var/jenkins_home# ps -ef | grep docker
root 6 1 0 14:47 ? 00:00:00 grep docker
I have looked into updating
I have tried updating my iptables
root@e898473347a2:/var/jenkins_home# apt-get install -y iptables
Reading package lists... Done
Building dependency tree
Reading state information... Done
iptables is already the newest version (1.6.0+snapshot20161117-6).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
I have verified that I am root and the directories are owned by root.
root@e898473347a2:/var/jenkins_home# whoami
root
I have tried to research where to post this. Please tell me if this needs to be moved somewhere else. I will kindly move this if this doesn't classify as "programming".

It sounds like you are trying to do Docker in Docker (DinD). It requires some hacks and changing the storage driver (you can't do overlay on overlay). See the Dockerfile and entrypoint script at https://github.com/docker-library/docker/tree/a73d96e731e2dd5d6822c99a9af4dcbfbbedb2be/19.03/dind for more information. It has information on where it gets the dind script and the necessary entrypoint changes to run dockerd.
However, there are official dind tagged images on Docker Hub that you may be better off building from. See https://hub.docker.com/_/docker/. You could just use image docker:17.05.0-dind or base your image off of it if you need customizations.
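The "overlay over overlayfs" point in this answer can be checked before dockerd is ever started. The following is an added example, not code from the question, the answer, or the docker-library dind image: a POSIX sh check that reads a mount table in /proc/mounts format, finds the filesystem backing a candidate Docker data root, and names the storage driver that can run there. The two mount tables are constructed samples, and the function names are mine.

```sh
#!/bin/sh
# Added example, not code from the question, the answer, or the docker-library
# dind image: work out what filesystem backs Docker's data root and which
# storage driver dockerd can use there. The daemon's "'overlay' is not
# supported over overlayfs" error is exactly the case where the data root
# (default /var/lib/docker) sits on the container's own overlayfs root.

# Constructed sample in /proc/mounts format: what a plain container sees.
# The root is overlayfs; only /var/jenkins_home is a real (ext4) volume.
SAMPLE_MOUNTS_DIND='overlay / overlay rw,relatime,lowerdir=/l1:/l2,upperdir=/u,workdir=/w 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
/dev/sda1 /var/jenkins_home ext4 rw,relatime 0 0'

# Constructed sample for a host where /var/lib/docker is its own xfs mount.
SAMPLE_MOUNTS_HOST='/dev/nvme0n1p2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/nvme0n1p3 /var/lib/docker xfs rw,relatime,attr2,inode64 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# backing_fstype MOUNTS PATH
# Prints the fstype (third field) of the longest mount point that contains
# PATH. Longest-prefix matching matters: "/" contains everything, a dedicated
# mount for /var/lib/docker must win over it, and /var/lib/dockerd must not
# be treated as living under /var/lib/docker.
backing_fstype() {
    printf '%s\n' "$1" | awk -v target="$2" '
        {
            mnt = $2
            if (mnt == "/" || mnt == target || index(target, mnt "/") == 1) {
                if (length(mnt) > best_len) { best_len = length(mnt); best_type = $3 }
            }
        }
        END { print best_type }'
}

# recommend_driver FSTYPE
# overlay2 needs a real filesystem underneath (ext4, or xfs with ftype=1).
# On top of another overlayfs the daemon refuses it and falls back to vfs,
# which is what the log in the question shows ("Using graph driver vfs").
recommend_driver() {
    case $1 in
        ext4|xfs) echo overlay2 ;;
        *)        echo vfs ;;      # includes "overlay": the daemon's own fallback
    esac
}

# storage_driver_for MOUNTS PATH: the driver usable for a data root at PATH.
storage_driver_for() {
    recommend_driver "$(backing_fstype "$1" "$2")"
}

# Stand-alone run: compare the DinD container with the host.
for root in /var/lib/docker /var/jenkins_home/docker; do
    printf 'dind  %-26s %-8s -> %s\n' "$root" \
        "$(backing_fstype "$SAMPLE_MOUNTS_DIND" "$root")" \
        "$(storage_driver_for "$SAMPLE_MOUNTS_DIND" "$root")"
done
printf 'host  %-26s %-8s -> %s\n' /var/lib/docker \
    "$(backing_fstype "$SAMPLE_MOUNTS_HOST" /var/lib/docker)" \
    "$(storage_driver_for "$SAMPLE_MOUNTS_HOST" /var/lib/docker)"
# On a live system: backing_fstype "$(cat /proc/mounts)" /var/lib/docker
```

The constructed DinD table shows both outcomes: /var/lib/docker is backed by the container's overlayfs root, so only vfs will work there, while a data root under the mounted /var/jenkins_home is backed by ext4 and can use overlay2. That is why the official dind image declares /var/lib/docker as a volume, so the daemon's data root is never on the container's own overlayfs.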

Related

Getting an error while creating docker network

When I try to create a docker network, I'm getting the errors below.
iptables --wait -l FORWARD -o br-31422214d633 -j DOCKER: iptables v1.8.7(nf_tables): RULE_INSERT failed
iptables --wait -l FORWARD -o br-31422214d633 -j DOCKER: iptables v1.8.7(nf_tables): RULE_INSERT failed
DOCKER: iptables v1.8.7(nf_tables): RULE_INSERT failed(invalid argument): rule in chain FORWARD
Can anybody provide some guidance on how to fix this?
OS: RHEL 7
Docker version: 20.10.9

How do you publish ports from a Docker container on a system using nftables?

I have a fairly plain Debian Buster install. Debian Buster uses nftables rather than iptables. If I try and run a container with a published port:
sudo docker run -it --rm --name=port-test -p 1234:1234/tcp debian:jessie-slim
then I get this error:
docker: Error response from daemon: driver failed programming external connectivity on endpoint port-test (941052b9f420df39ac3d191dcbe12e97276703903911e7b5172663e7736d59e0): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1234 -j DNAT --to-destination 172.17.0.2:1234 ! -i docker0: iptables v1.8.2 (nf_tables): Chain 'DOCKER' does not exist
How do I get port publishing working?
Please see this issue and comment:
https://github.com/moby/moby/issues/26824#issuecomment-517046804
You can run sudo update-alternatives --config iptables and sudo update-alternatives --config ip6tables (if you use IPv6), and set it to iptables-legacy which is a compatibility mode that Docker can work with.

Docker Desktop, Windows 10 - waiting for SSH to be available / certificate signed by unknown authority

Sharing a solution to this issue in case it's helpful to somebody, as the exact issue / fix doesn't seem to be covered by other threads with similar titles.
The symptom was that on attempting to create a new vm with docker-machine create --driver hyperv testvm, the process hung at:
Running pre-create checks...
Creating machine...
(testvm) Copying F:\Virtual\Docker\cache\boot2docker.iso to
F:\Virtual\Docker\machines\testvm\boot2docker.iso...
(testvm) Creating SSH key...
(testvm) Creating VM...
(testvm) Using switch "Docker External Switch"
(testvm) Creating VHD
(testvm) Starting VM...
(testvm) Waiting for host to start...
Waiting for machine to be running, this may take a few minutes...
Detecting operating system of created instance...
Waiting for SSH to be available...
This was with Windows 10 Pro, Hyper-V, and a fresh install of Docker Desktop Community 2.0.0.3 (although I suspect that Hyper-V is irrelevant to this issue).
When I ctrl-c'd out of the create command I could docker-machine ls and see that the VM was up, but was showing an error:
NAME ACTIVE DRIVER STATE URL SWARM DOCKER ERRORS
testvm - hyperv Running tcp://192.168.5.61:2376 Unknown Unable to query docker version: Get https://192.168.5.60:2376/v1.15/version: x509: certificate signed by unknown authority
All attempts to docker-machine ssh to it failed similarly:
PS C:\> docker-machine ssh testvm
exit status 255
I tried using git bash as suggested in various threads elsewhere, but was seeing, e.g.:
$ docker-machine ssh testvm
Error: Cannot run SSH command: Host "testvm" is not running
(Likely some kind of configuration issue with my git bash install, but was unable to figure out what it was!)
The problem turned out to be some kind of compatibility issue with my installation of OpenSSH here:
PS C:\> get-command ssh
CommandType Name Version Source
----------- ---- ------- ------
Application ssh.exe 7.7.2.1 C:\Windows\System32\OpenSSH\ssh.exe
This was producing debug output (when docker-machine was run with the -debug switch) along these lines:
(testvm) Calling .GetSSHPort
(testvm) Calling .GetSSHKeyPath
(testvm) Calling .GetSSHKeyPath
(testvm) Calling .GetSSHUsername
Using SSH client type: external
&{[-F /dev/null -o ConnectionAttempts=3 -o ConnectTimeout=10 -o ControlMaster=no -o ControlPath=none -o LogLevel=quiet -o PasswordAuthentication=no -o ServerAliveInterval=60 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null docker@192.168.5.61 -o IdentitiesOnly=yes -i F:\Virtual\Docker\machines\testvm\id_rsa -p 22] C:\Windows\System32\OpenSSH\ssh.exe <nil>}
About to run SSH command:
exit 0
SSH cmd err, output: exit status 255:
Error getting ssh command 'exit 0' : ssh command error:
command : exit 0
err : exit status 255
output :
Everything started to work when I used the --native-ssh switch which is documented here. I was then able to:
docker-machine --native-ssh regenerate-certs testvm
..to resolve the certificate issue, and:
PS C:\> docker-machine --native-ssh ssh testvm ps
PID TTY TIME CMD
3301 pts/0 00:00:00 ps
..etc.
Probably better though to:
docker-machine rm -y testvm
docker-machine --native-ssh create --driver hyperv testvm
Everything was working for me without the switch at one point - my guess is that I didn't have OpenSSH installed at that time, and docker-machine was using its native version by default.

Docker Swarm consul not starting

When I try to start docker consul by this command
docker run --restart=unless-stopped -d -p 8500:8500 -h consul progrium/consul -server -bootstrap
it gives the following error.
docker: Error response from daemon: driver failed programming external
connectivity on endpoint tiny_bhaskara
(b53c9aa988d96750bfff7c19c6717b18756c7b92287f0f7a4d9e9fa81f42c43d):
iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0
--dport 8500 -j DNAT --to-destination 172.17.0.2:8500 ! -i docker0: iptables: No chain/target/match by that name.
No idea what's going on!!
From this answer:
Something on your system has removed the docker iptables entries that it needs to work. Two fixes have been suggested here:
For CentOS:
sudo service docker restart
sudo service iptables save
And for Ubuntu:
sudo apt-get install iptables-persistent
sudo service docker restart
iptables-save > /etc/iptables/rules.v4 # you may need to "sudo -s" to get a root shell first
After the restart of docker, you should see the docker chain under the nat table:
iptables -t nat -vL
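The nftables question above and this consul question fail at the same layer: either the iptables binary is on a backend the daemon cannot drive (the "(nf_tables)" errors), or the DOCKER chains the daemon's DNAT and FORWARD rules jump to are gone ("No chain/target/match by that name", "Chain 'DOCKER' does not exist"). The following is an added example, not code from any of the questions or answers on this page: a POSIX sh preflight that tells the two conditions apart from captured `iptables --version` and `iptables-save` text. The rule dumps are constructed samples and the function names are mine.

```sh
#!/bin/sh
# Added example, not code from any of the questions or answers above: a
# preflight check for the two iptables conditions behind the errors quoted on
# this page. It works on captured text so it runs anywhere; on a live host
# feed it "$(iptables --version)" and "$(iptables-save)" (root needed).

# Constructed samples. The first has the shape of a healthy daemon's rules;
# the second is what is left after something flushed Docker's chains (or
# before a freshly started dockerd has created them).
SAMPLE_SAVE_OK='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
-A FORWARD -o docker0 -j DOCKER
COMMIT'

SAMPLE_SAVE_BROKEN='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# iptables_backend VERSION_LINE
# 1.8.x prints its backend in parentheses, with or without a space before it
# ("iptables v1.8.7(nf_tables)" appears verbatim in one error above); older
# releases print none because only the legacy backend existed.
iptables_backend() {
    case $1 in
        *nf_tables*)    echo nf_tables ;;
        *legacy*)       echo legacy ;;
        *" v1."[0-7].*) echo legacy ;;
        *)              echo unknown ;;
    esac
}

# has_chain SAVE_TEXT TABLE CHAIN -> exit 0 if the chain is declared.
# In iptables-save output "*nat" opens a table and ":NAME policy [p:b]"
# declares a chain inside it.
has_chain() {
    printf '%s\n' "$1" | awk -v table="$2" -v chain="$3" '
        /^\*/ { cur = substr($0, 2); next }
        cur == table && $1 == (":" chain) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# docker_chains_missing SAVE_TEXT -> one "table/chain" line per missing chain.
# These are the chains the errors above name: nat/DOCKER is the target of the
# failing DNAT rule for published ports, filter/DOCKER the target of the
# FORWARD rule.
docker_chains_missing() {
    for pair in nat/DOCKER filter/DOCKER; do
        has_chain "$1" "${pair%/*}" "${pair#*/}" || echo "$pair"
    done
}

# docker_iptables_report VERSION_LINE SAVE_TEXT: human-readable summary.
docker_iptables_report() {
    echo "iptables backend: $(iptables_backend "$1")"
    missing=$(docker_chains_missing "$2")
    if [ -z "$missing" ]; then
        echo "Docker chains present"
    else
        echo "Docker chains missing (restart dockerd to recreate them):"
        echo "$missing" | sed 's/^/  /'
    fi
}

docker_iptables_report 'iptables v1.8.2 (nf_tables)' "$SAMPLE_SAVE_OK"
docker_iptables_report 'iptables v1.6.0' "$SAMPLE_SAVE_BROKEN"
```

On a live host run `docker_iptables_report "$(iptables --version)" "$(iptables-save)"`. A missing chain points at the fix in this answer (restart the daemon so it recreates its chains, then persist the rules); an nf_tables backend with the daemon still failing points at the fix in the nftables answer above (switch the iptables alternative to iptables-legacy).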

docker AWS fail to launch - custom kernel

I cannot launch docker on my AWS instance:
root@system:~# docker -H tcp://127.0.0.1:2375 -H
unix:///var/run/docker.sock -d
root@system:~# INFO[0000] +job serveapi(tcp://127.0.0.1:2375, unix:///var/run/docker.sock)
INFO[0000] +job init_networkdriver()
INFO[0000] Listening for HTTP on tcp (127.0.0.1:2375)
INFO[0000] Listening for HTTP on unix (/var/run/docker.sock)
Unable to allow incoming packets: iptables failed: iptables --wait -I
FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT:
iptables: No chain/target/match by that name.
(exit status 1)
INFO[0000] -job init_networkdriver() = ERR (1)
FATA[0000] (exit status 1)
How would you troubleshoot that error sequence message?
Double-check the docker installation procedure on AWS:
[ec2-user ~]$ sudo yum update -y
[ec2-user ~]$ sudo yum install -y docker
[ec2-user ~]$ sudo service docker start
Starting cgconfig service: [ OK ]
Starting docker: [ OK ]
[ec2-user ~]$ sudo usermod -a -G docker ec2-user
# Log out and log back in again to pick up the new docker group permissions.
# Verify that the ec2-user can run Docker commands without sudo.
[ec2-user ~]$ docker info