Docker and volumes hell

Kris Buytaert — Sat, 28 May 2016 11:16:45 +0000

We're increasingly using Docker to build packages, a fresh chroot in which we prepare a number of packages, builds typically for ruby (rvm) , or python (virtualenv) or node stuf where the language ecosystem fails on us ... and fpm the whole tree as a working artifact.

An example of such a build is my work on packaging Dashing. https://github.com/KrisBuytaert/build-dashing

Now part of that build is running the actual build script in docker with a local volume mounted inside the container This is your typical -v=/home/src/dashing-docker/package-scripts:/scripts param.

Earlier this week however I was stuck on a box where that combo did not want to work as expected. Docker clearly mounted the local volume, as it could execute the script in the directory, but for some reason it didn't want to write in the mounted volume.

docker run -v=/home/src/dashing-docker/package-scripts:/scripts dashing/rvm /scripts/packagervm
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
corefines: Your Ruby doesn't support refinements, so I'll fake them using plain monkey-patching (not scoped!).
/usr/local/share/gems/gems/corefines-1.9.0/lib/corefines/support/fake_refinements.rb:26: warning: Refinements are experimental, and the behavior may change in future versions of Ruby!
/usr/share/ruby/fileutils.rb:1381:in `initialize': Permission denied - rvm-1.27.0-1.x86_64.rpm (Errno::EACCES)

So what was I doing wrong, did the Docker params change, did I invert the order of the params, did I mistype them ? I added debugging to the script, (ls , chmod, etc..) and I couldn't seem to read or modify the directory. So I asked a coworker to be my wobbling duck.

He did more .. he wondered if this wasn't selinux.

And he was right..

Apr 23 21:47:00 mine23.inuits.eu audit[9570]: AVC avc: denied { write } for pid=9570 comm="fpm" name="package-scripts" dev="dm-2" ino=368957 scontext=system_u:system_r:svirt_lxc_net_t:s0:c47,c929 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Apr 23 21:47:02 mine23.inuits.eu python3[9597]: SELinux is preventing fpm from write access on the directory /home/src/dashing-docker/package-scripts.

So while I was looking for errors in docker, it was just my selinux set to enforce acting up and me not noticing it.

The quick way to verify obvisously was to setenforce 0 and trigger the build again that however is not a long term fix so I changed the

semanage fcontext -a -t cgroup_t '/home/src/dashing-docker/package-scripts'
restorecon -v '/home/src/dashing-docker/package-scripts'

That solves the problem

Ruby Gems Yum Repo

Kris Buytaert — Wed, 08 Aug 2012 20:28:18 +0000

For those of you that are looking for my old build-gems Github repo, given that lots of other Inuits collegues are using it too I've transferred ownership of that repo to the Inuits group.

It can now be found on https://github.com/Inuits/build-gems/ (Yes directory indexes are disabled on purpose..)

The build result has also been moved. We've replaced our static repo.inuits.be with a Pulp powered yum repo.

The new location of the rubygems rpm repo now is at http://pulp.inuits.eu/pulp/repos/rubygems/

Which can be used as

[rubygems]
name=RubyGems at Inuits
baseurl=http://pulp.inuits.eu/pulp/repos/rubygems
gpgcheck=0

or even

yumrepo { 'rubygems':
    baseurl  => 'http://pulp.inuits.eu/pulp/repos/rubygems',
    descr    => 'RubyGems at Inuits',
    gpgcheck => '0',
      }

More repos are moving .. I`ll be updating Vagrant trees as I go ..

Everything is a Freaking DNS problem - fpm

Docker and volumes hell

Ruby Gems Yum Repo