Error checking context: 'can't stat '/home/user/docker-project' when running docker build

Bug #1674505 reported by Gary.Wang
This bug affects 1 person
Affects: Snappy
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

gary@ubuntu:~/snap/docker/bug1$ snap --version
snap 2.23.1
snapd 2.23.1
series 16
ubuntu 16.04
kernel 4.4.0-67-generic

To reproduce the issue:
1. install the docker snap from stable channel
    sudo snap install docker
2. check if home interface is connected (actually, it's auto-connected)
    snap interfaces
3. get the test app and put it under home directory
    bzr branch lp:~gary-wzl77/+junk/test_build ~/test_build
4. go to the docker project folder and try to build
    cd ~/test_build && sudo docker build -t hello-world .
    Error checking context: 'can't stat '/home/gary/test_build''.
5. check the syslog
    Mar 21 07:33:54 ubuntu kernel: [155777.026938] audit: type=1400 audit(1490052834.915:56320): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/home/gary/test_build/" pid=99651 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000

* A similar apparmor denial error occurs when running docker.compose.
* Put the project file under ~/apps/docker/ or ~/snap/docker/, try to re-build and get the same error.
* Someone already had the same issue running "docker build" with the docker-snap in the store:
https://bugs.launchpad.net/snappy/+bug/1412343/comments/8

Gary.Wang (gary-wzl77) wrote :

Okay, I found the root cause of why docker build and docker compose don't work for me now.

Regarding the "Error checking context: 'can't stat "
We have apparmor policy for the read-only home area

owner @{HOME}/snap/@{SNAP_NAME}/ r,
owner @{HOME}/snap/@{SNAP_NAME}/** mrkix,

and read/write home area in @{HOME} if home interface is declared in yaml file and connected

owner @{HOME}/ r,
owner @{HOME}/[^s.] rwk,
owner @{HOME}/s[^n] rwk,
owner @{HOME}/sn[^a] rwk,
owner @{HOME}/sna[^p] rwk,
owner @{HOME}/{s,sn,sna}{,/} rwk,

I'm carrying over habits from the snap command with sudo. However, when I prepend "sudo" to the docker command, it turns out the read/write home area ends up being
/root/
instead of the user's $HOME
/home/gary/ (in my case)

That's why I see the "apparmor denies" error when running the following command:
cd ~/test_build && sudo docker build -t hello-world .
After removing sudo, the image can be generated successfully.

However, with docker (docker.io deb package), running sudo docker
works well and the image can be created as usual.
That's the difference in the usage of docker between the deb package and the snap package at this point.

Gary.Wang (gary-wzl77)
Changed in snappy:
status: New → Invalid
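
An added triage helper, not part of the bug report or of snapd: it parses the AppArmor denial quoted in step 5 and reports whether the task's fsuid differs from the file's ouid, the condition under which `owner` rules like those quoted in the comment above do not apply. The function names and the second sample line are constructed for this example.

```python
import re

# key=value or key="value" pairs as written in kernel audit records
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Denial quoted in step 5 of the report above
REPORT_LINE = ('Mar 21 07:33:54 ubuntu kernel: [155777.026938] audit: type=1400 '
               'audit(1490052834.915:56320): apparmor="DENIED" operation="open" '
               'profile="snap.docker.docker" name="/home/gary/test_build/" pid=99651 '
               'comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000')
# Constructed variant with fsuid equal to ouid, only to exercise the other branch
CONSTRUCTED_LINE = REPORT_LINE.replace("fsuid=0", "fsuid=1000")


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in FIELD_RE.findall(line)}


def owner_mismatch(fields):
    """True if fsuid != ouid, False if equal, None if the record has neither.

    AppArmor `owner` rules apply only when the task's fsuid equals the uid
    owning the file, so a mismatch means no `owner` rule can grant the access.
    """
    if "fsuid" not in fields or "ouid" not in fields:
        return None
    return fields["fsuid"] != fields["ouid"]


def triage(line):
    """Summarise one log line; None if it is not an AppArmor denial."""
    fields = parse_denial(line)
    if fields is None:
        return None
    return {
        "profile": fields.get("profile"),
        "path": fields.get("name"),
        "denied_mask": fields.get("denied_mask"),
        "owner_mismatch": owner_mismatch(fields),
    }


if __name__ == "__main__":
    for sample in (REPORT_LINE, CONSTRUCTED_LINE):
        print(triage(sample))
```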
Ara Pulido (ara) wrote :

Back to new, as Gary is finding that this still doesn't work in Ubuntu Core

Changed in snappy:
status: Invalid → New
Ara Pulido (ara) wrote :

Back to invalid, this is an issue with the snap

Changed in snappy:
status: New → Invalid