Snappy

Command `docker build` is broken

Bug #1412343 reported by Ilya Dmitrichenko on 2015-01-19

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	Snappy	Fix Released	Medium	Kick In
	Ubuntu Core Project	New	Undecided	Unassigned

Bug Description

Firstly, as the shell wrapper for docker currently does `cd /apps/docker/1.3.3.001`, it breaks commands that assume current directory of docker is the same as the directory of the parent shell.

ubuntu@localhost:~/weave-demos-master/hello-apps/elasticsearch-js$ cat ./Dockerfile
FROM errordeveloper/iojs-minimal-runtime:v1.0.1

ADD ./ /app/

EXPOSE 80
ubuntu@localhost:~/weave-demos-master/hello-apps/elasticsearch-js$
ubuntu@localhost:~/weave-demos-master/hello-apps/elasticsearch-js$ docker build -t hello-es-app ./
2015/01/19 08:37:03 no Dockerfile found in ./

Secondly, passing absolute path give "permission denied" error:

docker build -t hello-es-app `pwd`
2015/01/19 08:37:24 Error checking context is accessible: 'can't stat '/home/ubuntu/weave-demos-master/hello-apps/elasticsearch-js''. Please check permissions and try again.

Revision history for this message

Ilya Dmitrichenko (errordeveloper) wrote on 2015-01-19:

Clearly it's caused by the current security policy:
Jan 19 08:37:46 localhost.localdomain kernel: audit: type=1400 audit(1421656666.123:11): apparmor="DENIED" operation="open" profile="docker_docker_1.3.3.001" name="/home/ubuntu/weave-demos-master/hello-apps/elasticsearch-js/" pid=4293 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I would be less surprised if the policy did not allow to pass `-v $(pwd):/vol` to `docker run`, but that actually works, which is arguably more of security thread then `docker build $(pwd)`...

Revision history for this message

Ilya Dmitrichenko (errordeveloper) wrote on 2015-01-20:

If chdir is absolutely required, fixing relative path wouldn't be an elegant one... It would be best to avoid chdir.

Revision history for this message

Michael Vogt (mvo) wrote on 2015-01-28:

There is a way to fix this on the way in our docker pacakge.

Changed in snappy-ubuntu:
status:	New → Confirmed
importance:	Undecided → Medium
assignee:	nobody → Kick In (kick-d)

Revision history for this message

Alexander Sack (asac) wrote on 2015-03-31:

kick-d: any update?

Revision history for this message

Kick In (kick-d) wrote on 2015-03-31:

Yes, it is working now with new docker-1.3.3.002 uploaded to the store.

Wanted to update it once docker-1.5.0 is out.

For 'docker build .' to work, you need to be in your $HOME/apps/docker directory, as docker will be restricted from reading/loading files outside this directory by apparmor.

Changed in snappy-ubuntu:
status:	Confirmed → Fix Released

Michael Terry (mterry) on 2015-05-18

affects:

snappy-ubuntu → snappy

Revision history for this message

Pedro I. Sanchez (pirivan) wrote on 2015-09-18:

Where is the fix?
I just started with snappy and hit this problem. Here is my system:

$ snappy info
release: ubuntu-core/15.04/stable
architecture: amd64
frameworks: docker, webdm
apps:

$ snappy list
Name Date Version Developer
ubuntu-core 2015-09-17 5 ubuntu
docker 2015-09-17 1.6.2.003 canonical
webdm 2015-09-17 0.9 canonical
generic-amd64 2015-09-17 1.4 canonical

$ cd my-image
$ docker build -t my-image .
FATA[0000] Error checking context is accessible: 'can't stat '.''. Please check permissions and try again.
$ cd ~/apps/docker
$ docker build -t my-image .
FATA[0000] Error checking context is accessible: 'no permission to read from 'Dockerfile''. Please check permissions and try again.

Revision history for this message

h (hsdch) wrote on 2015-09-20:

Mr Sanchez - you nearly had it!
On Ubuntu Snappy: I had to copy the dockerfile folder to /home/ubuntu/apps/docker/1.6.2.003
Then "cd /home/ubuntu/apps/docker/1.6.2.003/mydockerbuildfolder"
Running "docker build -t my-image ." from here works !

Revision history for this message

Huygens (huygens-25) wrote on 2017-02-14:

I think I have a bug which is related.

I've installed Ubuntu Core on a Raspberry Pi 2 and then I have installed Docker using `snap install docker`.

Now I've created a folder under my home directory `mkdir tmux`, and created a Dockerfile under that folder.

Running `sudo docker build -t tmux .` fails:

Error checking context: 'can't stat '/home/huygens-25/tmux''.

Checking the logs, I see that docker is denied access to the folder by AppArmor.

Where are we suppose to create Dockerfile?

How to solve it?

Revision history for this message

Gary.Wang (gary-wzl77) wrote on 2017-03-21:

@Huygens
If you remove sudo in your command line, docker build command will be working for you.
Here is the reason
https://bugs.launchpad.net/snappy/+bug/1674505/comments/1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.