Support prefixing Docker build and push commands with 'sudo'. #903
Conversation
When building docker images on CentOS, Fedora or RHEL, the permissions on /var/run/docker.socket have restricted access, preventing Docker build and push commands from executing without severely compromising the system. See http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/ Therefore, I've added a new setting which supports prefixing both the Docker build and push commands with 'sudo', which is the recommended method for executing Docker on CentOS, Fedora and RHEL.
There was a problem hiding this comment.
I realized I should have added some further thoughts.
What I don't want to do is run SBT as root - this will cause the working directory, and the ivy cache to become polluted with artifacts that are owned by root. It's best to limit the use of escalated privileges to just those commands that require them to avoid this pollution.
So, to avoid:
sudo sbt docker:publishLocal
sbt clean <=== will fail because "target" is now owned by root
| @@ -1,3 +1,3 @@ | |||
| # Generate the Docker image locally | |||
| > docker:publishLocal | |||
| $ exec bash -c 'docker run docker-test:latest | grep -q "Hello world"' | |||
| $ exec bash -c 'docker run docker-commands:latest | grep -q "Hello world"' | |||
There was a problem hiding this comment.
This was just a bug in the scripted test
|
Not sure why the two JDK tests failed in Travis... looks like a problem with the |
AERGO-1769 AERGO-1816 #comment Support running docker commands as root. AERGO-1769 AERGO-1816 #comment See sbt/sbt-native-packager#903 and http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
This is rather strange. I restarted the jobs. Sometimes travis throws random errors. However tihs looks strange as the same test fails on both JDK8 and 7. |
|
I'm embarrassed to say ii didn't even think of that. Yeah, that's much better. I'll put together another quick PR. |
|
Actually, after further thought, I'm not sure it's so clear cut. Specifically, ALL docker commands need to prefixed with An alternative approach would alter the build command process by adding a new @muuki88 given the above, and that I've already done this work, I'm reopening this PR - if you have an alternative you'd like from me, just say the word. |
|
AFAIK you need to run docker as sudo in all distros to make things work. I have not that much experience building docker images for production. There are a couple of options to workaround this, for example as described in the mentioned blog post alias docker="sudo /usr/bin/docker"Introducing new settings always means maintaining them, even when they get obsolete. That's the reason I'm so sceptical if this is really necessary. CC @fiadliel |
|
Hammer, meet screw. I've been so focused on my build scripts and pipeline that I missed that I was solving the problem the wrong way - sorry for the noise. The solution is to make my pipeline always alias the docker command. |
|
No problem 😉 Happy to help. |
|
Here's the major challenge - when working on a CI server, jobs are frequently run using a non-interactive shell. This means setting an alias is VERY problematic. I've just spent several hours (most of today) trying to push Jenkins around to make my build scripts work WITHOUT issuing the |
|
And after further analysis (and a significant rework of my build pipeline to support aliases, including a custom Jenkins pipeline function) even if the shell which calls SBT contains an alias to |
|
As a matter fact, given what I've found, there are four options here:
I'm not going to just re-open this PR, pending feedback from either @muuki88 or @fiadliel - if the |
|
Oh man :( java's processbuilder doesn't support aliases. I can understand that 2. is not a good option ( even a lot of people may do it this way ). The |
When building docker images on CentOS, Fedora or RHEL, the permissions on /var/run/docker.socket have restricted access, preventing Docker build and push commands from executing without severely compromising the system.
See http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
Therefore, I've added a new setting which supports prefixing both the Docker build and push commands with 'sudo', which is the recommended method for executing Docker on CentOS, Fedora and RHEL.