cap_set_file not permitted on aufs storage driver only #6980

Closed
jakedt opened this Issue Jul 11, 2014 · 70 comments

Contributor

jakedt commented Jul 11, 2014

When running this minimal Dockerfile:

FROM centos
RUN yum install -y httpd mod_ssl

The following error occurs only when using the aufs storage driver:

Installing : httpd-2.4.6-17.el7.centos.1.x86_64                           8/9
Error unpacking rpm package httpd-2.4.6-17.el7.centos.1.x86_64

error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file

When running with the devicemapper driver the command succeeds successfully. The capabilities listed for the process are identical under both storage drivers and include CAP_SETFCAP and CAP_FOWNER which are listed by set_cap_file as requirements.

Here is the full list of capabilities which both processes have:

Capabilities for `11004': =ep cap_chown,cap_dac_override,cap_fowner,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_setfcap+i cap_dac_read_search,cap_fsetid,cap_linux_immutable,cap_net_broadcast,cap_net_admin,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_lease,cap_audit_write,cap_audit_control,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend-ep

tiborvass Jul 16, 2014

Collaborator

@jakedt Can you please paste the output of docker version and docker info ?

jakedt Jul 16, 2014

Contributor

Sure thing!

[sudo] password for jake: 
Client version: 1.1.1
Client API version: 1.13
Go version (client): go1.2.1
Git commit (client): bd609d2
Server version: 1.1.1
Server API version: 1.13
Go version (server): go1.2.1
Git commit (server): bd609d2
Containers: 5
Images: 356
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Dirs: 367
Execution Driver: native-0.2
Kernel Version: 3.13.0-24-generic
Debug mode (server): true
Debug mode (client): false
Fds: 10
Goroutines: 9
EventsListeners: 0
Init Path: /usr/bin/docker
Sockets: [unix:///var/run/docker.sock]
WARNING: No swap limit support

Of course the storage driver is just the one I happen to use by default.

Collaborator

tiborvass commented Jul 16, 2014

henning Jul 22, 2014

Contributor

This topic has already been blogged about (and from the blog post also communicated to the docker dev team): http://major.io/2014/03/26/docker-trusted-builds-and-fedora-20/ Meanwhile, I too am still searching for a way to install httpd on a centos based docker image... iputils (installed when you try to install the development package group) has the same issue.

shykes Jul 22, 2014

Collaborator

@henning feel free to contribute to the upstream docs, so that the wider Docker community can benefit.

henning Jul 22, 2014

Contributor

@shykes: not clear what you mean, but sure, as soon as I have a solution or a workaround I'll do so.
For now I'm still trying to understand what's going on.

henning Jul 23, 2014

Contributor

Some more research:

  • running docker with --privileged isn't helping, plus, the --privileged option is not available for the build command (maybe because it's running privileged anyway?)
  • there's another bug with the same symptom said to be fixed already: #5928
  • There's also some info on cap_set_file stuff in Linux - it might mean that the host OS kernel needs to be specifically compiled, so at least in my case running centos7 in a container on an Ubuntu host might not work? http://rglinuxtech.com/?p=140
  • Redhat Bugs related to cap_set_file:

Next thing I'll try is checking if there's any different behaviour when running docker on a centos7 host.

jamshid Jul 23, 2014

Contributor

Just encountered this, it is breaking my "FROM centos" Dockerfiles after upgrading to current boot2docker.

$ docker run -ti centos bash
bash-4.2# yum install -y java-1.7.0-openjdk
...
  Installing : iputils-20121221-6.el7.x86_64                              45/80 
Error unpacking rpm package iputils-20121221-6.el7.x86_64
error: unpacking of archive failed on file /usr/bin/ping: cpio: cap_set_file
  Installing : fontpackages-filesystem-1.44-8.el7.noarch                  46/80 
error: iputils-20121221-6.el7.x86_64: install failed
...
Failed:
  iputils.x86_64 0:20121221-6.el7                                               
Complete!

Not sure what the best fix is (using --privileged didn't help), so for now I changed my "FROM centos" to "FROM centos:centos6".

jaenswart Jul 25, 2014

same for me,

xorg-x11-fonts-Type1.noarch 0:7.5-9.el7

Failed:
iputils.x86_64 0:20121221-6.el7

Complete!
2014/07/25 16:02:54 The command [/bin/sh -c yum install -y java-1.7.0-openjdk which telnet unzip openssh-server sudo openssh-clients] returned a non-zero code: 1

crosbymichael Jul 25, 2014

Contributor

From looking into this it appears to be an AUFS specific bug which means fixing it requires patching AUFS and recompiling the kernel. I suggest using BTRFS or devicemapper instead because we really have nothing to change in docker to fix this issue.

@unclejack thoughts?

jgangemi Aug 8, 2014

I'm having the same issue as @jamshid and @jaenswart - could this be a bug in centos7 itself caused by a recent update? A co-worker didn't have this problem against a centos7 image from ~5-6 (maybe a little more/less) weeks ago but he now sees this after a 'docker pull centos'.

centos6 doesn't seem to exhibit this issue.

bruceadams Aug 30, 2014

I see no way around this problem when my host system is Ubuntu 14.04 (both physical and a VM). However it works fine in a CentOS 7 VM host system. So, doing the docker build on a CentOS 7 host is a workaround for this issue. (I just used a small DigitalOcean droplet for my build.)

I see the problem when doing a "yum update" in a CentOS 7 docker image, such as:

$ docker run -i -t --rm centos:centos7 /bin/bash
bash-4.2# yum update -y

I only see errors on Ubuntu host systems. The error messages (amidst a bunch of output from yum) are:

Error unpacking rpm package systemd-208-11.el7_0.2.x86_64
error: unpacking of archive failed on file /usr/bin/systemd-detect-virt: cpio: cap_set_file

Once I've created a CentOS 7 image on a CentOS 7 host system, I can use the image just fine on Ubuntu, so long as I don't need to do a further yum install of any problematic package.

omidraha Oct 1, 2014

I have the same problem; my host system is Linux debian 3.16-2-amd64 and my image is CentOS 7.

bash-4.2# yum install -y iputils

Running transaction
  Installing : iputils-20121221-6.el7.x86_64
Error unpacking rpm package iputils-20121221-6.el7.x86_64
error: unpacking of archive failed on file /usr/bin/ping: cpio: cap_set_file
  Verifying  : iputils-20121221-6.el7.x86_64

Failed:
  iputils.x86_64 0:20121221-6.el7 
bash-4.2# yum install -y systemd

Running transaction
  Updating   : systemd-208-11.el7_0.2.x86_64
Error unpacking rpm package systemd-208-11.el7_0.2.x86_64
error: unpacking of archive failed on file /usr/bin/systemd-detect-virt: cpio: cap_set_file
systemd-208-11.el7.x86_64 was supposed to be removed but is not!
  Verifying  : systemd-208-11.el7.x86_64
  Verifying  : systemd-208-11.el7_0.2.x86_64

Failed:
  systemd.x86_64 0:208-11.el7  systemd.x86_64 0:208-11.el7_0.2

metal3d Nov 12, 2014

@crosbymichael is right. AUFS is the problem. I had a "solution" (workaround) on debian and maybe ubuntu...

Export your images and/or containers (because they will be inaccessible unless you revert the following instructions)

service docker stop 

Open "/etc/default/docker" and set DOCKER_OPTS with

DOCKER_OPTS="-s devicemapper"

Then relaunch docker service

service docker start

Now Docker is using devicemapper and not AUFS, which should stop the complaints from yum and httpd (or other problems with cap_set_file).

I was able to retrieve my images and containers by removing the modification in /etc/default/docker and restarting the docker service. I guess that this modification can be dangerous, so please make backups of your images and containers before testing.

Now... who can manage this bug? The docker team? The AUFS team?

asinus666 Nov 20, 2014

I do see the same issue when trying to install httpd in a centos container though my docker runs using devicemapper as storage backend:

[root@30b87986efbd ~]# yum -y install httpd
[...]
Running transaction
Installing : httpd-2.4.6-18.el7.centos.x86_64 1/1
Error unpacking rpm package httpd-2.4.6-18.el7.centos.x86_64
error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file
Verifying : httpd-2.4.6-18.el7.centos.x86_64 1/1
[...]

breuerma@data ~ $ docker info
Containers: 39
Images: 305
Storage Driver: devicemapper
Pool Name: docker-8:1-1179116-pool
Pool Blocksize: 65.54 kB
Data file: /var/lib/docker/devicemapper/devicemapper/data
Metadata file: /var/lib/docker/devicemapper/devicemapper/metadata
Data Space Used: 12.8 GB
Data Space Total: 107.4 GB
Metadata Space Used: 16.54 MB
Metadata Space Total: 2.147 GB
Library Version: 1.02.77 (2012-10-15)
Execution Driver: native-0.2
Kernel Version: 3.17.3-data-8.1
Operating System:

breuerma@data ~ $ docker version
Client version: 1.3.1
Client API version: 1.15
Go version (client): go1.3.3
Git commit (client): 4e9bbfa
OS/Arch (client): linux/amd64
Server version: 1.3.1
Server API version: 1.15
Go version (server): go1.3.3
Git commit (server): 4e9bbfa

OS is gentoo.
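
A triage helper for the failure reported in this thread, added here as an example (it is not part of the original thread or of Docker). It pairs each `cpio: cap_set_file` error in saved yum output with the package rpm named before it, and reads the storage driver from saved `docker info` output; the function names, verdict strings and sample text (assembled from lines quoted in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage saved yum/rpm output for the cap_set_file failure.
# Function names, verdict strings and sample text are made up for this example.

# Print the driver named on the "Storage Driver:" line of `docker info` output.
storage_driver() {
    awk '/^Storage Driver:/ { print $3; exit }'
}

# Print "package<TAB>path" for each file whose unpack failed in cap_set_file.
# rpm names the package on one line and the file on a later one, and progress
# lines can land in between, so keep the last package seen until it is used.
capset_failures() {
    awk '
        /^Error unpacking rpm package / { pkg = $NF; next }
        /: cpio: cap_set_file/ {
            path = $0
            sub(/^.*failed on file /, "", path)
            sub(/: cpio: cap_set_file.*$/, "", path)
            name = (pkg == "") ? "unknown" : pkg
            print name "\t" path
            pkg = ""
        }
    '
}

# triage INFO_TEXT LOG_TEXT
# Prints one verdict line:
#   clean                     no cap_set_file failure in the log
#   match-aufs N              N failures and the daemon uses aufs
#   other-driver DRIVER N     N failures on a different (or unknown) driver
triage() {
    driver=$(printf '%s\n' "$1" | storage_driver)
    count=$(printf '%s\n' "$2" | capset_failures | awk 'END { print NR }')
    if [ "$count" -eq 0 ]; then
        echo "clean"
    elif [ "$driver" = "aufs" ]; then
        echo "match-aufs $count"
    else
        echo "other-driver ${driver:-unknown} $count"
    fi
}

# Sample input, assembled from output lines quoted in this thread.
SAMPLE_INFO_AUFS='Containers: 5
Images: 356
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
Kernel Version: 3.13.0-24-generic'

SAMPLE_INFO_DM='Containers: 39
Storage Driver: devicemapper
 Pool Name: docker-8:1-1179116-pool'

SAMPLE_LOG='  Installing : mailcap-2.1.41-2.el7.noarch 4/5
Error unpacking rpm package httpd-2.4.6-19.el7.centos.x86_64
  Installing : httpd-2.4.6-19.el7.centos.x86_64 5/5
error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file
  Installing : iputils-20121221-6.el7.x86_64 45/80
Error unpacking rpm package iputils-20121221-6.el7.x86_64
error: unpacking of archive failed on file /usr/bin/ping: cpio: cap_set_file
Complete!'

# Stand-alone run over the samples.
printf '%s\n' "$SAMPLE_LOG" | capset_failures
triage "$SAMPLE_INFO_AUFS" "$SAMPLE_LOG"
triage "$SAMPLE_INFO_DM" "$SAMPLE_LOG"
```

On a live host the two inputs would be `"$(docker info)"` and the captured build output; an `other-driver` verdict corresponds to the devicemapper report above, which the aufs explanation does not cover.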

fogfish Nov 23, 2014

I used to have the same issue but with librsvg2-tools. The problem was solved by removing all centos and re-creating app images from scratch.

metal3d Nov 24, 2014

The other solution I will use from now: not use Debian as host. My other server that is a CentOS server has no problem to use debian, centos or other images/containers + installation.

tianon Nov 24, 2014

Member

I use Debian + BTRFS, and it works swell. ;)

metal3d Nov 24, 2014

I feel the troll coming behind me ;)
BTRFS ok, but RAID support is not fully implemented and I don't know it enough to install it on my production servers without any risk.
At this time, I'm using LVM/ext4 with CentOS and everything is ok. That's not against Debian, but I have fewer problems and more solutions and knowledge on CentOS (and Fedora). Maybe one day I'll come back ;)

BTW: yes, I will deeply try BTRFS in next weeks

SvenDowideit Nov 27, 2014

Contributor

@metal3d you can also use devicemapper on debian - that way it's the same as your centos default.

metal3d Nov 27, 2014

@SvenDowideit This is exactly what I said 2 comments earlier ;) #issuecomment-62723470

On Thu Nov 27 2014 at 07:21:42, Sven Dowideit notifications@github.com wrote:

@metal3d https://github.com/metal3d you can also use devicemapper on
debian - that way its the same as your centos default.


SvenDowideit Nov 28, 2014

Contributor

@metal3d ah - that makes your comment in #6980 (comment) that your solution was not to use debian even more confusing.

metal3d Nov 28, 2014

Yes, my other comment was for @fogfish that removes the whole centos containers. That was for trolling ;) I consider that removing containers that use CentOS because Debian cannot use them is a worse solution than removing Debian host.
Yes, I don't like Debian :p (troll inside)

fogfish Nov 28, 2014

No trolling here :)

I have not met an issue with cap_set_file in production (container runs on top of AWS Linux, which is derived from CentOS) but cap_set_file has ruined my development environment. I am using Boot2Docker on MacOS, it uses CentOS as host. I've tried to build a container with librsvg2-tools. The container was derived from centos:latest. The build procedure failed for the same reason as described above.

The quick fix was to clean up the cache and remove all centos:latest images and all derived images from my dev env cache; after that the problem with cap_set_file magically disappeared once the latest centos was downloaded.

BTW, dev uses aufs but prod is dev-mapper. I guess dev-mapper is the way to address this issue like it was suggested.

metal3d Nov 28, 2014

@fogfish that was me who was trolling :) I was joking.
What I meant is that it's a pity to drop CentOS containers because of a Debian problem.
I understand your point of view and you are absolutely right.
Anyway, the problem should not appear using devicemapper or BTRFS, I will try to move my EXT4 partition to BTRFS tomorrow.
EDIT: I just understood that your host is CentOS... so it's not the same problem as mine
EDIT2: And now that I re-read your comments, I understand that you didn't drop CentOS: I really have to read twice - I'm not English

hwongcom Dec 3, 2014

Ok, I see the problem here as well. What's the solution again for CentOS 7? Are you guys saying switch to the slower dev-mapper? THAT'S a solution?!?!

Come on, how to solve this without switching to dev-mapper?

I need CentOS 7. Solutions please! Thanks!

jessfraz Dec 3, 2014

Contributor

overlayfs is being merged in Docker 1.4 and the 3.18 kernel, this would
also give you the opportunity to upgrade your kernel to something other
than a 2.6.x kernel.....

On Wed, Dec 3, 2014 at 2:06 AM, hwongcom notifications@github.com wrote:

Ok, I see the problem here as well. What's the solution again for CentOS
7? Are you guys saying switch to the slower dev-mapper? THAT'S a
solution?!?!

Come on, how to solve this without switching to dev-mapper?


cpuguy83 Dec 3, 2014

Contributor

Yes, from my understanding of the state of things, aufs issues aren't really being worked on by anyone. Our hope is in overlayfs, and subsequent backports to older kernels by the various distro vendors.

Also, devmapper may be slower (significantly so) but in terms of the performance of your actual containers you shouldn't see any issue.

SvenDowideit Dec 4, 2014

Contributor

we should add a little documentation to the cli.md list of storage driver pros&cons for this permissions issue.

hwongcom Dec 4, 2014

Ok I have the solution... actually switching from dev mapper and then switch back to default... the images after save and export and load still works as normal.


@SvenDowideit SvenDowideit self-assigned this Dec 5, 2014

markturansky Dec 18, 2014

FYI, this is still an issue on osx running the latest boot2docker.

I can run "yum -y install httpd" inside the container, but calling it from the Dockerfile fails with the same error described above. The Dockerfile works fine on linux (running Fedora20).

From the boot2docker readme: "Kernel 3.16.7 with AUFS, Docker v1.4.1 - using libcontainer"

testn Jan 13, 2015

Any updates on this? I tried to switch to use devicemapper which eliminates the problem. However, devicemapper is way slower than aufs. So I would like to see this fixed in aufs eventually.

ailjushkin Jan 19, 2015

@metal3d thank you, your solution works on ubuntu

Thorndike Jan 23, 2015

Problem still existing in the latest docker version:

==== docker version =====
Client version: 1.4.1
Client API version: 1.16
Go version (client): go1.3.3
Git commit (client): 5bc2ff8
OS/Arch (client): linux/amd64
Server version: 1.4.1
Server API version: 1.16
Go version (server): go1.3.3
Git commit (server): 5bc2ff8
===== docker info ====
Containers: 2
Images: 70
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Dirs: 74
Execution Driver: native-0.2
Kernel Version: 3.13.0-44-generic
Operating System: Ubuntu 14.04.1 LTS
CPUs: 8
Total Memory: 15.6 GiB
Name: PC10004846
ID: 5A67:DFNS:TJIG:MIY3:KHD4:EERC:Q5HD:T4FF:LTHU:LYUY:O4Z4:XYTN
WARNING: No swap limit support
==== failed ====
Running transaction
Installing : apr-1.4.8-3.el7.x86_64 1/5
Installing : apr-util-1.5.2-6.el7.x86_64 2/5
Installing : httpd-tools-2.4.6-19.el7.centos.x86_64 3/5
Installing : mailcap-2.1.41-2.el7.noarch 4/5
Error unpacking rpm package httpd-2.4.6-19.el7.centos.x86_64
Installing : httpd-2.4.6-19.el7.centos.x86_64 5/5
error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file
Verifying : mailcap-2.1.41-2.el7.noarch 1/5
Verifying : httpd-tools-2.4.6-19.el7.centos.x86_64 2/5
Verifying : apr-util-1.5.2-6.el7.x86_64 3/5
Verifying : apr-1.4.8-3.el7.x86_64 4/5
Verifying : httpd-2.4.6-19.el7.centos.x86_64 5/5

Dependency Installed:
apr.x86_64 0:1.4.8-3.el7 apr-util.x86_64 0:1.5.2-6.el7
httpd-tools.x86_64 0:2.4.6-19.el7.centos mailcap.noarch 0:2.1.41-2.el7

Failed:
httpd.x86_64 0:2.4.6-19.el7.centos

buley Aug 15, 2015

Happens with centos7 boxen building on continuous integration platforms circleci and shippable. For me the freshest working build is centos6.6.

weldpua2008 added a commit to weldpua2008/ansible-apache that referenced this issue Sep 12, 2015

weldpua2008 added a commit to weldpua2008/ansible-nginx that referenced this issue Sep 12, 2015

weldpua2008 added a commit to weldpua2008/ansible-php that referenced this issue Sep 12, 2015

namikingsoft added a commit to namikingsoft/docker-restyaboard that referenced this issue Oct 12, 2015

Change base image: `centos7` to `debian:wheezy` #3
similar issue
moby/moby#6980

and reduce docker image size

MBoretto Oct 20, 2015

I got this issue when trying to install wireshark on a fedora 22 container.
What can I do?

Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
warning: Unable to get systemd shutdown inhibition lock
Installing : wireshark-1.12.7-2.fc22.x86_64
Error unpacking rpm package wireshark-1.12.7-2.fc22.x86_64
error: unpacking of archive failed on file /usr/sbin/dumpcap;56269be8: cpio: cap_set_file

Docker version
Client:
Version: 1.8.2
API version: 1.20
Go version: go1.4.2
Git commit: 0a8c2e3
Built: Thu Sep 10 19:19:00 UTC 2015
OS/Arch: linux/amd64

Server:
Version: 1.8.2
API version: 1.20
Go version: go1.4.2
Git commit: 0a8c2e3
Built: Thu Sep 10 19:19:00 UTC 2015
OS/Arch: linux/amd64

docker info
Containers: 48
Images: 15
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 111
Dirperm1 Supported: false
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.13.0-37-generic
Operating System: Ubuntu 14.04 LTS
CPUs: 4
Total Memory: 7.705 GiB
Name: feinfren
ID: QXUH:OMU2:QZM3:62T2:CGTG:2RXE:QT7V:FXDQ:2IDW:Q4IH:JSAD:UR4W
WARNING: No swap limit support

Thorndike Oct 21, 2015

@MBoretto: What I have done is to use a computer with CentOS to build those images. Once built they are running on Ubuntu just fine.

fedya Oct 26, 2015

still valid for centos7
Containers: 2
Images: 22
Storage Driver: aufs
Root Dir: /var/cache/docker/aufs
Backing Filesystem: extfs
Dirs: 26
Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.1.3-nrjQL-desktop-3omv
Operating System: OpenMandriva Lx 2014.0 (Phosphorus)
CPUs: 8
Total Memory: 15.58 GiB
Name: localhost.localdomain
ID: COKL:J2ED:CDNE:NYZM:5ZR2:JMEW:73RD:MKKB:K7BD:I53Q:253G:3KB7
Username: fedya
Registry: https://index.docker.io/v1/
WARNING: No memory limit support
WARNING: No swap limit support

The-Judge Feb 9, 2016

This happens on Docker's own infrastructure, when using Automated Builds; see here for example. Changing the local Build Host or storage driver seems like a poor workaround, since it only enables one to build the image locally.

thaJeztah Feb 10, 2016

Member

@The-Judge have you contacted support@docker.com for that? Perhaps the support team for docker hub can look into that

matanster Feb 21, 2016

Same problem here so it seems (client version 1.10.1). Trying to get a grip of what's going on ―

What does it mean:

The following error occurs only when using the aufs storage driver

Doesn't docker use aufs by default?

Now, Docker is using devicemapper and not AUFS

― as per the workaround suggested above, what are the overall ramifications of switching docker to devicemapper?

thaJeztah Feb 21, 2016

Member

@matanster see the storage driver section of the docs for more in-depth information on the differences between drivers https://docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/

Nagoo Apr 13, 2016

+1 , centos:7 container on a ubuntu 15.10 host

martinsbalodis May 6, 2016

This problem isn't fixed in ubuntu 16.04.

ttroy50 May 7, 2016

I've also seen the problem building a centos:7 image on an ubuntu 16.04 host.

To use the devicemapper workaround on 16.04 you can do the following

systemctl stop docker

Edit /lib/systemd/system/docker.service to add -s devicemapper to the ExecStart command. See https://docs.docker.com/engine/admin/systemd/

reload the service file

systemctl daemon-reload

start docker

systemctl start docker
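
The steps in the comment above, scripted as an added example (not part of the thread and not Docker's own tooling). The function names, the constructed sample unit text and the assumption of a single-line ExecStart= are this example's own; the unit path and the -s devicemapper flag come from the comment.

```shell
#!/bin/sh
# Added example: the devicemapper workaround from the comment as functions.

# Constructed sample unit text (not copied from any real docker.service).
SAMPLE_UNIT='[Service]
Type=notify
ExecStart=/usr/bin/docker daemon -H fd://'

# Print the storage driver named in `docker info` output read from stdin.
storage_driver() {
    sed -n 's/^[[:space:]]*Storage Driver:[[:space:]]*//p' | head -n 1
}

# Append "-s devicemapper" to the ExecStart= line of a unit read from stdin.
# Lines that already select a driver are left alone, so a second run is a no-op.
# Assumption: ExecStart= sits on one line (no backslash continuation).
add_devicemapper_flag() {
    awk '
        /^ExecStart=/ && !/ (-s|--storage-driver)[ =]/ {
            print $0 " -s devicemapper"; next
        }
        { print }
    '
}

# The four steps from the comment; needs root and a systemd host.
apply_workaround() {
    unit=/lib/systemd/system/docker.service   # path given in the comment
    systemctl stop docker || return 1
    cp -p "$unit" "$unit.bak" || return 1     # keep the original for rollback
    add_devicemapper_flag < "$unit.bak" > "$unit" || return 1
    systemctl daemon-reload || return 1
    systemctl start docker || return 1
    # Confirm the daemon actually came up on the new driver.
    [ "$(docker info 2>/dev/null | storage_driver)" = devicemapper ]
}

# Run only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround
fi
```

Images and containers created under aufs are not visible to the daemon after the switch; they stay on disk under the aufs root directory.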

crashbit666 May 19, 2016

docker/hub-feedback#461 In this thread solves the problem

josdotso Aug 2, 2016

This issue went away for me when I upgraded to Ubuntu 16.04.1 and rebooted.
