Error checking context on docker build

[anweiss]

Running sudo docker build -t <image> . in the context of /home/$USER, but getting the following error (where $USER is the actual username):

Error checking context: 'can't stat '/home/$USER''.

Running the following Snap version:

Name        Version       Rev   Developer   Notes
docker      17.03.1-ce-1  120   docker-inc  -

Some more system details:

snap    2.24
snapd   2.24
series  16
kernel  4.4.0-1030-raspi2

[adglkh]

I'd say it's an expected behavior.
In strict confinement mode, people only have the read&writte permission to access files owned by himself even after home interface is connected(Apparmor rules applied).
If you put Dockerfile under /home/$USER and run docker build command with sudo, which indicates the "owner" of /home/$USER is root, but actaully it's not. So you encountered the following "issue".

Error checking context: 'can't stat '/home/$USER''.

An Apparmor denial popups in /var/log/syslog as well

Jun 6 18:15:22 localhost kernel: [ 1084.250075] audit: type=1400 audit(1496772922.932:24): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/home/$USER/" pid=1835 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000

I would recommend
a) switch to the root user, create a directory under $HOME.
b) create a directory under $HOME with sudo,
then put a Dockerfile or docker-compose.yml in that folder.
Either a) or b), please make sure the owner of all files under the newly created directory is root.
Then docker build|compose work for you.

Here are the steps to reproduce the above "issue" and run docker build in a proper way under the confinement mode.

gary-wzl77@localhost:~$ mkdir test1 
gary-wzl77@localhost:~$ cd test1/
gary-wzl77@localhost:~/test1$ cat > Dockerfile
FROM alpine
CMD echo "hello-world"
gary-wzl77@localhost:~/test1$ sudo docker build -t hello-world .
Error checking context: 'can't stat '/home/gary-wzl77/test1''.
gary-wzl77@localhost:~/test1$ ls -al
total 12
drwxrwxr-x  2 gary-wzl77 gary-wzl77 4096 Jun  6 18:14 .
drwxr-xr-x 15 gary-wzl77 gary-wzl77 4096 Jun  6 18:14 ..
-rw-rw-r--  1 gary-wzl77 gary-wzl77   35 Jun  6 18:14 Dockerfile
gary-wzl77@localhost:~/test1$ sudo chown root.root -R ../test1
gary-wzl77@localhost:~/test1$ ls -al
total 12
drwxrwxr-x  2 root       root       4096 Jun  6 18:14 .
drwxr-xr-x 15 gary-wzl77 gary-wzl77 4096 Jun  6 18:14 ..
-rw-rw-r--  1 root       root         35 Jun  6 18:14 Dockerfile
gary-wzl77@localhost:~/test1$ sudo docker build -t hello-world .
Sending build context to Docker daemon 2.048 kB
Step 1/2 : FROM alpine
 ---> a41a7446062d
Step 2/2 : CMD echo "hello-world"
 ---> Using cache
 ---> e78b8e69cbc0
Successfully built e78b8e69cbc0
gary-wzl77@localhost:~/test1$ sudo docker run -t hello-world
hello-world

gary-wzl77@localhost:~$ #or switch to root user
gary-wzl77@localhost:~$ sudo -s
root@localhost:~# mkdir test2
root@localhost:~# cd test2
root@localhost:~/test2# cat > Dockerfile
FROM alpine
CMD echo "hello-world"
root@localhost:~/test2# docker build -t hello-world-2 .
Sending build context to Docker daemon 2.048 kB
Step 1/2 : FROM alpine
 ---> a41a7446062d
Step 2/2 : CMD echo "hello-world"
 ---> Using cache
 ---> e78b8e69cbc0
Successfully built e78b8e69cbc0
root@localhost:~/test2# docker run -it hello-world-2
hello-world
root@localhost:~/test2# 

I hope this's helpful for you.

P.S
1). If you run docker build or compose on Ubuntu Classic, you could add the login user into docker group so that you won't need sudo for every docker command. https://github.com/docker/docker-snap/blob/master/bin/help#L9
2). If you run docker build or compose on Ubuntu Core 16, you have to follow above suggestion to do that. The reason here is that you're not able to add the login user into a system group even though docker group is pre-shipped in core image since /etc/passwd, /etc/group is read-only for now.

