Failed to start ddev-ssh-agent container: Permission denied on socket - ddev

When I start a DDEV-Local project, I get "Failed to start ddev-ssh-agent", and when I use docker logs ddev-ssh-agent I see:
Running socat UNIX-LISTEN:/tmp/.ssh-agent/proxy-socket,perm=0666,fork UNIX-CONNECT:/tmp/.ssh-agent/socket
unix_listener: cannot bind to path /tmp/.ssh-agent/socket: Permission denied
2020/04/29 14:50:25 socat[16] E bind(5, {AF=1 "/tmp/.ssh-agent/proxy-socket"}, 30): Permission denied
How can I fix this?

Use this sequence to fix this exact problem:
ddev poweroff
docker volume rm ddev-ssh-agent_dot_ssh ddev-ssh-agent_socket_dir
ddev start
That will repair/replace the docker volumes that store the ssh-agent socket, and seems to resolve this problem.
If you know what sequence of events might have caused this, please comment or open an issue to explain. It is most likely caused by using root privileges with ddev, but ddev actively tries to prevent that.

Related

Writable directories with rootless Podman

I'm trying to run rootless Podman containers with
podman container create --name postgres --expose 5432 --memory 512M --hostname postgres --volume /home/user/some/path/postgres:/var/lib/postgresql/data:Z,U --userns keep-id --env POSTGRES_USER=admin --env POSTGRES_PASSWORD=secret docker.io/postgres:14
but I'm getting the error message
Error: error stat'ing file `/home/user/some/path/postgres`: Permission denied: OCI permission denied
The destination path /home/user/some/path is within a gocryptfs mount. Mapping the volume outside the path works flawlessly.
So far I thought that --userns keep-id should avoid permission issues for rootless containers but if I'm removing the option I'm getting the error message
chown: changing ownership of '/var/lib/postgresql/data': Operation not permitted
As far as I understood, providing the options --uidmap and --gidmap could help as well but I'm not sure how I can provide the proper values for it.
Under the hood I'm using Ansible to configure the containers.
EDIT: Now I also created a Podman issue.
The reason for this error was that the mount wasn't done with the fuse parameter allow_other.
Make sure that you are done with the /etc/subuid and /etc/subgid configuration, as described here:
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
Rootless Podman requires the user running it to have a range of UIDs listed in the files /etc/subuid and /etc/subgid.
...
The format of this file is USERNAME:UID:RANGE
username as listed in /etc/passwd or in the output of getpwent.
The initial UID allocated for the user.
The size of the range of UIDs allocated for the user.
Example:
# cat /etc/subuid
johndoe:100000:65536
test:165536:65536
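A check for the USERNAME:UID:RANGE format quoted above, as an added shell example that is not part of the original answer or of Podman: it flags malformed lines, overlapping ranges, and a user with no range. The `build` entry in the sample is constructed to show an overlap.

```shell
#!/bin/sh
# check_subid FILE USER
# Validates a subordinate-ID file whose lines are USERNAME:UID:RANGE.
# Prints one finding per line; returns 0 only if every line is well formed,
# no two ranges overlap, and USER has at least one range.
check_subid() {
    awk -F: -v user="$2" '
        /^[ \t]*$/ { next }                       # ignore empty lines
        NF != 3 || $1 == "" || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 + 0 == 0 {
            printf "line %d: malformed entry: %s\n", NR, $0; bad = 1; next
        }
        {
            n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
            if ($1 == user) found = 1
        }
        END {
            # Two ranges overlap when each starts before the other ends.
            # Overlapping ranges let two users map to the same host IDs.
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d and %s %d-%d\n",
                            name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
            if (!found) { printf "no range for user %s\n", user; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the two entries from the answer plus an overlapping one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
johndoe:100000:65536
test:165536:65536
build:231000:65536
EOF
check_subid "$sample" johndoe || echo "fix the entries listed above first"
rm -f "$sample"
```

On a real host, run it as `check_subid /etc/subuid "$(id -un)"` and again for /etc/subgid.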

ddev permissions issue - cannot stop, rm, or kill project

About 99% of the time when I try to stop or rm a ddev project I get a 'permission denied' error, and then have to try a lot of different means to get ddev back to a healthy state so I can start working again. Then it happens all over again the next time I come to work on the project.
Can anyone suggest a) the quickest means to break out of this when I am unable to stop a docker container or ddev project b) a means to work out why it keeps happening and fix it?
To mitigate this I have tried:
ddev stop
ddev rm -a
ddev rm
ddev stop
Docker stop
Updating ddev
Upgrading docker
Restarting the machine (occasionally works)
Using the docker kill command
I am working on a linux machine Ubuntu 18.04
Ddev version is v1.8.0
Docker is 18.09.6, build 481bc77
Thank you!!
I would expect to be able to stop and start projects easily but seem to have been getting a permissions error about 99% of the time. I have not identified why it sometimes on the rare occasion works fine.
Stopping ddev-lpntheme-dba ... error
Stopping ddev-lpntheme-web ... error
Stopping ddev-lpntheme-db ... error
ERROR: for ddev-lpntheme-web cannot stop container: 761c2f876230df13267d3d2a7c5d92c869d796a41f1b45cf1c9831ee6673740f: Cannot kill container 761c2f876230df13267d3d2a7c5d92c869d796a41f1b45cf1c9831ee6673740f: unknown error after kill: docker-runc did not terminate sucessfully: container_linux.go:393: signaling init process caused "permission denied"
: unknown
ERROR: for ddev-lpntheme-dba cannot stop container: e5165f70b0b949aef305af013f4aae762968aa0afa99cf6f397c6960048a76bf: Cannot kill container e5165f70b0b949aef305af013f4aae762968aa0afa99cf6f397c6960048a76bf: unknown error after kill: docker-runc did not terminate sucessfully: container_linux.go:393: signaling init process caused "permission denied"
: unknown
Removing container: ddev-lpntheme-dba
Failed to remove project lpntheme:
could not remove container ddev-lpntheme-dba: API error (500): Could not kill running container e5165f70b0b949aef305af013f4aae762968aa0afa99cf6f397c6960048a76bf, cannot remove - Cannot kill container e5165f70b0b949aef305af013f4aae762968aa0afa99cf6f397c6960048a76bf: unknown error after kill: docker-runc did not terminate sucessfully: container_linux.go:393: signaling init process caused "permission denied"
: unknown
I've also managed to completely break the Docker daemon in the past trying to resolve this problem. (I was following this and didn't really know what I was doing: "How to stop running Container, if error response from daemon is: Cannot Kill Container [...] permission denied?")
Any help greatly appreciated!
More info from 7/6/19
crispin#sonic:~/dockerfolder/ToolLibraryProject$ ddev start
Starting ToolLibraryProject...
Recreating ddev-ssh-agent ... done
ssh-agent container is running: If you want to add authentication to the ssh-agent container, run 'ddev auth ssh' to enable your keys.
Running Command Command=ip address show dev docker0
Creating volume "ToolLibraryProject-mariadb" with default driver
Creating ddev-ToolLibraryProject-db ... done
Creating ddev-ToolLibraryProject-web ... done
Creating ddev-ToolLibraryProject-dba ... done
Recreating ddev-router ... done
Ensuring write permissions for ToolLibraryProject
Successfully started ToolLibraryProject
Project can be reached at https://ToolLibraryProject.ddev.local, http://ToolLibraryProject.ddev.local, https://127.0.0.1:32771, http://127.0.0.1:32772
crispin#sonic:~/dockerfolder/ToolLibraryProject$ ls
composer.json config LICENSE phpunit.xml.dist scripts web
composer.lock drush load.environment.php README.md vendor
crispin#sonic:~/dockerfolder/ToolLibraryProject$ ls
composer.json config LICENSE phpunit.xml.dist scripts web
composer.lock drush load.environment.php README.md vendor
crispin#sonic:~/dockerfolder/ToolLibraryProject$
crispin#sonic:~/dockerfolder/ToolLibraryProject$ ddev stop
Stopping ddev-ToolLibraryProject-web ... error
Stopping ddev-ToolLibraryProject-dba ... error
Stopping ddev-ToolLibraryProject-db ... error
ERROR: for ddev-ToolLibraryProject-web cannot stop container: 3485d615d2dfa46884493b91d7339b06834594fcb46f870cfe60a0486b87f1d3: Cannot kill container 3485d615d2dfa46884493b91d7339b06834594fcb46f870cfe60a0486b87f1d3: unknown error after kill: docker-runc did not terminate sucessfully: container_linux.go:393: signaling init process caused "permission denied"
: unknown
ERROR: for ddev-ToolLibraryProject-dba cannot stop container: cc2209064e0103fdab638445aeac2206217c83a17a7b97eea2216440bb5bb4e2: Cannot kill container cc2209064e0103fdab638445aeac2206217c83a17a7b97eea2216440bb5bb4e2: unknown error after kill: docker-runc did not terminate sucessfully: container_linux.go:393: signaling init process caused "permission denied"
: unknown
Removing container: ddev-ToolLibraryProject-web
Failed to remove project ToolLibraryProject:
could not remove container ddev-ToolLibraryProject-web: API error (500): Could not kill running container 3485d615d2dfa46884493b91d7339b06834594fcb46f870cfe60a0486b87f1d3, cannot remove - Cannot kill container 3485d615d2dfa46884493b91d7339b06834594fcb46f870cfe60a0486b87f1d3: unknown error after kill: docker-runc did not terminate sucessfully: container_linux.go:393: signaling init process caused "permission denied"
: unknown
And with docker logs ToolLibraryProject I get Error: No such container: ToolLibraryProject
Regarding file system I hope this makes sense:
/dev/sda2 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)

unable to invoke DOCKER using JENKINS user

I am trying to run a docker command as part of a jenkins job using shell. I get a standard error stating
"Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/json: dial unix /var/run/docker.sock: connect: permission denied"
I will require some help on
1. how to find the path where docker is installed which can be added to JENKINS global configuration
2. workaround to fix this permission issue(running as a sudo user/any other specific user)
I have already experimented by adding the JENKINS users to admin group, staff group, made administrator. But, nothing has actually helped. I still get the standard error
Tried the below code on terminal too
sudo -u jenkins docker images
OUTPUT:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/json: dial unix /var/run/docker.sock: connect: permission denied
I am expecting to run this code without the error. Only then my jenkins pipeline will be complete.
To find the path where docker is installed, simply run a which docker. Usually, it'll be installed somewhere in the standard PATH already, so probably Jenkins will already have access. As you get the permission denied error message, it looks like Jenkins is already using the correct docker executable.
Depending on the distribution or operating system you are using, you will most likely need to add the jenkins user to a docker group, e.g. sudo usermod -aG docker jenkins. To find out which group you need, run:
$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Apr 30 16:20 /var/run/docker.sock
In the second line, you see the group that docker.sock is owned by. Add the jenkins user to that group.
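The permission check behind the answer above, as an added shell example that is not part of the original answer: it applies the owner/group/other write test that decides whether a user can connect to docker.sock. The uid 1001 and gid 999 are constructed values, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# access_class UID "GID..." OWNER_UID OWNER_GID MODE
# Mirrors the kernel's write-permission check, which connect() on a Unix
# socket needs. Exactly one class applies, chosen in the order owner, group,
# other, so a user in the owning group is judged by the group bits only.
# Prints root, owner, group, other or denied; returns 1 on denied.
access_class() {
    ac_uid=$1 ac_gids=$2 ac_ouid=$3 ac_ogid=$4 ac_mode=$(( 0$5 ))
    [ "$ac_uid" -eq 0 ] && { echo root; return 0; }
    if [ "$ac_uid" -eq "$ac_ouid" ]; then
        ac_class=owner ac_bit=$(( ac_mode & 0200 ))
    else
        ac_class=other ac_bit=$(( ac_mode & 0002 ))
        for g in $ac_gids; do
            [ "$g" -eq "$ac_ogid" ] && { ac_class=group; ac_bit=$(( ac_mode & 0020 )); break; }
        done
    fi
    if [ "$ac_bit" -ne 0 ]; then echo "$ac_class"; else echo denied; return 1; fi
}

# socket_access SOCK [USER]: gather the real values and classify them.
# With USER, id reads the group database; a service that is already running
# keeps the groups it started with until it is restarted.
socket_access() {
    sa_meta=$(stat -c '%u %g %a' "$1") || return 2
    sa_uid=$(id -u ${2:+"$2"}) && sa_gids=$(id -G ${2:+"$2"}) || return 2
    set -- $sa_meta
    access_class "$sa_uid" "$sa_gids" "$1" "$2" "$3"
}

# Constructed values for the listing above: owner root (uid 0), group docker
# (gid 999 assumed), mode 660 (srw-rw----); jenkins assumed to be uid 1001.
access_class 1001 "1001" 0 999 660 || true   # before usermod -aG: denied
access_class 1001 "1001 999" 0 999 660       # after joining the group: group
# Anyone who can write to docker.sock controls the daemon, so treat a result
# of "group" as granting root-equivalent access and "other" as a finding.
```

On the Jenkins host, `socket_access /var/run/docker.sock jenkins` runs the same check against the real socket.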

"OCI runtime create failed " issue running script on MacOS using Docker host

I'm trying to run pishrink on MacOS using a Docker host, as explained here. The pishrink script shrinks the size of an .img so it's quicker to burn onto an SD card.
I have Docker Desktop running, and I've added the repo to the top-level in my file system (/pishrink) and am running the following command:
docker-compose run pishrink /pishrink/pishrink.sh /pishrink/big-image.img /pishrink/small-image.img
When I do, I get the following error:
Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "exec: \"/pishrink/pishrink.sh\": permission denied": unknown
Can someone help me debug this issue? I'm relatively new to using Docker so I might be making some simple + fundamental mistakes.
I was able to fix this with the following command, using sudo as suggested:
sudo docker-compose run pishrink /pishrink/pishrink.sh /pishrink/big-image.img /pishrink/small-image.img

failing to start docker engine open //./pipe/docker_engine

I'm receiving the following error in Docker on a Windows 10 laptop.
I've tried to reinstall and restart but nothing helps.
The docker service is running OK, but what I understand is that I have a problem with the docker daemon (from what I read).
The whole issue started when I ran the 2 commands:
net stop com.docker.service
net start com.docker.service
From there on I keep getting the error below and cannot solve it.
C:\Users\xxxx>docker images error during connect: Get
http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.30/images/json: open
//./pipe/docker_engine: The system cannot find the file specified. In
the default daemon configuration on Windows, the docker client must be
run elevated to connect. This error may also indicate that the docker
daemon is not running.
Has anyone succeeded in solving it?
docker client must be run elevated to connect
This indicates that you do not have enough permissions. Try starting the terminal as administrator.
I run Docker remotely as a non admin user.
For this the user running docker should have full permission to location where Docker is installed.
User should be part of docker_users group
docker daemon runs on port 2375 by default. Try to whitelist this port. Allow incoming connections to 2375 in Windows Firewall settings
Restart your docker daemon and Docker service.
Restart the running Docker instance[Docker for Windows] if required. You do not have to reinstall.
