
Suggestions for improving `eclipse/che start` on a host with SELinux enabled


Running docker run -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start on my Fedora 25 installation fails. It does not matter if the /var/run/docker.sock has been assigned to the docker group, or given chmod 777.

Reproduction Steps:

  1. On Fedora 25, using docker, run docker run -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start
Welcome to Eclipse Che

You are missing a mandatory parameter:
   1. Mount 'docker.sock' for accessing Docker with unix sockets.
   2. Or, set DOCKER_HOST to Docker's location (unix or tcp).
...

Che version: 5.5.0.

OS and version:
Fedora 25 (updated)

Docker version:

Client:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-common-1.12.6-4.gitf499e8b.fc25.x86_64
 Go version:      go1.7.4
 Git commit:      f499e8b/1.12.6
 Built:           Fri Jan 13 11:03:22 2017
 OS/Arch:         linux/amd64

Server:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-common-1.12.6-4.gitf499e8b.fc25.x86_64
 Go version:      go1.7.4
 Git commit:      f499e8b/1.12.6
 Built:           Fri Jan 13 11:03:22 2017
 OS/Arch:         linux/amd64

Solution: The Che container needs to be run with --privileged, else docker ps within the Che container will fail on: /scripts/base/startup_02_pre_docker.sh, init_check_docker(), L289

Although inside the Che container:

bash-4.3# ls -al /var/run/docker.sock
srw-rw---- 1 root 1000 0 Mar 17 08:20 /var/run/docker.sock

access to the socket will still result in Permission denied.

When started as:

$ docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start
Bound 'eclipse/che' to 'eclipse/che:5.5.0'
WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
WARNING: bridge-nf-call-ip6tables is disabled
Welcome to Eclipse Che!

We could not detect a location to save data.
Volume mount a local directory to ':/data'.
...

allows this check to pass. However, successive interaction with the data volume will also fail.

Cause: Likely caused by SELinux. If so, setenforce 0 (disable SELinux) should be described as part of the installation instructions or start banner. Better would be to describe steps that allow it to function WITH SELinux enabled.

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 41 (12 by maintainers)

Top GitHub Comments

2 reactions
gbraad commented, Mar 19, 2017

Example:

$ docker run eclipse/che start
INFO: Welcome to Eclipse Che!
INFO:
INFO: You are missing a mandatory parameter:
INFO:    1. Mount 'docker.sock' for accessing Docker with unix sockets.
INFO:    2. Or, set DOCKER_HOST to Docker's location (unix or tcp).
INFO:
INFO: Mount Syntax:
INFO:    Start with 'docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock' ...
INFO:
INFO: DOCKER_HOST Syntax:
INFO:    Start with 'docker run -it --rm -e DOCKER_HOST=<daemon-location> ...'
INFO:
INFO: Possible root causes:
INFO:    1. Your admin has not granted permissions to /var/run/docker.sock.
INFO:    2. You passed '--user uid:gid' with bad values.
INFO:    3. Your firewall is blocking TCP ports for accessing Docker daemon.

User realizes that he might have to add the configuration to the docker.sock, and so he adds this:

$ docker run -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start
INFO: Welcome to Eclipse Che!
INFO:
INFO: You are missing a mandatory parameter:
INFO:    1. Mount 'docker.sock' for accessing Docker with unix sockets.
INFO:    2. Or, set DOCKER_HOST to Docker's location (unix or tcp).
INFO:
INFO: Mount Syntax:
INFO:    Start with 'docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock' ...
INFO:
INFO: DOCKER_HOST Syntax:
INFO:    Start with 'docker run -it --rm -e DOCKER_HOST=<daemon-location> ...'
INFO:
INFO: Possible root causes:
INFO:    1. Your admin has not granted permissions to /var/run/docker.sock.
INFO:    2. You passed '--user uid:gid' with bad values.
INFO:    3. Your firewall is blocking TCP ports for accessing Docker daemon.

User tries locally: docker ps… tries as a user docker ps, and notices the user has not been granted access. Sure. He modifies the permission on the socket with chmod 770 /var/run/docker.sock, newgrp docker and tries again… and the command succeeds.

He runs the same command again: docker run -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start

Same results… so he starts wondering if he really had to type docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start? No change in message, and no actual error message follows. In this case, showing the error message would be a better idea. WDYT?

A simple test like

[ -S /var/run/docker.sock ] && echo OK || echo FAIL

around https://github.com/eclipse/che/blob/master/dockerfiles/base/scripts/base/startup_02_pre_docker.sh#L289

would have helped to check the state of /var/run/docker.sock. In that case you know something would be wrong with the socket. An additional test, such as:

ls -d -- /var/run/docker.sock > /dev/null

would give you a permission denied (exit code 2) or pass (exit code 0); you could accordingly change the message to indicate that a permission denied occurred on the docker.sock.

At the moment this is left up to the user to guess, as captured in:

INFO: Possible root causes:
INFO:    1. Your admin has not granted permissions to /var/run/docker.sock.
INFO:    2. You passed '--user uid:gid' with bad values.
INFO:    3. Your firewall is blocking TCP ports for accessing Docker daemon.

In this case we surely would know it is:

INFO:    1. Your admin has not granted permissions to /var/run/docker.sock.
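A pre-flight check of the kind gbraad proposes, as an added example and not Che's own startup script: it uses the ls -d and -S tests from the comment, adds a -w write probe, and maps each socket state to one specific banner line so the user is not left guessing between the three "possible root causes". Class names, messages and the default path are my own choices.

```shell
#!/bin/sh
# classify_sock PATH -> prints one of: missing | denied | not-a-socket | no-write | ok | unknown
# Always returns 0; callers decide what to do with the class.
classify_sock() {
  sock=$1
  # ls -d probes the path without opening it and, unlike [ -e ], its stderr
  # tells "does not exist" apart from "not allowed to look" (exit code 2 on GNU ls).
  if ! err=$(ls -d -- "$sock" 2>&1 >/dev/null); then
    case $err in
      *"No such file"*)      echo missing ;;
      *"Permission denied"*) echo denied ;;
      *)                     echo unknown ;;
    esac
    return 0
  fi
  [ -S "$sock" ] || { echo not-a-socket; return 0; }
  # -w asks the kernel via access(2) whether we may write the socket file: the
  # DAC bits (e.g. srw-rw---- root:1000 above) plus, on SELinux hosts, the
  # sock_file write rule. A connect() can still be refused by policy on the
  # daemon's side, so "ok" here followed by a failing 'docker ps' points at AVC denials.
  if [ -w "$sock" ]; then echo ok; else echo no-write; fi
}

# explain_class CLASS -> the single, specific line the startup banner should print.
explain_class() {
  case $1 in
    missing)      echo "docker.sock not found: mount it with -v /var/run/docker.sock:/var/run/docker.sock" ;;
    denied)       echo "Permission denied on the path to docker.sock: check directory modes and the container's SELinux label" ;;
    not-a-socket) echo "docker.sock exists but is not a unix socket: check the -v source path" ;;
    no-write)     echo "docker.sock is a socket but not writable: check its group/mode; if SELinux is enforcing (getenforce), see 'ausearch -m AVC' and prefer --security-opt label=disable over --privileged or setenforce 0" ;;
    ok)           echo "docker.sock is reachable" ;;
    *)            echo "docker.sock is in an unexpected state; re-run with 'ls -ld /var/run/docker.sock'" ;;
  esac
}

# check_docker_sock [PATH] -> prints "class: message"; exit 0 only when usable.
check_docker_sock() {
  class=$(classify_sock "${1:-/var/run/docker.sock}")
  echo "$class: $(explain_class "$class")"
  [ "$class" = ok ]
}

# Run directly with a path to report on it; sourced with no argument, nothing runs.
if [ "$#" -gt 0 ]; then
  check_docker_sock "$1"
fi
```

Run it as `sh check_docker_sock.sh /var/run/docker.sock` inside the container to see which state the socket is actually in.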
2 reactions
gbraad commented, Mar 18, 2017

@eivantsov Even with the data volume it is not starting as expected. SELinux needs to be disabled, else copy actions on the data volume will fail.

Eventually, as @l0rd described,

$ mkdir -p /var/chedata
$ docker run -p 8080:8080 \
       --name che \
       -v /var/run/docker.sock:/var/run/docker.sock \
       -v /var/chedata:/data:Z -e CHE_HOST=10.0.21.42 -e CHE_DOCKER_IP_EXTERNAL=10.0.21.42 \
       -e CHE_DOCKER_SERVER__EVALUATION__STRATEGY=docker-local --security-opt label:disable \
       rhche/che-server  # eclipse/che-server

starts and allows the Dashboard to be opened. But all the described issues with docker run eclipse/che start exist: “permission denied on socket and folders”, “WS not detected”, and so on…

