IBM-Blockchain-Archive / ibm-blockchain-issues

Having issues with the IBM Blockchain Bluemix service? Let us know!

Permission denied error creating chaincode peer on ibmblockchain docker image - when used with composer #125

Open likepunk opened 6 years ago

likepunk commented 6 years ago

Hello,

I converted the sample network docker images from 'hyperledger' to 'ibmblockchain', and am now having an issue creating the peer chaincode container.

Is this a known issue? I am running HLFV11 and composer version 0.19.4 on x86...(latest docker ce 18.03.1)

I get the same error either through the CLI or composer-playground....it works perfectly with the Hyperledger docker images.

yongkook$ composer network start --networkName digitalproperty-network --networkVersion 0.2.3 --card PeerAdmin@hlfv1 -A admin -S adminpw -l INFO
Starting business network digitalproperty-network at version 0.2.3

Processing these Network Admins:
    userName: admin

✖ Starting business network definition. This may take a minute...
Error: Error trying to start business network. Error: No valid responses from any peers.
Response from attempted peer comms was an error: Error: 2 UNKNOWN: error starting container: Post http://unix.sock/containers/create?name=dev-peer0.org1.example.com-digitalproperty-network-0.2.3: dial unix /host/var/run/docker.sock: connect: permission denied
Command failed

Yongkook-Kims-MacBook-Pro:digitalproperty-app yongkook$ composer --version
v0.19.4

dhyey20 commented 6 years ago

The images that you are using run the peer process as a non-root user. That means that the non-root user needs to have permission to the docker.sock file. Changing the permissions on docker.sock on your host machine will solve the problem.

likepunk commented 6 years ago

@dhyey20 I understand the normal docker permission case, with usermod adding a group for docker, but this is a different issue, I think. Everything works fine with the Hyperledger-provided docker images, but when I change the pointer for the images to ibmblockchain, this simplest test case doesn't work. Is this by design?

Here's where I modified the pointer for the docker image in the 'docker-compose.yml' file.

  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    image: ibmblockchain/fabric-peer-$ARCH:1.1.0

which used to work w/o issues when it was:

  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    image: hyperledger/fabric-peer:$ARCH-1.1.0
    environment:

likepunk commented 6 years ago

I just noticed that the ibmblockchain docker peer starts with the command "/docker-entrypoint.sh peer node start", whereas the hyperledger docker peer starts only with the command "peer node start" ....why is it different?

Here's the docker-entrypoint.sh for the peer (I guess it's common for all ibmblockchain images):


Yongkook-Kims-MacBook-Pro:ibmblockchain yongkook$ docker exec -it  peer0.org1.example.com bash
root@f5cceb1298d4:/opt/gopath/src/github.com/hyperledger/fabric# cat /docker-entrypoint.sh 
#!/bin/bash

ORIGINAL_IFS=${IFS}
# save the args passed to docker-run
cmd=$@

GROUP_ID=${GROUP_ID:-198}
USER_ID=${USER_ID:-199}
USERNAME=${USERNAME:-fabric}

# check if user exists
_USER_ID=$(id -u ${USERNAME}) &> /dev/null
if [ "$?" == "0" ]; then
    :
    # echo "User ${USERNAME} already exists"
else
    # echo "Creating user ${USERNAME}"
    # make a new group and user
    groupadd -g ${GROUP_ID} -r ${USERNAME}
    useradd -g ${GROUP_ID} -u ${USER_ID} ${USERNAME}    
fi

chown -R ${USERNAME}:${USERNAME} /var/hyperledger/
chown -R ${USERNAME}:${USERNAME} /etc/hyperledger/

# set the env var to what is in the file
file_env() {
        local var=$(echo "$1" | sed 's/SECRET_//')
        eval "local fileVar=\${$1}"
        val=$(cat $fileVar)
        export "$var"="$val"
        unset fileVar
}

# getting list of all env vars with prefix SECRET_
SECRETS=$(printenv|grep SECRET_|awk -F= '{print $1}')

for SECRET in $SECRETS;do
  IFS="="
  set -- $SECRET
  file_env $1
done

IFS=${ORIGINAL_IFS}
cmd=${cmd#*sh -c }
su ${USERNAME} -c "$cmd"
#exec $cmd

dhyey20 commented 6 years ago

GROUP_ID=${GROUP_ID:-198}
USER_ID=${USER_ID:-199}
USERNAME=${USERNAME:-fabric}

These are the user/group ids that the peer image uses, so you can either pass one of the users from your host machine and give it proper docker.sock permissions, or you can use the default ones and give docker.sock 777 permission.

likepunk commented 6 years ago

Hi @dhyey20,
I still don't understand why the ibmblockchain image contains it while the original hyperledger container doesn't have it. Shouldn't both of them have the same properties so that users don't have to change permissions when switching back and forth? BTW, not sure if giving docker.sock permission 777 would be recommended practice for security or not. Why did IBM create this when the Hyperledger images don't have it?

mrshah-at-ibm commented 6 years ago

@likepunk as a lot of customers did not want to run any process (even inside the container) as root, we added the option to run the process as a user of the customer's choice.

As @dhyey20 mentioned,

  1. You can pass the user details and the script will run the script as a user, or
  2. You can give the permissions to a particular UID to docker socket file and run it.

likepunk commented 6 years ago

Thanks @mrshah-at-ibm - I understand it now. Was this change made from HLFV1? or V1.1?

Is there anything documented for method #1? I searched in both https://ibm-blockchain.github.io/ and dwAnswers for ibmblockchain, but nothing was mentioned about passing user details.

Even in ibm-blockchain.github.io (https://ibm-blockchain.github.io/ibmblockchainimages/), where it shows how to change the pointer to the ibmblockchain docker images from the hyperledger docker images, nothing was mentioned about setting the permissions for docker.sock or passing the user details. It looks like all the examples shown in the ibm description are copied from the hyperledger fabric examples, which will not work....I would think it would help users if it was documented in https://ibm-blockchain.github.io/ibmblockchainimages/

Thanks,

likepunk commented 6 years ago

BTW, making docker.sock 777 didn't work on MacOS (it worked on Ubuntu). Has this been tested with MacOS?

Looking for package.json of Business Network Definition
    Input directory: /Users/yongkook/ibmblockchain/composer-sample-applications/packages/digitalproperty-app/node_modules/digitalproperty-network

Found:
    Description: Digital Property Network
    Name: digitalproperty-network
    Identifier: digitalproperty-network@0.2.3

Written Business Network Definition Archive file to 
    Output file: digitalPropertyNetwork.bna

Command succeeded

composer network install --archiveFile ./digitalPropertyNetwork.bna --card PeerAdmin@hlfv1
✔ Installing business network. This may take a minute...
Successfully installed business network digitalproperty-network, version 0.2.3

Command succeeded

composer network start --networkName digitalproperty-network --networkVersion ${VERSION} --card PeerAdmin@hlfv1 -A admin -S adminpw -l INFO
Starting business network digitalproperty-network at version 0.2.3

Processing these Network Admins: 
    userName: admin

✖ Starting business network definition. This may take a minute...
Error: Error trying to start business network. Error: No valid responses from any peers.
Response from attempted peer comms was an error: Error: 2 UNKNOWN: error starting container: Post http://unix.sock/containers/create?name=dev-peer0.org1.example.com-digitalproperty-network-0.2.3: dial unix /host/var/run/docker.sock: connect: permission denied
Command failed

npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! digitalproperty-app@0.0.7 deployNetwork: `./deployNetwork.sh`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the digitalproperty-app@0.0.7 deployNetwork script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/yongkook/.npm/_logs/2018-05-11T04_25_22_466Z-debug.log
Yongkook-Kims-MacBook-Pro:digitalproperty-app yongkook$ ls -al /var/run/docker.sock
lrwxrwxrwx  1 root  daemon  61 May 10 11:07 /var/run/docker.sock -> /Users/yongkook/Library/Containers/com.docker.docker/Data/s60
Yongkook-Kims-MacBook-Pro:digitalproperty-app yongkook$ 

Yongkook-Kims-MacBook-Pro:digitalproperty-app yongkook$ ls -al /Users/yongkook/Library/Containers/com.docker.docker/Data/s60
srwxrwxrwx  1 yongkook  staff  0 May 10 11:07 /Users/yongkook/Library/Containers/com.docker.docker/Data/s60

likepunk commented 6 years ago

Also, method #1 works fine in Ubuntu, but in MacOS, the default group for the symbolically linked /var/run/docker.sock is gid 1 (daemon, but its linked file's group is staff, which is gid=20, which in the peer image is already occupied by dialout!).

I was not able to give proper user details to the peer...has anyone tried it within MacOS without creating any issues with changing the host id/gid (I am searching for an easier way to do it on MacOS without causing issues)?

The reason I am trying on both platforms is because it was shown in the following documentation as 'developer environment'.

https://ibm-blockchain.github.io/develop/installing/installing-prereqs.html

Thanks in advance,

Alex

likepunk commented 6 years ago

Just FYI - in case anyone has the same issue and is trying to pass the value, here's what I added to docker-compose.yml


  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    image: ibmblockchain/fabric-peer-$ARCH:1.1.0
    environment:
      - CORE_LOGGING_LEVEL=debug
      - CORE_CHAINCODE_LOGGING_LEVEL=DEBUG
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_PEER_ID=peer0.org1.example.com
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=composer_default
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peer/msp
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb:5984
      - USERNAME=(your userid)
      - USER_ID=1000
      - GROUP_ID=999

mrshah-at-ibm commented 6 years ago

Please follow "Setting Users and Groups in the containers" at https://ibm-blockchain.github.io/ibmblockchainimages/
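
An added example, not part of the thread or of IBM's images: a shell check for the choice discussed above between passing USER_ID/GROUP_ID to the entrypoint and opening docker.sock to everyone. It assumes standard Unix permission semantics and that the peer's user has only the primary group the entrypoint's useradd gives it; the function names and the sample socket ownership (0:999, mode 660) are constructed.

```bash
#!/bin/sh
# Added example, not from the thread. Connecting to a Unix socket needs
# write permission on the socket file, and the kernel consults exactly one
# permission class: owner if the UID matches, else group, else other.

# access_class MODE SOCK_UID SOCK_GID USER_ID GROUP_ID
# MODE is octal (e.g. 660). Prints root, owner, group, other or denied.
access_class() {
    ac_mode=$((0$1))                 # leading 0: parse the mode as octal
    if [ "$4" -eq 0 ]; then echo root; return 0; fi
    if [ "$4" -eq "$2" ]; then ac_bit=$((0200)); ac_hit=owner
    elif [ "$5" -eq "$3" ]; then ac_bit=$((0020)); ac_hit=group
    else ac_bit=$((0002)); ac_hit=other
    fi
    if [ $((ac_mode & ac_bit)) -ne 0 ]; then echo "$ac_hit"; else echo denied; fi
}

# sock_access PATH USER_ID GROUP_ID: the same check against a real file.
sock_access() {
    # GNU stat first, BSD/macOS stat as fallback; -L follows symlinks.
    sa_meta=$(stat -L -c '%a %u %g' "$1" 2>/dev/null) ||
        sa_meta=$(stat -L -f '%Lp %u %g' "$1" 2>/dev/null) || return 2
    # Unquoted on purpose: splits into mode, uid and gid.
    access_class $sa_meta "$2" "$3"
}

# advise PATH USER_ID GROUP_ID: verdict for the values handed to the peer.
advise() {
    case $(sock_access "$1" "$2" "$3") in
        owner|group) echo "ok: $2:$3 can use the socket as it is" ;;
        other) echo "warn: socket is world-writable" ;;
        root)  echo "warn: USER_ID 0 runs the peer as root" ;;
        *)     echo "fail: $2:$3 cannot open $1" ;;
    esac
}

# Constructed case: a socket owned by 0:999 with mode 660.
access_class 660 0 999 199 198     # entrypoint defaults -> denied
access_class 660 0 999 1000 999    # USER_ID/GROUP_ID from the thread -> group
access_class 777 0 999 199 198     # after chmod 777 -> other
# Against a real socket (path is an assumption):
# advise /var/run/docker.sock 1000 999
```

A result of `other` means the socket admits every local account, which is what the 777 route does; `group` or `owner` means the IDs passed to the entrypoint are enough without changing the socket's mode.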