I have created one docker multiarch image with buildx command.
sudo docker buildx build -f build/Dockerfile --platform linux/arm/v7,linux/arm64,linux/amd64 -t uditgaurav/chaos-operator:v3 . --push
build/Dockerfile:
FROM golang:1.13
ENV GO111MODULE=on \
CGO_ENABLED=1
ENV OPERATOR=/usr/local/bin/chaos-operator \
USER_UID=1001 \
USER_NAME=chaos-operator
# install operator binary
COPY build/_output/bin/chaos-operator ${OPERATOR}
COPY build/bin /usr/local/bin
RUN /usr/local/bin/user_setup
RUN export GOOS=$(echo ${TARGETPLATFORM} | cut -d / -f1) && \
export GOARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) && \
GOARM=$(echo ${TARGETPLATFORM} | cut -d / -f3 | cut -c2-)
ENTRYPOINT ["/usr/local/bin/entrypoint"]
USER ${USER_UID}
In dockerhub the images came with diff arch:
But when I ran it in arm clusters it is showing error:
standard_init_linux.go:211: exec user process caused "exec format error"
Docker Version on ARM cluster
Client:
Version: 19.03.6
API version: 1.40
Go version: go1.12.17
Git commit: 369ce74a3c
Built: Fri Feb 28 23:47:53 2020
OS/Arch: linux/arm64
Experimental: false
Server:
Engine:
Version: 19.03.6
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: 369ce74a3c
Built: Wed Feb 19 01:06:16 2020
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.3.3-0ubuntu1~18.04.2
GitCommit:
runc:
Version: spec: 1.0.1-dev
GitCommit:
docker-init:
Version: 0.18.0
GitCommit:
can anyone help on this?
Docker multiarch build is not the problem. The problem is that /usr/local/bin/chaos-operator is an linux/amd64 binary and you're trying to run it on linux/arm64.
Related
Looking to fix this issue. I'm running RHEL7 with docker-compose 2.9.0. I've boiled things down to these files:
[<user>]$ ls -la
-rw-rw-r--. 1 glaisne glaisne 166 Aug 4 14:22 docker-compose.cloud-build.yml
-rw-rw-r--. 1 glaisne glaisne 76 Aug 4 14:04 .env.azure
drwxrwxr-x. 2 glaisne glaisne 24 Aug 4 14:12 helloWorld
[<user>]$ ls ./helloWorld
Dockerfile
[<user>]$ cat ./docker-compose.cloud-build.yml
version: '3.4'
services:
hello-world:
image: ${AZURE_DOCKER_REGISTRY}<servername>.hello-world:${DOCKER_IMAGE_TAG}
build:
context: ./helloWorld
[<user>]$ cat .env.azure
AZURE_DOCKER_REGISTRY=<server>.azurecr.io/
DOCKER_IMAGE_TAG=dev
[<user>]$ cat ./helloWorld/Dockerfile
FROM alpine
CMD ["echo", "Hello World"]
If I run
sudo docker-compose -f ./docker-compose.cloud-build.yml --env-file=./.env.azure build
I get this error:
[+] Building 0.0s (0/0)
listing workers for Build: failed to list workers: Unavailable: connection error: desc = "transport: Error while dialing unable to upgrade to h2c, received 404"
I am no Linux or docker guru, but I've done about all I can to fix this with no luck. The Docker service is running on the system (Docker version info below). Any insight on what this could be would be helpful. I've rebooted, Docker service has been given enough time to run, I don't see any network/firewall issues that I can tell ( from 404 ). I've even looked at the source (I don't speak go), and can't fine any reference to 'dial', 'h2c', 'workers.'
TIA
Docker version info:
Client:
Version: 1.13.1
API version: 1.26
Package version: docker-1.13.1-209.git7d71120.el7_9.x86_64
Go version: go1.10.3
Git commit: 7d71120/1.13.1
Built: Fri Jan 7 13:15:46 2022
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Package version: docker-1.13.1-209.git7d71120.el7_9.x86_64
Go version: go1.10.3
Git commit: 7d71120/1.13.1
Built: Fri Jan 7 13:15:46 2022
OS/Arch: linux/amd64
Experimental: false
It seems that this problem has not yet been completely solved, but for the moment this may help you, try to set DOCKER_BUILDKIT=0 env var to disable the use of the buildkit API.
Reference: https://github.com/containers/podman/issues/13889
Note: If you use the sudo command for execute docker-compose please use the -E flag for preserve the env variables.
I am trying to use docker's user namespaces feature using the official documentation here
I have added the configuration to my daemon.json file like
{
"debug":true,
"experimental": false,
"features":{"buildkit": false},
"userns-remap":"default"
}
I also verified that both subuid and subguid in /etc contain the following entries
dhost:100000:65536
dockremap:165536:65536
I built my image to verify the functionality using an alpine:latest like so
FROM alpine:latest
RUN mkdir -p /root/.cache
WORKDIR /app
command used in building the image docker image build -t myimage:1 .
Then I run a container from this image using
docker container run -it --rm --name mycontainer -v "$(pwd)/test:/app" myimage:1 sh
I get access to the workdir inside the container (app) but I cannot touch/create any file without getting permission denied. Do I need to change the owner of the test directory I used to mount? if yes, who should own it?
docker version
docker version
Client: Docker Engine - Community
Version: 20.10.14
API version: 1.41
Go version: go1.16.15
Git commit: a224086
Built: Thu Mar 24 01:47:57 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.14
API version: 1.41 (minimum version 1.12)
Go version: go1.16.15
Git commit: 87a90dc
Built: Thu Mar 24 01:45:46 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.5.11
GitCommit: 3df54a852345ae127d1fa3092b95168e4a88e2f8
runc:
Version: 1.0.3
GitCommit: v1.0.3-0-gf46b6ba
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Host OS info
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic
I am trying to follow this article to reproduce a container escape vulnerability that exists in docker. As mentioned in the article (Refining the proof of concept section), I first run,
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
to create a docker container with needed privileges. After, when I run
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
which is the next step but I get an error saying mount: /tmp/cgrp: permission denied. Not sure why that happens. I tried the solutions mentioned in this (adding --privileged flag etc) but nothing seemed to work.
Here is the output of the docker version command.
Client:
Version: 20.10.5+dfsg1
API version: 1.41
Go version: go1.15.9
Git commit: 55c4c88
Built: Wed Aug 4 19:55:57 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.5+dfsg1
API version: 1.41 (minimum version 1.12)
Go version: go1.15.9
Git commit: 363e9a8
Built: Wed Aug 4 19:55:57 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.12~ds1
GitCommit: 1.4.12~ds1-1~deb11u1
runc:
Version: 1.0.0~rc93+ds1
GitCommit: 1.0.0~rc93+ds1-5+b2
docker-init:
Version: 0.19.0
GitCommit:
How do I go about this?
#1
On my Mac
$ uname -a
Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 x86_64
$ md5 `which docker`
MD5 (/usr/local/bin/docker) = d0da0db0b35f2d8ccad29296c297faf3
#2
In a dind container
$ docker run --rm --privileged --name dind1 -it -v /var/run/docker.sock:/var/run/docker.sock docker:1.8-dind sh
/ # docker version
Client:
Version: 1.8.3
API version: 1.20
Go version: go1.4.2
Git commit: f4bf5c7
Built: Mon Oct 12 18:01:15 UTC 2015
OS/Arch: linux/amd64
Error response from daemon: 400 Bad Request: malformed Host header
/ # which docker
/usr/local/bin/docker
/ # md5sum /usr/local/bin/docker
73804379c30833e79345dced46f55e91 /usr/local/bin/docker
#3
To avoid "Error response from daemon: 400 Bad Request: malformed Host header" I need the docker client binary for the Mac OS (not Linux), so I do a bind mount
$ docker run --rm --privileged --name dind1 -it -v /var/run/docker.sock:/var/run/docker.sock -v /usr/local/bin/docker:/usr/local/bin/docker docker:1.8-dind sh
/ # md5sum /usr/local/bin/docker
1abd4fcb4e4bddf17574e2e85d9a42eb /usr/local/bin/docker
/ # docker version
Client: Docker Engine - Community
Version: 19.03.13
API version: 1.40
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:00:06 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.13
API version: 1.40 (minimum version 1.12)
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:07:04 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.3.7
GitCommit: 8fba4e9a7d01810a393d5d25a3621dc101981175
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
Question:
Why are the /usr/local/bin/docker md5sums different in #1 and #3 ?
I am trying to expose docker remote API on CentOS7.
$ docker version
Client:
Version: 1.10.3
API version: 1.22
Package version: docker-common-1.10.3-46.el7.centos.14.x86_64
Go version: go1.6.3
Git commit: cb079f6-unsupported
Built: Fri Sep 16 13:24:25 2016
OS/Arch: linux/amd64
Server:
Version: 1.10.3
API version: 1.22
Package version: docker-common-1.10.3-46.el7.centos.14.x86_64
Go version: go1.6.3
Git commit: cb079f6-unsupported
Built: Fri Sep 16 1
I have conf file set up on /etc/systemd/system/docker.service.d/docker-external.conf
[Service]
ExecStart=
ExecStart=/usr/bin/docker -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
followed by
systemctl daemon-reload
systemctl docker restart
This doesn't seem to start any docker process on 4243
Adding add -H tcp://0.0.0.0:4243 to your /lib/systemd/system/docker.service file then running systemctl daemon-reload, followed by systemctl restart docker helps expose the remote API.
ExecStart=/usr/bin/docker-current daemon \
--exec-opt native.cgroupdriver=systemd \
-H tcp://0.0.0.0:4243 -H unix://var/run/docker.sock \