Using Docker in a Snap

Dustin Kirkland kirkland at canonical.com
Fri Jul 17 13:51:15 UTC 2015


On Fri, Jul 17, 2015 at 8:21 AM, Jamie Strandboge <jamie at canonical.com> wrote:
> On 07/16/2015 11:52 PM, Dustin Kirkland wrote:
>> On Thu, Jul 16, 2015 at 11:38 PM, Dustin Kirkland
>> <kirkland at canonical.com> wrote:
>>> Okay, so there was a whitespace problem in my package.yaml.  Needed to
>>> indent caps under services.
>>>
>>> Now I'm past the "Operation not permitted" problem.  But I'm getting a
>>> "Bad system call" error now:
>>>
>>> Jul 17 04:34:16 localhost kernel: [ 8477.690420] audit: type=1400
>>> audit(1437107656.948:21): apparmor="STATUS" operation="profile_load"
>>> profile="unconfined" name="mprime.sideload_mprime_28.5-7" pid=3116
>>> comm="apparmor_parser"
>>> Jul 17 04:34:17 localhost systemd[1]: Reloading.
>>> Jul 17 04:34:17 localhost systemd[1]: Started Search for Mersenne Prime Numbers.
>>> Jul 17 04:34:17 localhost systemd[1]: Starting Search for Mersenne
>>> Prime Numbers...
>>> Jul 17 04:34:17 localhost ubuntu-core-launcher[3132]: +
>>> /apps/docker/current/bin/docker run -d kirkland/mprime
>>> Jul 17 04:34:17 localhost ubuntu-core-launcher[3132]: Bad system call
>>> Jul 17 04:34:17 localhost kernel: [ 8477.912720] audit: type=1326
>>> audit(1437107657.172:22): auid=4294967295 uid=0 gid=0 ses=4294967295
>>> pid=3134 comm="docker" exe="/bin/bash" sig=31 arch=c000003e syscall=42
>>> compat=0 ip=0x7f67ec32dc40 code=0x0
>>> Jul 17 04:34:17 localhost systemd[1]: mprime_mprime_28.5-7.service:
>>> main process exited, code=exited, status=159/n/a
>>> Jul 17 04:34:17 localhost systemd[1]: Unit
>>> mprime_mprime_28.5-7.service entered failed state.
>>> Jul 17 04:34:17 localhost systemd[1]: mprime_mprime_28.5-7.service failed.
>>> Jul 17 04:34:24 localhost ubuntu-core-launcher[725]:
>>> time="2015-07-17T04:34:24Z" level=info msg="GET
>>> /v1.18/containers/json"
>>> Jul 17 04:34:24 localhost ubuntu-core-launcher[725]:
>>> time="2015-07-17T04:34:24Z" level=info msg="+job containers()"
>>> Jul 17 04:34:24 localhost ubuntu-core-launcher[725]:
>>> time="2015-07-17T04:34:24Z" level=info msg="-job containers() = OK
>>> (0)"
>>>
>>> Ideas?  Is this a seccomp problem?
>>
>> Okay.  Fixed that by adding the network cap.  (Syscall 42 in Linux is connect())
>>
> Note that the syscall number is architecture dependent.
>
>> But now, it looks like the /apps/docker/current/bin/docker wrapper
>> script is just broken?
>>
>
> Possibly (at least it could perhaps be made easier to use). I noticed that the
> owncloud snap has:
>
> DOCKER_PATH="/apps/docker/current/bin/"
> PATH=$PATH:$DOCKER_PATH
> DOCKER_CMD="docker"
>
> Maybe you need something similar? (you might look at the script for how it sets
> and uses other env variables).

Okay, I got it working.  I tried to copy (but minimize) what the
owncloud script was doing.  Possibly it was the docker wait that I
needed?

For the record, my working wrapper script is:

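#!/bin/sh
# Make the docker snap's client binary reachable by name
DOCKER_PATH="/apps/docker/current/bin/"
PATH=$PATH:$DOCKER_PATH
DOCKER_CMD="docker"
# Force-remove any leftover container named mprime, along with its volumes
$DOCKER_CMD rm -v -f mprime
# Start the container detached under a fixed name
$DOCKER_CMD run --name mprime -d kirkland/mprime
# Block until the container stops
$DOCKER_CMD wait mprime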

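For triaging a "Bad system call" like the one quoted in this thread, here is an added example (not part of the original messages) that decodes the type=1326 seccomp audit record using its arch field, so the syscall number is resolved against the right table. The syscall tables are small excerpts and the function names are this example's own.

```python
import re

# AUDIT_ARCH_* values from <linux/audit.h>
AUDIT_ARCH = {
    0xC000003E: "x86_64",
    0x40000003: "i386",
    0xC00000B7: "aarch64",
    0x40000028: "arm",
}

# Partial excerpts of each syscall table: the same number means different calls
SYSCALLS = {
    "x86_64": {41: "socket", 42: "connect", 49: "bind"},
    "i386": {42: "pipe", 359: "socket", 362: "connect"},
    "aarch64": {42: "nfsservctl", 198: "socket", 203: "connect"},
    "arm": {42: "pipe", 281: "socket", 283: "connect"},
}

SIGSYS = 31  # signal delivered when a seccomp filter kills the process

# The type=1326 record quoted in the thread, rejoined onto one line
SAMPLE = (
    'Jul 17 04:34:17 localhost kernel: [ 8477.912720] audit: type=1326 '
    'audit(1437107657.172:22): auid=4294967295 uid=0 gid=0 ses=4294967295 '
    'pid=3134 comm="docker" exe="/bin/bash" sig=31 arch=c000003e syscall=42 '
    'compat=0 ip=0x7f67ec32dc40 code=0x0'
)

def decode_seccomp(line):
    """Describe a type=1326 (AUDIT_SECCOMP) record; None for other lines."""
    if "type=1326" not in line:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    arch = AUDIT_ARCH.get(int(fields["arch"], 16), "unknown")
    nr = int(fields["syscall"])
    return {
        "comm": fields["comm"].strip('"'),
        "arch": arch,
        "syscall": SYSCALLS.get(arch, {}).get(nr, f"nr {nr} (not in excerpt)"),
        "killed_by_sigsys": int(fields["sig"]) == SIGSYS,
    }

def signal_from_status(status):
    """Map a shell-style exit status (128 + signal) back to the signal number."""
    return status - 128 if status > 128 else None

if __name__ == "__main__":
    print(decode_seccomp(SAMPLE))
    print("status=159 -> signal", signal_from_status(159))
```
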

