Docker: Failed to set capabilities on file `/usr/bin/python3.7' (Not supported) #157

Closed
Himura2la opened this issue Oct 28, 2019 · 11 comments

@Himura2la

Himura2la commented Oct 28, 2019

# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian

# docker --version
Docker version 19.03.1, build 74b1e89

# docker-compose --version
docker-compose version 1.24.1, build 4667896b

# docker-compose up --build
Building mtprotoproxy
Step 1/8 : FROM alpine:3.10
 ---> 965ea09ff2eb
Step 2/8 : RUN adduser tgproxy -u 10000 -D
 ---> Running in 864afa9bba86
Removing intermediate container 864afa9bba86
 ---> 739dbc801cd6
Step 3/8 : RUN apk add --no-cache python3 py3-cryptography ca-certificates libcap
 ---> Running in 1e8e1b194e55
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/19) Installing ca-certificates (20190108-r0)
(2/19) Installing libcap (2.27-r0)
(3/19) Installing libbz2 (1.0.6-r7)
(4/19) Installing expat (2.2.8-r0)
(5/19) Installing libffi (3.2.1-r6)
(6/19) Installing gdbm (1.13-r1)
(7/19) Installing xz-libs (5.2.4-r0)
(8/19) Installing ncurses-terminfo-base (6.1_p20190518-r0)
(9/19) Installing ncurses-terminfo (6.1_p20190518-r0)
(10/19) Installing ncurses-libs (6.1_p20190518-r0)
(11/19) Installing readline (8.0.0-r0)
(12/19) Installing sqlite-libs (3.28.0-r1)
(13/19) Installing python3 (3.7.5-r1)
(14/19) Installing py3-cparser (2.19-r2)
(15/19) Installing py3-cffi (1.11.5-r4)
(16/19) Installing py3-idna (2.8-r1)
(17/19) Installing py3-asn1crypto (0.24.0-r1)
(18/19) Installing py3-six (1.12.0-r1)
(19/19) Installing py3-cryptography (2.6.1-r1)
Executing busybox-1.30.1-r2.trigger
Executing ca-certificates-20190108-r0.trigger
OK: 77 MiB in 33 packages
Removing intermediate container 1e8e1b194e55
 ---> e77305fd7f10
Step 4/8 : RUN chown -R tgproxy:tgproxy /home/tgproxy
 ---> Running in 3ac90a514b91
Removing intermediate container 3ac90a514b91
 ---> cfaed776a9fc
Step 5/8 : RUN setcap cap_net_bind_service=+ep /usr/bin/python3.7
 ---> Running in 6073f3335290
Failed to set capabilities on file `/usr/bin/python3.7' (Not supported)
usage: setcap [-q] [-v] [-n <rootid>] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

 Note <filename> must be a regular (non-symlink) file.
ERROR: Service 'mtprotoproxy' failed to build: The command '/bin/sh -c setcap cap_net_bind_service=+ep /usr/bin/python3.7' returned a non-zero code: 1

@Himura2la
Author

Himura2la commented Oct 28, 2019

I worked around this by running a service locally via SystemD instead of docker.

By the way, my hardware is a VPS under a VMware hypervisor

@Himura2la Himura2la reopened this Oct 28, 2019
@seriyps

seriyps commented Oct 28, 2019

> I worked around this by running a service locally via SystemD instead of docker.

Don't forget to install the crypto library! Otherwise it will be slow.

@alexbers
Owner

Hello, which docker-compose version are you using? If you use the version from snap, please try to install the usual version using these instructions: https://docs.docker.com/install/linux/docker-ce/debian/

Here is a full command sequence for Debian 9:

apt update
apt install git apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
apt-key fingerprint 0EBFCD88
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
apt update
apt install docker-ce docker-compose
git clone -b stable https://github.com/alexbers/mtprotoproxy.git
cd mtprotoproxy
docker-compose up

@Himura2la
Author

Himura2la commented Oct 28, 2019

@alexbers I showed the docker-compose version in the console log. It's 1.24.1. And yes, I install docker using their official instructions. By the way, the official way to install docker-compose is downloading a binary from GitHub Releases, besides the package manager, like this:

sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

@seriyps thanks for your advice. Looks like it was already bundled or I installed it for some other tool:

# pip3 install cryptography
Requirement already satisfied: cryptography in /usr/lib/python3/dist-packages

It's hard to miss with the logging like this :)

msg = "To make the program a *lot* faster, please install cryptography module: "
msg += "pip install cryptography\n"

@alexbers
Owner

What about the docker installation method? Is it from snap? This can be checked with the which docker command. If it returns /snap/bin/docker then it is from snap.

@Himura2la
Author

Himura2la commented Oct 29, 2019

Snap is not an official way to install docker, but I use the official ones (from docker's apt repo). It's not from snap, there isn't even snap or flatpak preinstalled on Debian (for good).

# which docker
/usr/bin/docker

@alexbers
Owner

I'm trying to reproduce the problem, but haven't managed to yet.

I think the problem can be bypassed by removing these strings from the Dockerfile:

RUN setcap cap_net_bind_service=+ep /usr/bin/python3.7
USER tgproxy

But the full command sequence to reproduce the behavior from a just-installed Debian 9 would be helpful.

@Himura2la
Author

Himura2la commented Oct 29, 2019

It builds without the RUN setcap line. I tried to research the setcap problem:

# docker run --rm -it alpine:3.10
/ # apk add --no-cache python3 py3-cryptography ca-certificates libcap
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/19) Installing ca-certificates (20190108-r0)
(2/19) Installing libcap (2.27-r0)
(3/19) Installing libbz2 (1.0.6-r7)
(4/19) Installing expat (2.2.8-r0)
(5/19) Installing libffi (3.2.1-r6)
(6/19) Installing gdbm (1.13-r1)
(7/19) Installing xz-libs (5.2.4-r0)
(8/19) Installing ncurses-terminfo-base (6.1_p20190518-r0)
(9/19) Installing ncurses-terminfo (6.1_p20190518-r0)
(10/19) Installing ncurses-libs (6.1_p20190518-r0)
(11/19) Installing readline (8.0.0-r0)
(12/19) Installing sqlite-libs (3.28.0-r1)
(13/19) Installing python3 (3.7.5-r1)
(14/19) Installing py3-cparser (2.19-r2)
(15/19) Installing py3-cffi (1.11.5-r4)
(16/19) Installing py3-idna (2.8-r1)
(17/19) Installing py3-asn1crypto (0.24.0-r1)
(18/19) Installing py3-six (1.12.0-r1)
(19/19) Installing py3-cryptography (2.6.1-r1)
Executing busybox-1.30.1-r2.trigger
Executing ca-certificates-20190108-r0.trigger
OK: 77 MiB in 33 packages
/ # setcap cap_net_bind_service=+ep /usr/bin/python3.7
Failed to set capabilities on file `/usr/bin/python3.7' (Not supported)
usage: setcap [-q] [-v] [-n <rootid>] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

 Note <filename> must be a regular (non-symlink) file.
/ # getcap /usr/bin/python3.7
Failed to get capabilities of file `/usr/bin/python3.7' (Not supported)
/ #

I'm afraid a normal bare-metal debian will be OK, if you can't reproduce this... Maybe it will reproduce on another VPS from my provider (aruba cloud)

Additional research on another image:

# docker run --rm -it python bash
root@6ace3bd51690:/# setcap cap_net_bind_service=+ep /usr/local/bin/python3.8
Failed to set capabilities on file `/usr/local/bin/python3.8' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file

@Himura2la
Author

I found the issue!

# docker info
...
 Storage Driver: aufs
...

AUFS does not support setcap. No idea why my docker uses AUFS, will try to change this. Thanks for participating

@Himura2la
Author

Himura2la commented Oct 29, 2019

I used this topic to change the backend https://docs.docker.com/v17.09/engine/userguide/storagedriver/overlayfs-driver/
Now everything works!
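
A triage helper for the failure diagnosed above, as an added example that is not part of the original thread or of the mtprotoproxy project. It reads the storage driver out of docker info text, classifies it using only what this thread established (aufs rejects setcap, the overlayfs driver accepts it), and recognises the setcap/getcap error in a build log; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from any project.

# Print the storage driver named in `docker info` text read from stdin.
storage_driver() {
    sed -n 's/^[[:space:]]*Storage Driver:[[:space:]]*//p' | head -n 1
}

# Classify a driver using only what the thread established.
# Returns 0 = file capabilities work (overlayfs driver),
#         1 = setcap is rejected (aufs),
#         2 = driver not covered by this thread, probe it instead.
driver_filecaps() {
    case "$1" in
        overlay|overlay2) return 0 ;;
        aufs)             return 1 ;;
        *)                return 2 ;;
    esac
}

# Return 0 if the text on stdin contains the setcap/getcap failure seen in
# the thread: "(Not supported)" on Alpine, "(Operation not supported)" on
# the Debian-based python image.
has_filecap_enotsup() {
    grep -Eq 'Failed to (set|get) capabilities (on|of) file .*\((Operation )?[Nn]ot supported\)'
}

# Live probe for drivers the table above does not cover. Needs root and
# libcap's setcap. Works on a scratch copy of /bin/true inside DIR, so no
# installed binary is modified. Returns 0 if setcap succeeded, 2 if the
# probe could not be run, otherwise setcap's own non-zero exit status.
probe_filecaps() {
    command -v setcap >/dev/null 2>&1 || return 2
    f=$(mktemp "${1:-.}/capprobe.XXXXXX") || return 2
    cp /bin/true "$f"
    setcap cap_net_bind_service=+ep "$f" 2>/dev/null
    rc=$?
    rm -f "$f"
    return "$rc"
}
```

Typical use on the Docker host is `docker info | storage_driver`, then `driver_filecaps` on the result; run `probe_filecaps /` inside a throwaway container when the driver is neither aufs nor overlay.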

@alexbers
Owner

Nice!

I registered on Aruba and executed these commands:

apt update
apt upgrade
apt install curl
curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
apt install git apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
apt-key fingerprint 0EBFCD88
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
apt update
apt install docker-ce docker-compose
git clone -b stable https://github.com/alexbers/mtprotoproxy.git
cd mtprotoproxy
docker-compose up

The proxy started successfully
