Command `docker build` is broken

Bug #1412343 reported by Ilya Dmitrichenko on 2015-01-19
This bug affects 3 people
Affects: Snappy (Importance: Medium; Assigned to: Kick In)
Affects: Snappy Ubuntu Core (Status: New; Importance: Undecided; Assigned to: Unassigned)

Bug Description

Firstly, as the shell wrapper for docker currently does `cd /apps/docker/1.3.3.001`, it breaks commands that assume current directory of docker is the same as the directory of the parent shell.

ubuntu@localhost:~/weave-demos-master/hello-apps/elasticsearch-js$ cat ./Dockerfile
FROM errordeveloper/iojs-minimal-runtime:v1.0.1

ADD ./ /app/

EXPOSE 80
ubuntu@localhost:~/weave-demos-master/hello-apps/elasticsearch-js$
ubuntu@localhost:~/weave-demos-master/hello-apps/elasticsearch-js$ docker build -t hello-es-app ./
2015/01/19 08:37:03 no Dockerfile found in ./

Secondly, passing an absolute path gives a "permission denied" error:

docker build -t hello-es-app `pwd`
2015/01/19 08:37:24 Error checking context is accessible: 'can't stat '/home/ubuntu/weave-demos-master/hello-apps/elasticsearch-js''. Please check permissions and try again.

Clearly it's caused by the current security policy:
Jan 19 08:37:46 localhost.localdomain kernel: audit: type=1400 audit(1421656666.123:11): apparmor="DENIED" operation="open" profile="docker_docker_1.3.3.001" name="/home/ubuntu/weave-demos-master/hello-apps/elasticsearch-js/" pid=4293 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I would be less surprised if the policy did not allow passing `-v $(pwd):/vol` to `docker run`, but that actually works, which is arguably more of a security threat than `docker build $(pwd)`...

If chdir is absolutely required, fixing relative path wouldn't be an elegant one... It would be best to avoid chdir.
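
Added example, not part of the original report or of the snappy project's code: a small Python parser for the AppArmor audit record quoted above, which extracts the profile, path and denied mask and checks the path against the `$HOME/apps/docker` directory named later in the thread. The function names, the second log line (constructed to show the hex-encoded `name=` form the audit layer uses for paths containing spaces) and the plain prefix test standing in for the real profile rules are assumptions.

```python
import posixpath
import re

# Line 1 is the audit record quoted in the report. Lines 2 and 3 are
# constructed: the same denial for a path with a space (emitted as unquoted
# hex), and an unrelated kernel message.
SAMPLE_LOG = [
    'Jan 19 08:37:46 localhost.localdomain kernel: audit: type=1400 audit(1421656666.123:11): apparmor="DENIED" operation="open" profile="docker_docker_1.3.3.001" name="/home/ubuntu/weave-demos-master/hello-apps/elasticsearch-js/" pid=4293 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Jan 19 08:40:02 localhost.localdomain kernel: audit: type=1400 audit(1421656802.456:12): apparmor="DENIED" operation="open" profile="docker_docker_1.3.3.001" name=2F686F6D652F7562756E74752F6D7920617070 pid=4301 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Jan 19 08:40:03 localhost.localdomain kernel: eth0: link up',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    rec = {}
    for key, quoted, bare in FIELD.findall(line):
        value = bare or quoted
        # An unquoted name= value is hex-encoded by the audit layer.
        if key == "name" and bare and HEX_RE.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = value
    return rec if rec.get("apparmor") == "DENIED" else None

def under(path, root):
    """True if path is root or lies beneath it, after resolving '..' and '//'."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def explain(lines, allowed_root):
    """List (profile, path, denied_mask, inside_allowed_root) for each denial."""
    rows = []
    for line in lines:
        rec = parse_denial(line)
        if rec:
            path = rec.get("name", "")   # non-file denials carry no name=
            rows.append((rec.get("profile"), path, rec.get("denied_mask"),
                         under(path, allowed_root)))
    return rows

if __name__ == "__main__":
    # Assumption: $HOME is /home/ubuntu, as in the report's shell prompt.
    for row in explain(SAMPLE_LOG, "/home/ubuntu/apps/docker"):
        print(row)
```
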

Michael Vogt (mvo) wrote :

There is a way to fix this on the way in our docker package.

Changed in snappy-ubuntu:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Kick In (kick-d)

Alexander Sack (asac) wrote :

kick-d: any update?

Kick In (kick-d) wrote :

Yes, it is working now with new docker-1.3.3.002 uploaded to the store.

Wanted to update it once docker-1.5.0 is out.

For 'docker build .' to work, you need to be in your $HOME/apps/docker directory, as docker will be restricted from reading/loading files outside this directory by apparmor.

Changed in snappy-ubuntu:
status: Confirmed → Fix Released

Michael Terry (mterry) on 2015-05-18
affects: snappy-ubuntu → snappy

Pedro I. Sanchez (pirivan) wrote :

Where is the fix?
I just started with snappy and hit this problem. Here is my system:

$ snappy info
release: ubuntu-core/15.04/stable
architecture: amd64
frameworks: docker, webdm
apps:

$ snappy list
Name Date Version Developer
ubuntu-core 2015-09-17 5 ubuntu
docker 2015-09-17 1.6.2.003 canonical
webdm 2015-09-17 0.9 canonical
generic-amd64 2015-09-17 1.4 canonical

$ cd my-image
$ docker build -t my-image .
FATA[0000] Error checking context is accessible: 'can't stat '.''. Please check permissions and try again.
$ cd ~/apps/docker
$ docker build -t my-image .
FATA[0000] Error checking context is accessible: 'no permission to read from 'Dockerfile''. Please check permissions and try again.

h (hsdch) wrote :

Mr Sanchez - you nearly had it!
On Ubuntu Snappy: I had to copy the dockerfile folder to /home/ubuntu/apps/docker/1.6.2.003
Then "cd /home/ubuntu/apps/docker/1.6.2.003/mydockerbuildfolder"
Running "docker build -t my-image ." from here works !

Huygens (huygens-25) wrote :

Hi

I think I have a bug which is related.

I've installed Ubuntu Core on a Raspberry Pi 2 and then I have installed Docker using `snap install docker`.

Now I've created a folder under my home directory `mkdir tmux`, and created a Dockerfile under that folder.

Running `sudo docker build -t tmux .` fails:

Error checking context: 'can't stat '/home/huygens-25/tmux''.

Checking the logs, I see that docker is denied access to the folder by AppArmor.

Where are we supposed to create the Dockerfile?

How to solve it?

Gary.Wang (gary-wzl77) wrote :

@Huygens
If you remove sudo from your command line, the docker build command will work for you.
Here is the reason:
https://bugs.launchpad.net/snappy/+bug/1674505/comments/1
