Linux tests using Docker on Mac

[micknudsen]

Hi,

I am trying to test recipes locally using simulate-travis.py on my Mac. I have Docker installed and running, but I always get the following error:

Error checking TLS connection: machine does not exist
Cannot connect to docker. Linux test will not be run.

The Bioconda documentation just states that Docker should be installed. Does it require additional setup?

[daler]

@micknudsen not sure I've seen this error before. Are you able to run docker run outside the context of simulate-travis.py? That is, are you able to do this without errors:

docker pull condaforge/linux-anvil
docker run -it --net host condaforge/linux-anvil

[micknudsen]

Yup. Everything works as expected:

[micknudsen@work:~]$ docker pull condaforge/linux-anvil
Using default tag: latest
latest: Pulling from condaforge/linux-anvil
Digest: sha256:f2d447398170272f19bcdea36f3fdd55333b56d27e9657eddc4ba57486df4dc9
Status: Image is up to date for condaforge/linux-anvil:latest
[micknudsen@work:~]$ docker run -it --net host condaforge/linux-anvil
(root) [root@moby /]#

[daler]

Sorry, without being able to reproduce locally it's tough to troubleshoot. Have you tried things suggested here: docker-archive/toolbox#453? Is docker fully up-to-date?

@bioconda/osx, any advice?

[epruesse]

@micknudsen Sorry about your troubles. The support for docker on OSX is new. I guess I'm to blame for your troubles...

Could you try docker-machine status, and if that says anything but Running, try docker-machine start or docker-machine restart? After that, docker-machine env should show some export statements, rather than the TLS error you are seeing.

@daler I'll write a patch that uses docker-machine status to check that the VM is running and issue a more helpful error if it fails. Since you can (in theory) have different VMs hosting docker (I doubt many people do) and the running VM reserves a significant chunk of RAM for itself, I didn't put anything in to auto-start the docker machine.

[daler]

@epruesse thanks, that would be great.

[micknudsen]

@epruesse Thanks for your suggestions. Unfortunately, they don't fix my problem:

[micknudsen@work:~]$ docker-machine status
Running
[micknudsen@work:~]$ docker-machine env
Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.99.100:2376": dial tcp 192.168.99.100:2376: getsockopt: network is unreachable
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which might stop running containers.

Regenerating certificates does not help either. The solution may be in the thread linked to by @daler, but I am a little short on time right now. I will be able to do more troubleshooting in a few days. Maybe the discussion should continue in that thread?

[epruesse]

@micknudsen Yes, that does look like it's a docker, rather than a Bioconda issue. You could try connecting to the host/port listed using openssl s_client -connect host:port. I'm not sure from the error whether the network is unreachable or whether validating certificates failed first. You could just try "pinging" the docker VM and checking netstat -nr for something wrong with the routes if that doesn't work.

Also check $HOME/.docker/machine/machines/default/config.json -- that's where the config for the default VM running your docker is located. Make sure that's all sensible for your environment. I.e. no other networks using 192.168.99.0/24

@daler Let's keep this open for now so I have a reminder to make simulate-travis.py a little more helpful when encountering errors.

[bgruening]

ping @epruesse

[peterjc]

I agree the documentation is too terse right now.

Having realised I needed Docker to run the mulled test framework locally - and we don't have Docker on our cluster - I am trying this on macOS:

$ python3 ./simulate-travis.py --bootstrap /tmp/bioconda-simulate-travis-miniconda --overwrite
...
$ python3 ./simulate-travis.py --skip-linting --packages XXX
...
13:44:54 BIOCONDA INFO BUILD SUMMARY: successfully built 1 of 1 recipes
+ set +x
Error: No machine name(s) specified and no "default" machine exists
Cannot connect to docker. Linux test will not be run.

Docker is running (little icon in my top right menu bar), diagnostics,

$ docker --version
Docker version 17.12.0-ce, build c97c6d6
$ docker-machine status
Error: No machine name(s) specified and no "default" machine exists
$ docker-machine env
Error: No machine name(s) specified and no "default" machine exists
$ docker-machine start
Error: No machine name(s) specified and no "default" machine exists

Following @daler's suggestion to confirm Docker does work:

$ docker pull condaforge/linux-anvil
...
Status: Downloaded newer image for condaforge/linux-anvil:latest
$ docker run -it --net host condaforge/linux-anvil
(root) [conda@linuxkit-025000000001 ~]$ whoami
conda
(root) [conda@linuxkit-025000000001 ~]$ exit
exit

Then following docker-archive/toolbox#453 (comment)

$ docker-machine create default --driver virtualbox
...
Docker is up and running!
To see how to connect your Docker Client to the Docker Engine running on this virtual machine, run: docker-machine env default
$ docker-machine status
Running

That seemed to be a key step - simulate-travis.py now gets a lot further but the package build fails in a weird way:

...
14:10:40 BIOCONDA ERROR COMMAND FAILED: docker run --net host --rm -v /private/tmp/tmp6tfal_1b/build_script.bash:/opt/build_script.bash -v /tmp/bioconda-simulate-travis-miniconda/conda-bld:/opt/host-conda-bld -v /Users/XXX/repositories/bioconda-recipes/recipes/XXX:/opt/recipe -e MACOSX_DEPLOYMENT_TARGET=10.9 -e CONDA_HTSLIB=1.6 -e CONDA_GMP=5.1 -e CONDA_XZ=5.2 -e CONDA_R=3.4.1 -e CONDA_HDF5=1.8.17 -e CONDA_BZIP2=1.0 -e CONDA_ALLOW_SOFTLINKS=false -e CONDA_GSL=1.16 -e CONDA_PERL=5.22.0 -e CONDA_ZLIB=1.2.8 -e CONDA_BOOST=1.64 -e CONDA_ROOT=/tmp/bioconda-simulate-travis-miniconda -e CONDA_PY=36 -e CONDA_NCURSES=5.9 -e LANG=en_GB.UTF-8 -e CONDA_NPY=112 -e HOST_USER_ID=1778186624 tmp-bioconda-builder /bin/bash /opt/build_script.bash
14:10:40 BIOCONDA ERROR STDOUT+STDERR:
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
/opt/build_script.bash: /opt/build_script.bash: is a directory
...

But anyway, the documentation or script seems to need to handle a fresh install with no default Docker image setup.

[daler]

Thanks for the diagnostics @peterjc!

Since setting the default is a one-time operation, would it be sufficient to add details to the setup docs? Or should we do the try/except in simulate-travis.py? If the latter, do you know if --driver virtualbox is standard or should we expose a CLI argument for this?

As for that last error, I wonder if it MacOS docker is unable to map single files over to the container. If so, simulate-travis.py can put the bash script into a temp dir and map that whole dir over.

I don't have a mac available for testing, so I'm flying blind here . . . I'm happy to write some code, but it will be untested and someone would have to see if it works on mac.

[peterjc]

Based on the command line help, it appears --driver virtualbox is the default:

$ docker-machine create default --help
Usage: docker-machine create [OPTIONS] [arg...]

Create a machine

Description:
   Run 'docker-machine create --driver name --help' to include the create flags for that driver in the help text.

Options:
   
   --driver, -d "virtualbox"										Driver to create machine with. [$MACHINE_DRIVER]
   --engine-env [--engine-env option --engine-env option]						Specify environment variables to set in the engine
...

This seems to work - first to remove my old default:

$ docker-machine kill
Killing "default"...
Machine "default" was killed.
$ docker-machine rm default
About to remove default
WARNING: This action will delete both local reference and remote instance.
Are you sure? (y/n): y
Successfully removed default

Then,

$ docker-machine create default
Running pre-create checks...
Creating machine...
(default) Copying /Users/XXX/.docker/machine/cache/boot2docker.iso to /Users/XXX/.docker/machine/machines/default/boot2docker.iso...
(default) Creating VirtualBox VM...
(default) Creating SSH key...
(default) Starting the VM...
(default) Check network to re-create if needed...
(default) Waiting for an IP...
Waiting for machine to be running, this may take a few minutes...
Detecting operating system of created instance...
Waiting for SSH to be available...
Detecting the provisioner...
Provisioning with boot2docker...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...
Checking connection to Docker...
Docker is up and running!
To see how to connect your Docker Client to the Docker Engine running on this virtual machine, run: docker-machine env default

I suspect it would be better to document this prominently over trying to automate this.

