Closed abshkd closed 5 years ago
Just doing USER root resolves this issue. If this is an acceptable resolution then I can submit a PR. Perhaps there are other reasons for having a sudoer that I am not aware of.
@abshkd Can you output your docker version and docker info for me? Also do you have buildkit enabled?
docker info
Containers: 11
Running: 9
Paused: 0
Stopped: 2
Images: 157
Server Version: 18.09.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9754871865f7fe2f4e74d43e2fc7ccd237edcbce
runc version: 96ec2177ae841256168fcf76954f7177af9446eb
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-43-generic
Operating System: Ubuntu 18.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 64
Total Memory: 125.8GiB
Name: tiny
ID: YQKR:AKLW:ELUR:PV3S:SRQZ:TMWU:D4Q4:JRPZ:NCA3:MYB4:SLTX:CJNV
Docker Root Dir: /mnt/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
WARNING: No swap limit support
docker version
Client:
Version: 18.09.1
API version: 1.39
Go version: go1.10.6
Git commit: 4c52b90
Built: Wed Jan 9 19:35:31 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 18.09.1
API version: 1.39 (minimum version 1.12)
Go version: go1.10.6
Git commit: 4c52b90
Built: Wed Jan 9 19:02:44 2019
OS/Arch: linux/amd64
Experimental: false
I don't know what buildkit is and have not used it before, so I am assuming I don't have it enabled.
I believe your issue is related to where you have Docker installed? Your docker info shows:
Docker Root Dir: /mnt/docker
Normally, Docker keeps its contents in /var/lib/docker which is owned by root:root. Is this a shared mount point? Either way, it seems like the permissions of this mount point which Docker is trying to use are too restrictive, and thus the docker build command within the Makefile is failing.
I don't run docker in root. It's running as user. You are spot on, it appears to be that Splunk requires root ownership in order to run. I don't have this issue with other docker images. This isn't a shared mount point but the system has 8 drives with LVM RAID, I simply remapped /var/lib/docker to something easier to manage administratively.
Not to worry. I will close this bug report. Sorry for the delay in response.
On Tue, Feb 19, 2019 at 9:16 AM Nelson Wang notifications@github.com wrote:
I believe your issue is related to where you have Docker installed? Your docker info shows:
Docker Root Dir: /mnt/docker
Normally, Docker keeps its contents in /var/lib/docker which is owned by root:root. Is this a shared mount point? Either way, it seems like the permissions of this mount point which Docker is trying to use is too restrictive, and thus the docker build command within the Makefile is failing.
Just an update. I got it to work with minor edits. I am on non-root docker with non-root splunk
Hi @abshkd sounds good, I have the same problem (container in OpenShift run as random user). What edits did you do to get splunk image running as non-root-container-user?
Second @ivohechmann, @abshkd can you share the edits made? Did not get it to work properly, so if there's a solution I'd be interested :)
can you share the edit, thanks!
PLAY [Run default Splunk provisioning] *****
TASK [Gathering Facts] ***** fatal: [localhost]: FAILED! => { "ansible_facts": {}, "changed": false, "failed_modules": { "ansible.legacy.setup": { "failed": true, "module_stderr": "sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1 } } }
MSG:
The following modules failed to execute: ansible.legacy.setup
Apologies. I was under the impression that the way I fixed my setup was not recommended so I did not post it. I have left Splunk many years ago and no longer have this setup on me. If I come across it in my person I will submit here or in a separate repo. I don't recall much but I believe you can edit the Dockerfile to fix the issue where it needs root access.
@abshkd Great, thanks for your kind comment! Add docker-compose.yml with --security-opt with no-new-privileges=false and the issue is fixed, thanks!
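Added example (not part of any comment in this thread, and not the project's code): a shell check for the three usual causes of the "effective uid is not 0" sudo error quoted above, so the cause is identified before no-new-privileges is turned off for the container. The function names and the sample status excerpt are constructed for illustration.

```shell
#!/bin/sh
# Explain why sudo reports "effective uid is not 0" inside a container.

# Print the NoNewPrivs flag (0 or 1) from a /proc/<pid>/status-format file.
nnp_flag() {
    awk '$1 == "NoNewPrivs:" { print $2; found = 1 }
         END { if (!found) print "unknown" }' "$1"
}

# Succeed if a comma-separated mount option string contains nosuid.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if an "ls -l" style mode string carries the owner setuid bit.
has_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the cause.
# Args: status file, mount options of sudo's filesystem, mode string of sudo.
diagnose_sudo() {
    if [ "$(nnp_flag "$1")" = "1" ]; then
        echo "no_new_privs"        # process started with no-new-privileges
    elif has_nosuid "$2"; then
        echo "nosuid_mount"        # filesystem ignores setuid bits
    elif ! has_setuid "$3"; then
        echo "setuid_bit_missing"  # sudo binary lost its setuid bit
    else
        echo "ok"
    fi
}

# Constructed sample: status excerpt of a process with no_new_privs set.
SAMPLE=$(mktemp)
printf 'Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t1\n' > "$SAMPLE"
diagnose_sudo "$SAMPLE" "rw,relatime" "-rwsr-xr-x"
rm -f "$SAMPLE"

# Inside the affected container, run it against live data:
# diagnose_sudo /proc/self/status \
#   "$(findmnt -no OPTIONS -T /usr/bin/sudo)" "$(ls -l /usr/bin/sudo | cut -c1-10)"
```

A result of no_new_privs means the setting that blocks setuid escalation is what stops sudo; disabling it, as in the comment above, lets any setuid binary in the image gain privileges again.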
I get this error in both centos and debian build. I don't have issues running docker containers and images outside of this. Any clue as to what's causing this?
I believe the issue is with using sudo. Would it be better to go with USER instead of sudo?
make splunk-debian-9 output [snipped]