This repository has been archived by the owner on Jan 21, 2020. It is now read-only.

Error checking context on docker build #8

Closed
anweiss opened this issue Jun 6, 2017 · 14 comments

@anweiss

anweiss commented Jun 6, 2017

Running sudo docker build -t <image> . in the context of /home/$USER, but getting the following error (where $USER is the actual username):

Error checking context: 'can't stat '/home/$USER''.

Running the following Snap version:

Name        Version       Rev   Developer   Notes
docker      17.03.1-ce-1  120   docker-inc  -

Some more system details:

snap    2.24
snapd   2.24
series  16
kernel  4.4.0-1030-raspi2
@adglkh
Contributor

adglkh commented Jun 7, 2017

I'd say it's expected behavior.
In strict confinement mode, people only have read & write permission to access files owned by themselves, even after the home interface is connected (AppArmor rules applied).
If you put the Dockerfile under /home/$USER and run the docker build command with sudo, that indicates the "owner" of /home/$USER is root, but actually it's not. So you encountered the following "issue".

Error checking context: 'can't stat '/home/$USER''.

An AppArmor denial pops up in /var/log/syslog as well:

Jun 6 18:15:22 localhost kernel: [ 1084.250075] audit: type=1400 audit(1496772922.932:24): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/home/$USER/" pid=1835 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000

I would recommend either:
a) switching to the root user and creating a directory under $HOME, or
b) creating a directory under $HOME with sudo,
then putting a Dockerfile or docker-compose.yml in that folder.
With either a) or b), please make sure the owner of all files under the newly created directory is root.
Then docker build|compose will work for you.

Here are the steps to reproduce the above "issue" and run docker build in a proper way under the confinement mode.

gary-wzl77@localhost:~$ mkdir test1 
gary-wzl77@localhost:~$ cd test1/
gary-wzl77@localhost:~/test1$ cat > Dockerfile
FROM alpine
CMD echo "hello-world"
gary-wzl77@localhost:~/test1$ sudo docker build -t hello-world .
Error checking context: 'can't stat '/home/gary-wzl77/test1''.
gary-wzl77@localhost:~/test1$ ls -al
total 12
drwxrwxr-x  2 gary-wzl77 gary-wzl77 4096 Jun  6 18:14 .
drwxr-xr-x 15 gary-wzl77 gary-wzl77 4096 Jun  6 18:14 ..
-rw-rw-r--  1 gary-wzl77 gary-wzl77   35 Jun  6 18:14 Dockerfile
gary-wzl77@localhost:~/test1$ sudo chown root.root -R ../test1
gary-wzl77@localhost:~/test1$ ls -al
total 12
drwxrwxr-x  2 root       root       4096 Jun  6 18:14 .
drwxr-xr-x 15 gary-wzl77 gary-wzl77 4096 Jun  6 18:14 ..
-rw-rw-r--  1 root       root         35 Jun  6 18:14 Dockerfile
gary-wzl77@localhost:~/test1$ sudo docker build -t hello-world .
Sending build context to Docker daemon 2.048 kB
Step 1/2 : FROM alpine
 ---> a41a7446062d
Step 2/2 : CMD echo "hello-world"
 ---> Using cache
 ---> e78b8e69cbc0
Successfully built e78b8e69cbc0
gary-wzl77@localhost:~/test1$ sudo docker run -t hello-world
hello-world

gary-wzl77@localhost:~$ #or switch to root user
gary-wzl77@localhost:~$ sudo -s
root@localhost:~# mkdir test2
root@localhost:~# cd test2
root@localhost:~/test2# cat > Dockerfile
FROM alpine
CMD echo "hello-world"
root@localhost:~/test2# docker build -t hello-world-2 .
Sending build context to Docker daemon 2.048 kB
Step 1/2 : FROM alpine
 ---> a41a7446062d
Step 2/2 : CMD echo "hello-world"
 ---> Using cache
 ---> e78b8e69cbc0
Successfully built e78b8e69cbc0
root@localhost:~/test2# docker run -it hello-world-2
hello-world
root@localhost:~/test2# 

I hope this is helpful for you.

P.S.
1) If you run docker build or compose on Ubuntu Classic, you could add the login user to the docker group so that you won't need sudo for every docker command. https://github.com/docker/docker-snap/blob/master/bin/help#L9
2) If you run docker build or compose on Ubuntu Core 16, you have to follow the above suggestion to do that. The reason here is that you're not able to add the login user to a system group, even though the docker group is pre-shipped in the core image, since /etc/passwd and /etc/group are read-only for now.
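
The fsuid/ouid reading described in the comment above, as an added example that is not part of the original thread or the docker-snap project: a small triage script for AppArmor denial records. The function names and verdict labels are assumptions made for illustration; the first two sample lines are the denials quoted on this page, the third is constructed.

```python
import re

# Two denial lines quoted in this thread, plus one constructed non-audit line.
SAMPLE_LOG = """\
Jun 6 18:15:22 localhost kernel: [ 1084.250075] audit: type=1400 audit(1496772922.932:24): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/home/$USER/" pid=1835 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Jun 19 12:38:35 ZBook-Julien kernel: [ 3262.106348] audit: type=1400 audit(1529404715.486:56): apparmor="DENIED" operation="mkdir" profile="snap.docker.dockerd" name="/temp-docker-extract662270098/" pid=2690 comm="exe" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jun 6 18:15:23 localhost kernel: [ 1084.300000] usb 1-1: new device (constructed line)
"""

# key=value pairs; a value is either double-quoted or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED record, or None."""
    fields = {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def classify(fields):
    """Triage hint based on who acted (fsuid) and who owns the object (ouid).

    If the two differ, a rule restricted to the object's owner cannot match,
    which is the explanation given for the sudo case in this issue. If they
    are equal, ownership is not the reason: the profile does not grant the
    requested access to that path at all.
    """
    if "fsuid" not in fields or "ouid" not in fields:
        return "unknown"
    if fields["fsuid"] != fields["ouid"]:
        return "owner-mismatch"
    return "path-not-in-profile"


def triage(log_text):
    """Return one summary dict per denial found in log_text."""
    rows = []
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields:
            rows.append({"profile": fields.get("profile"),
                         "operation": fields.get("operation"),
                         "path": fields.get("name"),
                         "verdict": classify(fields)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

On a live system the same function can be fed the text of /var/log/syslog; an "owner-mismatch" row points at file ownership, while a "path-not-in-profile" row will not be resolved by changing ownership.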

@anweiss
Author

anweiss commented Jun 7, 2017

Worked great, thanks!

@weigoldh

I'm using a different approach.
I'm running docker build from within a docker container mapping the docker socket into the container.
You have to keep your source files in a subfolder under root. Map them into the container filesystem.

sudo docker run -ti --rm --name docker -v $(pwd)/source:/source -v /var/run/docker.sock:/var/run/docker.sock rpi-docker /bin/sh

I'm running Ubuntu Core 16.

@egeexyz

egeexyz commented Feb 20, 2018

This issue can be solved entirely by simply installing docker in devmode, like so: sudo snap install docker --devmode. I'm aware that this is an anti-pattern, however I do not find the workarounds suggested to be acceptable at all.

Also, it is worth pointing out that the instructions listed at the snapcraft site are wrong. Particularly, the section:

you need to place your dockerfile within $HOME.

Had absolutely no effect for me.

@LordOfRhun

Got it working using @egee-irl's answer! Thank you

@rickrain

rickrain commented May 11, 2018

Is this issue a result of installing docker using snap? I have a fresh ubuntu 18.04 LTS install and installed Docker using sudo snap install docker. In the past, I followed the installation instructions here and I didn't have these kinds of problems.

@wendreof

wendreof commented May 26, 2018

Here worked great, thanks!!!

@benyanke

benyanke commented Jun 7, 2018

Can confirm that placing the dockerfile within the homedir tree did not work. It seems the docker snap is broken.

@julien-montmartin

julien-montmartin commented Jun 19, 2018

Same kind of issues here with docker snap. Running the very simple

sudo docker run hello-world

Fails with error

docker: failed to register layer: ApplyLayer exit status 1 stdout: stderr: mkdir /temp-docker-extract662270098: permission denied.

Relevant line in /var/log/syslog

/var/log/syslog:Jun 19 12:38:35 ZBook-Julien kernel: [ 3262.106348] audit: type=1400 audit(1529404715.486:56): apparmor="DENIED" operation="mkdir" profile="snap.docker.dockerd" name="/temp-docker-extract662270098/" pid=2690 comm="exe" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

AppArmor denied?

@egee-irl's --devmode workaround did work for me.

Ubuntu Bionic packages at https://download.docker.com/linux/ubuntu/dists/bionic/stable/ are zero bytes long, so using snap with --devmode is really the least bad option I could find.

@andreiSenseutchiWork

Creating a UNIX group "docker" and adding the $USER has worked for me.
Here are the steps to follow:
https://docs.docker.com/install/linux/linux-postinstall/

@iamarkadyt

@adglkh, worked great, thanks!

@shubhampateliitm

@rickrain If you are using Docker on Ubuntu from snap, follow these steps.
To install the latest stable release of Docker CE using snap:

$ sudo snap install docker

If you are using Ubuntu Core 16,

Connect the docker:home plug as it's not auto-connected by default:

$ sudo snap connect docker:home

If you are using an alternative snap-compatible Linux distribution ("classic" in snap lingo), and would like to run docker as a normal user:

Create and join the docker group.

$ sudo addgroup --system docker
$ sudo adduser $USER docker
$ newgrp docker

You will also need to disable and re-enable the docker snap if you added the group while it was running.

$ sudo snap disable docker
$ sudo snap enable docker

anonymouse64 added a commit to anonymouse64/docker-snap that referenced this issue Sep 17, 2018
This allows root to read from non-root owned folders.
This specifically should fix docker-archive#8
@anonymouse64

anonymouse64 commented Sep 20, 2018

Hi folks, I've released a new version of the docker snap to edge and beta channels that uses a new feature with the home plug that allows root to read non-root files. You can try this out by refreshing the snap to the edge channel for testing:

sudo snap refresh docker --edge

And then attempt to build a Dockerfile owned by your user somewhere:

echo "FROM ubuntu:16.04" > Dockerfile
sudo docker build -t my-dockerfile-test .

And it should work.

Update:

Unfortunately use of this feature needs snap store approval. I've disabled it for now until we get it approved here: https://forum.snapcraft.io/t/auto-connection-for-home-interface-for-docker-snap/7502

Update 2:

This feature has been approved for use by the docker snap and is available in the edge and beta channels. You can try it out with the above. It should land into stable shortly.

@psftw
Contributor

psftw commented Nov 28, 2018

Closing all issues and pull requests since this repo is getting archived (see notice at the top of README).
