a. Run the below export command in terminal:
export DOCKER_CONTENT_TRUST=1
b. Run :
docker-compose up --build -d
FAILURE:
ERRO[0000] Can't close tar writer: io: read/write on closed pipe
error during connect: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.41/build?buildargs=%7B%22EIS_VERSION%22%3A%222.4%22%2C%22GO_VERSION%22%3A%221.12%22%2C%22HOST_TIME_ZONE%22%3A%22Asia%2FKolkata%22%2C%22HTTPS_PROXY%22%3A%22http%3A%2F%2Fproxy-xyz.com%3A911%22%2C%22HTTP_PROXY%22%3A%22http%3A%2F%2Fproxy-xyz.com%3A911%22%2C%22NO_PROXY%22%3A%22127.0.0.1%2Clocalhost%22%2C%22UBUNTU_IMAGE_VERSION%22%3A%2218.04%22%2C%22http_proxy%22%3A%22http%3A%2F%2Fproxy-xyz.com%3A911%22%2C%22https_proxy%22%3A%22http%3A%2F%2Fproxy-xyz.com%3A911%22%2C%22no_proxy%22%3A%22127.0.0.1%2Clocalhost%22%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=dockerfiles%2FDockerfile.eisbase&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&shmsize=0&t=ia_eisbase%3A2.4&target=&ulimits=null&version=1: invalid reference format
Sending build context to Docker daemon 12.55kB
I think DOCKER_CONTENT_TRUST locks some file wrt docker which causes this error.
docker-compose does not have any support for image signing or image signature verification.
— https://github.com/sse-secure-systems/trusted-compose
You need to implement a wrapper for docker-compose or use an existing one in order to work with content trust and docker-compose.
I don't use personnaly trusted-compose but it looks like as a good solution: https://github.com/sse-secure-systems/trusted-compose.
Additional resources:
Bringing Content Trust into the World of docker-compose (medium.com)
Docker Compose not using trusted content during pull (https://github.com/docker/compose)
Related
I have a Docker container that handles an application. I am attempting to write tests for my system using npx and nightwatchJS.
I use CI and to run the tests for my entire suite I docker-compose build then run commands from outside of the container like so:
Example of backend python test being called (this works and is run as expected):
docker-compose run --rm web sh -c "pytest apps/login/tests -s"
Now I am trying to run an npx command to do some front-end testing but I am getting errors with something I cannot seem to diagnose:
Error while running .navigateTo() protocol action: An unknown server-side error occurred while processing the command. – unknown error: net::ERR_CONNECTION_REFUSED
Here is that command:
docker-compose run --rm web sh -c "npx nightwatch apps/login/tests/nightwatch/login_test.js"
The odd part of this is that if I go into bash:
docker-compose exec web bash
And then run:
npx nightwatch apps/login/tests/nightwatch/login_test.js
I don't get that error as I'm in bash.
This leads me to believe that I have an error in something with the command. Can somebody please help with this?
Think as containers as a separate computers.
When you run on your computer pytest apps/login/tests -s and then I run on my computer npx nightwatch apps/login/tests/nightwatch/login_test.js surely my computer will not connect to yours. I will get "connection refused" kind of error.
With docker run you run a separate new "computer" that runs that command - it has it's own pid space, it's own network address, etc. Than inside "that computer" you can execute another command with docker exec. To have you command to connect with localhost, you have to run them on the same "computer".
So when you run docker run with the client, it does not connect to a separate docker run. Either specify correct ip address or run both commands inside the same container.
I suggest to research how docker works. The above is a very crude oversimplification.
I'm trying to run pishrink on MacOS using a Docker host, as explained here. The pishrink script shrinks the size of an .img so it's quicker to burn onto an SD card.
I have Docker Desktop running, and I've add the repo to the top-level in my file system (/pishrink) and and running the following command:
docker-compose run pishrink /pishrink/pishrink.sh /pishrink/big-image.img /pishrink/small-image.img
When I do, I get the following error:
Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "exec: \"/pishrink/pishrink.sh\": permission denied": unknown
Can someone help me debug this issue? I'm relatively new to using Docker so I might be making some simple + fundamental mistakes.
I was able to fix this with the following command, using sudo as suggested:
sudo docker-compose run pishrink /pishrink/pishrink.sh /pishrink/big-image.img /pishrink/small-image.img
I try to run docker in bash ubuntu on windows. But every time I get this message
"Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?". If i run it in powershell - it work. Can somebody help?
