Docker Swarm Service Container : Capability prefixed with CAP_ cannot be deserialized (InvalidFormatException)


Docker: version 20.10.18, build b40c2f6
docker-java: 3.2.8

Description

We have a service deployed to a Docker Swarm, using docker-compose to set the IPC_LOCK capability, as follows:

services:
  myService:
    image: myImage
    cap_add:
      - IPC_LOCK

Calling the docker-java InspectContainerCmdImpl to inspect the container on the node to which the service task has been deployed fails and produces the following exception:

2022-10-11T14:40:41.800756150Z java.lang.RuntimeException: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `com.github.dockerjava.api.model.Capability` from String "CAP_IPC_LOCK": value not one of declared Enum instance names: [ALL, SYS_BOOT, DAC_OVERRIDE, NET_RAW, BLOCK_SUSPEND, FOWNER, IPC_LOCK, IPC_OWNER, SYS_PACCT, NET_BIND_SERVICE, WAKE_ALARM, FSETID, DAC_READ_SEARCH, SYS_CHROOT, SYS_RAWIO, SYS_ADMIN, KILL, MAC_ADMIN, SYS_RESOURCE, CHOWN, SETPCAP, SYS_PTRACE, NET_ADMIN, SETFCAP, SYS_NICE, LINUX_IMMUTABLE, AUDIT_CONTROL, LEASE, AUDIT_WRITE, SYS_MODULE, MKNOD, SYSLOG, MAC_OVERRIDE, SYS_TIME, SETGID, SETUID, SYS_TTY_CONFIG, NET_BROADCAST]
2022-10-11T14:40:41.800761129Z  at [Source: (com.github.dockerjava.core.DefaultInvocationBuilder$2); line: 1, column: 2062] (through reference chain: com.github.dockerjava.api.command.InspectContainerResponse["HostConfig"]->com.github.dockerjava.api.model.HostConfig["CapAdd"]->java.lang.Object[][0])
2022-10-11T14:40:41.800784357Z 	at com.github.dockerjava.core.DefaultInvocationBuilder.get(DefaultInvocationBuilder.java:77) ~[docker-java-core-3.2.8.jar!/:na]
2022-10-11T14:40:41.800787901Z 	at com.github.dockerjava.core.exec.InspectContainerCmdExec.execute(InspectContainerCmdExec.java:31) ~[docker-java-core-3.2.8.jar!/:na]
2022-10-11T14:40:41.800792420Z 	at com.github.dockerjava.core.exec.InspectContainerCmdExec.execute(InspectContainerCmdExec.java:13) ~[docker-java-core-3.2.8.jar!/:na]
2022-10-11T14:40:41.800795370Z 	at com.github.dockerjava.core.exec.AbstrSyncDockerCmdExec.exec(AbstrSyncDockerCmdExec.java:21) ~[docker-java-core-3.2.8.jar!/:na]
2022-10-11T14:40:41.800798829Z 	at com.github.dockerjava.core.command.AbstrDockerCmd.exec(AbstrDockerCmd.java:35) ~[docker-java-core-3.2.8.jar!/:na]
2022-10-11T14:40:41.800802249Z 	at com.github.dockerjava.core.command.InspectContainerCmdImpl.exec(InspectContainerCmdImpl.java:52) ~[docker-java-core-3.2.8.jar!/:na]

Based on the documentation, Docker uses a capability name with/without the CAP_ prefix interchangeably: https://docs.docker.com/engine/reference/run/

The --cap-add and --cap-drop flags accept capabilities to be specified with a CAP_ prefix. The following examples are therefore equivalent:

docker run --cap-add=SYS_ADMIN …
docker run --cap-add=CAP_SYS_ADMIN …

This does not appear to be a Docker / Docker swarm bug. Can the CAP_ prefix be automatically stripped to prevent the deserialization issue?

Thanks

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 8 (5 by maintainers)
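
The prefix stripping the issue asks for, sketched with a Jackson `@JsonCreator` factory on the enum. This is an added example, not docker-java's code: `Cap`, `HostCfg` and `fromWire` are hypothetical stand-ins, the JSON is constructed, and it assumes jackson-databind is on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Locale;

public class CapPrefixDemo {

    // Hypothetical stand-in for the library's Capability enum (subset of names).
    public enum Cap {
        ALL, IPC_LOCK, NET_ADMIN, SYS_ADMIN, SYS_PTRACE;

        // Jackson calls this factory instead of matching enum names directly,
        // so "IPC_LOCK" and "CAP_IPC_LOCK" resolve to the same constant.
        @JsonCreator
        public static Cap fromWire(String raw) {
            String name = raw.trim().toUpperCase(Locale.ROOT);
            if (name.startsWith("CAP_")) {
                name = name.substring("CAP_".length());
            }
            return Cap.valueOf(name); // unknown names still fail loudly
        }
    }

    // Hypothetical stand-in for the HostConfig part of an inspect response.
    public static class HostCfg {
        @JsonProperty("CapAdd")
        public Cap[] capAdd;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);

        // Constructed sample mixing the prefixed and unprefixed spellings.
        String json = "{\"CapAdd\":[\"CAP_IPC_LOCK\",\"SYS_ADMIN\"],\"Privileged\":false}";
        HostCfg cfg = mapper.readValue(json, HostCfg.class);
        for (Cap c : cfg.capAdd) {
            System.out.println(c);
        }

        // A name that is not a capability is rejected, with or without the prefix.
        try {
            mapper.readValue("{\"CapAdd\":[\"CAP_NOT_A_CAP\"]}", HostCfg.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Normalizing at the deserialization boundary keeps any code that audits `CapAdd` comparing against a single spelling of each capability.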

Top GitHub Comments

1 reaction
armband commented, Nov 30, 2022

@kiview

which version are you using?

The docker-compose version we are using is fairly recent : v2.11.2

@eddumelendez

have you considered opening an issue on https://github.com/moby/moby ?

I have not, but can. It may be an inconsistency they can address, but I feel the behavior is acceptable based on the wording of their documentation.

are you willing to contribute with option 3?

Of course, I would be happy to contribute.

0 reactions
eddumelendez commented, Nov 30, 2022

@armband are you willing to contribute with option 3?
