Suggestions for improving `eclipse/che start` on a host with SELinux enabled
Running `docker run -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start` on my Fedora 25 installation fails. It does not matter if the /var/run/docker.sock
has been assigned to the docker group, or given chmod 777
…
Reproduction Steps:
- On Fedora 25, using docker, run
docker run -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start
Welcome to Eclipse Che
You are missing a mandatory parameter:
1. Mount 'docker.sock' for accessing Docker with unix sockets.
2. Or, set DOCKER_HOST to Docker's location (unix or tcp).
...
Che version: 5.5.0.
OS and version:
Fedora 25 (updated)
Docker version:
Client:
Version: 1.12.6
API version: 1.24
Package version: docker-common-1.12.6-4.gitf499e8b.fc25.x86_64
Go version: go1.7.4
Git commit: f499e8b/1.12.6
Built: Fri Jan 13 11:03:22 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Package version: docker-common-1.12.6-4.gitf499e8b.fc25.x86_64
Go version: go1.7.4
Git commit: f499e8b/1.12.6
Built: Fri Jan 13 11:03:22 2017
OS/Arch: linux/amd64
Solution:
The Che container needs to be run with `--privileged`, else `docker ps` within the Che container will fail on: `/scripts/base/startup_02_pre_docker.sh`, `init_check_docker()`, L289 ref
Although inside the Che container:
bash-4.3# ls -al /var/run/docker.sock
srw-rw---- 1 root 1000 0 Mar 17 08:20 /var/run/docker.sock
access to the socket will still result in Permission denied.
When started as:
$ docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start
Bound 'eclipse/che' to 'eclipse/che:5.5.0'
WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
WARNING: bridge-nf-call-ip6tables is disabled
Welcome to Eclipse Che!
We could not detect a location to save data.
Volume mount a local directory to ':/data'.
...
allows this check to pass. However, successive interaction with the data volume will also fail.
Cause:
Likely caused by SELinux. If so, `setenforce 0` (disable SELinux) should be described as part of the installation instructions or start banner. Better would be to describe steps that allow it to function WITH SELinux enabled.
Issue Analytics
- Created 7 years ago
- Comments:41 (12 by maintainers)
Top GitHub Comments
Example:
User realizes that he might have to add the configuration to the `docker.sock`, and so he adds this:
User tries locally: `docker ps` … tries as a user `docker ps`, and notices the user has not been granted access. Sure, he modifies the permission on the socket and `chmod 770 /var/run/docker.sock`, `newgrp docker` and tries again… and the command succeeds.
He runs the same command again:
docker run -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start
…same results… so he starts wondering if he really had to type
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start
? No change in message and no actual error message follows. In this case, showing the error message would be a better idea. WDYT?
A simple test like
around https://github.com/eclipse/che/blob/master/dockerfiles/base/scripts/base/startup_02_pre_docker.sh#L289
would have helped to check the state of `/var/run/docker.sock`. In that case you know something would be wrong with the socket. An additional test, such as:
would give you a permission denied (exit code 2) or pass (exit code 0); you could accordingly change the message to indicate that a permission denied occurred on the docker.sock.
At the moment this is left up to guess from the user. Captured in:
In this case we surely would know it is:
@eivantsov Even with the data volume is not starting as expected. SELinux needs to be disabled else copy actions on the data volume will fail.
Eventually as @l0rd described
starts and allows the Dashboard to be opened. But all the described issues with `docker run eclipse/che start` exist: "permission denied on socket and folders", "WS not detected", and so on…
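
The socket check suggested in the comments above, written out as an added example (not code from the Che repository or from any commenter). The function names, the exit code 1 for "not mounted", and reading the SELinux mode with `getenforce` (which may be absent inside a container) are assumptions; exit codes 0 and 2 follow the comment.

```shell
#!/bin/sh
# Added example: tell "socket not mounted" apart from "mounted but refused",
# so the start banner can name the real problem instead of the generic hint.

# Decide the message and exit code from three gathered facts.
#   $1 = "yes" if the path is a unix socket
#   $2 = exit status of a probe call against the daemon
#   $3 = SELinux mode as printed by getenforce ("" when it cannot be read)
# Returns 0 = usable, 1 = not mounted, 2 = mounted but access refused.
diagnose_docker_sock() {
  local is_sock="$1" probe_rc="$2" selinux="$3"
  if [ "$is_sock" != yes ]; then
    echo "docker.sock is not mounted: add -v /var/run/docker.sock:/var/run/docker.sock"
    return 1
  fi
  if [ "$probe_rc" -eq 0 ]; then
    echo "docker.sock is mounted and usable"
    return 0
  fi
  if [ "$selinux" = Enforcing ]; then
    # Mode bits can look correct while the SELinux policy still denies access.
    echo "docker.sock is mounted but access was refused; SELinux is enforcing, check the audit log for AVC denials"
  else
    echo "docker.sock is mounted but access was refused; check owner, group and mode of the socket"
  fi
  return 2
}

# Gather the facts for a given socket path, then diagnose.
# Usage: check_docker_sock [path] || exit $?
check_docker_sock() {
  local sock="${1:-/var/run/docker.sock}" is_sock=no probe_rc=0 selinux=""
  if [ -S "$sock" ]; then
    is_sock=yes
    # A real API call is the only reliable probe: ls -l shows mode bits only.
    docker -H "unix://$sock" ps >/dev/null 2>&1 || probe_rc=$?
  fi
  if command -v getenforce >/dev/null 2>&1; then
    selinux=$(getenforce 2>/dev/null) || selinux=""
  fi
  diagnose_docker_sock "$is_sock" "$probe_rc" "$selinux"
}
```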