Connecting to the docker deamon requires some privilidges that you don't have when starting the bash terminal.
You can however use the docker command terminal which will allow you to interact with the docker deamon.
Found the solution on this post: https://blog.jayway.com/2017/04/19/running-docker-on-bash-on-windows/
Connect Docker on WSL to Docker on Windows
Running docker against an engine on a different machine is actually quite easy, as Docker can expose a TCP endpoint which the CLI can attach to.
This TCP endpoint is turned off by default; to activate it, right-click the Docker icon in your taskbar and choose Settings, and tick the box next to “Expose daemon on tcp://localhost:2375 without TLS”.
With that done, all we need to do is instruct the CLI under Bash to connect to the engine running under Windows instead of to the non-existing engine running under Bash, like this:
$ docker -H tcp://0.0.0.0:2375 images
REPOSITORY TAG IMAGE ID CREATED SIZE
There are two ways to make this permanent – either add an alias for the above command, or better yet, export an environment variable which instructs Docker where to find the host engine:
$ echo "export DOCKER_HOST='tcp://0.0.0.0:2375'" >> ~/.bashrc
$ source ~/.bashrc
Now, running docker commands from Bash works just like they’re supposed to.
$ docker run hello-world
Hello from Docker!This message shows that your installation appears to be working correctly.
My goal is to be able to remote debug from Atom.io. into a docker container running go in dlv debugger. This is the first problem:
Update:1. I am running Docker container on a mac, but that should not influence the code signing thing as I am running in a container, right?
Update:2. Codesignig the host, did not help.
Error:
1. root#...:/go/src/app# go get github.com/derekparker/delve/cmd/dlv
2. root#...:/go/src/app# dlv debug hello.go
could not launch process: fork/exec ./debug: operation not permitted
Then tried to
1. root#...:/go/src/app# sudo
2. bash: sudo: command not found
According Delve Issue #515
Docker has security settings preventing ptrace(2) operations by
default with in the container. Pass --security-opt seccomp:unconfined
to docker run when starting.
*confirmation of this in official docker bug tracker https://github.com/docker/docker/issues/21051
It seems to work if you start the container with --privileged. I've tried to figure out if there is a more fine-grained capability but failed.
Also I just found https://github.com/steeve/homebrew-delve which should make things easier on OSX.
Docker has security settings preventing ptrace(2)
See how i fixed it.
if using a docker-compose file to run the container then append seccomp:unconfined in the services section like below
api:
security_opt:
- seccomp:unconfined
if using docker run ...passing seccomp:unconfined works as well
Run Docker container as a command:
docker run -itd -p 2028:22 -p 2345:2345 --dns=10.236.8.8 --privileged=true --name=golang centos7-golang /usr/bin/supervisord
it works for me~
I am trying to push some image to my registry, but when i tried to do:
sudo docker push myreg:5000\image
i got some error that told me that i need to start docker daemon with
docker -d --insecure-registry myreg:5000
So i stopped the docker service, and started it using the command above, once i do that the current shell window(ssh) is stuck with docker output, and if i close it the docker service is stopped.
I know this is an easy one, and i searched for hours and couldn't find anything.
Thank you
The problem is that when i run the command, i get all the docker output to the shell, and if i close it, the docker service stopped, usually the -d should take care of it, but it wont work
I think there's a confusion here; the top-level -d (docker -d) flag starts docker in daemon mode, in the foreground. This is different from the docker run -d <image> flag, which means "start a container from <image>, in detached mode". What you're seeing on your screen, is the daemon output / logs, waiting for connections from a docker client.
Back to your original issue;
The instructions to run docker -d --insecure-registry myreg:5000 could be clearer, but they illustrate that you should change the daemon options of your docker service to include the --insecure-registry myreg:5000 option.
Depending on the process manager your system users (e.g., upstart or systemd), this means you'll have to edit the /etc/default/docker file (see the documentation), or adding a "drop-in" file to override the default systemd service options; see SystemD custom daemon options
Some notes;
The top-level -d option is deprecated in docker 1.8 in favor of the new docker daemon command
Using --insecure-registry is discouraged for security reasons as it allows both unencrypted and untrustworthy communication with the registry. It's preferable to add your CA to the trusted list of your system.