[anweiss]

Worked great, thanks!

[weigoldh]

I'm using a different approach.
I'm running docker build from within a docker container mapping the docker socket into the container.
You have to keep your source files in a subfolder under root. Map them into the container filesystem.

sudo docker run -ti --rm --name docker -v $(pwd)/source:/source -v /var/run/docker.sock:/var/run/docker.sock rpi-docker /bin/sh

Im running Ubuntu Core 16.

[egeexyz]

This issue can be solved entirely by simply installing docker in devmode, like so: sudo snap install docker --devmode. I'm aware that this is an anti-pattern, however I do not find the workarounds suggested to be acceptable at all.

Also, it is worth pointing out that the instructions listed at the snapcraft site are wrong. Particularly, the section:

you need to place your dockerfile within $HOME.

Had absolutely no effect for me.

[LordOfRhun]

got it working using @egee-irl answer ! thank you

[rickrain]

Is this issue a result of installing docker using snap? I have a fresh ubuntu 18.04 LTS install and installed Docker using sudo snap install docker. In the past, I followed the installation instructions here and I didn't have these kinds of problems.

[wendreof]

Here worked great, thanks!!!

[benyanke]

Can confirm that placing the dockerfile within the homedir tree did not work. It seems the docker snap is broken.

[julien-montmartin]

Same kind of issues here with docker snap. Running the very simple

sudo docker run hello-world

Fails with error

docker: failed to register layer: ApplyLayer exit status 1 stdout: stderr: mkdir /temp-docker-extract662270098: permission denied.

Relevant line in /var/log/syslog

/var/log/syslog:Jun 19 12:38:35 ZBook-Julien kernel: [ 3262.106348] audit: type=1400 audit(1529404715.486:56): apparmor="DENIED" operation="mkdir" profile="snap.docker.dockerd" name="/temp-docker-extract662270098/" pid=2690 comm="exe" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Apparmor denied ?

@egee-irl --devmode workaround did work for me.

Ubuntu Bionic packages at https://download.docker.com/linux/ubuntu/dists/bionic/stable/ are zero byte long, so using snap with --devmode is really the least bad option I could find.

[andreiSenseutchiWork]

Creating a UNIX GROUP "docker" and adding the $USER has worked for me.
here are the steps to follow:
https://docs.docker.com/install/linux/linux-postinstall/

[iamarkadyt]

@adglkh, worked great, thanks!

[shubhampateliitm]

@rickrain If you are using docker on ubuntu from snap follow.
To install the latest stable release of Docker CE using snap:

$ sudo snap install docker
If you are using Ubuntu Core 16,

Connect the docker:home plug as it's not auto-connected by default:

$ sudo snap connect docker:home
If you are using an alternative snap-compatible Linux distribution ("classic" in snap lingo), and would like to run docker as a normal user:

Create and join the docker group.

$ sudo addgroup --system docker
$ sudo adduser $USER docker
$ newgrp docker
You will also need to disable and re-enable the docker snap if you added the group while it was running.

$ sudo snap disable docker
$ sudo snap enable docker

[anonymouse64]

Hi folks, I've released a new version of the docker snap to edge and beta channels that uses a new feature with the home plug that allows root to read non-root files. You can try this out by refreshing the snap to the edge channel for testing:

sudo snap refresh docker --edge

And then attempt to build a Dockerfile owned by your user somewhere:

echo "FROM ubuntu:16.04" > Dockerfile
sudo docker build -t my-dockerfile-test .

And it should work.

Update:

Unfortunately use of this feature needs snap store approval. I've disabled it for now until we get it approved here: https://forum.snapcraft.io/t/auto-connection-for-home-interface-for-docker-snap/7502

Update 2:

This feature has been approved for use by the docker snap and is available in the edge and beta channels. You can try it out with the above. It should land into stable shortly.

[psftw]

Closing all issues and pull requests since this repo is getting archived (see notice at the top of README).