failed to map segment from shared object error on start

[gregaumann]

When I run docker-compose --version on a host with noexec set on /tmp I get the following error:
docker-compose: error while loading shared libraries: libz.so.1: failed to map segment from shared object: Operation not permitted

This is docker-compose version 1.2.0 running on Centos 6

A google search turned up the same error happening with another application and they attributed it to noexec being set on /tmp http://admin-ahead.com/portal/knowledgebase/4/error-while-loading-shared-libraries-libzso1-failed-to-map-segment-from-shared-object-Operation-not-permitted.html

This server has noexec set on /tmp and the error message is the same so I expect that is the cause. Trying to set TMP to another location without noexec didn't work.

[kevana]

Same issue,

Linux devdocker01 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

Client version: 1.5.0
Client API version: 1.17
Go version (client): go1.3.3
Git commit (client): a8a31ef/1.5.0
OS/Arch (client): linux/amd64
Server version: 1.5.0
Server API version: 1.17
Go version (server): go1.3.3
Git commit (server): a8a31ef/1.5.0

Containers: 98
Images: 892
Storage Driver: devicemapper
 Pool Name: docker-8:17-2097153-pool
 Pool Blocksize: 65.54 kB
 Backing Filesystem: extfs
 Data file: 
 Metadata file: 
 Data Space Used: 49.5 GB
 Data Space Total: 107.4 GB
 Metadata Space Used: 61.08 MB
 Metadata Space Total: 2.147 GB
 Udev Sync Supported: true
 Library Version: 1.02.89-RHEL6 (2014-09-01)
Execution Driver: native-0.2
Kernel Version: 2.6.32-504.16.2.el6.x86_64
Operating System: <unknown>
CPUs: 4
Total Memory: 31.35 GiB
Name: devdocker01
ID: ZXFF:IZ7S:IEWD:76ZV:B5WR:HWHI:G7WX:DD4T:YDYL:FPEG:D6SR:GSFU
Debug mode (server): false
Debug mode (client): true
Fds: 321
Goroutines: 200
EventsListeners: 0
Init SHA1: bd0359e86e0e97527aa6298afba8df863db179c8
Init Path: /usr/libexec/docker/dockerinit
Docker Root Dir: /var/lib/docker

How reproducible:

100%

Steps to Reproduce:

1. download docker-compose 1.2.0
2. $ docker-compose --version

Actual Results:

error while loading shared libraries: libz.so.1: failed to map segment from shared object: Operation not permitted

Expected Results:

docker-compose 1.2.0

Additional info:

This started when I upgraded to version 1.2.0 on RHEL 6.6 with noexec on /tmp
We got around the issue by setting TMP for 1.1.0, but it doesn't seem to work anymore

#!/bin/bash
TMP=/var/docker-compose-tmp
export TMP
/usr/local/bin/docker-compose-orig "$@"

[kevana]

Well, this is awkward, it turned out to be a permissions issue with /var/docker-compose-tmp. Happy Friday....

[alexzeitgeist]

FWIW this issue is still prevalent in Docker 1.3.0 RC3, requiring /tmp to be exec.

[AndrewSwerlick]

This should probably be called out in documentation somewhere. Just got bit by the fact the this was configured differently on our staging and prod servers, so our new deployment workflow using compose failed in production.

[ChrisRut]

Issue still prevalent in:

$ docker --version
Docker version 1.6.2, build 7c8fca2
$ docker-compose --version
docker-compose version: 1.3.2
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013

@kevana's work around using a wrapper script that exports a different TMP works for me

[KalleDK]

If i manually do the export TMP to a new location it works with 1.4.0 RC3

[ChrisRut]

Just upgraded, issue still prevalent in:

$ docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 786b29d
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d
OS/Arch (server): linux/amd64
$ docker-compose version
docker-compose version: 1.4.0
docker-py version: 1.3.1
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013

Still using @kevana's work around

[thjaeckle]

Have the same issue on CentOS 6.7 with both compose version 1.4.2 and 1.5.0rc2 - unfortunately even the workaround doesn't work for me.
Any chances this will be fixed in the near future?

[dnephin]

I'd suggest using the workaround of setting a new temp directory (by setting TMPDIR I believe). There isn't much we can do about this. The installer need a place to extract and exec a file. The default place to do that type of operation on linux is /tmp. So either you set a different tmp, or you can't install using the binary.

Note there are other install options as well: https://github.com/docker/compose/blob/master/docs/install.md#alternative-install-options

[zerr0s]

Hi, same issue with centos 7. The workaround doesn't works. Any suggestion ?
Thanks.

docker-compose: error while loading shared libraries: libz.so.1: failed to map segment from shared object: Operation not permitted

[dnephin]

You can also remount /tmp to add exec permission I believe.

[sizrar]

sudo mount /tmp -o remount,exec might do the trick, yes.

