Open likepunk opened 6 years ago
The images that you are using run the peer process as a non-root user. That means that the non-root user needs to have permission to the docker.sock file. Changing the permissions on docker.sock on your host machine will solve the problem.
@dhyey20 I understand the normal docker permission case, with usermod adding the user to the docker group, but I think this is a different issue. Everything works fine with the Hyperledger-provided docker images, but when I change the pointer for the images to ibmblockchain, this simplest test case doesn't work. Is this by design?
Here's where I modified the pointer for the docker image in the 'docker-compose.yml' file.
```yaml
  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    image: ibmblockchain/fabric-peer-$ARCH:1.1.0
```
which used to work w/o issues when it was:
```yaml
  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    image: hyperledger/fabric-peer:$ARCH-1.1.0
    environment:
```
I just noticed that the ibmblockchain docker peer starts with the command "/docker-entrypoint.sh peer node start", whereas the hyperledger docker peer starts only with the command "peer node start". Why is it different?
Here's the docker-entrypoint.sh for the peer (I guess it's common for all ibmblockchain images):
```
Yongkook-Kims-MacBook-Pro:ibmblockchain yongkook$ docker exec -it peer0.org1.example.com bash
root@f5cceb1298d4:/opt/gopath/src/github.com/hyperledger/fabric# cat /docker-entrypoint.sh
#!/bin/bash
ORIGINAL_IFS=${IFS}
# save the args passed to docker-run
cmd=$@
GROUP_ID=${GROUP_ID:-198}
USER_ID=${USER_ID:-199}
USERNAME=${USERNAME:-fabric}
# check if user exists
_USER_ID=$(id -u ${USERNAME}) &> /dev/null
if [ "$?" == "0" ]; then
    :
    # echo "User ${USERNAME} already exists"
else
    # echo "Creating user ${USERNAME}"
    # make a new group and user
    groupadd -g ${GROUP_ID} -r ${USERNAME}
    useradd -g ${GROUP_ID} -u ${USER_ID} ${USERNAME}
fi
chown -R ${USERNAME}:${USERNAME} /var/hyperledger/
chown -R ${USERNAME}:${USERNAME} /etc/hyperledger/
# set the env var to what is in the file
file_env() {
    local var=$(echo "$1" | sed 's/SECRET_//')
    eval "local fileVar=\${$1}"
    val=$(cat $fileVar)
    export "$var"="$val"
    unset fileVar
}
# getting list of all env vars with prefix SECRET_
SECRETS=$(printenv|grep SECRET_|awk -F= '{print $1}')
for SECRET in $SECRETS;do
    IFS="="
    set -- $SECRET
    file_env $1
done
IFS=${ORIGINAL_IFS}
cmd=${cmd#*sh -c }
su ${USERNAME} -c "$cmd"
#exec $cmd
```
```
GROUP_ID=${GROUP_ID:-198}
USER_ID=${USER_ID:-199}
USERNAME=${USERNAME:-fabric}
```
These are the user/group ids that the peer image uses, so you can either pass one of the users from your host machine and give it proper docker.sock permissions, or you can use the default ones and give docker.sock 777 permission.
Hi @dhyey20,
I still don't understand why the ibmblockchain image contains it while the original hyperledger container doesn't have it. Shouldn't both of them have the same properties so that users don't have to change permissions when switching back and forth? BTW, I'm not sure whether giving docker.sock permission 777 would be recommended practice for security or not. Why did IBM create this when the Hyperledger images don't have it?
@likepunk As a lot of customers did not want to run any process (even inside the container) as root, we added the option to run the process as a user of the customer's choice.
As @dhyey20 mentioned,
Thanks @mrshah-at-ibm - I understand it now. Was this change made from HLFV1 or V1.1?
Is there anything documented for method #1? I searched in both https://ibm-blockchain.github.io/ and dwAnswers for ibmblockchain, but nothing was mentioned about passing user details.
Even in ibm-blockchain.github.io (https://ibm-blockchain.github.io/ibmblockchainimages/), where it shows how to change the pointer from the hyperledger docker images to the ibmblockchain docker images, nothing was mentioned about setting the permissions for docker.sock or passing the user details. It looks like all the examples shown in the IBM description are copied from the hyperledger fabric examples, which will not work. I would think it would help users if it was documented in https://ibm-blockchain.github.io/ibmblockchainimages/
Thanks,
BTW, making docker.sock 777 didn't work on MacOS (it worked on Ubuntu). Has this been tested with MacOS?
```
Looking for package.json of Business Network Definition
Input directory: /Users/yongkook/ibmblockchain/composer-sample-applications/packages/digitalproperty-app/node_modules/digitalproperty-network
Found:
Description: Digital Property Network
Name: digitalproperty-network
Identifier: digitalproperty-network@0.2.3
Written Business Network Definition Archive file to
Output file: digitalPropertyNetwork.bna
Command succeeded
composer network install --archiveFile ./digitalPropertyNetwork.bna --card PeerAdmin@hlfv1
✔ Installing business network. This may take a minute...
Successfully installed business network digitalproperty-network, version 0.2.3
Command succeeded
composer network start --networkName digitalproperty-network --networkVersion ${VERSION} --card PeerAdmin@hlfv1 -A admin -S adminpw -l INFO
Starting business network digitalproperty-network at version 0.2.3
Processing these Network Admins:
userName: admin
✖ Starting business network definition. This may take a minute...
Error: Error trying to start business network. Error: No valid responses from any peers.
Response from attempted peer comms was an error: Error: 2 UNKNOWN: error starting container: Post http://unix.sock/containers/create?name=dev-peer0.org1.example.com-digitalproperty-network-0.2.3: dial unix /host/var/run/docker.sock: connect: permission denied
Command failed
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! digitalproperty-app@0.0.7 deployNetwork: `./deployNetwork.sh`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the digitalproperty-app@0.0.7 deployNetwork script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/yongkook/.npm/_logs/2018-05-11T04_25_22_466Z-debug.log
Yongkook-Kims-MacBook-Pro:digitalproperty-app yongkook$ ls -al /var/run/docker.sock
lrwxrwxrwx 1 root daemon 61 May 10 11:07 /var/run/docker.sock -> /Users/yongkook/Library/Containers/com.docker.docker/Data/s60
Yongkook-Kims-MacBook-Pro:digitalproperty-app yongkook$
Yongkook-Kims-MacBook-Pro:digitalproperty-app yongkook$ ls -al /Users/yongkook/Library/Containers/com.docker.docker/Data/s60
srwxrwxrwx 1 yongkook staff 0 May 10 11:07 /Users/yongkook/Library/Containers/com.docker.docker/Data/s60
```
Also, method #1 works fine on Ubuntu, but on MacOS the group of the symbolic link /var/run/docker.sock is gid 1 (daemon), while the linked file's group is staff, gid=20, which in the peer image is already occupied by dialout!
I was not able to give proper user details to the peer. Has anyone tried it on MacOS without creating any issues from changing the host id/gid? (I am searching for an easier way to do it on MacOS without causing issues.)
The reason I am trying on both platforms is that it was shown in the following documentation as 'developer environment':
https://ibm-blockchain.github.io/develop/installing/installing-prereqs.html
Thanks in advance,
Alex
Just FYI - in case anyone has the same issue and is trying to pass the value, here's what I added to docker-compose.yml
```yaml
  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    image: ibmblockchain/fabric-peer-$ARCH:1.1.0
    environment:
      - CORE_LOGGING_LEVEL=debug
      - CORE_CHAINCODE_LOGGING_LEVEL=DEBUG
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_PEER_ID=peer0.org1.example.com
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=composer_default
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peer/msp
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb:5984
      - USERNAME=(your userid)
      - USER_ID=1000
      - GROUP_ID=999
```
Please follow "Setting Users and Groups in the containers" at https://ibm-blockchain.github.io/ibmblockchainimages/
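One way to pick the GROUP_ID value discussed above without making docker.sock world-writable, as an added example (not code from this thread or from the IBM images): read the socket's group and mode on the host, then check that GID against a copy of the image's /etc/group before passing it to the entrypoint. The function names and the sample group file are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: derive GROUP_ID for the entrypoint from docker.sock's own
# group instead of opening the socket to everyone with mode 777.

# Print "gid mode" for path $1, following symlinks (GNU stat or BSD/macOS stat).
sock_gid_mode() {
    if stat -c %g / >/dev/null 2>&1; then stat -L -c '%g %a' "$1" 2>/dev/null
    else stat -L -f '%g %Lp' "$1" 2>/dev/null; fi
}

# Succeed if octal mode $1 lets "other" write (for example 666 or 777).
world_writable() {
    case "${1#"${1%?}"}" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# Succeed if octal mode $1 gives the owning group read and write.
group_rw() {
    m=${1%?}    # drop the "other" digit; the group digit is now last
    case "${m#"${m%?}"}" in 6|7) return 0 ;; *) return 1 ;; esac
}

# Print the name of the group that already holds GID $1 in group file $2.
gid_owner() {
    awk -F: -v gid="$1" '$3 == gid { print $1; exit }' "$2"
}

# Print the compose "environment:" entry for socket $1, after checking the
# image's group file $2 (a copy of the image's /etc/group) for a taken GID.
peer_group_env() {
    gm=$(sock_gid_mode "$1") || { echo "cannot stat $1" >&2; return 2; }
    gid=${gm% *}; mode=${gm#* }
    if world_writable "$mode"; then
        echo "warning: $1 is world-writable (mode $mode)" >&2
    fi
    group_rw "$mode" || { echo "gid $gid lacks rw on $1 (mode $mode)" >&2; return 3; }
    taken=$(gid_owner "$gid" "$2")
    if [ -n "$taken" ]; then
        # groupadd -g rejects a GID that already exists unless -o is given
        echo "gid $gid is already group '$taken' in the image" >&2; return 4
    fi
    echo "      - GROUP_ID=$gid"
}

# Constructed sample of an image's /etc/group (dialout=20, as reported above).
IMAGE_GROUPS=$(mktemp)
printf '%s\n' 'root:x:0:' 'daemon:x:1:' 'dialout:x:20:' > "$IMAGE_GROUPS"
```

The entrypoint shown earlier only runs groupadd and useradd when USERNAME does not already exist in the image, so the GROUP_ID printed here takes effect only together with a USERNAME that is new to the image.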
Hello,
I converted the sample network docker images from 'hyperledger' to 'ibmblockchain', and now I have an issue creating the peer chaincode container.
Is this a known issue? I am running HLFV11 and composer version 0.19.4 on x86...(latest docker ce 18.03.1)
I get the same error either through the CLI or composer-playground. It works perfectly with the Hyperledger docker images.
```
yongkook$ composer network start --networkName digitalproperty-network --networkVersion 0.2.3 --card PeerAdmin@hlfv1 -A admin -S adminpw -l INFO
Starting business network digitalproperty-network at version 0.2.3
Processing these Network Admins:
userName: admin
✖ Starting business network definition. This may take a minute...
Yongkook-Kims-MacBook-Pro:digitalproperty-app yongkook$ composer --version
v0.19.4
```