Permissioned Denied, Unable to install packages using Docker Build in CoreOS

redjar · March 14, 2022, 7:59pm

While running a simple docker build in CoreOS I am unable to install any packages. As seen below it won’t accept install commands and throws permission denied.

If I run docker run --privileged -it alpine bash I can update and install whatever I like. It seems that the privileged flag is required here for the DockerFile as well, except you can’t do that.

Anyone know of way to set privileged for the docker build command?

FROM alpine:latest
RUN apk update 

# Add needed directories
RUN mkdir -p /app /var/log/supervisor
# Add needed packages
RUN apk add --no-cache supervisor rsync

# Copy out config files
COPY supervisord.conf /app/supervisord.conf

# Add aplications to the supervisord.conf
ENTRYPOINT ["supervisord", "-n", "-c", "/app/supervisord.conf"]

The followin error is seen…

> docker rmi cron; docker build -t cron .
Error: No such image: cron
[+] Building 0.9s (8/9)
 => [internal] load build definition from Dockerfile                                                                                                                                                                                                                               0.0s
 => => transferring dockerfile: 441B                                                                                                                                                                                                                                               0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                                                                  0.0s
 => => transferring context: 2B                                                                                                                                                                                                                                                    0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                                                                                                                                                                   0.0s
 => [1/5] FROM docker.io/library/alpine:latest                                                                                                                                                                                                                                     0.0s
 => [internal] load build context                                                                                                                                                                                                                                                  0.0s
 => => transferring context: 97B                                                                                                                                                                                                                                                   0.0s
 => CACHED [2/5] RUN apk update                                                                                                                                                                                                                                                    0.0s
 => CACHED [3/5] RUN mkdir -p /app /var/log/supervisor                                                                                                                                                                                                                             0.0s
 => ERROR [4/5] RUN apk add --no-cache supervisor rsync                                                                                                                                                                                                                            0.8s
------
 > [4/5] RUN apk add --no-cache supervisor rsync:
#7 0.794 exec /bin/sh: permission denied
------
executor failed running [/bin/sh -c apk add --no-cache supervisor rsync]: exit code: 1

EDIT: Maybe this needs a bug report. I am thinking security is too heavy here and they (RHEL) in essence broke docker.

vwbusguy · March 14, 2022, 8:57pm

RHEL has nothing to do with this, especially since RHEL hasn’t even shipped docker since RHEL 7 (podman is the current default for Fedora, RHEL, and CentOS). Privileged shouldn’t matter here, but are you able to install this with docker run without --privileged. Also, is this running as root or regular user. I’m less familiar with docker than podman at this point, but if you’re not running as root, I’m wondering if you need to populate subuid/subgids?

redjar · March 14, 2022, 10:26pm

Sorry I meant RHEL to generically refer to CentOS, CoreOS, Fedora, etc. I know podman is the new default and had a suspicion that possibly docker could have more “bugs” or less testing as a result.

I have attempted building wtih root and my regular ‘core’ user. I am not able to install using “docker run” by itself, I have to use --privileged. If I do not I receive the following: sh: error while loading shared libraries: libc.so.6: cannot change memory protections. I believe I was able to install packages on an earlier version of CoreOS, but am not 100% on that.

Worth mentioning I have had to run a large number of my stacks/containers with privileged set to true. Which IMO kind of defeats the purpose of privileged, but it seems to be required.

This builds without issue on a separate server with host os Debian and Docker. It’s something having to do with CoreOS.

I was able to get around this by setting up a local registry and building on my debian box and pushing to the registry. In other words I have to have a separate box to build Dockfile’s, but hey at least I have a work around.

Thanks for the response!

redjar · March 22, 2022, 12:45pm

My suspicion here is because my Docker app directory is located on a different filesystem/disk CoreOS is throwing a fit. I can’t find anything that say this isn’t explicitly supported but I have a feeling this may be a possible cause. Maybe when docker tries to use a filesystem CoreOS isn’t comfortable with it requires sudo/root privs all the way down. IDK maybe in the future I will move the directory back to /var and symlink.

vwbusguy · March 22, 2022, 6:28pm

No idea. Back in RHEL 7, I used to mount a different filesystem to /var/lib/docker without issue and regularly do that now on my podman/cri systems to /var/lib/containers/storage. I haven’t needed to set --privileged everywhere on those systems. That said, I’ve only ever done cri-o on CoreOS and have never tried Docker engine on it.

redjar · March 22, 2022, 6:37pm

Thanks for the info, good to know you have alternate filesystems working with podman! Maybe it has to do with docker vs podman. Podman being more “compatible”. IDK.

vwbusguy · March 22, 2022, 6:51pm

Docker suffered from a number of issues. For a long time, it didn’t support cgroups2 or nftables (long after iptables had been deprecated) and rootless docker is still an emerging thing. I don’t know how to set this up on CoreOS, but if your heart is set on using Moby instead of podman or cri-o, I assume you alternatively should be able to run containerd in CoreOS, though that is more geared toward kubernetes workloads and you may find it a bit tedious if you’re just wanting to run containers on a standalone host.

redjar · April 7, 2022, 3:09pm

Yeah, I moved the root docker lib directory back over to/var/lib/docker, and many of my problems have gone away. CoreOS does not like having /var/lib/docker on a different disk.