[RafPe]

Workaround given by @dnephin worked for me on CentOs 7 with SELinux being disabled.

[Kostanos]

got error by trying Workaround by @dnephin @sizrar

root@fd24f6b228c7:~/app# mount /tmp -o remount,exec
mount: permission denied

[patakijv]

@Kostanos It appears you are inside a container (from the root@fd24f6b228c7 prompt). The suggested command in this issue sudo mount /tmp -o remount,exec is for the host not inside a container.

[helmo]

Wouldn't it be possible to add a check early in the code to see if tmp is mounted with the exec option? A useful error message would save time ;)

[sunilposhala]

Thank you so much , this worked for me.
$mount /tmp -o remount,exec

[ronnicek]

But mounting /tmp with exec is not so good for security :) (for example CIS need to have noexec on /tmp folder). And case was closed just.. like that without any word @shin- ?

[shin-]

If executing inside the temp folder is not an option for you, you can always use the python package.

[ronnicek]

But I think that error message could be better ;-)

[dnephin]

Unfortunately the error is not from docker-compose. It comes from pyinstaller which is used to package it for the "single binary install" option, so the fix for the error message would need to be in pyinstaller.

To summarize the workarounds (for anyone else who hits this issue):

• use the environment variable TMPDIR to point at a directory that has permission to execute files
• remount /tmp with exec (sudo mount /tmp -o remount,exec)
• use a different install option: https://docs.docker.com/compose/install/#install-compose

[vishalvsh1]

Thanks @dnephin
we were in such environment where we do not have root access.
use the environment variable TMPDIR to point at a directory that has permission to execute files
worked for me.

[frederikbosch]

1. Move /usr/local/bin/docker-compose to /usr/local/bin/docker-compose-with-tmp
2. Create /usr/local/bin/docker-compose with contents below.
3. Execute chmod +x /usr/local/bin/docker-compose.
4. Create a folder /srv/compose-tmp (or to your own choice, then also change below) and give it execute rights.

#!/bin/bash
export TMPDIR=/srv/compose-tmp
/usr/local/bin/docker-compose-with-tmp "$@"

Basically it is a proxy.

[JOduMonT]

if noexec on /tmp
docker-compose throw this error

Docker 17.06.0-ce
Docker-compose 1.23.2

[Dennyss]

The following command works for me (Centos 7):
sudo mount /tmp -o remount,exec

[lolmaus]

I've been having a failed to map segment from shared object coming out of a binary dependency of a Node (npm) package.

I've been running Docker with docker-compose and mounting a tmp folder to a RAM disk with tmpfs.

None of the solutions mentioned above helped, but I've managed to overcome the problem by adding :exec to my docker-compose.yml config like this:

    tmpfs:
      - /myapp/tmp:exec,mode=1777

[chris03]

Other workaround not already mentioned:

Add the following line to ~/.bashrc or ~/.bash_aliases

alias docker-compose='TMPDIR=/var/tmp/ docker-compose'

[mk-pmb]

@dnephin wrote:

the fix for the error message would need to be in pyinstaller.

Does it mean there's no way for docker-compose to provide a more helpful error message?

Edit: Sorry for the dumb question. I didn't see the word "message" on first read.
Edit 2: request for better error message in pyinstaller

[laurianops]

to install docker-compose in CentOS 7 only pip.

[imthenachoman]

Is there any plan to add some kind of config file to specify where docker-compose uses for tmp? The hack fixes above work but I'm thinking its better suited as a config option or something, no?

[mk-pmb]

I now use a dockerized version of docker-compose. With that, you can mount /tmp whereever you want, if it's still needed.

[imthenachoman]

@mk-pmb How are you doing that?

[mk-pmb]

docker run …options… docker/compose:latest …command…

[imthenachoman]

Oh. Ha. I didn't get what you meant at first. That is kinda funny. Docker to run Compose to run Docker. Dockception. :D

[shreeraj04]

Its really crazy, I don't get this error in one RHEL server, but I get on the another which is under client's network and security. Both the server's are RHEL 8. What is the root cause for this ? Can anyone pls tell me?

[mk-pmb]

@shreeraj04 What are the mount options for /tmp on each? Probably the failing server has the "noexec" option set for /tmp.

[shreeraj04]

@mk-pmb Yes, your guess was right. Running the below command to set exec option for /tmp solved the issue.

sudo mount /tmp -o remount,exec

[simeononsecurity]

There are many reasons why you wouldn't want to use /tmp with exec permissions. One of which is DoD STIGs, which regulate on linux systems that the /tmp directory must be mounted with noexec. We need a fix for this.

[mk-pmb]

Someone who must follow STIG probably has some money and/or pogrammer work hours to spare, so maybe they can boost the fixing effort here: pyinstaller/pyinstaller#4548