python installation issues on docker snap #81
Comments
|
BTW once I did find where my daemon.json file was, I switched to using the vfs engine and did not have any further problems with python. But I think the issue should be fixed for overlay2. |
|
For now, you can work around this by using the vfs storage-driver instead:
|
|
Observing the same issue here |
|
The issue can be easily triggered with following command This seems to caused by the apparmor policy. Maybe this one? But I'm out of idea why the kernel doesn't use the path which is translated after overlayfs. |
Looks like it's indeed blocked by the snap apparmor. My guess is that the realChroot patch https://github.com/docker-snap/docker-snap/blob/8e57d1fdee6d4b31f9a2f389c6081451d8bd3191/dockerd-patches/snappy-real-chroot.patch#L9-L14 doesn't work now. Maybe it's broken since docker was split to containerd and runc? |
Updates canonical#81 Signed-off-by: Shengjing Zhu <shengjing.zhu@canonical.com>
This is simliar to patches/engine/snappy-real-chroot.patch. Fixes canonical#81 Signed-off-by: Shengjing Zhu <shengjing.zhu@canonical.com>
Updates canonical#81 Signed-off-by: Shengjing Zhu <shengjing.zhu@canonical.com>
This is simliar to patches/engine/snappy-real-chroot.patch. Fixes canonical#81 Signed-off-by: Shengjing Zhu <shengjing.zhu@canonical.com>
Updates canonical#81 Signed-off-by: Shengjing Zhu <shengjing.zhu@canonical.com>
|
Hmm, this issue doesn't present on ubuntu 20.04. So I fail to add a regression test in GitHub actions. |
|
It happens when I use 5.19 kernel (the HWE version) in Ubuntu 22.04. |
|
So I have a patch (#116) to workaround it. But it looks dangerous. After #116, Compared to the old behavior on kernel 5.15 (without the patch), @xnox do you have some thoughts wrt the kernel? |
|
In recent kernels there is overlay mitigations available so it should be possible to make this work. Will need to check this with apparmor maintainer |
|
So far I see it fails from Ubuntu kernel However I didn't find any working Debian kernel for this snap :/ (old versions fail with cgroup/bpf thing, new versions fail for this issue). So my guess is that the docker-snap only works with some Ubuntu specific overlayfs patches, which is lost since Ubuntu kernel 5.19. |
we do have some feature changes and regressions in overlayfs & shiftfs which both might be at play here. This is very much annoying. |
Fully confined snaps, and docker containers, look very similar. As moveroot/pivotroot/chroot is changed, and apparmor confinement applied. Yet confined snaps constantly try to write to .pyc files of the base snap, whereas docker containers are trying to write .pyc files inside hte docker container, and both are denied. Whilst former is undesired, the latter is very confusing. Attempt to address canonical/docker-snap#81 without disrupting intent of LP: #1496895
Fully confined snaps, and docker containers, look very similar. As moveroot/pivotroot/chroot is changed, and apparmor confinement applied. Yet confined snaps constantly try to write to .pyc files of the base snap, whereas docker containers are trying to write .pyc files inside the child docker containers... and yet both are denied. Whilst former is undesired, the latter is very confusing. Attempt to address canonical/docker-snap#81 without disrupting intent of LP: #1496895 Introduce a new inline template replacement for pycache deny rules (such that all existing snippet tests remain intact), and make docker-support interface suppress pycache deny rules.
Fully confined snaps, and docker containers, look very similar. As moveroot/pivotroot/chroot is changed, and apparmor confinement applied. Yet confined snaps constantly try to write to .pyc files of the base snap, whereas docker containers are trying to write .pyc files inside the child docker containers... and yet both are denied. Whilst former is undesired, the latter is very confusing. Attempt to address canonical/docker-snap#81 without disrupting intent of LP: #1496895 Introduce a new inline template replacement for pycache deny rules (such that all existing snippet tests remain intact), and make docker-support interface suppress pycache deny rules.
Fully confined snaps, and docker containers, look very similar. As moveroot/pivotroot/chroot is changed, and apparmor confinement applied. Yet confined snaps constantly try to write to .pyc files of the base snap, whereas docker containers are trying to write .pyc files inside the child docker containers... and yet both are denied. Whilst former is undesired, the latter is very confusing. Attempt to address canonical/docker-snap#81 without disrupting intent of LP: #1496895 Introduce a new inline template replacement for pycache deny rules (such that all existing snippet tests remain intact), and make docker-support interface suppress pycache deny rules.
Fully confined snaps, and docker containers, look very similar. As moveroot/pivotroot/chroot is changed, and apparmor confinement applied. Yet confined snaps constantly try to write to .pyc files of the base snap, whereas docker containers are trying to write .pyc files inside the child docker containers... and yet both are denied. Whilst former is undesired, the latter is very confusing. Attempt to address canonical/docker-snap#81 without disrupting intent of LP: #1496895 Introduce a new inline template replacement for pycache deny rules (such that all existing snippet tests remain intact), and make docker-support interface suppress pycache deny rules.
|
with snapd built with canonical/snapd#12822 this seems to work for me now. Waiting to see if snapd team will agree on the approach. |
* interfaces: Allow suppressing pycache deny rule Fully confined snaps, and docker containers, look very similar. As moveroot/pivotroot/chroot is changed, and apparmor confinement applied. Yet confined snaps constantly try to write to .pyc files of the base snap, whereas docker containers are trying to write .pyc files inside the child docker containers... and yet both are denied. Whilst former is undesired, the latter is very confusing. Attempt to address canonical/docker-snap#81 without disrupting intent of LP: #1496895 Introduce a new inline template replacement for pycache deny rules (such that all existing snippet tests remain intact), and make docker-support interface suppress pycache deny rules. * Fix comment typo --------- Co-authored-by: Michael Vogt <mvo@ubuntu.com>
* interfaces: Allow suppressing pycache deny rule Fully confined snaps, and docker containers, look very similar. As moveroot/pivotroot/chroot is changed, and apparmor confinement applied. Yet confined snaps constantly try to write to .pyc files of the base snap, whereas docker containers are trying to write .pyc files inside the child docker containers... and yet both are denied. Whilst former is undesired, the latter is very confusing. Attempt to address canonical/docker-snap#81 without disrupting intent of LP: #1496895 Introduce a new inline template replacement for pycache deny rules (such that all existing snippet tests remain intact), and make docker-support interface suppress pycache deny rules. * Fix comment typo --------- Co-authored-by: Michael Vogt <mvo@ubuntu.com>
Install docker snap and create an Ubuntu 22.10 container, and try to install python, you will get an error:
Setting up python3.10-minimal (3.10.7-1) ...
[Errno 13] Permission denied: '/usr/lib/python3.10/pycache/future.cpython-310.pyc.139786761293248'dpkg: error processing package python3.10-minimal (--configure):
installed python3.10-minimal package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
python3.10-minimal
E: Sub-process /usr/bin/dpkg returned an error code (1)
See
https://forums.docker.com/t/bug-on-apt-install-permission-denied/100196/6
for discussion. Apparently only a problem with the snap version.
The text was updated successfully, but these errors were encountered: