
docker's Issues

"oci runtime error" when run hello-world container

The command I used to test is
$ docker run --rm hello-world

It can download the image but it failed when it tried to start the container.

Hardware and software: all-snap image on x86-64 computer.

$ snap list
Name       Version     Rev  Developer  Notes
core       16.04.1     394  canonical  -
docker     1.11.2-9    53   canonical  -
pc         16.04-0.8   9    canonical  -
pc-kernel  4.4.0-45-4  37   canonical  -

Error messages are like below:
Nov 9 16:47:36 localhost kernel: [82650.637069] audit: type=1400 audit(1478710056.851:11530): apparmor="DENIED" operation="mkdir" profile="snap.docker.dockerd" name="/var/lib/snapd/hostfs/sys/fs/cgroup/cpuset/docker/" pid=10731 comm="docker-runc" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Nov 9 16:47:36 localhost snap[9923]: time="2016-11-09T16:47:36Z" level=error msg="containerd: start container" error="oci runtime error: mkdir /var/lib/snapd/hostfs/sys/fs/cgroup/cpuset/docker: permission denied" id=f7433fe81e60051eafb26c888732135414a747ef1d7bcf58fe93a4f7dde45c29

Docker version bump

Hello there,

What are your plans for Docker 1.12? I'm anxious to use swarm mode on Ubuntu Core 16.

Thanks,

Daemon options config hook

It would be desirable to let end-users configure extra options / override default options for the docker daemon. Ideally, this would be implemented with a config hook.

docker permanently restarts on rpi2

hiho.

my docker has many restarts after installing with snap install docker. dmesg output is full of:

[ 2386.934067] audit: type=1400 audit(1478425942.891:15996): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/var/lib/snapd/hostfs/sys/kernel/security/apparmor/" pid=24541 comm="apparmor_parser" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2386.940143] audit: type=1400 audit(1478425942.895:15997): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24542 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.147858] audit: type=1400 audit(1478425943.103:15998): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24543 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.153727] audit: type=1400 audit(1478425943.111:15999): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24544 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.158996] audit: type=1400 audit(1478425943.115:16000): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24545 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.181619] audit: type=1400 audit(1478425943.135:16001): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/sbin/xtables-multi" pid=24546 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.186725] audit: type=1400 audit(1478425943.143:16002): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/sbin/xtables-multi" pid=24547 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.192455] audit: type=1400 audit(1478425943.147:16003): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/sbin/xtables-multi" pid=24548 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

How can this be debugged?
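
A way to triage AppArmor audit output like the above, as an added example that is not part of the original issue or of the docker snap: it parses the key=value fields of each record and counts DENIED entries per profile, operation and path, so repeated denials collapse into one line each. The sample lines are copied from the reports on this page; the function names and the mask-letter table are this example's own.

```python
import re
from collections import Counter

# Audit records copied unmodified from the reports on this page (a subset).
SAMPLE = '''\
Nov 9 16:47:36 localhost kernel: [82650.637069] audit: type=1400 audit(1478710056.851:11530): apparmor="DENIED" operation="mkdir" profile="snap.docker.dockerd" name="/var/lib/snapd/hostfs/sys/fs/cgroup/cpuset/docker/" pid=10731 comm="docker-runc" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 2386.934067] audit: type=1400 audit(1478425942.891:15996): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/var/lib/snapd/hostfs/sys/kernel/security/apparmor/" pid=24541 comm="apparmor_parser" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2386.940143] audit: type=1400 audit(1478425942.895:15997): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24542 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.147858] audit: type=1400 audit(1478425943.103:15998): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/kmod" pid=24543 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2387.181619] audit: type=1400 audit(1478425943.135:16001): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/sbin/xtables-multi" pid=24546 comm="docker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov  1 18:04:17 localhost kernel: [   93.335707] audit: type=1400 audit(1478023457.829:47): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/etc/ld.so.cache" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
MASK = {"r": "read", "w": "write", "a": "append", "c": "create",
        "d": "delete", "x": "exec", "m": "mmap-exec", "l": "link", "k": "lock"}

def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def summarize_denials(text):
    """Count DENIED records per (profile, operation, path, access)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_audit_line(line)
        # ALLOWED records (logged for devmode snaps) are not denials; skip them.
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        access = "+".join(MASK.get(c, c) for c in rec.get("denied_mask", ""))
        counts[(rec.get("profile"), rec.get("operation"), rec.get("name"), access)] += 1
    return counts

if __name__ == "__main__":
    for (profile, op, name, access), n in summarize_denials(SAMPLE).most_common():
        print(f"{n:3d}x {profile}: {op} {name} ({access})")
```

The grouped output shows which paths and operations the `snap.docker.dockerd` profile is refusing, which is the information needed when comparing the denials against the interfaces the snap has connected.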

cannot open mount namespace file for namespace group docker. errmsg: Permission denied

I am trying to use docker via another snap (cumulocity). This is essentially a java management app that can make a system call.

After a fresh install or rebooting my hardware I can issue /snap/bin/docker ps -a successfully via this management app ONCE. But when I re-issue the very same command the second time, I get this error:

cannot open mount namespace file for namespace group docker. errmsg: Permission denied

Then I can repeat the docker command any number of times via the mgm app; I get the error consistently.
If I use the sudo docker ps -a command from the console, it always works.

Here is my config:

triesz@localhost:~$ snap list 
Name        Version     Rev  Developer  Notes
core        16.04.1     378  canonical  -
cumulocity  7.37.0      x2              devmode
docker      1.11.2-9    49   canonical  -
pc          16.04-0.8   9    canonical  -
pc-kernel   4.4.0-45-4  37   canonical  -
triesz@localhost:~$ sudo docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
triesz@localhost:~$ snap interfaces
Slot                    Plug
:bluetooth-control      -
:camera                 -
:dcdbas-control         -
:docker-support         docker:privileged,docker:support
:firewall-control       cumulocity,docker
:fuse-support           -
:hardware-observe       -
:home                   cumulocity,docker
:kernel-module-control  -
:locale-control         -
:log-observe            -
:lxd-support            -
:mount-observe          -
:network                cumulocity,docker
:network-bind           cumulocity,docker
:network-control        -
:network-observe        -
:network-setup-observe  -
:opengl                 -
:ppp                    -
:process-control        cumulocity
:removable-media        -
:shutdown               -
:snapd-control          -
:system-observe         -
:system-trace           -
:time-control           -
:timeserver-control     -
:timezone-control       -
:tpm                    -
docker:docker-daemon    cumulocity:docker,docker:docker-cli
triesz@localhost:~$ sudo docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
triesz@localhost:~$ 

syslog extract after the first, successful command execution (via the cumulocity mgm app)

Nov  1 18:04:17 localhost kernel: [   93.334736] audit_printk_skb: 72 callbacks suppressed
Nov  1 18:04:17 localhost kernel: [   93.334740] audit: type=1400 audit(1478023457.825:46): apparmor="ALLOWED" operation="exec" profile="snap.cumulocity.cumulocity" name="/usr/bin/snap" pid=1413 comm="java" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.cumulocity.cumulocity//null-/usr/bin/snap"
Nov  1 18:04:17 localhost kernel: [   93.335707] audit: type=1400 audit(1478023457.829:47): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/etc/ld.so.cache" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:04:17 localhost kernel: [   93.335777] audit: type=1400 audit(1478023457.829:48): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/libpthread-2.23.so" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:04:17 localhost kernel: [   93.335864] audit: type=1400 audit(1478023457.829:49): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:04:17 localhost kernel: [   93.336020] audit: type=1400 audit(1478023457.829:50): apparmor="ALLOWED" operation="file_mprotect" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/bin/snap" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:04:17 localhost kernel: [   93.336076] audit: type=1400 audit(1478023457.829:51): apparmor="ALLOWED" operation="file_mprotect" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:04:17 localhost kernel: [   93.337182] audit: type=1400 audit(1478023457.829:52): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_IDENTIFICATION" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:04:17 localhost kernel: [   93.337262] audit: type=1400 audit(1478023457.829:53): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:04:17 localhost kernel: [   93.337329] audit: type=1400 audit(1478023457.829:54): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_MEASUREMENT" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:04:17 localhost kernel: [   93.337373] audit: type=1400 audit(1478023457.829:55): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_TELEPHONE" pid=1413 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:04:17 localhost snap[1201]: time="2016-11-01T18:04:17.866499276Z" level=debug msg="Calling GET /v1.23/containers/json?all=1"

syslog extract when using the command the second time:

Nov  1 18:06:27 localhost kernel: [  222.848659] audit_printk_skb: 291 callbacks suppressed
Nov  1 18:06:27 localhost kernel: [  222.848666] audit: type=1400 audit(1478023587.341:153): apparmor="ALLOWED" operation="exec" profile="snap.cumulocity.cumulocity" name="/usr/bin/snap" pid=1426 comm="java" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.cumulocity.cumulocity//null-/usr/bin/snap"
Nov  1 18:06:27 localhost kernel: [  222.849682] audit: type=1400 audit(1478023587.341:154): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/etc/ld.so.cache" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:06:27 localhost kernel: [  222.849863] audit: type=1400 audit(1478023587.341:155): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/libpthread-2.23.so" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:06:27 localhost kernel: [  222.850125] audit: type=1400 audit(1478023587.341:156): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:06:27 localhost kernel: [  222.850553] audit: type=1400 audit(1478023587.341:157): apparmor="ALLOWED" operation="file_mprotect" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/bin/snap" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:06:27 localhost kernel: [  222.850689] audit: type=1400 audit(1478023587.341:158): apparmor="ALLOWED" operation="file_mprotect" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:06:27 localhost kernel: [  222.855415] audit: type=1400 audit(1478023587.349:159): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_IDENTIFICATION" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:06:27 localhost kernel: [  222.855627] audit: type=1400 audit(1478023587.349:160): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:06:27 localhost kernel: [  222.855769] audit: type=1400 audit(1478023587.349:161): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_MEASUREMENT" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  1 18:06:27 localhost kernel: [  222.855925] audit: type=1400 audit(1478023587.349:162): apparmor="ALLOWED" operation="open" profile="snap.cumulocity.cumulocity//null-/usr/bin/snap" name="/usr/lib/locale/C.UTF-8/LC_TELEPHONE" pid=1426 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I built the cumulocity snap this way:

name: cumulocity
version: "7.37.0"
summary: cumulocity java agent on openJDK
description: cumulocity java agent on openJDK
confinement: devmode

apps:
  cumulocity:
    command: launch_cumulo.sh
    daemon: simple
    plugs: [network, home, docker, process-control, network-bind, firewall-control]

parts:
  cumulocity:
    source: .
    plugin: dump
  java:
    source: .
    plugin: jdk

Is this the correct way to expose docker to another snap?
