Open aymond opened 3 years ago
Looks like FANOTIFY isn't (fully) implemented in the linux version you have running on Windows. Supporting WSL on Windows is on the todo list though I'm still exploring demand for it. Not having a Windows machine to test it doesn't help either :-) Are you running WSL2? Do you have the latest possible version of the linux kernel installed?
Thanks. I also have an Ubuntu workstation, and there everything is working fine.
I installed the latest Microsoft standard kernel for WSL2, and still receive the same error. I will continue using native Ubuntu and wait for WSL2 to support fanotify
uname -r
5.4.91-microsoft-standard-WSL2
docker-slim build ...
cmd=build info=event.error status=received data=SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:43,File:github.com/docker-slim/docker-slim/internal/app/sensor/monitors/fanotify/monitor.go}}
Just to double check... what do you see when you run wsl -l -v
```
> wsl -l -v
  NAME                   STATE           VERSION
* Ubuntu-20.04           Running         2
  docker-desktop-data    Running         2
  docker-desktop         Running         2
  Ubuntu-18.04           Stopped         1
```
Hello, I seem to have the same error running docker-slim on mac os 12.1
docker-slim build sev2 I
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
cmd=build info=param.http.probe message='using default probe'
cmd=build state=started
cmd=build info=params target.type='image' target='sev2' continue.mode='probe' rt.as.user='true' keep.perms='true' tags=''
cmd=build state=image.inspection.start
cmd=build info=image id='sha256:43caf14b3756d0e9a4b987a86785ca1dedd40e6cb7809966e765d36521c1069d' size.bytes='2114762232' size.human='2.1 GB'
cmd=build info=image.stack id='sha256:28a4c88cdbbf27e06dc5dc6784504d6536e8678284d84dd7f88f95b2145d27b0' index='0' name='python:3.8.5'
cmd=build info=image.stack index='1' name='sev2:latest' id='sha256:43caf14b3756d0e9a4b987a86785ca1dedd40e6cb7809966e765d36521c1069d'
cmd=build state=image.inspection.done
cmd=build state=container.inspection.start
cmd=build info=container status='created' name='dockerslimk_3603_20220214080729' id='a1410867ed44b7ccbdd45a24d914059d0f3bd963ed0ece56b0cdb810f7bd82b5'
cmd=build info=cmd.startmonitor status='sent'
cmd=build info=event.error status='received' data='SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:43,File:github.com/docker-slim/docker-slim/pkg/app/sensor/monitors/fanotify/monitor.go}}'
cmd=build state=exited code=-124 component=container.inspector version=darwin|Transformer|1.37.3|latest|latest
Version
cmd=version info=app version='darwin|Transformer|1.37.3|latest|latest' container=false dsimage=false
cmd=version info=app outdated=false current=1.37.3 verdict='you have the latest version'
cmd=version info=app location='/usr/local/bin'
cmd=version info=host osname='other'
cmd=version info=host osbuild=21C52
cmd=version info=host version=' Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64'
cmd=version info=host release=21.2.0
cmd=version info=host sysname=darwin
cmd=version info=docker name=minikube
cmd=version info=docker kernel_version=4.19.202
cmd=version info=docker operating_system=Buildroot 2021.02.4
cmd=version info=docker ostype=linux
cmd=version info=docker server_version=20.10.8
cmd=version info=docker architecture=x86_64
cmd=version info=dclient api_version=1.41
cmd=version info=dclient min_api_version=1.12
cmd=version info=dclient build_time=2021-07-30T19:55:09.000000000+00:00
cmd=version info=dclient git_commit=75249d8
Same for me on MacOS 11.6.
Same here on MacOS 12.2.1
@al1p-R / @rafaribe / @matthewfischer are you guys using M1 by any chance?
I am not. I'm on a 2020 MBP core i5
Same problem on: MacBook Pro (16-inch, 2019) MacOS 12.3
thank you for sharing your env setup @bedzinsk ! will test with 12.3
+1 on Linux embedded arm device (imx7ulp) (on Linux computer works well)
~$ sudo docker-slim build 8d6193013d37
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
cmd=build info=param.http.probe message='using default probe'
cmd=build state=started
cmd=build info=params rt.as.user='true' keep.perms='true' tags='' target.type='image' target='8d6193013d37' continue.mode='probe'
cmd=build state=image.inspection.start
cmd=build info=image id='sha256:8d6193013d372ccc796596c38f8e684aacb1d652b40b110490c8ae4ec734a67e' size.bytes='53152705' size.human='53 MB'
cmd=build info=image.stack id='sha256:8d6193013d372ccc796596c38f8e684aacb1d652b40b110490c8ae4ec734a67e' index='0' name='erpc:76251b2'
cmd=build info=image.exposed_ports list='1883,8000'
cmd=build state=image.inspection.done
cmd=build state=container.inspection.start
cmd=build info=container id='3c1e06525c9529061e868942deba71e27808274573df1e8e7eb3a59f7a9c9466' status='created' name='dockerslimk_1893_20220804130130'
[ 2544.876151] docker0: port 4(veth71b6634) entered blocking state
[ 2544.882650] docker0: port 4(veth71b6634) entered disabled state
[ 2544.957603] device veth71b6634 entered promiscuous mode
[ 2553.163537] eth0: renamed from vethe02606c
[ 2553.245260] IPv6: ADDRCONF(NETDEV_CHANGE): veth71b6634: link becomes ready
[ 2553.257890] docker0: port 4(veth71b6634) entered blocking state
[ 2553.263906] docker0: port 4(veth71b6634) entered forwarding state
cmd=build info=container status='running' name='dockerslimk_1893_20220804130130' id='3c1e06525c9529061e868942deba71e27808274573df1e8e7eb3a59f7a9c9466'
cmd=build info=container message='obtained IP address' ip='172.17.0.5'
cmd=build info=cmd.startmonitor status='sent'
cmd=build info=event.error status='received' data='SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:47,File:github.com/docker-slim/docker-slim/pkg/app/sensor/monitors/fanotify/monitor.go}}'
cmd=build state=exited code=-124 version=linux|Transformer|1.37.6|26a36c88a94c677efd734e874ba081dabb84a224|2022-04-23_06:03:56AM component=container.inspector
cmd=build info=report file='slim.report.json'
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
same on M1 12.4
cmd=build info=cmd.startmonitor status='sent'
cmd=build info=event.error status='received' data='SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:47,File:github.com/docker-slim/docker-slim/pkg/app/sensor/monitors/fanotify/monitor.go}}'
cmd=build state=exited code=-124 version=darwin|Transformer|1.37.6-16-gb0122cd|b0122cdb56c4abe2384026a5ee92425ea93e38fd|2022-08-08_03:29:30PM component=container.inspector
cmd=build info=report file='slim.report.json'
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
@pavankumar-go What is the image you are trying to minify? Is this an arm64 container image? Usually you get this when there's no arm64 version and you end up with the amd64 version and the way those images are executed on M1 has limitations in terms of what system/kernel capabilities are available in the emulation mode they use.
@kcq the image has an arm64 build
docker run -it --entrypoint sh docker.io/REDACTED/test-ds:v2 -c "uname -m"
aarch64
10288 ◯ docker-slim build --target docker.io/REDACTED/test-ds:v2 --tag docker.io/REDACTED/test-ds:v3 --http-probe=false
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
cmd=build info=exec message='changing continue-after from probe to nothing because http-probe is disabled'
cmd=build info=exec message='changing continue-after to enter'
cmd=build state=started
cmd=build info=params keep.perms='true' tags='docker.io/REDACTED/test-ds:v3' target.type='image' target='docker.io/REDACTED/test-ds:v2' continue.mode='enter' rt.as.user='true'
cmd=build state=image.inspection.start
cmd=build info=image id='sha256:5bd92fcf394f83b573ee15abfd2facbba183dbcab426b9a39e9e0a8e932ad8bc' size.bytes='8926111' size.human='8.9 MB' architecture='arm64'
cmd=build info=image.stack index='0' name='REDACTED/test-ds:v2' id='sha256:5bd92fcf394f83b573ee15abfd2facbba183dbcab426b9a39e9e0a8e932ad8bc'
cmd=build state=image.inspection.done
cmd=build state=container.inspection.start
cmd=build info=container status='created' name='dockerslimk_78842_20220809053058' id='d6422fb7d17d1a4934efe4d673a94e89e7e7ea602b63c2eb5260d766a12db92d'
cmd=build info=container status='running' name='dockerslimk_78842_20220809053058' id='d6422fb7d17d1a4934efe4d673a94e89e7e7ea602b63c2eb5260d766a12db92d'
cmd=build info=container message='obtained IP address' ip='172.17.0.12'
cmd=build info=cmd.startmonitor status='sent'
cmd=build info=event.error status='received' data='SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:47,File:github.com/docker-slim/docker-slim/pkg/app/sensor/monitors/fanotify/monitor.go}}'
cmd=build state=exited code=-124 component=container.inspector version=darwin|Transformer|1.37.6-16-gb0122cd|b0122cdb56c4abe2384026a5ee92425ea93e38fd|2022-08-08_03:28:24PM
cmd=build info=report file='slim.report.json'
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
Facing the same problem. Checking the host device system, it seems that some distros like Alpine do not have fanotify support in the kernel by default (you can check with `cat /boot/config-<kernel_version> | grep FANOTIFY`), which leads to this error.
Currently my solution is to use an Ubuntu VM (or any other distro with fanotify) to run docker-slim.
Since docker-slim uses fanotify only to trace the files accessed, it might be possible to use inotify as a fallback replacement, which is more widely supported.
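The kernel-config check from the comment above, extended as an added example (not part of the thread or of docker-slim's code): it tells `CONFIG_FANOTIFY=y` apart from an explicit `is not set` and from a config that cannot be read, and looks in `/proc/config.gz` and `/lib/modules/<release>/config` as well as `/boot`. Containers share the kernel of the machine the Docker daemon runs on, so with Docker Desktop, minikube, colima or Rancher Desktop the kernel to check is the Linux VM's, not the macOS or Windows host's. The function names and sample configs are constructed for illustration, and the Docker variant assumes the `alpine` image is available and the kernel exposes `/proc/config.gz`.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a kernel was built
# with fanotify. All function names here are made up for illustration.

# Classify kernel config text read from stdin.
#   enabled   CONFIG_FANOTIFY=y
#   disabled  "# CONFIG_FANOTIFY is not set"
#   unknown   the option does not appear at all
fanotify_config_status() {
    awk '
        /^CONFIG_FANOTIFY=y$/            { state = "enabled" }
        /^# CONFIG_FANOTIFY is not set$/ { state = "disabled" }
        END { print (state == "" ? "unknown" : state) }
    '
}

# Print the running kernel's build config, trying the usual locations.
# Returns 1 when none is readable (common on minimal VM kernels).
kernel_config_text() {
    rel=$(uname -r)
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$rel" ]; then
        cat "/boot/config-$rel"
    elif [ -r "/lib/modules/$rel/config" ]; then
        cat "/lib/modules/$rel/config"
    else
        return 1
    fi
}

# Status for the kernel this shell runs on.
running_kernel_fanotify_status() {
    if cfg=$(kernel_config_text 2>/dev/null); then
        printf '%s\n' "$cfg" | fanotify_config_status
    else
        echo unknown
    fi
}

# Same check against the kernel the Docker daemon runs on. Assumes the
# "alpine" image can be pulled and that the kernel exposes /proc/config.gz
# (CONFIG_IKCONFIG_PROC); otherwise the answer is "unknown".
docker_kernel_fanotify_status() {
    if cfg=$(docker run --rm alpine zcat /proc/config.gz 2>/dev/null); then
        printf '%s\n' "$cfg" | fanotify_config_status
    else
        echo unknown
    fi
}

# Constructed sample configs, so the classifier can be tried offline.
SAMPLE_ENABLED='CONFIG_INOTIFY_USER=y
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y'
SAMPLE_DISABLED='CONFIG_INOTIFY_USER=y
# CONFIG_FANOTIFY is not set'

echo "sample with fanotify:    $(printf '%s\n' "$SAMPLE_ENABLED" | fanotify_config_status)"
echo "sample without fanotify: $(printf '%s\n' "$SAMPLE_DISABLED" | fanotify_config_status)"
echo "this machine's kernel:   $(running_kernel_fanotify_status)"
```

If the daemon's kernel reports `enabled` and the `function not implemented` error still appears, the kernel config is not the cause; the thread later traces one such case to a stale sensor volume.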
Happens e.g. when using Rancher Desktop (and I assume others too) on MacOS.
Disabling the fanotify data source is going to be the easiest route (inotify isn't quite the same). It's not exposed with a flag yet, but it should be possible.
Are you using M1? What's the architecture for the container?
No, on X86_64 with an X86 container.
Is there a resolution or mitigation for this issue? I am seeing this on my mac with intel chip. Docker service provider is provided by colima.
@kcq How to disable the `fanotify` data source and what's the implication or potential impact on the build? or this is just used for internal notification?
It will be possible to disable the fanotify source soon (WIP)
Hey @kcq, just wanted to check in on this as I'm hitting the same issue.
As a note, I was getting this same error, but it started working after I removed the existing sensor volume. I'm not sure why that made a difference, because there was only the one volume for the current Slim version.
This is with an M1 on MacOS 13.6.
@jimcottrell +1, THANK YOU. I was spending hours on this.
I was able to solve this on an M2 Mac OS 13.6 by removing the existing sensor volume.
I think what may have happened for me, is I was developing on my AMD64 Windows PC, got it to work there. Ported over to my ARM64 Mac, and tried to build with dslim/slim... this did not work, so I changed my script to leverage dslim/slim-arm when run on an ARM64 device. When I did this, I did not clear the volumes on my Mac, so when I pulled the changes, I think it reused the incompatible sensor volume. I am expecting many people may have done this?
I ended up going down a rabbit hole trying to containerize slim, and in so doing crossed a lot of difficulties. Got used to cleaning up volumes and deleting old containers to remove entropy and A/B test my way through this (this was one of my first times using docker to any real extent) I finally got it to work as a container, but was still getting the same error. Then I saw your comment, removed all volumes, containers, and ran docker system prune -f. Then I ran it and it worked.
@kcq I would have found it helpful if the documentation was more clear on the fact that I would need the following settings in a dockerized environment:

parameterizing the slim container:

```yaml
privileged: true
environment:
  - DOCKER_HOST=unix:///var/run/docker.sock
network_mode: "host"
volumes:
  - /var/run/docker.sock:/var/run/docker.sock
```

parameterizing the slim build command: (which is hinted at in the readme)

```
--sensor-ipc-mode=proxy
```

global parameter to the slim command (which is hinted at in the readme)

```
--in-container
```
But it may have just been a me being new to docker thing 🤣
Now, knowing this, I don't think I need containerized slim anymore, however I will put my code here maybe someone finds it useful.
For me, all that work was for 40kb as I already got my container down to 1.7mb without slim, but I am still happy, this was a journey. Unfortunately, go is bloated and I will have to rewrite my server in C or ASM to get to the size I need for my use case. Anyways.
here is my docker build script:
```js
const os = require('os');
const { spawn } = require('child_process'); // spawn runs docker and docker-compose below

// Build the application image ("graph") for the given platform, e.g. linux/amd64.
const buildDockerImage = (platform) => {
  return new Promise((resolve, reject) => {
    console.log(`Building Docker image for platform: ${platform}`);
    const build = spawn('docker', ['build', '--platform', platform, '-t', 'graph', '--build-arg', `TARGETPLATFORM=${platform}`, '.'], { stdio: 'inherit' });
    build.on('close', (code) => {
      if (code === 0) {
        resolve();
      } else {
        reject(new Error(`Docker build process exited with code ${code}`));
      }
    });
    build.on('error', (error) => {
      reject(new Error(`Failed to start Docker build process: ${error.message}`));
    });
  });
};

// Run slim as a container through docker-compose, feeding the compose file on stdin.
const slimDockerImage = (platform) => {
  return new Promise((resolve, reject) => {
    console.log(`Slimming Docker image for platform: ${platform}`);
    // Pick the slim image that matches the platform.
    const slimImage = platform === 'linux/amd64' ? 'dslim/slim:latest' : 'dslim/slim-arm';
    const composeFile = `
version: '3.8'
services:
  graph:
    build:
      context: .
      dockerfile: Dockerfile
    privileged: true
    ports:
      - "443:443"
    command: ./serve
  slim:
    image: ${slimImage}
    depends_on:
      - graph
    privileged: true
    network_mode: "host"
    environment:
      - DOCKER_HOST=unix:///var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: >
      slim --debug --in-container build
      --show-clogs
      --target graph
      --tag graph-slim
      --include-path=/prod
      --include-path=/src
      --include-path=/cert.pem
      --include-path=/favicon-16-6-0.webp
      --include-path=/key.pem
      --include-bin=/serve
      --sensor-ipc-mode=proxy
`;
    const slim = spawn('docker-compose', ['-f', '-', 'up'], { stdio: 'pipe' });
    slim.stdin.write(composeFile);
    slim.stdin.end();
    slim.stdout.on('data', (data) => {
      console.log(data.toString());
    });
    slim.stderr.on('data', (data) => {
      console.error(data.toString());
    });
    slim.on('close', (code) => {
      if (code === 0) {
        resolve();
      } else {
        reject(new Error(`DockerSlim process exited with code ${code}`));
      }
    });
    slim.on('error', (error) => {
      reject(new Error(`Failed to start DockerSlim process: ${error.message}`));
    });
  });
};

const main = async () => {
  try {
    // Map the Node.js architecture name to the Docker platform name.
    const arch = os.arch() === 'x64' ? 'amd64' : 'arm64';
    const platform = `linux/${arch}`;
    await buildDockerImage(platform);
    console.log("Docker image built successfully");
    await slimDockerImage(platform);
    console.log(`Docker build and slim process completed successfully for platform: ${platform}`);
  } catch (error) {
    console.error(`Failed to complete the Docker build and slim process for platform: ${os.platform()} ${os.arch()}:`, error);
  }
};

main();
```
my docker run script:
```js
const { spawn } = require('child_process');

const runDockerContainer = () => {
  const run = spawn('docker', ['run', '-p', '443:443', 'graph-slim'], { stdio: 'inherit' });
  run.on('close', (code) => {
    if (code !== 0) {
      console.error(`Docker run process exited with code ${code}`);
    }
  });
  run.on('error', (error) => {
    console.error(`Failed to start Docker run process: ${error.message}`);
  });
};

runDockerContainer();
```
my Dockerfile:
```dockerfile
FROM node:20 as build
ARG TARGETPLATFORM
ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64
ENV PATH=$JAVA_HOME/bin:$PATH

# Install dependencies
RUN apt-get update && apt-get install -y \
    curl \
    wget \
    gnupg \
    openssl \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Install OpenJDK based on platform
RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
        wget https://download.oracle.com/java/21/archive/jdk-21.0.2_linux-x64_bin.deb -O /tmp/openjdk-21_linux-x64_bin.deb && \
        apt-get update && \
        apt-get install -y /tmp/openjdk-21_linux-x64_bin.deb && \
        rm /tmp/openjdk-21_linux-x64_bin.deb; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
        wget https://download.oracle.com/java/21/archive/jdk-21.0.2_linux-aarch64_bin.tar.gz -O /tmp/openjdk-21_linux-aarch64_bin.tar.gz && \
        tar -xzf /tmp/openjdk-21_linux-aarch64_bin.tar.gz -C /opt && \
        rm /tmp/openjdk-21_linux-aarch64_bin.tar.gz && \
        ln -s /opt/jdk-21.0.2/bin/* /usr/local/bin/; \
    else \
        echo "Unsupported platform: $TARGETPLATFORM"; exit 1; \
    fi

RUN curl -L https://github.com/microsoft/TypeScript/releases/download/v4.7.4/typescript-4.7.4.tgz | tar -xz && \
    mv package tsc && \
    ln -s /tsc/bin/tsc /usr/local/bin/tsc

# Generate SSL certificates
RUN openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=localhost"

COPY . .
WORKDIR /prod
RUN curl -L https://repo1.maven.org/maven2/com/google/javascript/closure-compiler/v20240317/closure-compiler-v20240317.jar -o closure-compiler-v20240317.jar
RUN node compile.js

# Remove unnecessary files
RUN rm -rf /var/lib/apt/lists/* /tmp/* /root/.cache /usr/lib/jvm /prod/closure-compiler-v20240317.jar

# Stage 2: Build the Go application
FROM --platform=$TARGETPLATFORM golang:alpine as go-build
WORKDIR /app
COPY --from=build serve.go .
COPY --from=build go.mod .
COPY --from=build go.sum .

# Build the Go application with optimizations
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o serve

# Compress the binary using upx
RUN apk add --no-cache upx \
    && upx --best --lzma serve \
    && rm -rf /var/cache/apk/*

FROM scratch
COPY --from=go-build /app/serve /serve
COPY --from=build /prod/compressed /prod/compressed
COPY --from=build /src /src
COPY --from=build /key.pem /key.pem
COPY --from=build /cert.pem /cert.pem
COPY --from=build /favicon-16-6-0.webp /favicon-16-6-0.webp
EXPOSE 443
CMD ["/serve"]
```
@mark1russell7 thank you for sharing your journey and the snippets!!! I'll update the docs/readme to include the info you shared, so others can benefit from it. I'm also thinking about adding an internal maintenance command to simplify the sensor volume clearing process. First, though, I'll add console logs to show the sensor volume that gets used in the slim/build command, so it's easier to catch the cases when the main app ends up picking up a stale sensor volume... By the way, `dslim/slim` are the old images... you should use new release and new images
@kcq Thanks! I will pull the latest images. Really appreciate your dedication to this project, it's a really awesome tool.
Two things: I forgot to add this in my message as one of the configs I needed in a containerized environment (added it later)
network_mode: "host"
and I tried porting this to an Identical M2 Mac, same OS and everything (slightly newer docker version etc.) and I had to manually set the docker api version: (but doing this on my other envs leads to an error)
- DOCKER_API_VERSION=1.46
Hope you are having a restful holiday weekend.
@mark1russell7 if you are using the `1.40.11` version then the docker api version config is expected (let me know if you had to do it with the latest version, `1.41.5`).
The next release will have a new command, `app`, where it now has `remove-sensor-volumes` as one of its sub-commands, which will clear existing volumes. And the `slim` (aka `build`) command now also prints extra sensor and sensor volume metadata, which might help when there's a version mismatch and an older sensor volume is picked up. It's already there if you want to build from source.
The sensor architecture corner case is possible right now on M1/M2/etc Macs because Docker will happily pull any container image regardless of the architecture, so the standard image here, which is AMD64, gets pulled and then executed, so it'll create a sensor volume with the wrong sensor binary. A quick solution for that is to have multi-architecture app images, which I'll add for the next release (that will exist in addition to the architecture specific images).
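A pre-flight check for the architecture corner case described above, as an added example that is not part of the thread or of Slim's code: it compares the architecture recorded in a locally present image with the architecture of the Docker daemon, so an AMD64 image on an ARM64 daemon is caught before it is run. The function names are made up for illustration; `docker image inspect` and `docker version` are the only external commands used.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Map the spellings tools use for the same CPU architecture to one name.
normalize_arch() {
    case "$1" in
        amd64|x86_64)  echo amd64 ;;
        arm64|aarch64) echo arm64 ;;
        *)             echo "$1" ;;
    esac
}

# arch_verdict IMAGE_ARCH DAEMON_ARCH -> prints "match" or "mismatch"
arch_verdict() {
    if [ "$(normalize_arch "$1")" = "$(normalize_arch "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# check_image_arch IMAGE
# Returns 0 on match, 1 on mismatch, 2 if Docker could not be queried.
# The image must already be present locally.
check_image_arch() {
    image_arch=$(docker image inspect --format '{{.Architecture}}' "$1" 2>/dev/null) || return 2
    daemon_arch=$(docker version --format '{{.Server.Arch}}' 2>/dev/null) || return 2
    verdict=$(arch_verdict "$image_arch" "$daemon_arch")
    echo "$1: image=$image_arch daemon=$daemon_arch -> $verdict"
    [ "$verdict" = match ]
}

# Usage: sh check-arch.sh IMAGE [IMAGE...]
# Pass both the image to be minified and the Slim app image in use.
for image in "$@"; do
    check_image_arch "$image" || echo "warning: check failed for $image" >&2
done
```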
Expected Behavior
Call docker-slim and receive a slimified image on Windows docker-desktop similar to linux based docker.
Actual Behavior
Steps to Reproduce the Problem
Have image locally
Execute
docker-slim --log-level debug --log-format json --log slim.log build discordbot
Specifications