New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

failed to map segment from shared object error on start #1339

Closed
gregaumann opened this Issue Apr 24, 2015 · 23 comments

Comments

Projects
None yet
@gregaumann

gregaumann commented Apr 24, 2015

When I run docker-compose --version on a host with noexec set on /tmp I get the following error:
docker-compose: error while loading shared libraries: libz.so.1: failed to map segment from shared object: Operation not permitted

This is docker-compose version 1.2.0 running on Centos 6

A google search turned up the same error happening with another application and they attributed it to noexec being set on /tmp http://admin-ahead.com/portal/knowledgebase/4/error-while-loading-shared-libraries-libzso1-failed-to-map-segment-from-shared-object-Operation-not-permitted.html

This server has noexec set on /tmp and the error message is the same so I expect that is the cause. Trying to set TMP to another location without noexec didn't work.

@kevana

This comment has been minimized.

kevana commented May 8, 2015

Same issue,

Linux devdocker01 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

Client version: 1.5.0
Client API version: 1.17
Go version (client): go1.3.3
Git commit (client): a8a31ef/1.5.0
OS/Arch (client): linux/amd64
Server version: 1.5.0
Server API version: 1.17
Go version (server): go1.3.3
Git commit (server): a8a31ef/1.5.0

Containers: 98
Images: 892
Storage Driver: devicemapper
 Pool Name: docker-8:17-2097153-pool
 Pool Blocksize: 65.54 kB
 Backing Filesystem: extfs
 Data file: 
 Metadata file: 
 Data Space Used: 49.5 GB
 Data Space Total: 107.4 GB
 Metadata Space Used: 61.08 MB
 Metadata Space Total: 2.147 GB
 Udev Sync Supported: true
 Library Version: 1.02.89-RHEL6 (2014-09-01)
Execution Driver: native-0.2
Kernel Version: 2.6.32-504.16.2.el6.x86_64
Operating System: <unknown>
CPUs: 4
Total Memory: 31.35 GiB
Name: devdocker01
ID: ZXFF:IZ7S:IEWD:76ZV:B5WR:HWHI:G7WX:DD4T:YDYL:FPEG:D6SR:GSFU
Debug mode (server): false
Debug mode (client): true
Fds: 321
Goroutines: 200
EventsListeners: 0
Init SHA1: bd0359e86e0e97527aa6298afba8df863db179c8
Init Path: /usr/libexec/docker/dockerinit
Docker Root Dir: /var/lib/docker

How reproducible:

100%

Steps to Reproduce:

  1. download docker-compose 1.2.0
  2. $ docker-compose --version

Actual Results:

error while loading shared libraries: libz.so.1: failed to map segment from shared object: Operation not permitted

Expected Results:

docker-compose 1.2.0

Additional info:

This started when I upgraded to version 1.2.0 on RHEL 6.6 with noexec on /tmp
We got around the issue by setting TMP for 1.1.0, but it doesn't seem to work anymore

#!/bin/bash
TMP=/var/docker-compose-tmp
export TMP
/usr/local/bin/docker-compose-orig "$@"
@kevana

This comment has been minimized.

kevana commented May 8, 2015

Well, this is awkward, it turned out to be a permissions issue with /var/docker-compose-tmp. Happy Friday....

@alexzeitgeist

This comment has been minimized.

alexzeitgeist commented Jun 17, 2015

FWIW this issue is still prevalent in Docker 1.3.0 RC3, requiring /tmp to be exec.

@AndrewSwerlick

This comment has been minimized.

AndrewSwerlick commented Jul 11, 2015

This should probably be called out in documentation somewhere. Just got bit by the fact the this was configured differently on our staging and prod servers, so our new deployment workflow using compose failed in production.

@ChrisRut

This comment has been minimized.

ChrisRut commented Jul 14, 2015

Issue still prevalent in:

$ docker --version
Docker version 1.6.2, build 7c8fca2
$ docker-compose --version
docker-compose version: 1.3.2
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013

@kevana's work around using a wrapper script that exports a different TMP works for me

@KalleDK

This comment has been minimized.

Contributor

KalleDK commented Aug 20, 2015

If i manually do the export TMP to a new location it works with 1.4.0 RC3

@ChrisRut

This comment has been minimized.

ChrisRut commented Sep 9, 2015

Just upgraded, issue still prevalent in:

$ docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 786b29d
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d
OS/Arch (server): linux/amd64
$ docker-compose version
docker-compose version: 1.4.0
docker-py version: 1.3.1
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013

Still using @kevana's work around

@thjaeckle

This comment has been minimized.

thjaeckle commented Oct 30, 2015

Have the same issue on CentOS 6.7 with both compose version 1.4.2 and 1.5.0rc2 - unfortunately even the workaround doesn't work for me.
Any chances this will be fixed in the near future?

@dnephin

This comment has been minimized.

Contributor

dnephin commented Oct 30, 2015

I'd suggest using the workaround of setting a new temp directory (by setting TMPDIR I believe). There isn't much we can do about this. The installer need a place to extract and exec a file. The default place to do that type of operation on linux is /tmp. So either you set a different tmp, or you can't install using the binary.

Note there are other install options as well: https://github.com/docker/compose/blob/master/docs/install.md#alternative-install-options

@zerr0s

This comment has been minimized.

zerr0s commented Jan 21, 2016

Hi, same issue with centos 7. The workaround doesn't works. Any suggestion ?
Thanks.

docker-compose: error while loading shared libraries: libz.so.1: failed to map segment from shared object: Operation not permitted

@dnephin

This comment has been minimized.

Contributor

dnephin commented Jan 21, 2016

You can also remount /tmp to add exec permission I believe.

@sizrar

This comment has been minimized.

sizrar commented Mar 15, 2016

sudo mount /tmp -o remount,exec might do the trick, yes.

@RafPe

This comment has been minimized.

RafPe commented Mar 25, 2016

Workaround given by @dnephin worked for me on CentOs 7 with SELinux being disabled.

@Kostanos

This comment has been minimized.

Kostanos commented Jan 19, 2017

got error by trying Workaround by @dnephin @sizrar

root@fd24f6b228c7:~/app# mount /tmp -o remount,exec
mount: permission denied

@patakijv

This comment has been minimized.

patakijv commented Feb 4, 2017

@Kostanos It appears you are inside a container (from the root@fd24f6b228c7 prompt). The suggested command in this issue sudo mount /tmp -o remount,exec is for the host not inside a container.

@helmo

This comment has been minimized.

helmo commented Mar 31, 2017

Wouldn't it be possible to add a check early in the code to see if tmp is mounted with the exec option? A useful error message would save time ;)

@shin- shin- closed this Jul 6, 2017

@sunilposhala

This comment has been minimized.

sunilposhala commented Sep 26, 2017

Thank you so much , this worked for me.
$mount /tmp -o remount,exec

@ronnicek

This comment has been minimized.

ronnicek commented Nov 7, 2017

But mounting /tmp with exec is not so good for security :) (for example CIS need to have noexec on /tmp folder). And case was closed just.. like that without any word @shin- ?

@shin-

This comment has been minimized.

Member

shin- commented Nov 7, 2017

If executing inside the temp folder is not an option for you, you can always use the python package.

@ronnicek

This comment has been minimized.

ronnicek commented Nov 8, 2017

But I think that error message could be better ;-)

@dnephin

This comment has been minimized.

Contributor

dnephin commented Nov 8, 2017

Unfortunately the error is not from docker-compose. It comes from pyinstaller which is used to package it for the "single binary install" option, so the fix for the error message would need to be in pyinstaller.

To summarize the workarounds (for anyone else who hits this issue):

@vishalvsh1

This comment has been minimized.

vishalvsh1 commented Mar 7, 2018

Thanks @dnephin
we were in such environment where we do not have root access.
use the environment variable TMPDIR to point at a directory that has permission to execute files
worked for me.

@frederikbosch

This comment has been minimized.

frederikbosch commented Aug 22, 2018

  1. Move /usr/local/bin/docker-compose to /usr/local/bin/docker-compose-with-tmp
  2. Create /usr/local/bin/docker-compose with contents below.
  3. Execute chmod +x /usr/local/bin/docker-compose.
  4. Create a folder /srv/compose-tmp (or to your own choice, then also change below) and give it execute rights.
#!/bin/bash
export TMPDIR=/srv/compose-tmp
/usr/local/bin/docker-compose-with-tmp "$@"

Basically it is a proxy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment