Because I'm too stupid to run sysbox like this excellent article suggests, I'm trying to mount /var/run/docker.sock directly into the container from the host via hostPath to build Docker images in a Jenkins container.
Simple as this:
volumeMounts:
- name: docker-sock
mountPath: /var/run/docker.sock
This works, but when trying to run the Docker CLI inside the container I get:
$ docker version
Client:
Version: 20.10.16
// ...
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version": dial unix /var/run/docker.sock: connect: permission denied
The user inside the container is:
$ id
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
But the file has these permissions:
$ ls -la /var/run/docker.sock
srw-rw---- 1 root 998 0 Jun 6 15:23 /var/run/docker.sock
I do have root on the host node and security is not much of a concern since the Jenkins can only be accessed via VPN.
Thanks for any suggestion!
Related
Content of my docker-compose file is
version: '2'
services:
myserver:
image : alpine:latest
volumes:
- mount-folders:/mnt/mount1
volumes:
mount-folders:
driver_opts:
type: nfs
o: nfsvers=3,addr=host.docker.internal,nolock,rw
device: ":/Users/mnt"
I created a folder
/Users/mnt
on my M1 Monterey and enabled nfs and tested mount from another laptop successfully
but fails when running the container
Attaching to myserver-myserver-1
Error response from daemon: error while mounting volume '/var/lib/docker/volumes/myserver_mount-folders/_data': failed to mount local volume: mount :/Users/mnt:/var/lib/docker/volumes/myserver_mount-folders/_data, data: nfsvers=3,addr=192.168.65.2,nolock: permission denied
I tried also with the hostname of the host and the real ip but nothing has changed. I checked the tcp dumps of the nfs server and I guess the mount request is even can not get out of the container.
What may be the reason ?
I want to deploy a MariaDB Galera instance onto a local Minikube cluster with 3 nodes via Helm.
I used the following command for that:
helm install my-release bitnami/mariadb-galera --set rootUser.password=test --set db.name=test
The problem is, if I do that I get the following error in the log:
mariadb 10:27:41.60
mariadb 10:27:41.60 Welcome to the Bitnami mariadb-galera container
mariadb 10:27:41.60 Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-mariadb-galera
mariadb 10:27:41.60 Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-mariadb-galera/issues
mariadb 10:27:41.61
mariadb 10:27:41.61 INFO ==> ** Starting MariaDB setup **
mariadb 10:27:41.64 INFO ==> Validating settings in MYSQL_*/MARIADB_* env vars
mariadb 10:27:41.67 INFO ==> Initializing mariadb database
mkdir: cannot create directory '/bitnami/mariadb/data': Permission denied
The site of the image lists the possibility to use an extra init container to fix that (Link).
So I came up with the following configuration:
mariadb-galera-init-config.yaml
extraInitContainers:
- name: initcontainer
image: bitnami/minideb
command: ["chown -R 1001:1001 /bitnami/mariadb/"]
The problem is that when I run the command with this configuration:
helm install my-release bitnami/mariadb-galera --set rootUser.password=test --set db.name=test -f mariadb-galera-init-config.yaml
I get the following error on the Minikube dashboard:
Error: failed to start container "initcontainer": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "chown -R 1001:1001 /bitnami/mariadb/": stat chown -R 1001:1001 /bitnami/mariadb/: no such file or directory: unknown
I don't know how to fix this configuration file, or if there is some other better way to get this working...
In any case someone has issues with this, may I suggest running a initContainer before.
initContainers:
- name: mariadb-create-directory-structure
image: busybox
command:
[
"sh",
"-c",
"mkdir -p /bitnami/mariadb/data && chown -R 1001:1001 /bitnami",
]
volumeMounts:
- name: data
mountPath: /bitnami
i agree with #ventsislav_rs creating initContainer will do the trick..
I'm trying to create PostgreSQL DB inside docker container and connect to it from my local machine. Running docker-compose up -d with that inside docker-compose.yml:
version: '3.5'
services:
db:
image: postgres:12.2
restart: always
ports:
- "5432:5432"
environment:
POSTGRES_DB: db
POSTGRES_USER: root
POSTGRES_PASSWORD: root
ended successfully. No crashes, errors of something. But, when I'm trying to connect to it with pgAdmin4 with these credentials:
Host name/address: localhost
Port: 5432
Maintenance database: db
Username: root
Password: root
it says to me:
Unable to connect to server:
FATAL: password authentication failed for user "root"
My OS: Windows 10 build(1809)
PostgreSQL version (installed on local machine): 12
Docker version: 19.03.13, build 4484c46d9d
UPD 1:
After re-creating container with different ports (now it is 5433:5433), pgAdmin4 error changed:
Unable to connect to server:
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
Host name/address: localhost
Port: 5432
You are trying to connect to 5432 port on localhost. Are you sure your container is taking the host IP?
To make the container run with the host IP run the container with --network host option.
docker run --network host <rest of the command>
Note that if you use '--network host' option, then portmapping '-p' option is not needed.
Read https://docs.docker.com/network/host/ for more information.
Have you checked you've cleaned away any old instances running locally and that you're not trying to access an old instance?
You can wipe out all local docker containers with: docker rm -f $(docker ps -aq)
Once you've got a clean environment you can try spin up the containers again locally and see if you can access the service. I copy/pasted what you have into a clean docker-compose.yaml and ran docker-compose up against the file - it worked and I logged in and was able to view the pg_user table.
If it still fails you can try to find the IP using: netstat -in | grep en0 which will show something like
en0 1500 192.168.1 **192.168.1.163** 15301832 - 9001208 - - -
this shows the external/accessible IP of the container. Try using the address shown (something similar to 192.168.1.163) instead of localhost
I tried to install Gitlab with docker compose. I set docker-compose.
gitlab:
image: 'gitlab/gitlab-ce:latest'
volumes:
- '/srv/docker/gitlab/data:/var/opt/gitlab'
- '/srv/docker/gitlab/config:/etc/gitlab'
- '/srv/docker/gitlab/logs:/var/log/gitlab'
ports:
- "10080:10080"
- "10443:443"
- "10022:22"
restart: always
hostname: '1.1.1.1'
dns:
- xx.xx.xx.xx
environment:
GITLAB_OMNIBUS_CONFIG: |
gitlab_rails['gravatar_enabled'] = false
gitlab_rails['time_zone'] = 'Asia/Tokyo'
When I run docker-compose up it failed said
gitlab_1 | If this container fails to start due to permission problems try to fix it by executing:
gitlab_1 |
gitlab_1 | docker exec -it gitlab update-permissions
gitlab_1 | docker restart gitlab
gitlab_1 |
gitlab_1 | Installing gitlab.rb config...
gitlab_1 | cp: cannot create regular file '/etc/gitlab/gitlab.rb': Permission denied
gitlab_gitlab_1 exited with code 1
as written I tried to run
docker exec -it gitlab update-permissions
But error said
Error response from daemon: No such container: gitlab
Anyone can help?
Just info docker ps
Result:
CONTAINER ID IMAGE COMMAND CREATED
xxxxxxx gitlab/gitlab-ce:latest "/assets/wrapper" 24 hours ago
And permission file
ls -la /etc/gitlab/gitlab.rb
-rw-------. 1 root root 0 Dec 12 17:00 /etc/gitlab/gitlab.rb
It seems that the container doesn't have the permission to create files beneath your mounted volumes:
/srv/docker/gitlab/data
/srv/docker/gitlab/config
/srv/docker/gitlab/logs
The file permissions show that gitlab.rb is only read and writeable by root. I just checked them - my container uses the same permissions.
So it might be a problem with your Docker host. Somehow it prevents you from creating/writing these files. Maybe the filesystem is mount readonly, or the permissions of the host volume folders don't allow it.
SELinux or App Armour also could be a problem!
I'd recommend to remove all files in the volumes and set the permissions of the 3 folders to 777. After it started you'll see which user/group ids are needed and you can tighten it down.
Do you use AppArmour, SELinux? What kind of Host OS do you use?
