Closed rajadain closed 5 years ago
I am worried that this issue is tied to the kernel running on Ubuntu 14.04. You can reproduce the failure within the virtual machine with the snippet below. No need to use Ansible as part of the feedback loop:
vagrant@app:~$ docker run node:8 yarn
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:297: copying bootstrap data to pipe caused \"write init-p: broken pipe\"": unknown.
Finally got to the bottom of this! Turns out it is in fact a kernel issue. There was a security patch release of Docker CE (18.6.2) at noon EST yesterday. From the release notes (https://docs.docker.com/engine/release-notes/#18092):
Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel
Our boxes are all running 3.13 kernels. Other users have noted that downgrading to Docker CE version 18.06.1~ce~3-0~ubuntu works around the problem. See: https://github.com/docker/for-linux/issues/591
Downgrading seems like the fastest fix, but I can't tell whether the CVE implies that this is insecure for our use-case: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
😞
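The version-versus-kernel reasoning in the comment above, turned into a preflight check. This is an added example written for this page, not code from the thread or the project. It assumes the CVE-2019-5736 fix is present from 18.06.2 and 18.09.2 onward and that every patched build carries the same 4.x kernel requirement as the quoted 18.09.2 note; the kernel and package version strings are constructed inputs, so nothing is queried from a live host.

```shell
#!/bin/sh
# Preflight check: will this Docker CE build start containers on this kernel,
# and does it carry the CVE-2019-5736 runc fix? Added example, not project code.

# vernum "18.06.1~ce~3-0~ubuntu" -> 18006001 (major*1000000 + minor*1000 + patch).
# Drops a Debian epoch ("5:") and any suffix such as "~ce~3-0~ubuntu" or "-143-generic".
vernum() {
    v=$(printf '%s' "$1" | sed 's/^[0-9][0-9]*://; s/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/')
    ma=$(printf '%s' "$v" | cut -d. -f1)
    mi=$(printf '%s' "$v" | cut -d. -f2)
    pa=$(printf '%s' "$v" | cut -d. -f3)
    # Strip leading zeros ("06" -> "6") so the shell does not parse them as octal.
    ma=$(printf '%s' "${ma:-0}" | sed 's/^0*\([0-9]\)/\1/')
    mi=$(printf '%s' "${mi:-0}" | sed 's/^0*\([0-9]\)/\1/')
    pa=$(printf '%s' "${pa:-0}" | sed 's/^0*\([0-9]\)/\1/')
    echo $(( ma * 1000000 + mi * 1000 + pa ))
}

# docker_patched VERSION: succeeds when the build includes the CVE-2019-5736 fix
# (assumption: 18.06.2+ in the 18.06 series, 18.09.2+ for everything newer).
docker_patched() {
    n=$(vernum "$1")
    if [ "$n" -ge "$(vernum 18.09.0)" ]; then
        [ "$n" -ge "$(vernum 18.09.2)" ]
    else
        [ "$n" -ge "$(vernum 18.06.2)" ]
    fi
}

# check_host KERNEL DOCKER_VERSION
#   returns 0: patched build on a 4.x+ kernel, containers start
#   returns 1: containers start, but the build predates the runc fix
#   returns 2: patched build, but the kernel is older than 4.x so containers will not start
check_host() {
    kernel_major=$(( $(vernum "$1") / 1000000 ))
    if docker_patched "$2"; then
        if [ "$kernel_major" -lt 4 ]; then
            echo "docker $2 is patched for CVE-2019-5736 but needs a 4.x kernel; host runs $1"
            return 2
        fi
        echo "ok: docker $2 on kernel $1"
        return 0
    fi
    echo "docker $2 predates the CVE-2019-5736 fix; containers start on $1 but runc is vulnerable"
    return 1
}

# On a real host: check_host "$(uname -r)" "$(dpkg-query -W -f='${Version}' docker-ce)"
```

A non-zero exit from check_host is meant to fail a provisioning run early, before the `docker run` error quoted at the top of the thread shows up.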
I think downgrading Docker should be OK since we’re really only using it to build a static bundle. The stuff in the CVE would still be possible because we don’t uninstall Docker, but there is no straightforward path for anyone to get to it.
It looks like the plan to uninstall Docker is at odds with the AMI build process. The Docker daemon configuration change queues up a service restart for the end of the Ansible run, but by that time the service no longer exists.
See: http://civicci01.internal.azavea.com/view/bees/job/bee-pollinator-app-and-worker/139/
Ugh, I was worried something in the build step would interfere with the Docker deinstall. Are you OK moving forward with leaving Docker installed on the AMI?
develop is failing with this during provisioning: Formatted error: