I want to use XFS filesystem quotas inside a docker container to limit the size of some directories. I already put quotactl in the seccomp whitelist (I am fully aware that this is not secure), but now I get a no such file or directory error.
The XFS filesystem is just accessible by a bind mount, so I tried using both the storage device from the host and from the container for the system call (for example /dev/sda2 and /dev/sda5), neither of them worked. The exact same program works perfectly fine on the host system.
Edit:
This is was strace tells me:
# On host system
quotactl(QCMD(Q_XSETQLIM, PRJQUOTA), "/dev/sda5", 0, {d_version=1, d_flags=XFS_PROJ_QUOTA, d_fieldmask=0x8, d_id=0, d_blk_hardlimit=20480, d_blk_softlimit=0, d_ino_hardlimit=0, d_ino_softlimit=0, d_bcount=0, d_icount=0, d_itimer=0, d_btimer=0, d_iwarns=0, d_bwarns=0, d_rtb_hardlimit=0, d_rtb_softlimit=0, d_rtbcount=0, d_rtbtimer=0, d_rtbwarns=0}) = 0
# Inside container
quotactl(QCMD(Q_XSETQLIM, PRJQUOTA), "/dev/sda5", 0, {d_version=1, d_flags=XFS_PROJ_QUOTA, d_fieldmask=0x8, d_id=0, d_blk_hardlimit=20480, d_blk_softlimit=0, d_ino_hardlimit=0, d_ino_softlimit=0, d_bcount=0, d_icount=0, d_itimer=0, d_btimer=0, d_iwarns=0, d_bwarns=0, d_rtb_hardlimit=0, d_rtb_softlimit=0, d_rtbcount=0, d_rtbtimer=0, d_rtbwarns=0}) = -1 ENOENT (No such file or directory)
With some help from the comments I was able to solve this problem, there are three things you need to do in order to use quotactl inside a docker container:
Use your own seccomp configuration for the container and whitelist the quotactl system call
Add the device to the container with the command line option --device=/dev/sdXX:/dev/sdXX
Run the container in privileged mode with --privileged
Related
I am pretty new to MapR and I have a task about creating a MapR volume. I used this command
maprcli volume create -name test-volume -path /MyCluster/apps/application_logs/node1
to create the volume but I get this error:
ERROR (2) - Failed to mount test-volume, parent of mount dir /MyCluster/apps/application_logs/node1 does not exist, No such file or directory
Before running the command I created this path '/MyCluster/apps/application_logs/node1' using mkdir :
Does anyone know why I get this error and if someone can help me with fixing it?
Thank you.
When you say;
I created this path '/MyCluster/apps/application_logs/node1' using mkdir
I assume that you have created it in local file system. The path parameter needs to be created in MapR file system.
To do that, you can either create the dir by interacting with MapR file system directly as follows;
hadoop fs -mkdir -p <path>
or you can mount MapR fs to local file system so that you can interact with it from mount point; /mapr/<cluster-name>/
From the doc;
Parameter: path
Default Value: No default value
Possible Values: Any valid path.
Description: The path at which to mount the volume. The path must be relative to / and cannot be in the form of a global namespace path (for example, /mapr/<cluster-name>/).
I'm new to Docker and I'm trying to bind-mount using following command:
docker service create --mount type=bind,src=/mnt/c/Users/Elev/Desktop/iris,dst=/mnt/c/Users/Elev/Desktop/iris --name myservice1 myservice
and I'm getting following message:
image myservice:latest could not be accessed on a registry to record
its digest. Each node will access image:latest independently,
possibly leading to different nodes running different
versions of the image.
e32lbdbvn3meq5i4cpgsnes4m
overall progress: 0 out of 1 tasks
1/1: invalid mount config for type "bind": bind source path does not exist: /mn…
I'm able to cd to the '/mnt/c/Users/Elev/Desktop/iris' directory and I'm sure it exists. So why am I getting this error and how can this be fixed?
I am learning Docker. Wen i run two MYSQL containers with -v options whose two volumes names are the same , only one of those two volumes is created on the host file system. Would the second one override the first one or the system keeps the first one ? I don't see any command showing the volume names conflict. Here are my commands
docker container run -d --name mysql_1 -e MYSQL_ALLOW_EMPTY_PASSWORD=True -v mysql_db:/var/lib/mysql mysql
docker container run -d --name mysql_2 -e MYSQL_ALLOW_EMPTY_PASSWORD=True -v mysql_db:/var/lib/mysql mysql
I check the logs with command docker volume [name] inspect and it seems the second volume will override the first one
[
{
"CreatedAt": "2020-07-24T09:34:05Z",
"Driver": "local",
"Labels": null,
"Mountpoint": "/var/lib/docker/volumes/mysql_db78/_data",
"Name": "mysql_db78",
"Options": null,
"Scope": "local"
}
]
The createdAt is the time that i typed the last docker container run -v .. command. But it is strange that docker didn't notify about volume name conflict
You're allowed to mount the same volume into different containers. Files read and written by one can be read and written by the other. There's no "conflict" here.
