docker-snap / docker
Source for the "docker" snap in Ubuntu Snappy 16+
License: MIT License
The command I used to test is:
$ docker run --rm hello-world
It can download the image but it failed when it tried to start the container.
Hardware and software: all-snap image on x86-64 computer.
$ snap list
Name       Version     Rev  Developer  Notes
core       16.04.1     394  canonical  -
docker     1.11.2-9    53   canonical  -
pc         16.04-0.8   9    canonical  -
pc-kernel  4.4.0-45-4  37   canonical  -
Error messages are like below:
Nov 9 16:47:36 localhost kernel: [82650.637069] audit: type=1400 audit(1478710056.851:11530): apparmor="DENIED" operation="mkdir" profile="snap.docker.dockerd" name="/var/lib/snapd/hostfs/sys/fs/cgroup/cpuset/docker/" pid=10731 comm="docker-runc" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Nov 9 16:47:36 localhost snap[9923]: time="2016-11-09T16:47:36Z" level=error msg="containerd: start container" error="oci runtime error: mkdir /var/lib/snapd/hostfs/sys/fs/cgroup/cpuset/docker: permission denied" id=f7433fe81e60051eafb26c888732135414a747ef1d7bcf58fe93a4f7dde45c29
Instead of that, this snap should use the new snapcraft scriptlets:
https://insights.ubuntu.com/2017/02/02/run-scripts-during-snapcraft-builds-with-scriptlets/
Hello there,
What are your plans for Docker 1.12? I'm anxious to use swarm mode on Ubuntu Core 16.
Thanks,
It would be desirable to let end-users configure extra options / override default options for the docker daemon. Ideally, this would be implemented with a config hook.
hiho.
my docker has many restarts after installing with snap install docker. dmesg output is full of:
[ 2386.934067] audit: type=1400 audit(1478425942.891:15996): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/var/lib/snapd/hostfs/sys/kernel/security/apparmor/" pid=24541 comm="apparmor_parser" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2386.940143] audit: type=1400 audit(1478425942.895:15997): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24542 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.147858] audit: type=1400 audit(1478425943.103:15998): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24543 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.153727] audit: type=1400 audit(1478425943.111:15999): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24544 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.158996] audit: type=1400 audit(1478425943.115:16000): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24545 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.181619] audit: type=1400 audit(1478425943.135:16001): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/sbin/xtables-multi" pid=24546 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.186725] audit: type=1400 audit(1478425943.143:16002): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/sbin/xtables-multi" pid=24547 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.192455] audit: type=1400 audit(1478425943.147:16003): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/sbin/xtables-multi" pid=24548 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
How can this be debugged?
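One way to triage reports like the ones on this page is to collapse the AppArmor audit records into a count per profile, operation, path and mask. The following is an added example, not part of the original posts or of the docker snap; the function names are this example's own, and the sample lines are audit records copied from the reports on this page.

```python
import re
import shlex
from collections import Counter

# Sample input: audit records copied from the reports on this page.
SAMPLE = '''\
Nov 1 18:04:17 localhost kernel: [ 93.334736] audit_printk_skb: 72 callbacks suppressed
[ 2386.934067] audit: type=1400 audit(1478425942.891:15996): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/var/lib/snapd/hostfs/sys/kernel/security/apparmor/" pid=24541 comm="apparmor_parser" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2386.940143] audit: type=1400 audit(1478425942.895:15997): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24542 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.147858] audit: type=1400 audit(1478425943.103:15998): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24543 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.153727] audit: type=1400 audit(1478425943.111:15999): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24544 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.181619] audit: type=1400 audit(1478425943.135:16001): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/sbin/xtables-multi" pid=24546 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.186725] audit: type=1400 audit(1478425943.143:16002): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/sbin/xtables-multi" pid=24547 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 9 16:47:36 localhost kernel: [82650.637069] audit: type=1400 audit(1478710056.851:11530): apparmor="DENIED" operation="mkdir" profile="snap.docker.dockerd" name="/var/lib/snapd/hostfs/sys/fs/cgroup/cpuset/docker/" pid=10731 comm="docker-runc" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Nov 1 18:04:17 localhost kernel: [ 93.334740] audit: type=1400 audit(1478023457.825:46): apparmor="ALLOWED" operation="exec" profile="snap.cumulocity.cumulocity" name="/usr/bin/snap" pid=1413 comm="java" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.cumulocity.cumulocity//null-/usr/bin/snap"
'''

# Matches the audit(<epoch>:<serial>) header and captures the key=value body.
AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+(?P<body>apparmor=.*)$')

def parse_line(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor record."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {"serial": int(m.group("serial"))}
    # shlex keeps quoted values (paths with spaces) together and strips the quotes.
    for token in shlex.split(m.group("body")):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def summarize(text, verdicts=("DENIED",)):
    """Count records per (profile, operation, name, denied_mask), most frequent first."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("apparmor") in verdicts:
            key = (rec["profile"], rec["operation"], rec.get("name", "-"), rec.get("denied_mask", "-"))
            counts[key] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (profile, op, name, mask), n in summarize(SAMPLE):
        print(f"{n:3d}  {profile}  {op}  {name}  ({mask})")
```

Passing `verdicts=("ALLOWED",)` lists what a devmode snap is being let through, which is the set of accesses that would need a rule or interface before the snap could run confined.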
I am trying to use docker via another snap (cumulocity). This is essentially a java management app that can make a system call.
After a fresh install or rebooting my hardware I can issue /snap/bin/docker ps -a successfully via this management app ONCE. But when I re-issue the very same command the second time, I get this error:
cannot open mount namespace file for namespace group docker. errmsg: Permission denied
Then I can repeat the docker command any number of times via the mgm app; I get the error consistently.
If I use the sudo docker ps -a command from the console, it always works.
Here is my config:
triesz@localhost:~$ snap list
Name        Version     Rev  Developer  Notes
core        16.04.1     378  canonical  -
cumulocity  7.37.0      x2              devmode
docker      1.11.2-9    49   canonical  -
pc          16.04-0.8   9    canonical  -
pc-kernel   4.4.0-45-4  37   canonical  -
triesz@localhost:~$ sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
triesz@localhost:~$ snap interfaces
Slot Plug
:bluetooth-control -
:camera -
:dcdbas-control -
:docker-support docker:privileged,docker:support
:firewall-control cumulocity,docker
:fuse-support -
:hardware-observe -
:home cumulocity,docker
:kernel-module-control -
:locale-control -
:log-observe -
:lxd-support -
:mount-observe -
:network cumulocity,docker
:network-bind cumulocity,docker
:network-control -
:network-observe -
:network-setup-observe -
:opengl -
:ppp -
:process-control cumulocity
:removable-media -
:shutdown -
:snapd-control -
:system-observe -
:system-trace -
:time-control -
:timeserver-control -
:timezone-control -
:tpm -
docker:docker-daemon cumulocity:docker,docker:docker-cli
triesz@localhost:~$ sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
triesz@localhost:~$
syslog extract after the first, successful command execution (via the cumulocity mgm app)
Nov 1 18:04:17 localhost kernel: [ 93.334736] audit_printk_skb: 72 callbacks suppressed
Nov 1 18:04:17 localhost kernel: [ 93.334740] audit: type=1400 audit(1478023457.825:46): apparmor="ALLOWED" operation="exec" profile="snap.cumulocity.cumulocity" name="/usr/bin/snap" pid=1413 comm="java" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.cumulocity.cumulocity//null-/usr/bin/snap"
Nov 1 18:04:17 localhost kernel: [ 93.335707] audit: type=1400 audit(1478023457.829:47): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/etc/ld.so.cache" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:04:17 localhost kernel: [ 93.335777] audit: type=1400 audit(1478023457.829:48): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/libpthread-2.23.so" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:04:17 localhost kernel: [ 93.335864] audit: type=1400 audit(1478023457.829:49): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:04:17 localhost kernel: [ 93.336020] audit: type=1400 audit(1478023457.829:50): apparmor="ALLOWED" operation="file_mprotect" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/bin/snap" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:04:17 localhost kernel: [ 93.336076] audit: type=1400 audit(1478023457.829:51): apparmor="ALLOWED" operation="file_mprotect" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:04:17 localhost kernel: [ 93.337182] audit: type=1400 audit(1478023457.829:52): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_IDENTIFICATION" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:04:17 localhost kernel: [ 93.337262] audit: type=1400 audit(1478023457.829:53): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:04:17 localhost kernel: [ 93.337329] audit: type=1400 audit(1478023457.829:54): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_MEASUREMENT" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:04:17 localhost kernel: [ 93.337373] audit: type=1400 audit(1478023457.829:55): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_TELEPHONE" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:04:17 localhost snap[1201]: time="2016-11-01T18:04:17.866499276Z" level=debug msg="Calling GET /v1.23/containers/json?all=1"
syslog extract when using the command the second time:
Nov 1 18:06:27 localhost kernel: [ 222.848659] audit_printk_skb: 291 callbacks suppressed
Nov 1 18:06:27 localhost kernel: [ 222.848666] audit: type=1400 audit(1478023587.341:153): apparmor="ALLOWED" operation="exec" profile="snap.cumulocity.cumulocity" name="/usr/bin/snap" pid=1426 comm="java" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.cumulocity.cumulocity//null-/usr/bin/snap"
Nov 1 18:06:27 localhost kernel: [ 222.849682] audit: type=1400 audit(1478023587.341:154): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/etc/ld.so.cache" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:06:27 localhost kernel: [ 222.849863] audit: type=1400 audit(1478023587.341:155): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/libpthread-2.23.so" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:06:27 localhost kernel: [ 222.850125] audit: type=1400 audit(1478023587.341:156): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:06:27 localhost kernel: [ 222.850553] audit: type=1400 audit(1478023587.341:157): apparmor="ALLOWED" operation="file_mprotect" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/bin/snap" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:06:27 localhost kernel: [ 222.850689] audit: type=1400 audit(1478023587.341:158): apparmor="ALLOWED" operation="file_mprotect" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:06:27 localhost kernel: [ 222.855415] audit: type=1400 audit(1478023587.349:159): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_IDENTIFICATION" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:06:27 localhost kernel: [ 222.855627] audit: type=1400 audit(1478023587.349:160): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:06:27 localhost kernel: [ 222.855769] audit: type=1400 audit(1478023587.349:161): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_MEASUREMENT" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 1 18:06:27 localhost kernel: [ 222.855925] audit: type=1400 audit(1478023587.349:162): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_TELEPHONE" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I built the cumulocity snap this way:
name: cumulocity
version: "7.37.0"
summary: cumulocity java agent on openJDK
description: cumulocity java agent on openJDK
confinement: devmode
apps:
  cumulocity:
    command: launch_cumulo.sh
    daemon: simple
    plugs: [network, home, docker, process-control, network-bind, firewall-control]
parts:
  cumulocity:
    source: .
    plugin: dump
  java:
    source: .
    plugin: jdk
Is this the correct way to expose docker to another snap?