'make microk8s-operator-update' fails with docker snap
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Canonical Juju | Fix Released | Medium | John A Meinel | |
2.7 | Fix Released | Medium | John A Meinel | |
Bug Description
If you 'snap install docker' that 'docker' binary cannot read /tmp because it is a confined snap. I'm not sure what the exact permissions are, but it probably is allowed to see $HOME, but not /tmp.
I also ran into the problem that 'docker build' needs access to /var/run/
srw-rw---- 1 root root 0 Mar 9 18:12 /var/run/
So it has to be run as 'sudo docker build'. However, you can "chown :adm /var/run/
The actual diff to not require /tmp is pretty trivial:
diff --git a/Makefile b/Makefile
index 4b27f3e88f.
--- a/Makefile
+++ b/Makefile
@@ -189,7 +189,7 @@ check-deps:
# CAAS related targets
DOCKER_USERNAME ?= jujusolutions
-JUJUD_STAGING_DIR ?= /tmp/jujud-operator
+JUJUD_STAGING_DIR ?= ${GOPATH}
JUJUD_BIN_DIR ?= ${GOPATH}/bin
OPERATOR_
# By default the image tag is the full version number, including the build number.
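Review bot: ${GOPATH} on the new JUJUD_STAGING_DIR line is taken straight from the environment with no fallback, so when GOPATH is unset the staging path expands to an empty string (or to a bare suffix rooted at /). Derive it with $(shell go env GOPATH) or have check-deps fail when it is empty. A short comment on that line saying the directory must stay outside /tmp because a snap-confined docker cannot read the host /tmp would also keep a later cleanup from reverting it.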
@@ -208,7 +208,7 @@ endif
operator-image: operator-
rm -rf ${JUJUD_
- mkdir ${JUJUD_
+ mkdir -p ${JUJUD_
cp ${JUJUD_
cp caas/jujud-
cp caas/jujud-
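Review bot: the unchanged rm -rf just above the new mkdir -p now acts on a path built from ${GOPATH} rather than a fixed /tmp location, so the recipe should stop before the rm -rf when the staging variable is empty or resolves to a top-level directory. The -p itself is reasonable, since the parent directory may not exist yet.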
Note that there are still places in the Makefile that use /tmp (and not $TMP), though those use:
docker save ${OPERATOR_
Which doesn't ask *docker* to access those paths, but only your shell.
That said, if we are going to build in JUJUD_STAGING_DIR, it seems odd to use yet-another temp directory for the compressed image. So we might want something more like:
diff --git a/Makefile b/Makefile
index 4b27f3e88f.
--- a/Makefile
+++ b/Makefile
@@ -189,7 +189,8 @@ check-deps:
# CAAS related targets
DOCKER_USERNAME ?= jujusolutions
-JUJUD_STAGING_DIR ?= /tmp/jujud-operator
+DOCKER_STAGING_DIR ?= ${GOPATH}/tmp
+JUJUD_STAGING_DIR ?= ${DOCKER_
JUJUD_BIN_DIR ?= ${GOPATH}/bin
OPERATOR_
# By default the image tag is the full version number, including the build number.
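Review bot: nothing creates ${GOPATH}/tmp for DOCKER_STAGING_DIR explicitly; it only comes into existence as a side effect of the mkdir -p on the JUJUD staging path in operator-image (assuming that path sits under it, the line is cut short here). Any target that writes into DOCKER_STAGING_DIR without first running operator-image needs its own mkdir -p. Both variables are ?=, so a one-line comment that neither may point under /tmp when docker is a snap would help.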
@@ -208,7 +209,7 @@ endif
operator-image: operator-
rm -rf ${JUJUD_
- mkdir ${JUJUD_
+ mkdir -p ${JUJUD_
cp ${JUJUD_
cp caas/jujud-
cp caas/jujud-
@@ -233,8 +234,8 @@ check-k8s-model:
local-
$(eval kubeworkers != juju status -m ${JUJU_K8S_MODEL} kubernetes-worker --format json | jq -c '.machines | keys' | tr -c '[:digit:]' ' ' 2>&1)
- docker save ${OPERATOR_
- $(foreach wm,$(kubeworkers), juju scp -m ${JUJU_K8S_MODEL} /tmp/jujud-
+ docker save ${OPERATOR_
+ $(foreach wm,$(kubeworkers), juju scp -m ${JUJU_K8S_MODEL} ${DOCKER_
$(foreach wm,$(kubeworkers), juju ssh -m ${JUJU_K8S_MODEL} $(wm) -- "zcat /tmp/jujud-
STATIC_
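Review bot: the archive written by docker save into the staging directory is never removed in this hunk, so every run leaves a compressed image behind; add an rm after the foreach loops or a clean target. The unchanged juju ssh line still reads a fixed file name under /tmp on each worker, which has to keep matching the juju scp destination; putting that remote path in one variable used by both lines would prevent the two from drifting apart.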
(the other references to /tmp above are on the target nodes, so less likely to be a problem.)
Oddly, we don't 'rm /tmp/jujud-
Changed in juju:
status: Triaged → Fix Committed
milestone: none → 2.8-beta1
assignee: nobody → John A Meinel (jameinel)
Changed in juju:
status: Fix Committed → Fix Released
I should state this differently. Snaps *do* have access to a '/tmp' directory, but it is intentionally a *different* directory than the host machine's /tmp.
See places like:
https://forum.snapcraft.io/t/temporarydirectory-and-how-to-manage-access-to-tmp/10176
https://forum.snapcraft.io/t/sharing-files-via-tmp/1613/20
Regardless, the fix is still that you cannot use '/tmp' for files that you want to share between snaps and things-that-aren't-that-snap.
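
A pre-flight check for the situation described in this bug, as an added example that is not part of the original report or of the Juju Makefile: it refuses a staging directory under /tmp when docker is a snap, and also refuses an empty or root path. The function names are hypothetical, and treating a docker path under /snap/ or /var/lib/snapd/snap/ as a snap is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight check for a build staging directory.
# Assumption: a snap-packaged docker is reported by `command -v` with a
# path under /snap/ (or /var/lib/snapd/snap/ on some distributions).

# is_snap_binary PATH -> 0 if PATH lives under a snap bin directory
is_snap_binary() {
    case "$1" in
        /snap/*|/var/lib/snapd/snap/*) return 0 ;;
    esac
    return 1
}

# under_tmp DIR -> 0 if DIR is /tmp or below it (lexical check after
# stripping one trailing slash; symlinks and ".." are not resolved)
under_tmp() {
    dir=${1%/}
    case "$dir" in
        /tmp|/tmp/*) return 0 ;;
    esac
    return 1
}

# check_staging DOCKER_PATH STAGING_DIR
# Prints a verdict; returns 0 if usable, 1 if hidden from a snap docker,
# 2 if the path is empty or / (unsafe in front of an rm -rf).
check_staging() {
    docker_path=$1
    staging=$2
    if [ -z "$staging" ] || [ "$staging" = "/" ]; then
        echo "refuse: staging dir is empty or /"
        return 2
    fi
    if is_snap_binary "$docker_path" && under_tmp "$staging"; then
        echo "refuse: snap docker cannot see host $staging"
        return 1
    fi
    echo "ok: $staging"
    return 0
}

# Stand-alone use: sh check.sh --run [DIR] tests the docker found on PATH.
if [ "${1:-}" = "--run" ]; then
    check_staging "$(command -v docker || echo none)" "${2:-/tmp/jujud-operator}"
fi
```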