In both docker run commands you're telling Docker to mount a volume named mysql_db on to the path /var/lib/mysql. In the first command, Docker automatically creates the named volume, as though you had run docker volume create mysql_db, since it doesn't exist yet. Then the second docker run command reuses that some volume.
(Operationally, you can't have multiple MySQL servers running off the same data store, so you should see a startup-time error referring to a lock file in the mysql_2 container. At a design level, try to avoid file sharing and prefer cross-container API calls instead, since coordinating file sharing can be tricky and it doesn't scale well to more advanced environments like Kubernetes.)
I am using a docker image which does not have the ALSA's snd-dummy module available. I need to emulate a sound card. I do not need (or want) to listen to audio.
Based on the many searches I have done I am rather certain that I want to use ALSA's snd-dummy module for emulating a sound card, which is essentially /dev/null.
Looking over the guide for ALSA Matrix:Module-dummy, it states that if "modinfo soundcore" returns that you have this module, then you don't need to recompile your kernel.
In my instance, I do NOT have "soundcore" or "sound" available. I gather that this means I have to recompile the kernel. Recompiling the kernel of a docker image is a new concept to me. Docker is a new concept to me.
In sort, I need to install ALSA's snd-dummy module onto a Linux docker image, which does NOT have soundcore/sound compiled into the kernel.
Docker Image:
https://github.com/fcwu/docker-ubuntu-vnc-desktop
ALSA Matrix snd-dummy:
https://www.alsa-project.org/main/index.php/Matrix:Module-dummy
Is this a potential solution for me?:
https://github.com/torvalds/linux/blob/master/sound/drivers/dummy.c
Edit:
When replacing ~/.asoundrc to the following and running "alsactl restore" I get the following output. Also, my host machine's volume is affected.
# .asoundrc
pcm.dummy {
type hw
card 0
}
ctl.dummy {
type hw
card 0
}
$ alsactl restore
alsactl: load_state:1683: Cannot open /var/lib/alsa/asound.state for
reading: No such file or directory Found hardware: "HDA-Intel"
"Realtek ALC269VB" "HDA:10ec0269,10280446,00100100
HDA:80862805,80860101,00100000" "0x1028" "0x0446" Hardware is
initialized using a generic method Found hardware: "Dummy" "Dummy
Mixer" "" "" "" Hardware is initialized using a generic method
I think the solution would be to mount the sound device into docker, the problem here that you must use privileged:
docker run -v /dev/snd:/dev/snd --privileged myImage ...
UPDATE
you may also insert kernel module snd-aloop and specify 2 as the index of sound loop device on your host:
sudo modprobe snd-aloop index=2
docker run -it --rm -p 6080:80 --device /dev/snd -e ALSADEV=hw:2,0 dorowu/ubuntu-desktop-lxde-vnc
I doing Docker tests about using apps with GUI. SublimeText,Eclipse,Hangout and others apps good working but in this case i try install popcorntime app in to docker container using Debian image and when i execute the app show me some errors. Sorry, but i'm new in Docker world and would like know how to fix this problem for future occasions.
First, I execute to docker container of next form:
docker run -ti -v /tmp/.X11-unix/:/tmp/.X11-unix -e DISPLAY --shm-size=1024m --memory 512m --device /dev/snd popcorntime bash
Next, into contaniner:
root#1cc4aea76556:/opt/popcorntime# ./Popcorn-Time
libudev: udev_has_devtmpfs: name_to_handle_at on /dev: Operation not permitted [59:1106/211526:WARNING:x11_util.cc(315)] X failed to attach to shared memory segment 262145 [59:1106/211529:INFO:CONSOLE(120)] "Uncaught ReferenceError: pageOptions is not defined", source: http://app.time4popcorn.eu/?uid=17F98CC7FD403488DA7B5E1D6989EE2C®ister_date=1478465906&version=0.3.0&os=linux&r=0.025844353018328547 (120) [59:1106/211529:INFO:CONSOLE(120)] "Uncaught ReferenceError: pageOptions is not defined", source: http://app.time4popcorn.eu/?uid=17F98CC7FD403488DA7B5E1D6989EE2C®ister_date=1478465906&version=0.3.0&os=linux&r=0.025844353018328547 (120) [59:1106/211529:ERROR:crash_handler_host_linux.cc(380)] Failed to write crash dump for pid 79 Cannot upload crash dump: cannot alloc [59:1106/211529:ERROR:breakpad_linux.cc(1225)] crash dump file written to /tmp/chromium-renderer-minidump-b10e73ec0d1694fc.dmp
Please, someone that me orient for know how to execute this app using docker container???....
Docker Seccomp default profile disabled a system call that your container is calling.
As quick and dirty solution, try running the container with additional option after docker run
--security-opt seccomp=unconfined
This way you run a container without the default seccomp profile. Then it should be better to use a custom profile putting in the white list the systemn call your container needs.