Open liudonghua123 opened 5 years ago
This problem is related to the storage-driver bug, see https://github.com/moby/moby/issues/28391, https://github.com/moby/moby/issues/20240. Currently I can only change storage-driver to overlay; using the default aufs or the recommended overlay2 will break.
Have you tried updating to a newer version? 17.03 is over a year old and currently out of support.
@seemethere I have updated to the latest version 18.06.1-ce, build e68fc7a, but this problem still remains.
overlay2 will break
plz make sure docker info contains Supports d_type: true
@AkihiroSuda Hi, I can find Supports d_type: true contained in docker info, but it still did not work using aufs or overlay, maybe I should upgrade the kernel to 4.6 or above.
These are some info of my linux and docker.
ldh@ldh55:~$ uname -a
Linux ldh55.liudonghua.com 4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12 13:48:03 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
ldh@ldh55:~$
ldh@ldh55:~$
ldh@ldh55:~$ cat /etc/issue
Ubuntu 16.04.2 LTS \n \l
ldh@ldh55:~$ docker info
Containers: 20
Running: 11
Paused: 0
Stopped: 9
Images: 169
Server Version: 18.06.1-ce
Storage Driver: overlay
Backing Filesystem: extfs
Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-43-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 31.41GiB
Name: ldh55.liudonghua.com
ID: BK3U:E6HW:NWFC:A3HA:NHFZ:QANX:NURK:CZHI:5AAT:OFTH:Z5K4:OPQD
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: liudonghua123
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
http://fc54583c.m.daocloud.io/
Live Restore Enabled: false
WARNING: No swap limit support
ldh@ldh55:~$
ldh@ldh55:~$ docker -v
Docker version 18.06.1-ce, build e68fc7a
ldh@ldh55:~$
@liudonghua123 Hi, I finally got you here. Sorry for interrupting you in this issue, but I tried every way to get in touch with you, please take a look at liudonghua123/gatsby-remark-sequence#1. Thanks for your good job with that plugin, but it does not work now. I made a PR, please take a look. Sorry for this way of letting you know I am looking for you.
Big sorry and Big thanks for your great works.
Sorry for bumping this old issue, but today I also have the same. Any solution for the question marks for file permissions in containers? I'm on v19.03 on CentOS 7.
```
# docker -v
Docker version 19.03.3, build a872fc2f86
# docker-compose -v
docker-compose version 1.24.1, build 4667896b
```
Thanks.
@guitaro docker info?
Yes sorry, here is the output:
```
Client:
 Debug Mode: false
Server:
 Containers: 6
  Running: 4
  Paused: 0
  Stopped: 2
 Images: 14
 Server Version: 19.03.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-514.6.2.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 7.639GiB
 Name: vmw-odigo-paas-04
 ID: 5WG4:XZWI:RMVR:4GM6:RAZG:O4XE:MCOA:PK64:ZVZC:PW6R:3F2C:Z47Z
 Docker Root Dir: /appli/docker
 Debug Mode: true
  File Descriptors: 54
  Goroutines: 62
  System Time: 2019-10-16T09:40:49.516623703+02:00
  EventsListeners: 0
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```
@dmcgowan PTAL?
I got the same problem and my storage driver is overlay2.
I run on Fedora 30:
Linux 5.3.8-200.fc30.x86_64
With docker version 1.13.1, build 47e2230/1.13.1:
docker info
Containers: 15
Running: 2
Paused: 0
Stopped: 13
Images: 96
Server Version: 1.13.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: runc oci
Default Runtime: oci
Init Binary: /usr/libexec/docker/docker-init-current
containerd version: (expected: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1)
runc version: N/A (expected: 9df8b306d01f59d3a8029be411de015b7304dd8f)
init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
seccomp
WARNING: You're not using the default seccomp profile
Profile: /etc/docker/seccomp.json
selinux
Kernel Version: 5.3.8-200.fc30.x86_64
Operating System: Fedora 30 (Workstation Edition)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 4
Total Memory: 11.58 GiB
Name: %
ID: WL5N:W3LH:72MH:63MT:REKR:I6UI:2GH5:Z2KL:LZSD:Y6WQ:KEU7:JX3C
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: true
Registries: docker.io (secure), registry.fedoraproject.org (secure), quay.io (secure), registry.access.redhat.com (secure), registry.centos.org (secure), docker.io (secure)
1.13.1 is ancient and unsupported.
Soooo, my problem was caused because one of the 3 volumes was not mounted with the ":z" option and SELinux blocked the access to one of my files.
It's also happening on Docker version 19.03.7, build 7141c199a2.
In my case it's happening for a volume mounted with the shared flag.
docker info:
Client:
Debug Mode: false
Server:
Containers: 28
Running: 27
Paused: 0
Stopped: 1
Images: 99
Server Version: 19.03.7
Storage Driver: overlay2
Backing Filesystem: <unknown>
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-165-generic
Operating System: Ubuntu 16.04.6 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 5.824GiB
Name: 32642.hostserv.eu
ID: ULG6:F6GP:JJIN:2RM6:N53H:XIEJ:C2OL:Y57I:BZ72:JIRY:HDHQ:CJ3U
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Disabling selinux works for me.
Here is an image built with a small Dockerfile (see below) that demonstrates the problem:
docker run --rm -it runsascoded/docker-bug:debian
ls as non-root user gives erroneous Permission denied errors and returns lines like ?????????? ? ? ? ? ? dir. Performing the same ls once as root snaps the storage layer into correct behavior, and performing ls again as user works for the rest of the container's lifetime.
I also built a version on Alpine:
docker run --rm -it runsascoded/docker-bug:alpine
This time it omits the ?????????? ? ? ? ? ? dir line, but still shows Permission denied (and fails to display the /root/dir in question altogether).
@ryan-williams your case may be specific to aufs. I see you're running docker 18.06 (which reached EOL two years ago), and Ubuntu 14.04 (which also reached EOL); if possible, I'd recommend upgrading both, because both have unpatched vulnerabilities.
I have a similar problem to @ryan-williams.
An external volume is mounted to two containers, one Alpine and one Debian; on the second one, with a user which is not root (www-data), the file permissions and owners are listed with question marks (?????).
```
Client:
 Cloud integration: 1.0.17
 Version: 20.10.7
 API version: 1.41
 Go version: go1.16.4
 Git commit: f0df350
 Built: Wed Jun 2 11:56:23 2021
 OS/Arch: darwin/arm64
 Context: desktop-linux
 Experimental: true
Server: Docker Engine - Community
 Engine:
  Version: 20.10.7
  API version: 1.41 (minimum version 1.12)
  Go version: go1.13.15
  Git commit: b0f5bc3
  Built: Wed Jun 2 11:55:36 2021
  OS/Arch: linux/arm64
  Experimental: false
 containerd:
  Version: 1.4.6
  GitCommit: d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc:
  Version: 1.0.0-rc95
  GitCommit: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version: 0.19.0
  GitCommit: de40ad0
```
```
Client:
 Context: desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  compose: Docker Compose (Docker Inc., 2.0.0-beta.4)
  scan: Docker Scan (Docker Inc., v0.8.0)
Server:
 Containers: 4
  Running: 4
  Paused: 0
  Stopped: 0
 Images: 29
 Server Version: 20.10.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc version: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.10.25-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 1.928GiB
 Name: docker-desktop
 ID: MLSG:XYLE:2FO7:QFMO:UVEL:57LG:LSGS:4VXB:S6ZJ:4H24:LGOQ:NIGJ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```
@bozhidarc That can be expected; Linux may show ???? if it's unable to "stat" a directory / file (if it does not have permissions to read), see (e.g.) https://stackoverflow.com/a/541644/1811501
You can reproduce this in a container;
Build an image that has a directory, owned by root, with 0744 (drwxr--r--) permissions. The image has user 123:123 set as default user;
```
docker build -t foo -<<EOF
FROM debian
RUN mkdir /somedir && chmod 0744 /somedir
USER 123:123
CMD ls -lsa /somedir
EOF
```
Run a container from that image, and see it shows ???:
```
docker run --rm foo
ls: cannot access '/somedir/.': Permission denied
ls: cannot access '/somedir/..': Permission denied
total 0
? d????????? ? ? ? ? ? .
? d????????? ? ? ? ? ? ..
```
Run the container as root, and see that it shows the permissions normally:
```
docker run --rm --user root:root foo
total 8
4 drwxr--r-- 2 root root 4096 Jul 6 08:04 .
4 drwxr-xr-x 1 root root 4096 Jul 6 08:08 ..
```
Note that it depends on the container's base image how this case is presented. For example, doing the same with an alpine base image:
```
docker build -t foo -<<EOF
FROM alpine
RUN mkdir /somedir && chmod 0744 /somedir
USER 123:123
CMD ls -lsa /somedir
EOF
```
Then running the container does not show the question marks, but only the permission denied error:
```
docker run --rm foo
total 0
ls: /somedir/.: Permission denied
ls: /somedir/..: Permission denied
```
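The reproduction above hinges on a directory that grants the user read (r) but not search (x). As an added example (not from the thread or from Docker), this Python code predicts the `ls -l` outcome for a given uid/gid from the directory's classic mode bits; the names `class_bits`, `predict_ls`, `diagnose` and `demo` are hypothetical, and it assumes no ACLs, SELinux/AppArmor denials or extra capabilities are in play.

```python
import os
import shutil
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet (0-7) that the classic mode bits grant to uid/gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def predict_ls(st, uid, gids):
    """Predict `ls -l <dir>` for a user from the directory's stat result.

    'ok'           r and x: names are listed and every entry can be stat'ed
    'stat-denied'  r without x: names are listed, stat() on each entry fails
                   (the '?????????' rows / 'Permission denied' in the thread)
    'names-hidden' no r: the directory cannot be opened for listing at all
    """
    if uid == 0:
        return "ok"  # root passes mode-bit checks (CAP_DAC_OVERRIDE)
    bits = class_bits(st, uid, gids)
    if not bits & 4:
        return "names-hidden"
    return "ok" if bits & 1 else "stat-denied"

def diagnose(path, uid, gids):
    """Apply predict_ls to a real directory on disk."""
    return predict_ls(os.stat(path), uid, gids)

def demo(uid=123, gids=(123,)):
    """Constructed sample: empty directories with three modes, checked for
    123:123, the USER from the thread's Dockerfile."""
    base = tempfile.mkdtemp()
    try:
        results = {}
        for mode in (0o744, 0o755, 0o700):
            d = os.path.join(base, "dir%o" % mode)
            os.mkdir(d)
            os.chmod(d, mode)  # chmod after mkdir so umask cannot alter it
            results[oct(mode)] = diagnose(d, uid, gids)
        return results
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    print(demo())
```

If `diagnose` reports `ok` for a bind-mounted path but the container user still gets denials, the cause lies outside the mode bits, for example the SELinux label on a volume mounted without `:z`, as reported earlier in the thread.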
I wrote a Dockerfile, the last contents are
When I build this image, it gave me the following errors.
Expected behavior
Work as expected.
Actual behavior
Build failed
Steps to reproduce the behavior
My full Dockerfile with some debugging info is
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.)