Finally I tried to change content inside docker-compose.yml
I didn't know the exact reason why not worked. Maybe different setting in gitlab_omnibus
For docker compose I refer to this
docker-compose.yml
I deleted existed docker image and container, then run docker-compose. And it works fine
i've the same problem and running this has solved my problem; because i was on SELinux:
sudo docker run --detach \
--hostname gitlab.example.com \
--publish 443:443 --publish 80:80 --publish 22:22 \
--name gitlab \
--restart always \
--volume $GITLAB_HOME/config:/etc/gitlab:Z \
--volume $GITLAB_HOME/logs:/var/log/gitlab:Z \
--volume $GITLAB_HOME/data:/var/opt/gitlab:Z \
--shm-size 256m \
gitlab/gitlab-ee:latest
This will ensure that the Docker process has enough permissions to create the configuration files in the mounted volumes.
I am using Docker Compose to run several containers, including one with a Postgres image. I am attempting to add a volume to that container to persist my data across container builds. However, I am receiving an error when it tries to create a directory for this volume within the container.
I run:
docker-compose build
then
docker-compose up
And I receive the following error:
ERROR: for cxbenchmark_db_1 Cannot start service db: oci runtime error: container_linux.go:265: starting container process caused "process_linux.go:368: container init caused \"rootfs_linux.go:57: mounting \\"/var/lib/docker/volumes/69845a017b4465e9122852a75ca194db473df95fa218658b8a60fb56eba9be9e/_data\\" to rootfs \\"/var/lib/docker/overlay2/627956d63fb0480448079577a83b0b54f83866fdf31136b7c669541c3f672355/merged\\" at \\"/var/lib/docker/overlay2/627956d63fb0480448079577a83b0b54f83866fdf31136b7c669541c3f672355/merged/var/lib/postgresql/data\\" caused \\"mkdir /var/lib/docker/overlay2/627956d63fb0480448079577a83b0b54f83866fdf31136b7c669541c3f672355/merged/var/lib/postgresql/data: permission denied\\"\""
My full docker-compose.yml looks like this (note the service called db where the volume is defined):
version: '3'
services:
nginx:
image: nginx:latest
ports:
- 80:8000
volumes:
- ./src:/src
- ./config/nginx:/etc/nginx/conf.d
- ./src/static:/static
depends_on:
- web
web:
build: .
command: bash -c "python manage.py makemigrations && python manage.py migrate && gunicorn cx_benchmark.wsgi -b 0.0.0.0:8000"
depends_on:
- db
volumes:
- ./src:/src
- ./src/static:/static
expose:
- 8000
db:
image: postgres:latest
volumes:
- /private/var/lib/postgresql:/var/lib/postgresql
ports:
- 5432:5432
Any ideas for how to solve?
The error you are seeing is not a problem (necessarily) with the explicit volume bind mount in your compose file, but rather with the VOLUME declaration in the main postgres official Docker image Dockerfile:
VOLUME /var/lib/postgresql/data
Since you haven't provided a mount-point for this directory (but rather the parent), the docker engine is creating a local volume and then trying to mount that volume into your already bind-mounted location and getting a permissions error.
For clarity, here is the volume the docker engine created for you:
/var/lib/docker/volumes/69845a017b4465e9122852a75ca194db473df95fa218658b8a60fb56eba9be9e/_data
And here is the directory location at which it is trying to bind mount that dir; on top of your bind mount from /private/var/lib/postgresql:
mkdir /var/lib/docker/overlay2/627956d63fb0480448079577a83b0b54f83866fdf31136b7c669541c3f672355/merged/var/lib/postgresql/data: permission denied
Now, I think the reason this is failing is that you may have turned on user namespaces in your Docker engine ("userns-remap" flag/setting) such that the container doesn't have permissions to create a directory in that root-owned location on your host. Barring that, the only other option is that the postgres container is starting as a non-root user, but I don't see anything in your compose file or the official Dockerfile for the latest release that uses the USER directive.
As an aside, since you are ending up with double-volumes because your bind mount doesn't match the VOLUME specifier in the postgres Dockerfile, you could change your compose file to mount to /var/lib/postgresql/data and get around that extra volume being created. Especially if you expect your DB data to end up in /private/var/lib/postgresql, as it may be surprising to find it isn't there, but rather in the /var/lib/docker/volumes/.. location.