/var/atlas-probe/data Operation not permitted

Jamesits / docker-ripe-atlas

This is the RIPE Atlas software probe packaged as a Docker image.

https://hub.docker.com/r/jamesits/ripe-atlas

GNU General Public License v3.0

151 stars 22 forks source link

/var/atlas-probe/data Operation not permitted #2

Closed alexmorbo closed 4 years ago

alexmorbo commented 4 years ago

After fresh docker container install i have this at docker logs

...
chmod: changing permissions of '/var/atlas-probe/data': Operation not permitted
perd: in my_exit (exit was called!)
Aborted (core dumped)
eperd: in my_exit (exit was called!)
...

# ls -lah /var/atlas-probe/
total 16K
drwxr-xr-x  4 root            root   4,0K апр 28 13:15 .
drwxr-xr-x 15 root            root   4,0K апр 28 13:15 ..
drwxr-xr-x  2 systemd-resolve docker 4,0K апр 28 13:15 etc
drwxr-xr-x  2 systemd-resolve docker 4,0K апр 28 13:15 status

Maybe i need to set some permissions for directories after container start?

Jamesits commented 4 years ago

Please post the result of id systemd-resolve.

Jamesits commented 4 years ago

Also please confirm you are running the latest version of the docker container.

alexmorbo commented 4 years ago

Please post the result of id systemd-resolve.

# id systemd-resolve
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)

Also please confirm you are running the latest version of the docker container.

# docker inspect ripe-atlas | grep Image
        "Image": "sha256:be9b05992180be689480c93e34368fa5f84607627a76cf390ebff7f83cb78846",
            "Image": "jamesits/ripe-atlas:latest",

# docker pull jamesits/ripe-atlas:latest
latest: Pulling from jamesits/ripe-atlas
Digest: sha256:2c9bb108ff9ad3232cf82967b76872b501e158490fe4775f126225b9997297df
Status: Image is up to date for jamesits/ripe-atlas:latest
docker.io/jamesits/ripe-atlas:latest

Jamesits commented 4 years ago

hmm, this is strange. Do you have --cap-add=SYS_ADMIN --cap-add=CAP_NET_RAW --cap-add=CAP_CHOWN set during the creation of the container?

alexmorbo commented 4 years ago

Yep,

docker run --detach --restart=always \
    --cpus=1 --memory=64m --memory-reservation=64m \
    --cap-add=SYS_ADMIN --cap-add=CAP_NET_RAW --cap-add=CAP_CHOWN \
    --mount type=tmpfs,destination=/var/atlasdata,tmpfs-size=64M \
    -v /var/atlas-probe/etc:/var/atlas-probe/etc \
    -v /var/atlas-probe/status:/var/atlas-probe/status \
    -e RXTXRPT=yes \
    --name ripe-atlas --hostname "myfqdn.xyz" \
    jamesits/ripe-atlas:latest

btw, this probe comfirmed by ripe and works now

Jamesits commented 4 years ago

Looks strange to me. The container will try to fix file permissions every time it starts.

https://github.com/Jamesits/docker-ripe-atlas/blob/2392fe6d9af218239b32916bade739f460c19cd0/entrypoint.sh#L9-L15

alexmorbo commented 4 years ago

Yep inside container /var/atlas-probe has altas ids, except /var/atlasdata

# docker exec ripe-atlas ls -lah /var | grep atlas
drwxr-xr-x 1 atlas atlas 4.0K Apr 28 10:22 atlas-probe
drwxrwxrwx 5 root  root   100 Apr 28 10:22 atlasdata

Jamesits commented 4 years ago

/var/atlasdata is a tmpfs so it should have some 777 permission.

Jamesits commented 4 years ago

Is the Aborted (core dumped) thing still happening to you?

alexmorbo commented 4 years ago

Is the Aborted (core dumped) thing still happening to you?

Once at start


chmod: changing permissions of '/var/atlas-probe/data': Operation not permitted
perd: in my_exit (exit was called!)
Aborted (core dumped)
eperd: in my_exit (exit was called!)
Aborted (core dumped)

alexmorbo commented 4 years ago

Another probe approved and works fine with this alert at start. So i think everything fine :)

Jamesits commented 4 years ago

Sure, closing issue now :)