Centos repos have version of Docker that cannot run init as default command

[dustalov]

I tried to run the latest rocker/rstudio image (6daa62cd59de) on Fedora 24 (x86_64) as described in the documentation. However, the server does not start due to some permission problems.

$ sudo docker run --rm -p 8787:8787 rocker/rstudio
[fix-attrs.d] applying owners & permissions fixes...
[fix-attrs.d] 00-runscripts: applying... 
[fix-attrs.d] 00-runscripts: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] conf: executing... 
[cont-init.d] conf: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
s6-supervise rstudio: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise rstudio: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise (child): fatal: unable to exec run: Permission denied
^Cs6-svscan: warning: unable to exec finish script .s6-svscan/finish: Permission denied
s6-svscan: warning: executing into .s6-svscan/crash
s6-svscan: fatal: unable to exec .s6-svscan/crash: Permission denied

Interestingly, when I tried to run the initialization script from the container, everything worked fine and RStudio opened successfully at http://localhost:8787/.

$ sudo docker run --rm -it -p 8787:8787 rocker/rstudio /bin/bash
root@f62dc1e639bf:/# /init
[fix-attrs.d] applying owners & permissions fixes...
[fix-attrs.d] 00-runscripts: applying... 
[fix-attrs.d] 00-runscripts: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] conf: executing... 
[cont-init.d] conf: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

This issue also replicates on CentOS 7.2 (x86_64). SELinux is enabled in both cases.

[cboettig]

Hmm, that's pretty strange. I usually work with Ubuntu images, but I just booted up and tested on a vanilla CenOS 7.2 x86_64 image with SELinux enabled and cannot reproduce the error though:

Confirm SELinux is on:

$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

After pulling the latest rocker/rstudio image (6daa62cd59de), here we go:

$ docker run --rm -p 8787:8787 rocker/rstudio
[fix-attrs.d] applying owners & permissions fixes...
[fix-attrs.d] 00-runscripts: applying... 
[fix-attrs.d] 00-runscripts: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] conf: executing... 
[cont-init.d] conf: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

Running Docker version 1.12.3, build 6b644ec with devicemapper (the default get.docker.com installs now).

Can't really debug if I can't reproduce. Really surprising it would fail automatically and work manually though.

Have you tried:

docker run --rm -p 8787:8787 rocker/rstudio /init

If that fails, you could also try running rstudio directly without s6 init system (though note this bypasses the configure script which sets things like custom passwords from the env vars:

docker run --rm -p 8787:8787 rocker/rstudio /etc/services.d/rstudio/run

Anyway, no idea what's going on but it doesn't seem to be due to CentOS / SELinux.

[dustalov]

Running the /init command does not help, but /etc/services.d/rstudio/run actually starts RStudio. Currently, I found a workaround by running /bin/bash -c /init.

I think the irreproducibility problem might be caused by using the Docker version from get.docker.com instead of one from the repositories. The extras repository is bundled with CentOS, while in Fedora the Docker package is shipped in the primary repository.

Name        : docker
Arch        : x86_64
Version     : 1.10.3
Release     : 46.el7.centos.14
Size        : 44 M
Repo        : installed
From repo   : extras

[cboettig]

Cool, sounds promising. Guess this suggests you might try updating to the latest version of docker from the official docker repo instead of the prepackaged centos one?

[paulstaab]

I encountered the same problem on Fedora 24, using docker from the official Fedora repos. I seems that the Red Hat folks have added some modifications if the entrypoint is called /init: https://bugzilla.redhat.com/show_bug.cgi?id=1375661 . I don't completely understand the reasoning behind this, but it seems to prevent RStudio Server from starting, throwing the errors in the first post.

I fixed this for me be renaming "/init" to something else.

[cboettig]

Given that the behavior of the Centos-packaged version of Docker is different from the official current release of Docker, I think the recommendation here is simply to upgrade Docker to the current release from the official docker repos (i.e. <get.docker.com>).

(note that init is the default CMD on the rstudio image, not the default ENTRYPOINT (which is unchanged).

[simw]

For reference, a workaround that works for me with the redhat docker packages is: add VOLUME ["/run"] in your Dockerfile, or add a '-v /run' to the docker run command, ie docker run -v /run ... .

See just-containers/s6-overlay#158 for the related S6 init system issue.

[cboettig]

@simw Thanks, using -v /run is a nice workaround for the Centos systems. I've added a note to the rocker wiki: https://github.com/rocker-org/rocker/wiki/Using-the-RStudio-image/53488f40a24d93df97f6322711ece5e91039b4f2 though maybe this issue thread is still easier to find than the comment in the wiki entry...

[gabx]

I agree that running -v /run will not solve anything. Btw, you need to tell two directories when you bind directories with the volume command.
A workable and clean solution is to log into the container and start manually rstudio-server

I experienced this issue with Fedora 29 Silverblue and the podman command. This issue is not solved at all.

[znmeb]

I'm also seeing it with podman on both Silverblue 29 and Arch. On the other hand, rocker/rstudio works without any hacks or volumes or logging in and starting manually with the distro-supplied Docker from both Arch and Silverblue 29, so unless the Rocker folks are willing to support podman I think we need to use Docker.

I can open an issue on libpodif their mission is to "run anything Docker will run", though. I'll run it by the Silverblue forum.