As to the last error, I don't know enough about Docker and Docker-on-macos to know where to start investigating mapping the bash script to the container. But I can try test commands for you, or a branch if needed.

[peterjc]

For anyone else following this, as per https://github.com/bioconda/bioconda-utils/blob/master/docs/source/troubleshooting.rst its the /opt/build_script.bash: is a directory bit which seems most important in my current failure:

...
14:10:40 BIOCONDA ERROR COMMAND FAILED: docker run --net host --rm -v /private/tmp/tmp6tfal_1b/build_script.bash:/opt/build_script.bash -v /tmp/bioconda-simulate-travis-miniconda/conda-bld:/opt/host-conda-bld -v /Users/XXX/repositories/bioconda-recipes/recipes/XXX:/opt/recipe -e MACOSX_DEPLOYMENT_TARGET=10.9 -e CONDA_HTSLIB=1.6 -e CONDA_GMP=5.1 -e CONDA_XZ=5.2 -e CONDA_R=3.4.1 -e CONDA_HDF5=1.8.17 -e CONDA_BZIP2=1.0 -e CONDA_ALLOW_SOFTLINKS=false -e CONDA_GSL=1.16 -e CONDA_PERL=5.22.0 -e CONDA_ZLIB=1.2.8 -e CONDA_BOOST=1.64 -e CONDA_ROOT=/tmp/bioconda-simulate-travis-miniconda -e CONDA_PY=36 -e CONDA_NCURSES=5.9 -e LANG=en_GB.UTF-8 -e CONDA_NPY=112 -e HOST_USER_ID=1778186624 tmp-bioconda-builder /bin/bash /opt/build_script.bash
14:10:40 BIOCONDA ERROR STDOUT+STDERR:
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
/opt/build_script.bash: /opt/build_script.bash: is a directory
...

And,

$ docker run --help
...
  -v, --volume list                    Bind mount a volume
      --volume-driver string           Optional volume driver for the container
      --volumes-from list              Mount volumes from the specified container(s)
  -w, --workdir string                 Working directory inside the container

Perhaps this really doesn't want individual files via -v?

[peterjc]

Rather than mapping the file /opt/build_script.bash I tried mapping the temp folder to /opt but that failed too - probably because this messed up all the other files expected in /opt?

.16:21:06 BIOCONDA ERROR COMMAND FAILED: docker run --net host --rm -v /private/tmp/tmpu3lpwr2b:/opt -v /tmp/bioconda-simulate-travis-miniconda/conda-bld:/opt/host-conda-bld -v /Users/pc40583/repositories/bioconda-recipes/recipes/kodoja:/opt/recipe -e CONDA_HDF5=1.8.17 -e CONDA_NPY=112 -e CONDA_GSL=1.16 -e CONDA_ALLOW_SOFTLINKS=false -e CONDA_ROOT=/tmp/bioconda-simulate-travis-miniconda -e CONDA_NCURSES=5.9 -e CONDA_PY=35 -e CONDA_ZLIB=1.2.8 -e CONDA_GMP=5.1 -e CONDA_BZIP2=1.0 -e CONDA_XZ=5.2 -e CONDA_BOOST=1.64 -e CONDA_PERL=5.22.0 -e CONDA_HTSLIB=1.6 -e CONDA_R=3.4.1 -e LANG=en_GB.UTF-8 -e MACOSX_DEPLOYMENT_TARGET=10.9 -e HOST_USER_ID=1778186624 tmp-bioconda-builder /bin/bash /opt/build_script.bash
16:21:06 BIOCONDA ERROR STDOUT+STDERR:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:296: starting container process caused "exec: \"/opt/conda/bin/tini\": stat /opt/conda/bin/tini: no such file or directory": unknown.
time="2018-01-23T16:21:06Z" level=error msg="error waiting for container: context canceled"
...

I had tried editing bioconda_utils/docker_utils.py from:

'-v', '{0}:/opt/build_script.bash'.format(build_script),

to:

'-v', '{0}:/opt'.format(os.path.dirname(build_script)),

But perhaps this progress - does this confirm mapping a single file is a problem?

[daler]

Yep, I'd call that progres! The tini container init is expected to be in /opt, so I guess that error would be expected.

What if you put it into a subdir of /opt, like:

'-v', '{0}:/opt/build'.format(os.path.dirname(build_script)),

You'd also need to change this line to reflect the new path.

[peterjc]

Good, I was starting to explore along those lines last night - nice to have your confirmation:

--- a/bioconda_utils/docker_utils.py
+++ b/bioconda_utils/docker_utils.py
@@ -435,7 +435,8 @@ class RecipeBuilder(object):
             raise ValueError('build_args must be str')
         self.conda_build_args = build_args
 
-        # Write build script to tempfile
+        # Write build script to temp dir
+        # (in its own directory so we can mount it with -v on macOS docker)
         build_dir = os.path.realpath(tempfile.mkdtemp())
         with open(os.path.join(build_dir, 'build_script.bash'), 'w') as fout:
             fout.write(self.build_script_template.format(
@@ -457,12 +458,12 @@ class RecipeBuilder(object):
             'docker', 'run',
             '--net', 'host',
             '--rm',
-            '-v', '{0}:/opt/build_script.bash'.format(build_script),
+            '-v', '{0}:/opt/build'.format(build_dir),
             '-v', '{0}:{1}'.format(self.pkg_dir, self.container_staging),
             '-v', '{0}:{1}'.format(recipe_dir, self.container_recipe),
         ] + env_list + [
             self.tag,
-            '/bin/bash', '/opt/build_script.bash',
+            '/bin/bash', '/opt/build/build_script.bash',
         ]
 
         logger.debug('DOCKER: cmd: %s', cmd)

Sadly this still fails,

/bin/bash: /opt/build/build_script.bash: No such file or directory

Might this be a permissions problem with what Docker can see outside of the user's home folder?

[peterjc]

Putting the local copy of build_script.bash in a temp folder under $HOME seems to solve the No such file or directory, but now gives a permission failure:

--- a/bioconda_utils/docker_utils.py
+++ b/bioconda_utils/docker_utils.py
@@ -435,8 +435,8 @@ class RecipeBuilder(object):
             raise ValueError('build_args must be str')
         self.conda_build_args = build_args
 
-        # Write build script to tempfile
-        build_dir = os.path.realpath(tempfile.mkdtemp())
+        # Write build script, under $HOME for permissions on macOS
+        build_dir = os.path.realpath(tempfile.mkdtemp(dir=os.environ["HOME"]))
         with open(os.path.join(build_dir, 'build_script.bash'), 'w') as fout:
             fout.write(self.build_script_template.format(
                 self=self, pkg=pkg, arch='noarch' if noarch else 'linux-64'))
@@ -457,12 +457,12 @@ class RecipeBuilder(object):
             'docker', 'run',
             '--net', 'host',
             '--rm',
-            '-v', '{0}:/opt/build_script.bash'.format(build_script),
+            '-v', '{0}:/opt/build'.format(build_dir),
             '-v', '{0}:{1}'.format(self.pkg_dir, self.container_staging),
             '-v', '{0}:{1}'.format(recipe_dir, self.container_recipe),
         ] + env_list + [
             self.tag,
-            '/bin/bash', '/opt/build_script.bash',
+            '/bin/bash', '/opt/build/build_script.bash',
         ]
 
         logger.debug('DOCKER: cmd: %s', cmd)

And:

$ python3 ./simulate-travis.py --skip-linting --packages XXX
...
12:04:37 BIOCONDA ERROR COMMAND FAILED: docker run --net host --rm -v /Users/XXX/tmpllynbemz:/opt/build -v /tmp/bioconda-simulate-travis-miniconda/conda-bld:/opt/host-conda-bld -v /Users/XXX/repositories/bioconda-recipes/recipes/XXX:/opt/recipe -e CONDA_ALLOW_SOFTLINKS=false -e CONDA_BOOST=1.64 -e CONDA_ROOT=/tmp/bioconda-simulate-travis-miniconda -e LANG=en_GB.UTF-8 -e CONDA_R=3.4.1 -e CONDA_NCURSES=5.9 -e MACOSX_DEPLOYMENT_TARGET=10.9 -e CONDA_ZLIB=1.2.8 -e CONDA_PY=35 -e CONDA_XZ=5.2 -e CONDA_HTSLIB=1.6 -e CONDA_NPY=112 -e CONDA_BZIP2=1.0 -e CONDA_GSL=1.16 -e CONDA_PERL=5.22.0 -e CONDA_HDF5=1.8.17 -e CONDA_GMP=5.1 -e HOST_USER_ID=1778186624 tmp-bioconda-builder /bin/bash /opt/build/build_script.bash
12:04:37 BIOCONDA ERROR STDOUT+STDERR:
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
/bin/bash: /opt/build/build_script.bash: Permission denied

[peterjc]

OK, I'm pretty sure the failure to run build_script.bash within the Docker image was due to different (stricter) permissions for accessing the host's file system under macOS vs Linux. The following is a bit of a hack by putting build_script.bash under the container recipe folder, but lets us actually run the script:

--- a/bioconda_utils/docker_utils.py
+++ b/bioconda_utils/docker_utils.py
@@ -435,8 +435,9 @@ class RecipeBuilder(object):
             raise ValueError('build_args must be str')
         self.conda_build_args = build_args
 
-        # Write build script to tempfile
-        build_dir = os.path.realpath(tempfile.mkdtemp())
+        # Write build script, under recipe_dir for permissions on macOS
+        build_dir = os.path.join(recipe_dir, 'tmp')
+        os.mkdir(build_dir)
         with open(os.path.join(build_dir, 'build_script.bash'), 'w') as fout:
             fout.write(self.build_script_template.format(
                 self=self, pkg=pkg, arch='noarch' if noarch else 'linux-64'))
@@ -457,12 +458,11 @@ class RecipeBuilder(object):
             'docker', 'run',
             '--net', 'host',
             '--rm',
-            '-v', '{0}:/opt/build_script.bash'.format(build_script),
             '-v', '{0}:{1}'.format(self.pkg_dir, self.container_staging),
             '-v', '{0}:{1}'.format(recipe_dir, self.container_recipe),
         ] + env_list + [
             self.tag,
-            '/bin/bash', '/opt/build_script.bash',
+            '/bin/bash', os.path.join(self.container_recipe, 'tmp', 'build_script.bash'),
         ]
 
         logger.debug('DOCKER: cmd: %s', cmd)

However, it brings us to another permissions failure:

14:09:30 BIOCONDA ERROR COMMAND FAILED: docker run --net host --rm -v /tmp/bioconda-simulate-travis-miniconda/conda-bld:/opt/host-conda-bld -v /Users/pc40583/repositories/bioconda-recipes/recipes/kodoja:/opt/recipe -e LANG=en_GB.UTF-8 -e CONDA_PY=35 -e CONDA_R=3.4.1 -e MACOSX_DEPLOYMENT_TARGET=10.9 -e CONDA_ROOT=/tmp/bioconda-simulate-travis-miniconda -e CONDA_BOOST=1.64 -e CONDA_BZIP2=1.0 -e CONDA_XZ=5.2 -e CONDA_HDF5=1.8.17 -e CONDA_GMP=5.1 -e CONDA_NCURSES=5.9 -e CONDA_PERL=5.22.0 -e CONDA_HTSLIB=1.6 -e CONDA_GSL=1.16 -e CONDA_ALLOW_SOFTLINKS=false -e CONDA_NPY=112 -e CONDA_ZLIB=1.2.8 -e HOST_USER_ID=1778186624 tmp-bioconda-builder /bin/bash /opt/recipe/tmp/build_script.bash
14:09:30 BIOCONDA ERROR STDOUT+STDERR:
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
mkdir: cannot create directory `/opt/host-conda-bld/linux-64': Permission denied

Any ideas?

[daler]

Thanks @peterjc for trying these and reporting back. @epruesse, you were working with docker on mac, can you offer any insight? Seems to be differences in allowed permissions between mac and linux versions of docker.

@peterjc only other thing I can think of at the moment is modifying the Dockerfile to ensure permissions on /opt.

[peterjc]

@daler a top level permissions change for /opt sounds sensible - but I'm out of my depth for how to do that. I'm happy to test a concrete suggestion though.

[daler]

In the DOCKERFILE_TEMPLATE string, maybe you could try adding

chmod ugo+rw {self.container_staging}

In general, that would be the place to add top-level changes for troubleshooting. The template is filled in with .format(self=self) here, so you can use any attributes on the RecipeBuilder object.

[peterjc]

My initial guess,

--- a/bioconda_utils/docker_utils.py
+++ b/bioconda_utils/docker_utils.py
@@ -134,6 +134,7 @@ DOCKERFILE_TEMPLATE = \
 """
 FROM bioconda/bioconda-utils-build-env
 {self.proxies}
+chmod ugo+rw {self.container_staging}
 """

gave:

Sending build context to Docker daemon  3.072kB
Error response from daemon: Dockerfile parse error line 4: unknown instruction: CHMOD

Tried:

--- a/bioconda_utils/docker_utils.py
+++ b/bioconda_utils/docker_utils.py
@@ -134,6 +134,7 @@ DOCKERFILE_TEMPLATE = \
 """
 FROM bioconda/bioconda-utils-build-env
 {self.proxies}
+RUN chmod ugo+rw {self.container_staging}
 """

gave:

Sending build context to Docker daemon  3.072kB
Step 1/2 : FROM bioconda/bioconda-utils-build-env
 ---> 2a664958c1f7
Step 2/2 : RUN chmod ugo+rw /opt/host-conda-bld
 ---> Running in ab7724cfa961
chmod: cannot access `/opt/host-conda-bld': No such file or directory
The command '/bin/sh -c chmod ugo+rw /opt/host-conda-bld' returned a non-zero code: 1

This gets further (will update with output shortly):

--- a/bioconda_utils/docker_utils.py
+++ b/bioconda_utils/docker_utils.py
@@ -134,6 +134,7 @@ DOCKERFILE_TEMPLATE = \
 """
 FROM bioconda/bioconda-utils-build-env
 {self.proxies}
+RUN chmod ugo+rw /opt
 """

Update - that broke with:

mkdir: cannot create directory `/opt/host-conda-bld/linux-64': Permission denied

[epruesse]

Some background on what's going on here:

Docker needs OS support which macOS doesn't have, so on macOS we use docker-machine, which offers a set of drivers. The default configuration on macOS installs VirtualBox as a driver, which runs a Linux, in which the containers are then run. So we have two layers involved. And that means two layers for file system mappings as well.

The mappings given with -v to Docker actually only happen inside the Linux VM. The mapping from macOS native to the Linux guest is static and configured in the docker-machine driver. By default that's /Users:/Users. It can be changed by editing the VirtualBox configuration, either with the GUI or on file level, but it's not very robust as it may conflict with other uses the user has for docker.

By default, the build.sh is placed in a temporary folder created through the Python API, which honors system settings so the folder ends up in /var/private somewhere. Mapping this file into the docker will fail, because /var/private doesn't exist in the Linux guest. What we get is a mount point in the Docker pointing to a non-existant inode in the Linux guest, accessing which returns -EPERM, aka permission denied.

I thought I had this fixed at some point somewhere by simply setting the TMP environment variable to $HOME/.temp. I don't recall exactly where and how though. It seems to me that the current issue is related.

There is one more caveat surrounding UIDs and permissions of files. Docker in the Linux guest runs AFAIK as UID 1000. I'm not sure how that whole mess is handled, but it seems prone to problems as well.

[peterjc]

Thanks @epruesse - this is more complicated than I appreciated.