Closed ericvn closed 1 year ago
With the release of 4.16, the warnings are now:
su-exec: setgroups(0): Operation not permitted
su-exec: setgroups(0): Operation not permitted
chmod: changing permissions of '/config-copy': Operation not permitted
su-exec: setgroups(0): Operation not permitted
su-exec: setgroups(0): Operation not permitted
cp: cannot stat '/config-copy/*': No such file or directory
Hi @ericvn, could share the command lines that creates those warning? I reproduced them with grpcfuse in lieu of virtiofs, so the cause is to be found elsewhere.
@fredericdalleau I agree that the messages also show up if I select gRPC or VirtioFS.
The easiest way to see these warnings is to git clone
our GitHub repository and then run a command there. Try doing a git clone git@github.com:istio/istio.git
(or similar command to get the repo). Then in the root directory, run a make clean
or make shell
which will leave you at a prompt inside the container).
@fredericdalleau I am also in the Docker Community Slack as @ericvn.
Looks to be related to the use of su-exec
with 4.16. With 4.15, even though docker run -u ...
was specified, su-exec 0:0 ls
would work within the shell. After updating to 4.16, the su-exec
now fails with a su-exec: setgroups(0): Operation not permitted.
If I remove the -u on the docker command, su-exec 0:0 works.
Docker issue on sudo, and seems related, issue with 4.16.0: https://github.com/docker/for-mac/issues/6675
su-exec related failure fixed in 4.16.1.
@fredericdalleau Not sure if I need to respond here as Wike sent a note that there is some question which I still haven't responded to.
Status: If you pull the latest istio/istio and try to recreate this on Docker for Mac Desktop 4.16.1, you will no longer see any errors if you are on the master branch.. This is because I updated the build-tools image to no longer copy the .sock files since the errors occurred in 4.15 and 4.16. Note that this work around hasn't been merged to our release branches, so if you checkout the release-1.16 branch for example, you will see the error (cp: lines below).
> gco release-1.16
Switched to branch 'release-1.16'
Your branch is up to date with 'upstream/release-1.16'.
~/work/go/src/istio.io/istio release-1.16 *1 ?7 git pull
> make clean
Unable to find image 'gcr.io/istio-testing/build-tools:release-1.16-2def55c63b1dcafc9f32045c77468c321a045e48' locally
release-1.16-2def55c63b1dcafc9f32045c77468c321a045e48: Pulling from istio-testing/build-tools
bf065bceb8fc: Already exists
...
Status: Downloaded newer image for gcr.io/istio-testing/build-tools:release-1.16-2def55c63b1dcafc9f32045c77468c321a045e48
cp: cannot stat '/config/.docker/run/docker.sock': No such file or directory
cp: cannot stat '/config/.docker/run/docker-cli-api.sock': No such file or directory
rm -rf /work/out/darwin_amd64 /work/out/linux_amd64
@ericvn thanks for keeping that branch live. The ~/.docker/run/docker.sock
from the host is not a valid file to use inside the VM. I see it is copied as part of your container startup procedure. Although those are visible in the directory listing, those are special files on the host, and cannot be used in the VM (This behavior can differ on native linux).
@fredericdalleau I'm not totally familiar on why things were setup this way, but I believe it has to do with running the docker
command within the build container. I would need to research again how the docker
cli finds the socket. I know that there was a change earlier related to a raw version of the file that affected some of our users.
I did find a solution where we do not try and copy the files to another directory, and that gets rid of the socket messages. It sounds like I need to update all the release branches to not copy the file, or just have people ignore the messages.
There hasn't been any activity on this issue for a long time.
If the problem is still relevant, mark the issue as fresh with a /remove-lifecycle stale
comment.
If not, this issue will be closed in 30 days.
Prevent issues from auto-closing with a /lifecycle frozen
comment.
/lifecycle stale
I did go back and test this again today. For the cases where the code was not updated to not try and copy the files to another directory, the socket messages still appear with Docker Desktop 4.18.0 (4.19.0 has another socket issue so have reverted back).
At this point, I don't expect that the issue will be fixed. I have a work-around and it doesn't sound like anyone else is worried about this problem.
I will close this issue since we do have a work-around.
Closed issues are locked after 30 days of inactivity. This helps our team focus on active issues.
If you have found a problem that seems similar to this, please open a new issue.
/lifecycle locked
Expected behavior
No warning messages starting our build-tools container
Actual behavior
I see two messages:
Information
Output of
/Applications/Docker.app/Contents/MacOS/com.docker.diagnose check
Steps to reproduce the behavior
make
are installed.make shell
. This should yield a shell prompt. It does for versions prior to 4.15, but with 4.15 and a later build mention in roadmap issue 7, I see the two messages above.