slimtoolkit / slim

Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Apache License 2.0

docker slim container still running after failure exit #360

Open leslie-qiwa opened 2 years ago

leslie-qiwa commented 2 years ago

Expected Behavior

docker slim container should quit after analysis


Actual Behavior

It is still running. Every analysis fails and leaves a running container.

```
$ docker ps
CONTAINER ID   IMAGE                                                       COMMAND                  CREATED          STATUS          PORTS                                                                                          NAMES
1ac81af314b7   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   2 minutes ago    Up 2 minutes    0.0.0.0:49166->65501/tcp, :::49166->65501/tcp, 0.0.0.0:49165->65502/tcp, :::49165->65502/tcp   dockerslimk_22990_20220803234535
206fea95252b   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   2 minutes ago    Up 2 minutes    0.0.0.0:49164->65501/tcp, :::49164->65501/tcp, 0.0.0.0:49163->65502/tcp, :::49163->65502/tcp   dockerslimk_22792_20220803234519
7ddb9cd72dd1   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   3 minutes ago    Up 3 minutes    0.0.0.0:49162->65501/tcp, :::49162->65501/tcp, 0.0.0.0:49161->65502/tcp, :::49161->65502/tcp   dockerslimk_22595_20220803234436
d4eff8c5599e   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   3 minutes ago    Up 3 minutes    0.0.0.0:49160->65501/tcp, :::49160->65501/tcp, 0.0.0.0:49159->65502/tcp, :::49159->65502/tcp   dockerslimk_22409_20220803234432
4fbbde33b3a8   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   6 minutes ago    Up 6 minutes    0.0.0.0:49158->65501/tcp, :::49158->65501/tcp, 0.0.0.0:49157->65502/tcp, :::49157->65502/tcp   dockerslimk_22162_20220803234205
5f077dd2282d   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   6 minutes ago    Up 6 minutes    0.0.0.0:49156->65501/tcp, :::49156->65501/tcp, 0.0.0.0:49155->65502/tcp, :::49155->65502/tcp   dockerslimk_21964_20220803234119
65e901f86e1a   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   10 minutes ago   Up 10 minutes   0.0.0.0:49154->65501/tcp, :::49154->65501/tcp, 0.0.0.0:49153->65502/tcp, :::49153->65502/tcp   dockerslimk_21628_20220803233802
```

Steps to Reproduce the Problem

This is probably related to our private image and may not be reproducible on your side.

1. run `build` command. After build, `docker ps` shows new running docker slim container
2.

```
$ ~/bin/dist_linux/docker-slim build registry.test.pensando.io:5000/pensando/test-infra:2.17.0
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
cmd=build info=param.http.probe message='using default probe'
cmd=build state=started
cmd=build info=params target.type='image' target='registry.test.pensando.io:5000/pensando/test-infra:2.17.0' continue.mode='probe' rt.as.user='true' keep.perms='true' tags=''
cmd=build state=image.inspection.start
cmd=build info=image id='sha256:4756ac2575092ca210cd75dd6ad778df31fe71f1606c4922ef86f4063d440863' size.bytes='2119981163' size.human='2.1 GB'
cmd=build info=image.stack index='0' name='registry.test.pensando.io:5000/pensando/test-infra:2.17.0' id='sha256:4756ac2575092ca210cd75dd6ad778df31fe71f1606c4922ef86f4063d440863'
cmd=build state=image.inspection.done
cmd=build state=container.inspection.start
cmd=build info=container name='dockerslimk_22990_20220803234535' id='1ac81af314b7bfdbf845346758cac402f0ca10cf19275377d078f9fde192079a' status='created'
cmd=build info=container status='running' name='dockerslimk_22990_20220803234535' id='1ac81af314b7bfdbf845346758cac402f0ca10cf19275377d078f9fde192079a'
cmd=build info=container message='obtained IP address' ip='172.17.0.8'
cmd=build info=cmd.startmonitor status='sent'
cmd=build info=event.error status='received' data='SensorError{Op:ptrace.App.trace.app.start,Kind:call.error,Wrapped:{Type=*os.PathError,Info=fork/exec /entrypoint.sh: no such file or directory,Line:218,File:github.com/docker-slim/docker-slim/pkg/monitor/ptrace/ptrace.go}}'
cmd=build state=exited code=-124 version=linux|Transformer|1.37.6|26a36c88a94c677efd734e874ba081dabb84a224|2022-04-23_06:03:56AM component=container.inspector
cmd=build info=report file='slim.report.json'
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
```

Specifications

- Version: The latest binary

```
$ ~/bin/dist_linux/docker-slim --version
docker-slim version linux|Transformer|1.37.6|26a36c88a94c677efd734e874ba081dabb84a224|2022-04-23_06:03:56AM
qiwa@qiwa:~/workspace/golang/src/github.com/pensando/test-infra$
```

- Platform: Ubuntu AMD64 linux.

kcq commented 2 years ago

Thanks for opening the issue @leslie-qiwa ! This looks like an unexpected failure running the app in the container. The exit path there doesn't clean up the temporary container docker-slim created. Will be an easy fix :)

The bigger question here is why there's a problem with the entry point in your container image.

os.PathError,Info=fork/exec /entrypoint.sh: no such file or directory

Silly question... Do you have /entrypoint.sh in your image? What do your entrypoint and cmd instructions look like in your Dockerfile?
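The leftover containers reported in this issue can be located by name and by the host ports they keep published. The script below is an added example, not part of the thread or of docker-slim's code: it assumes the `dockerslimk_<digits>_<digits>` naming seen in the `docker ps` output above, the function names are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: report containers left behind by failed docker-slim runs.
# Input lines: ID|NAME|PORTS, as produced by
#   docker ps --format '{{.ID}}|{{.Names}}|{{.Ports}}'

# Constructed sample modeled on the `docker ps` output in this issue,
# plus two unrelated containers that must not be matched.
SAMPLE=$(printf '%s|%s|%s\n' \
  1ac81af314b7 dockerslimk_22990_20220803234535 \
  '0.0.0.0:49166->65501/tcp, :::49166->65501/tcp, 0.0.0.0:49165->65502/tcp, :::49165->65502/tcp' \
  aaaaaaaaaaaa my_dockerslimk_app '0.0.0.0:8080->80/tcp' \
  bbbbbbbbbbbb web '')

# Print "ID NAME PORTS" for every container whose whole name matches the
# assumed pattern. PORTS is the comma-separated list of host ports bound on
# 0.0.0.0 (reachable from other hosts), or "-" if there are none.
leftover_slim_containers() {
  awk -F'|' '$2 ~ /^dockerslimk_[0-9]+_[0-9]+$/ {
    n = split($3, maps, ", "); ports = ""
    for (i = 1; i <= n; i++)
      if (maps[i] ~ /^0\.0\.0\.0:[0-9]+->/) {
        p = maps[i]
        sub(/^0\.0\.0\.0:/, "", p)   # drop the bind address
        sub(/->.*/, "", p)           # drop the container side
        ports = ports (ports ? "," : "") p
      }
    print $1, $2, (ports ? ports : "-")
  }'
}

# Remove the matches on the local Docker host. Run this only when no
# docker-slim build is in progress: an active build uses the same naming.
remove_leftovers() {
  docker ps --format '{{.ID}}|{{.Names}}|{{.Ports}}' |
    leftover_slim_containers |
    while read -r id name ports; do
      echo "removing $name (host ports: $ports)"
      docker rm -f "$id"
    done
}

# Dry run against the constructed sample; nothing is removed here.
printf '%s\n' "$SAMPLE" | leftover_slim_containers
```

Call `remove_leftovers` explicitly to delete the matches; the script on its own only lists them.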

leslie-qiwa commented 2 years ago

This file does not exist in the base container indeed, because our CI will build another running container based on this base container. In this new build process, it will copy entrypoint.sh to the destination.

I'm adding the --mount option, and got a new permission denied failure now. Am I using the right command?

```
$ ~/bin/dist_linux/docker-slim build --mount ./box-build/entrypoint.sh:/entrypoint.sh registry.test.pensando.io:5000/pensando/test-infra:2.17.0
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
cmd=build info=param.http.probe message='using default probe'
cmd=build state=started
cmd=build info=params target.type='image' target='registry.test.pensando.io:5000/pensando/test-infra:2.17.0' continue.mode='probe' rt.as.user='true' keep.perms='true' tags=''
cmd=build state=image.inspection.start
cmd=build info=image id='sha256:4756ac2575092ca210cd75dd6ad778df31fe71f1606c4922ef86f4063d440863' size.bytes='2119981163' size.human='2.1 GB'
cmd=build info=image.stack index='0' name='registry.test.pensando.io:5000/pensando/test-infra:2.17.0' id='sha256:4756ac2575092ca210cd75dd6ad778df31fe71f1606c4922ef86f4063d440863'
cmd=build state=image.inspection.done
cmd=build state=container.inspection.start
cmd=build info=container status='created' name='dockerslimk_18382_20220804175741' id='3a538228974bf5a95363b415eb3937ddcf4847ec06bfd5896caf3b00971244d0'
cmd=build info=container status='running' name='dockerslimk_18382_20220804175741' id='3a538228974bf5a95363b415eb3937ddcf4847ec06bfd5896caf3b00971244d0'
cmd=build info=container ip='172.17.0.2' message='obtained IP address'
cmd=build info=cmd.startmonitor status='sent'
cmd=build info=event.error status='received' data='SensorError{Op:ptrace.App.trace.app.start,Kind:call.error,Wrapped:{Type=*os.PathError,Info=fork/exec /entrypoint.sh: permission denied,Line:218,File:github.com/docker-slim/docker-slim/pkg/monitor/ptrace/ptrace.go}}'
cmd=build state=exited code=-124 component=container.inspector version=linux|Transformer|1.37.6|26a36c88a94c677efd734e874ba081dabb84a224|2022-04-23_06:03:56AM
cmd=build info=report file='slim.report.json'
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
```