Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

D4M 17.04.0-ce-rc2-mac6 (16165): Volume labels no longer accepted in stack file #32579

Open
briantd opened this issue Apr 12, 2017 · 15 comments
Open

Comments

@briantd
Copy link

@briantd briantd commented Apr 12, 2017

Description
Docker stack deploy throws errors when encountering volume labels.
This error surfaced when I upgraded to 17.04.0-ce-rc2-mac6 (16165). Rolling back to stable fixes the problem. I've opened this issue in the D4M project, and they diagnosed it as a docker/docker issue.

docker stack deploy --with-registry-auth -c docker-compose.yml my_app
1 error(s) decoding:
invalid spec: /var/run/docker.sock:/var/run/docker.sock:z: unknown option: z

The previous version of Beta worked, as does the current version of Stable.
Version 17.03.1-ce-mac5 (16048)
Channel: stable
b18e2a50cc

Documentation still shows volume labels as a supported feature:
https://docs.docker.com/engine/tutorials/dockervolumes/#volume-labels

Steps to reproduce the issue:
The following docker command should be able to launch a stack with volumes that have volume labels

docker stack deploy -c docker-compose.yml my_app
e.g.

services:
  # Docker Swarm visualizer
  # See https://docs.docker.com/engine/tutorials/dockervolumes/#volume-labels for info on the ":z"
  viz:
    image: manomarks/visualizer
    ports:
      - 8081:8080
    networks:
      - jenkins-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:z
    deploy:
      placement:
        constraints: [node.role==manager]

Describe the results you received:
1 error(s) decoding:

invalid spec: /var/run/docker.sock:/var/run/docker.sock:z: unknown option: z

Describe the results you expected:
A successfully deployed stack

Additional information you deem important (e.g. issue happens only occasionally):

Issue raised in 2 other forums, I was directed to raise the issue here:
https://github.com/docker/editions/issues/1006
docker/for-mac#1519

Output of docker version:

Client:
 Version:      17.04.0-ce
 API version:  1.28
 Go version:   go1.7.5
 Git commit:   4845c56
 Built:        Wed Apr  5 06:06:36 2017
 OS/Arch:      darwin/amd64

Server:
 Version:      17.04.0-ce
 API version:  1.28 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   4845c56
 Built:        Tue Apr  4 00:37:25 2017
 OS/Arch:      linux/amd64
 Experimental: true

Output of docker info:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 17.04.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary:
containerd version: 422e31ce907fd9c3833a38d7b8fdd023e5a76e73
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.19-moby
Operating System: Alpine Linux v3.5
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 1.952GiB
Name: moby
ID: 2OCU:DGH2:6HS3:YPAB:LUEB:MZ7S:FUYZ:SVI6:R2FE:Z4EY:5LWQ:7VCR
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 16
 Goroutines: 26
 System Time: 2017-04-12T22:26:58.076470584Z
 EventsListeners: 1
No Proxy: *.local, 169.254/16
Registry: https://index.docker.io/v1/
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

briandonaldson@Br

Additional environment details (AWS, VirtualBox, physical, etc.):
OSX 10.12.4, Macbook Pro 15"

@vieux
Copy link
Contributor

@vieux vieux commented Apr 12, 2017

/cc @dnephin

Loading

@dnephin
Copy link
Member

@dnephin dnephin commented Apr 13, 2017

In previous versions there was no error, but they were being ignored. The swarm mode mount definition does not support these flags.

We could continue to ignore them, and warn they are being ignored, instead of returning an error.

Loading

@briantd
Copy link
Author

@briantd briantd commented Apr 13, 2017

Please continue to ignore, or better yet, ignore+warn; throwing an error breaks existing stack files.

Also, this behavior should be called out in the documentation. There's no mention of swarm-specific expectations:
https://docs.docker.com/engine/tutorials/dockervolumes/#volume-labels

Loading

@cpuguy83
Copy link
Member

@cpuguy83 cpuguy83 commented Apr 13, 2017

I'm pretty sure swarm mode supports these in "VolumeOptions"

Loading

@dnephin
Copy link
Member

@dnephin dnephin commented Apr 13, 2017

@cpuguy83 :z is different from a "dockers label" right? I see they're both being called "volume labels", but I thought they were different things.

I think VolumeOptions only has "docker labels"

Loading

@cpuguy83
Copy link
Member

@cpuguy83 cpuguy83 commented Apr 13, 2017

Oh yes, you are right. We don't support selinux relabeling in swarm mode.

Loading

@stevvooe
Copy link
Contributor

@stevvooe stevvooe commented May 10, 2017

Aren't these for bind propagation? Swarmkit handles them explicitly: https://github.com/docker/swarmkit/blob/master/agent/exec/dockerapi/container.go#L290.

Loading

@cpuguy83
Copy link
Member

@cpuguy83 cpuguy83 commented May 11, 2017

z and Z are for selinux.

Loading

@stevvooe
Copy link
Contributor

@stevvooe stevvooe commented May 11, 2017

@cpuguy83 We should almost just pass these through directly...

Loading

@cpuguy83
Copy link
Member

@cpuguy83 cpuguy83 commented May 11, 2017

@stevvooe It was a conscious decision to not support these at the time because it actually modifies the host path.

Loading

@briantd
Copy link
Author

@briantd briantd commented Jun 30, 2017

I recently updated my D4M and noticed the "invalid spec" error again.

$ docker version
Client:
 Version:      17.06.0-ce
 API version:  1.26 (downgraded from 1.30)
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:31:53 2017
 OS/Arch:      darwin/amd64

Loading

@AhmedAnwarM
Copy link

@AhmedAnwarM AhmedAnwarM commented Jan 28, 2021

I know this was 4 years ago, but I'm facing this issue now and looking for advise.
What is the best practice here? I am using docker swarm and I need to mount a volume for logs, config, etc.

Loading

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Jan 28, 2021

For config, use swarm configs: https://docs.docker.com/engine/swarm/configs/

For logs; make sure the container sends logs to stdout/stderr, so that they're captured by docker's logging drivers

Loading

@ducttapecoder-vt
Copy link

@ducttapecoder-vt ducttapecoder-vt commented Mar 1, 2021

@thaJeztah What is the best practice for larger non-config mounts (such as the TSDB for prometheus?) I generally prefer bind mounts to volumes due to the simplicity of working with them but it seems like it will be necessary to switch to a volume when working with persistent storage in docker swarm services.

@cpuguy83 Can you elaborate on the background of the decision not to support SELinux tags in services?

Loading

@cpuguy83
Copy link
Member

@cpuguy83 cpuguy83 commented Mar 1, 2021

@ducttapecoder-vt Because the settings are not namespaced. It happens on the host, directly to those files records.

What is the best practice here?

Set the selinux labels on the host.

Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
10 participants