Call for testing of the docker snap


#21

Hi,

I followed the same steps I listed above to reproduce the problem:

$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete 
Digest: sha256:2557e3c07ed1e38f26e389462d03ed943586f744621577a99efb77324b0fe535
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:109: jailing process inside rootfs caused \\\"permission denied\\\"\"": unknown.
ERRO[0004] error waiting for container: context canceled 

The Apparmor syslog messages:

$ journalctl --no-pager -e -k | grep apparmor | grep -v kmod | grep snap.docker.dockerd
Jan 15 23:25:22 localhost kernel: audit: type=1400 audit(1547591122.578:23266): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.docker.dockerd" pid=24945 comm="apparmor_parser"
Jan 15 23:25:28 localhost kernel: audit: type=1400 audit(1547591128.486:23288): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.docker.dockerd" pid=25250 comm="apparmor_parser"
Jan 15 23:25:34 localhost kernel: audit: type=1400 audit(1547591134.559:23317): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.docker.dockerd" pid=25511 comm="apparmor_parser"
Jan 15 23:25:43 localhost kernel: audit: type=1400 audit(1547591143.047:23361): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="snap.docker.dockerd" name="docker-default" pid=25939 comm="apparmor_parser"
Jan 15 23:25:43 localhost kernel: audit: type=1400 audit(1547591143.415:23364): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="snap.docker.dockerd" name="docker-default" pid=26037 comm="apparmor_parser"
Jan 15 23:25:43 localhost kernel: audit: type=1400 audit(1547591143.887:23367): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="snap.docker.dockerd" name="docker-default" pid=26124 comm="apparmor_parser"
Jan 15 23:33:29 localhost kernel: audit: type=1400 audit(1547591609.053:23377): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="snap.docker.dockerd" name="docker-default" pid=945 comm="apparmor_parser"
Jan 15 23:33:41 localhost kernel: audit: type=1400 audit(1547591621.721:23387): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="snap.docker.dockerd" name="docker-default" pid=1275 comm="apparmor_parser"
Jan 15 23:33:42 localhost kernel: audit: type=1400 audit(1547591622.329:23392): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/@/var/snap/docker/common/var-lib-docker/overlay2/cdf26482d3545a13f95e18e82f13385a824d6cb0cfd789b95f9db1525f7c5108/diff/" pid=1307 comm="runc:[2:INIT]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

#22

Thanks for the output. The last denial is the culprit here, it seems. It’s very odd that the path that docker attempts to access is name="/@/var/snap/docker/common/var-lib-docker/overlay2/cdf26482d3545a13f95e18e82f13385a824d6cb0cfd789b95f9db1525f7c5108/diff/".
The filepath it should be using, and the one it has access to, is "/var/snap/docker/common/*". I’m not sure why that leading "/@" is there, but that’s why it got denied.

I’ll have to look into this more, but thanks for the info. I will post back if I’m able to figure out a fix for this or a workaround for you.


#23

I’m noticing the error="mkdir </...>: read-only file system" problem when I try to --volume mount when using the “docker-outside-of-docker” paradigm. In other words, I share two volumes with a container (a standard directory and the docker socket [/var/run/docker.sock]), then I share the standard directory as a volume into a subsequent container.

Interestingly, it HAS worked once or twice before, however it almost always fails. I know computers are deterministic, so I have no idea how this happens. I don’t think it is a race condition, but I imagine it is some form of statefulness.

There are others with a similar experience; the current recommendation from the internet is to uninstall the snap and install Docker natively. Perhaps you could do a side-by-side install and compare the difference?

I love the snap and I hate to move away from it.


#24

Snappy updated docker and I’m running into the same issue as @tk83:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:109: jailing process inside rootfs caused \\\"permission denied\\\"\"": unknown.

It has the same cause: AppArmor denies access to a path prefixed with /@.

I think the /@ prefix has something to do with btrfs because the btrfs subvolume is called @. I’m using overlay2 as storage driver and it does not happen with vfs. But overlay2 worked before the update.

Any ideas?
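An added example (not code from this thread or from the docker snap) for anyone triaging the journal output above: it parses the kernel AppArmor audit records, picks out the apparmor="DENIED" ones, and separates a denial whose path is the allowed "/var/snap/docker/common/" tree seen through a leading "/@" (the btrfs subvolume hypothesis from #24) from a denial of a path that is genuinely outside the profile's allowed prefix. The allowed prefix is taken from #22; the "/@" explanation is treated as an assumption; the first two sample lines are copied from #21 and the third is constructed to show the other class of denial.

```python
import re
from typing import Dict, List, Optional, Tuple

# Path the snap.docker.dockerd profile is said (post #22) to have access to.
ALLOWED_PREFIX = "/var/snap/docker/common/"
# Assumption from post #24: the leading "/@" is the name of the btrfs root
# subvolume, so the kernel resolves the same files under a prefixed path.
BTRFS_SUBVOL_PREFIX = "/@"

# First two lines copied from the journalctl output in post #21; the third is a
# constructed record showing a denial outside the allowed tree (not from the thread).
SAMPLE_LOG = """\
Jan 15 23:33:41 localhost kernel: audit: type=1400 audit(1547591621.721:23387): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="snap.docker.dockerd" name="docker-default" pid=1275 comm="apparmor_parser"
Jan 15 23:33:42 localhost kernel: audit: type=1400 audit(1547591622.329:23392): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/@/var/snap/docker/common/var-lib-docker/overlay2/cdf26482d3545a13f95e18e82f13385a824d6cb0cfd789b95f9db1525f7c5108/diff/" pid=1307 comm="runc:[2:INIT]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 15 23:33:43 localhost kernel: audit: type=1400 audit(1547591623.001:23395): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/home/user/project/" pid=1310 comm="runc:[2:INIT]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch>.<millis>:<serial>)
_AUDIT_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one kernel AppArmor audit line into a dict of its key=value fields.

    Returns None for lines that carry no AppArmor record at all.
    """
    if "apparmor=" not in line:
        return None
    fields: Dict[str, str] = {}
    m = _AUDIT_RE.search(line)
    if m:
        fields["timestamp"] = f"{m.group(1)}.{m.group(2)}"
        fields["serial"] = m.group(3)
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def classify_denial(fields: Dict[str, str]) -> Optional[str]:
    """Say why a DENIED record for the dockerd profile was refused.

    'subvolume-prefix'        -> allowed path, but reached via the "/@" subvolume name
    'inside-allowed-prefix'   -> path is under the allowed tree yet still denied
    'outside-allowed-prefix'  -> path is outside what the profile permits
    """
    if fields.get("apparmor") != "DENIED":
        return None
    path = fields.get("name", "")
    if path.startswith(BTRFS_SUBVOL_PREFIX + "/"):
        stripped = path[len(BTRFS_SUBVOL_PREFIX):]
        if stripped.startswith(ALLOWED_PREFIX):
            return "subvolume-prefix"
    if path.startswith(ALLOWED_PREFIX):
        return "inside-allowed-prefix"
    return "outside-allowed-prefix"


def find_denials(log_text: str) -> List[Tuple[Dict[str, str], str]]:
    """Return (fields, verdict) for every DENIED record in the journal text."""
    results = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields and fields.get("apparmor") == "DENIED":
            results.append((fields, classify_denial(fields)))
    return results


if __name__ == "__main__":
    # Usage: journalctl --no-pager -k | python3 this_script.py  (or run on the sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for fields, verdict in find_denials(text):
        print(f"{fields.get('serial')} {fields.get('comm')} "
              f"{fields.get('operation')} {fields.get('denied_mask')} "
              f"{fields.get('name')} -> {verdict}")
```

The verdict is the useful part: a 'subvolume-prefix' denial points at the profile's path rule not matching the path the kernel actually resolved, while an 'outside-allowed-prefix' denial (such as a bind-mounted host directory) is the profile working as written and needs a different fix.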