Permission error when deploying Docker app from CI server to Heroku - heroku

The problem
I'm trying to deploy a Dockerized app from my CI server (Circle) to Heroku.
When I run heroku docker:release --app <app_name>, CI logs show the following:
Error response from daemon: permission denied
! Error in heroku-docker:
! Command failed: docker cp 93a67016632af5cffacab9817b741c4dc69b41f0f6d324c8bae53fe98f4e621d:/tmp/slug.tgz /tmp
However, I can run this command from my local machine just fine. The API key I have provided to Circle is the same as that from my local user. Also, I can run other Heroku commands, such as heroku logs --app <app_name>, from the CI server just fine.
Why are there permission errors?
Extra background info
It appears the only way Heroku supports Docker is using the Docker Toolbelt, with the Docker plugin (heroku docker:release --app <app_name>). At the same time, the recommended way to deploy to Heroku in CircleCI is using a special entry in the proprietary circle.yml file. However, this doesn't support Docker, which is why I'm choosing the heroku docker:release method.

We have seen dockerd report permission denied when the actual error is a disk fault or a security service preventing access.
Look at /var/log/messages (or another system log) while running the docker command that fails, e.g. while doing the docker cp command:
$ docker cp b54433de86ec:/thing ./
Error response from daemon: permission denied
E.g. you might see errors related to vmount
Nov 17 10:57:45 machine dockerd: time="2021-11-17T10:57:45.063942786Z" level=warning msg="b54433de86ecd8426c27e8c8fa7e6a785fa8e513a5133d3a41b163308f0d59a5 unmountVolumes: Failed to do lazy umount fo volume '/logs/docker/overlay/dd77d1edef54cdd4040b8f4c32afca86f7c3870f3b3b353063b406d2c3409220/merged/x/xx/xxx/xxxx': no such file or directory"
Nov 17 10:57:45 machine dockerd: time="2021-11-17T10:57:45.099051149Z" level=error msg="Handler for GET /v1.39/containers/b54433de86ec/archive returned error: permission denied"
Possibly the disk was corrupt or had a problem.
Or another example:
Nov 17 10:57:48 machine dbus[719]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 17 10:57:48 machine dbus[719]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Nov 17 10:57:49 machine setroubleshoot: SELinux is preventing /usr/bin/dockerd-ce from mounton access on the directory /logs/docker/overlay/dd77d1edef54cdd4040b8f4c32afca86f7c3870f3b3b353063b406d2c3409220/merged/host/net. For complete SELinux messages run: sealert -l efaad8a5-f04f-4783-9235-7048c915daa3
Nov 17 10:57:49 machine python: SELinux is preventing /usr/bin/dockerd-ce from mounton access on the directory /logs/docker/overlay/dd77d1edef54cdd4040b8f4c32afca86f7c3870f3b3b353063b406d2c3409220/merged/host/net.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that dockerd-ce should be allowed mounton access on the net directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dockerd' --raw | audit2allow -M my-dockerd#012# semodule -i my-dockerd.pp#012
SELinux is preventing disk access for the dockerd process.
So follow the suggested action:
root# ausearch -c 'dockerd' --raw | audit2allow -M my-dockerd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-dockerd.pp
root# semodule -i my-dockerd.pp
Now the docker cp command worked on this system.
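As an added example that is not part of the answer above: a small POSIX sh script that does the same triage offline against log lines. The log lines are constructed to mirror the syslog excerpt in the answer. It flags when a dockerd "permission denied" coincides with a setroubleshoot record, pulls out the denied process, access and target path, and the sealert ID for the full report. It also reminds you to read the my-dockerd.te that audit2allow -M writes before loading the .pp, because audit2allow allows exactly the accesses it saw denied, with no further judgement.

```sh
#!/bin/sh
# Added example (not from the original answer): triage a docker "permission denied"
# against syslog to see whether SELinux, not the daemon, is refusing access.
# SAMPLE_LOG is constructed, modelled on the syslog excerpt quoted in the answer.

SAMPLE_LOG='Nov 17 10:57:45 machine dockerd: time="2021-11-17T10:57:45.099051149Z" level=error msg="Handler for GET /v1.39/containers/b54433de86ec/archive returned error: permission denied"
Nov 17 10:57:49 machine setroubleshoot: SELinux is preventing /usr/bin/dockerd-ce from mounton access on the directory /logs/docker/overlay/dd77d1edef54/merged/host/net. For complete SELinux messages run: sealert -l efaad8a5-f04f-4783-9235-7048c915daa3
Nov 17 10:58:01 machine sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50422'

# docker_denials LOG: count dockerd API handlers that failed with "permission denied"
docker_denials() {
    printf '%s\n' "$1" | grep -c 'dockerd: .*returned error: permission denied'
}

# selinux_denials LOG: one "<process> <access> <target>" line per setroubleshoot record
selinux_denials() {
    printf '%s\n' "$1" | sed -n \
        's/.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the [a-z]* \([^ ]*\)\. For complete.*/\1 \2 \3/p'
}

# sealert_ids LOG: the IDs to pass to `sealert -l <id>` for the full report
sealert_ids() {
    printf '%s\n' "$1" | sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p'
}

# diagnose LOG: prints a verdict; exit status 2 when SELinux is implicated
diagnose() {
    log=$1
    if [ "$(docker_denials "$log")" -gt 0 ] && [ -n "$(selinux_denials "$log")" ]; then
        echo "SELinux denial(s) coincide with docker permission denied:"
        selinux_denials "$log" | sed 's/^/  /'
        echo "Full report: sealert -l $(sealert_ids "$log")"
        # audit2allow -M writes my-dockerd.te and my-dockerd.pp; read the .te
        # before semodule -i, it grants exactly what was denied and nothing is reviewed for you
        echo "Then: ausearch -c dockerd --raw | audit2allow -M my-dockerd && cat my-dockerd.te"
        return 2
    fi
    echo "No SELinux denial found; check disk, mounts and file ownership instead"
    return 0
}

diagnose "$SAMPLE_LOG"
```

On a real host, replace SAMPLE_LOG with `journalctl -u docker --since -5min` or the relevant slice of /var/log/messages captured while the failing command runs. If the verdict is SELinux, a narrower fix than a blanket policy module is often a correct file context on the directory in question (semanage fcontext plus restorecon), which the .te output will show you the type for.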

Related

Writable directories with rootless Podman

I'm trying to run rootless Podman containers with
podman container create --name postgres --expose 5432 --memory 512M --hostname postgres --volume /home/user/some/path/postgres:/var/lib/postgresql/data:Z,U --userns keep-id --env POSTGRES_USER=admin --env POSTGRES_PASSWORD=secret docker.io/postgres:14
but I'm getting the error message
Error: error stat'ing file `/home/user/some/path/postgres`: Permission denied: OCI permission denied
The destination path /home/user/some/path is within a gocryptfs mount. Mapping the volume outside the path works flawlessly.
So far I thought that --userns keep-id should avoid permission issues for rootless containers but if I'm removing the option I'm getting the error message
chown: changing ownership of '/var/lib/postgresql/data': Operation not permitted
As far as I understood, providing the options --uidmap and --gidmap could help as well but I'm not sure how I can provide the proper values for it.
Under the hood I'm using Ansible to configure the containers.
EDIT: Now I also created a Podman issue.
The reason for this error was that the mount wasn't done with the fuse parameter allow_other.
Make sure that you have done the /etc/subuid and /etc/subgid configuration, as described here:
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
Rootless Podman requires the user running it to have a range of UIDs listed in the files /etc/subuid and /etc/subgid.
...
The format of this file is USERNAME:UID:RANGE
username as listed in /etc/passwd or in the output of getpwent.
The initial UID allocated for the user.
The size of the range of UIDs allocated for the user.
Example:
# cat /etc/subuid
johndoe:100000:65536
test:165536:65536
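Added example, not from the tutorial or the answer above: a POSIX sh check for the USERNAME:UID:RANGE format. It finds a user's range, computes the last UID it covers, and reports pairs of users whose ranges overlap. The content of SUBUID is constructed; the bob entry is placed so that it overlaps test on purpose. Overlap matters for isolation, because two users would then share subordinate UIDs, and files written by one user's containers would be owned by UIDs the other user's containers can also run as. The same check applies unchanged to /etc/subgid.

```sh
#!/bin/sh
# Added example (not from the original answer): validate /etc/subuid entries.
# SUBUID is constructed content in the USERNAME:UID:RANGE format from the tutorial.

SUBUID='johndoe:100000:65536
test:165536:65536
bob:200000:65536'

# subuid_range USER CONTENT: prints "START COUNT" for USER; exit 1 if the user has no entry
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 } END { exit !found }'
}

# subuid_last USER CONTENT: highest UID in the user's range (START + COUNT - 1)
subuid_last() {
    subuid_range "$1" "$2" | awk '{ print $1 + $2 - 1 }'
}

# subuid_overlaps CONTENT: prints "A B" for each pair of users whose ranges overlap.
# Sorted by start UID, an entry overlaps when it starts below the highest end seen so far.
subuid_overlaps() {
    printf '%s\n' "$1" | sort -t: -k2,2n | awk -F: '
        NR > 1 && $2 < prev_end { print prev_user, $1 }
        { if ($2 + $3 > prev_end) { prev_end = $2 + $3; prev_user = $1 } }'
}

# Usage against the constructed content (on a real host: "$(cat /etc/subuid)")
if range=$(subuid_range johndoe "$SUBUID"); then
    echo "johndoe: start/count $range, last UID $(subuid_last johndoe "$SUBUID")"
else
    echo "johndoe has no subordinate UID range; rootless podman will fail" >&2
fi
subuid_overlaps "$SUBUID" | sed 's/^/overlap: /'
```

Rootless Podman needs the range to exist before the user's first container start; after editing the files run `podman system migrate` so the running user namespace picks up the change.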

M1 mac cannot run jboss/keycloak docker image

I switched to an M1 Mac a week ago and I cannot get my application up and running with Docker because the jboss/keycloak image is not working as expected. I get the following message from the container when trying to access localhost:8080
12:08:12,456 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.network.interface.private: org.jboss.msc.service.StartException in service org.wildfly.network.interface.private: WFLYSRV0082: failed to resolve interface private
12:08:12,526 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("interface" => "private")]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.network.interface.private" => "WFLYSRV0082: failed to resolve interface private"}}
12:08:13,463 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 12.0.4 (WildFly Core 13.0.3.Final) started (with errors) in 20826ms - Started 483 of 925 services (54 services failed or missing dependencies, 684 services are lazy, passive or on-demand)
Tried with all image versions and they all behave the same. Has anyone managed to run this image without issues? Thanks
Also, you can build the Keycloak docker image locally; I was able to start Keycloak after doing that. Here are the steps I follow:
1. Clone the Keycloak containers repository: git clone git@github.com:keycloak/keycloak-containers.git
2. Open the server directory (cd keycloak-containers/server)
3. Check out the desired version, e.g. git checkout 12.0.4
4. Build the docker image: docker build -t jboss/keycloak:12.0.4 .
5. Run Keycloak: docker run --rm -p 9080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak:12.0.4
Using this image, I am now able to startup keycloak. https://hub.docker.com/r/wizzn/keycloak
For Keycloak 16, docker 20.10 and docker-compose 1.29, this image works flawlessly: https://hub.docker.com/r/sleighzy/keycloak - as suggested by @zakjan.
A service like:
keycloak:
image: sleighzy/keycloak
environment:
... your Keycloak config
Should be enough to get up and running.
I'm on an M1 and I ran this and it worked.
docker run --platform=linux/amd64 -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:17.0.0 start-dev
I merely added --platform=linux/amd64 to the docker command I found in https://www.keycloak.org/getting-started/getting-started-docker
The location for building a Quarkus version of Keycloak has changed, so this method will not work anymore for any major release greater than 16. But the following script will. Just save it as a .sh file and execute it in your terminal. By enabling the last line, this will also directly start an instance of Keycloak.
The version number can be changed, but this is only tested for M1 chips and version 17.0.0.
VERSION=17.0.0 # set version here
cd /tmp
git clone git@github.com:keycloak/keycloak.git
cd keycloak/quarkus/container
git checkout $VERSION
docker build -t "quarkus-keycloak:$VERSION" .
#docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin "quarkus-keycloak:$VERSION" start-dev --http-relative-path /auth
There is an update to this issue - images for AMD64 and ARM64 architectures are now available and can be found here: https://quay.io/repository/keycloak/keycloak?tab=tags.
Ref the discussions in Github (https://github.com/keycloak/keycloak-containers/issues/341 and https://github.com/keycloak/keycloak/issues/8825).
jboss/keycloak does not support arm64 for now.
But you can use this image on Docker Hub: mihaibob/keycloak
https://hub.docker.com/r/mihaibob/keycloak
I'm using this and haven't noticed a difference.
I don't have a mac but I just started working with jboss/keycloak lately and have been able to get it to start.
Essentially what I did (assuming docker is installed):
docker pull jboss/keycloak:16.1.0
docker run --env-file targetDB.txt -p 8080:8080 jboss/keycloak:16.1.0
You might have to run those commands with sudo.
This pulls the jboss/keycloak image from Docker Hub and then runs it, exposing port 8080 within the container to the host machine. It also uses the environment variables in the .txt file (which contains info on the database endpoint you wish to connect Keycloak to so it can persist data).
If you don't specify --env-file <text file>, I believe Keycloak uses its default H2 database, which isn't the best.
I have my local jboss/keycloak pointing to a postgres db I have in an AWS RDS environment, so the contents of targetDB.txt for me are:
DB_VENDOR=postgres
DB_ADDR=<my postgres aws rds endpoint>:5432
DB_DATABASE=<name of the database>
DB_USER=<db username to connect to postgres instance>
DB_PASSWORD=<password associated with db username to connect>
If I'm not mistaken, the database named in the DB_DATABASE field must already exist. So you'll need to create that before running the docker run command.
After you do the docker run command above and the logs show it starting up you should be able to access the keycloak admin console on your local browser:
http://localhost:8080/auth
If this is the first time you're running keycloak you have to create a master/admin user before you can log in.
To add a master user, run these commands (while your keycloak is already running):
docker exec <container id or container name> /opt/jboss/keycloak/bin/add-user-keycloak.sh -u <USERNAME> -p <PASSWORD>
then you need to restart your keycloak container:
docker restart <container id or container name>
Again, you might have to run those commands with sudo.
After that's done, go back to http://localhost:8080/auth in your local web browser; you can now access the login page and actually log in with the username and password you created above.

CouchDB on docker desktop for OSX fails to start

I'm trying to install CouchDB on docker desktop for OSX. I follow the following steps:
docker pull couchdb (which works)
I then start the docker image:
docker run -d --name test-couchdb couchdb:latest
The log reports this:
[notice] 2019-08-30T10:27:03.039090Z nonode@nohost <0.325.0> --------
chttpd_auth_cache changes listener died database_does_not_exist at
mem3_shards:load_shards_from_db/6(line:395) <=
mem3_shards:load_shards_from_disk/1(line:370) <=
mem3_shards:load_shards_from_disk/2(line:399) <=
mem3_shards:for_docid/3(line:86) <= fabric_doc_open:go/3(line:39) <=
chttpd_auth_cache:ensure_auth_ddoc_exists/2(line:195) <=
chttpd_auth_cache:listen_for_changes/1(line:142) [error]
2019-08-30T10:27:03.039976Z nonode@nohost emulator -------- Error in
process <0.461.0> with exit value:
{database_does_not_exist,[{mem3_shards,load_shards_from_db,"_users",[{file,"src/mem3_shards.erl"},{line,395}]},{mem3_shards,load_shards_from_disk,1,[{file,"src/mem3_shards.erl"},{line,370}]},{mem3_shards,load_shards_from_disk,2,[{file,"src/mem3_shards.erl"},{line,399}]},{mem3_shards,for_docid,3,[{file,"src/mem3_shards.erl"},{line,86}]},{fabric_doc_open,go,3,[{file,"src/fabric_doc_open.erl"},{line,39}]},{chttpd_auth_cache,ensure_auth_ddoc_exists,2,[{file,"src/chttpd_auth_cache.erl"},{line,195}]},{chttpd_auth_cache,listen_for_changes,1,[{file,"src/chttpd_auth_cache.erl"},{line,142}]}]}
[notice] 2019-08-30T10:27:03.065708Z nonode@nohost <0.347.0> --------
couch_replicator_clustering : cluster stable [notice]
2019-08-30T10:27:03.073623Z nonode@nohost <0.360.0> -------- Started
replicator db changes listener <0.462.0>
Seems like an Erlang error.
When I do curl http://127.0.0.1:5984 or curl localhost:5984 I get a connection refused message both times, probably because the listener is not up and running.
I'm thinking this is an incompatibility issue, but I'm not sure.
This is a simple attempt to get another container started:
Vans-MacBook-Pro:~ vw$
docker pull couchdb
Using default tag: latest
latest: Pulling from library/couchdb
Digest: sha256:7537a9047fea8960ed9e88123a2cb9cbd96db51767f9a9b3ccfcb174b11408c1
Status: Image is up to date for couchdb:latest
docker.io/library/couchdb:latest
vw$ docker run -d --name my2-couchdb couchdb
2e2e37c8fb6b63ebbdc874396ce64a22727706237cb05bdbf256e4048f3346ef
vw$ docker run -p 5984:5984 -d my2-couchdb
Unable to find image 'my2-couchdb:latest' locally
docker: Error response from daemon: pull access denied for my2-couchdb, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
I had the same problem, got it to work by including admin username/password and port, like this:
docker run -d --name couchdb -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password -p 5984:5984 couchdb:latest

unable to invoke DOCKER using JENKINS user

I am trying to run a docker command as part of a jenkins job using shell. I get a standard error stating
"Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/json: dial unix /var/run/docker.sock: connect: permission denied"
I will require some help on
1. how to find the path where docker is installed which can be added to JENKINS global configuration
2. workaround to fix this permission issue(running as a sudo user/any other specific user)
I have already experimented with adding the jenkins user to the admin group and the staff group, and making it an administrator. But nothing has actually helped; I still get the standard error.
Tried the below code on terminal too
sudo -u jenkins docker images
OUTPUT:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/json: dial unix /var/run/docker.sock: connect: permission denied
I am expecting to run this code without the error. Only then will my Jenkins pipeline be complete.
To find the path where docker is installed, simply run a which docker. Usually, it'll be installed somewhere in the standard PATH already, so probably Jenkins will already have access. As you get the permission denied error message, it looks like Jenkins is already using the correct docker executable.
Depending on the distribution or operating system you are using, you will most likely need to add the jenkins user to a docker group, e.g. sudo usermod -aG docker jenkins. To find out which group you need, run:
$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Apr 30 16:20 /var/run/docker.sock
In that output line, the fourth column is the group that owns docker.sock. Add the jenkins user to that group.
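An added example, not from the answer above: the same lookup done as a script, so a CI bootstrap step can fail early with a clear message instead of at the first docker call. The ls -l line and the group list are constructed strings standing in for the output of `ls -l /var/run/docker.sock` and `id -nG jenkins`; swap in the real commands on a host.

```sh
#!/bin/sh
# Added example (not from the original answer): decide from `ls -l` and `id -nG`
# output whether a CI user can reach the Docker socket.
# Constructed stand-ins for:  ls -l /var/run/docker.sock   and   id -nG jenkins
SOCK_LS='srw-rw---- 1 root docker 0 Apr 30 16:20 /var/run/docker.sock'
JENKINS_GROUPS='jenkins staff admin'

# socket_group LS_LINE: owning group of the socket (4th field of ls -l)
socket_group() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# group_writable LS_LINE: exit 0 if the group permission bits (chars 5-7) include w
group_writable() {
    case "$(printf '%s\n' "$1" | cut -c5-7)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# in_group GROUP GROUPS: exit 0 if GROUP appears in the space-separated word list
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# socket_access LS_LINE GROUPS: prints "ok", "group-needed:<grp>" or "socket-not-group-writable"
socket_access() {
    grp=$(socket_group "$1")
    if ! group_writable "$1"; then
        echo "socket-not-group-writable"
    elif in_group "$grp" "$2"; then
        echo "ok"
    else
        echo "group-needed:$grp"
    fi
}

# Usage: on a real host replace the two constructed strings with
#   socket_access "$(ls -l /var/run/docker.sock)" "$(id -nG jenkins)"
case "$(socket_access "$SOCK_LS" "$JENKINS_GROUPS")" in
    ok)             echo "jenkins can use the daemon socket" ;;
    group-needed:*) echo "run: sudo usermod -aG $(socket_group "$SOCK_LS") jenkins, then restart the Jenkins agent" ;;
    *)              echo "socket is not group-writable; check the daemon's SocketGroup setting" ;;
esac
```

Anyone who can write to docker.sock can start a container with the host root filesystem mounted and run as root in it, so membership in that group is root-equivalent on the build host. Grant it to the Jenkins service account only if every job that account runs is trusted to that level; otherwise isolate builds on a dedicated agent or use a daemon that is not root.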

Docker and Namespace-related errors after a successful login to Bluemix

I have installed Python (with Pip and easysetup), Cloud Foundry and ICE in my host machine, OS X 10.10.3.
I've booted boot2docker and attempted to ice login.
After a successful login attempt:
mbp-idan:~ idanadar$ boot2docker up
Waiting for VM and Docker daemon to start...
.o
Started.
Writing /Users/idanadar/.boot2docker/certs/boot2docker-vm/ca.pem
Writing /Users/idanadar/.boot2docker/certs/boot2docker-vm/cert.pem
Writing /Users/idanadar/.boot2docker/certs/boot2docker-vm/key.pem
Your environment variables are already set correctly.
mbp-idan:~ idanadar$ ice login
API endpoint: https://api.ng.bluemix.net
Email> my-email-address
Password> my-password
Authenticating...
OK
Targeted org my-email-address
Targeted space dev
API endpoint: https://api.ng.bluemix.net (API version: 2.23.0)
User: my-email-address
Org: my-email-address
Space: dev
Authentication with container cloud service at https://api-ice.ng.bluemix.net/v2/containers completed successfully
You can issue commands now to the container service
I immediately encounter the following errors:
Authentication issue:
Proceeding to authenticate with the container cloud registry at registry-ice.ng.bluemix.net
FATA[0005] Error response from daemon: Login: You must set a namespace before you login to the registry. See 'ice help namespace' (Code: 404; Headers: map[Connection:[Keep-Alive] Date:[Wed, 27 May 2015 18:57:41 GMT] Content-Type:[text/plain] X-Client-Ip:[79.176.226.146] X-Backside-Transport:[FAIL FAIL] Server:[nginx/1.7.9] X-Global-Transaction-Id:[380677271] Set-Cookie:[DPJSESSIONID=PBC5YS:481842763; Path=/; Domain=.registry-ice.ng.bluemix.net]])
Docker issue:
docker is not available on your system or is not properly configured
Could not authenticate with cloud registry at registry-ice.ng.bluemix.net
You can still use IBM Containers but will not be able to run local docker containers, push, or pull images
The only configuration I did previously was adding the following to ~/.bash_profile, which is what provided by Docker when using boot2docker up:
export DOCKER_HOST=tcp://192.168.59.103:2376
export DOCKER_CERT_PATH=/Users/idanadar/.boot2docker/certs/boot2docker-vm
export DOCKER_TLS_VERIFY=1
Once I made this change, I get the above two errors. If I comment out the above three lines from .bash_profile and do not run boot2docker shellinit after boot2docker up, I get this error:
FATA[0000] Post http:///var/run/docker.sock/v1.18/auth: dial unix /var/run/docker.sock: no such file or directory. Are you trying to connect to a TLS-enabled daemon without TLS?
docker is not available on your system or is not properly configured
Could not authenticate with cloud registry at registry-ice.ng.bluemix.net
You can still use IBM Containers but will not be able to run local docker containers, push, or pull images
If I replace the three lines with this single line:
export DOCKER_HOST=tcp://$(boot2docker ip 2>/dev/null):2375
I get the following error, which is a bit different. Note the -d and the lack of an error regarding the namespace.
Proceeding to authenticate with the container cloud registry at registry-ice.ng.bluemix.net
FATA[0000] Cannot connect to the Docker daemon. Is 'docker -d' running on this host?
docker is not available on your system or is not properly configured
Could not authenticate with cloud registry at registry-ice.ng.bluemix.net
You can still use IBM Containers but will not be able to run local docker containers, push, or pull images
[docker] Any idea which is the right way to get Docker recognized?
This is being tested in OS X 10.10.3.
[bluemix] Any idea about the namespace?
For some reason they seem inter-linked.
The error that is output by ICE is really unhelpful.
To solve it:
1. Added back to ~/.bash_profile the original 3 lines
2. Created the namespace in Bluemix.net
After that, everything has fallen into place and everything is working.
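Added example, not from the question or the answer: a POSIX sh function that classifies the three DOCKER_* settings the question switches between, so the difference between the tcp://<ip>:2376 plus certificate variant and the bare tcp://<ip>:2375 variant is explicit before any client tries to connect. Values are passed as arguments, constructed in the usage lines, rather than read from the real environment.

```sh
#!/bin/sh
# Added example (not from the original post): classify a DOCKER_HOST /
# DOCKER_TLS_VERIFY / DOCKER_CERT_PATH combination before a client uses it.

# docker_host_check HOST TLS_VERIFY CERT_PATH
# Prints one of:
#   unix-socket        local daemon via /var/run/docker.sock (or HOST unset)
#   tls-ok             tcp endpoint, verification on, ca.pem/cert.pem/key.pem present
#   tls-missing-certs  verification on but CERT_PATH lacks one of the three files
#   tcp-unverified     tcp endpoint with no TLS verification: anyone who can reach
#                      the port can drive the daemon, which runs as root on the VM
#   invalid            unrecognised scheme
docker_host_check() {
    host=$1; verify=$2; certs=$3
    case "$host" in
        ''|unix://*)
            echo unix-socket ;;
        tcp://*)
            if [ "$verify" != 1 ]; then
                echo tcp-unverified
            elif [ -r "$certs/ca.pem" ] && [ -r "$certs/cert.pem" ] && [ -r "$certs/key.pem" ]; then
                echo tls-ok
            else
                echo tls-missing-certs
            fi ;;
        *)
            echo invalid ;;
    esac
}

# Usage with the two variants from the question (IP and path are the question's values)
docker_host_check "tcp://192.168.59.103:2376" "1" "$HOME/.boot2docker/certs/boot2docker-vm"
docker_host_check "tcp://192.168.59.103:2375" "" ""
```

The three-line variant is the one to keep: the client verifies the daemon's certificate against ca.pem and presents cert.pem/key.pem, so only holders of the boot2docker-generated client key can talk to the VM. The single-line 2375 variant talks to an unauthenticated endpoint, which is why it should only ever be bound to a host-only interface, as boot2docker does.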
