Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Che sync fails with permissions errors on ubuntu #4084

Closed
roshanail opened this issue Feb 9, 2017 · 22 comments
Closed

Che sync fails with permissions errors on ubuntu #4084

roshanail opened this issue Feb 9, 2017 · 22 comments
Assignees
@benoitf
Labels
kind/bug Outline of a bug - must adhere to the bug report template.
Milestone
5.6.0

Comments

@roshanail
Copy link

This is the command I run

docker run -it --rm -e CHE_CONTAINER=arc -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/chedata:/data -v $HOME/chedata/sync:/sync eclipse/che sync workspacename --debug

I added myself to the root group and the fuse group.
I changed the group of /dev/fuse to be "fuse" instead of root.

I get this error now when I run it.

WARN: Bound 'eclipse/che' to 'eclipse/che:5.2.2'
WARNING: No swap limit support
WARN: Debugging activated without ':/repo' mount - using binaries inside Docker image
INFO: (che cli): 5.2.2 - using docker 1.13.1 / native
INFO: (che mount): Starting sync process to /home/roshan/chedata/sync
mkdir: can't create directory '/root/.ssh': File exists
INFO: INFO: (che mount): Mounting root@10.20.3.102:/projects with SSHFS
fuse: mount failed: Permission denied

!!!
!!! ERROR: Fatal error occurred (1)
!!!

It wants to run as root. Can you provide more instructions on how to setup sync on ubuntu.
I am running ubuntu gnome 16.04
@TylerJewell TylerJewell added the kind/question Questions that haven't been identified as being feature requests or bugs. label Feb 9, 2017
@TylerJewell
Copy link

@benoitf - can you take a look.

@benoitf
Copy link
Contributor

benoitf commented Feb 10, 2017
edited
Loading

@roshanail
could you try

docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse
            -v \${HOME}/.ssh:\${HOME}/.ssh
            -v /etc/group:/etc/group:ro 
            -v /etc/passwd:/etc/passwd:ro 
            -u \$(id -u \${USER})
            -v $HOME/chedata/sync:/mnthost eclipse/che-mount workspace-name --unison-verbose

Sync command is launched from a docker container, so there is no access to /etc/group or your user from the cli container

@roshanail
Copy link
Author

roshanail commented Feb 10, 2017
edited by TylerJewell
Loading

I ran it. I had to take out the backslashes as it gave me this error
I had to take out the backslashes as it was giving me this error
bash: syntax error near unexpected token `('

Now when I run it. It gives me this.

roshan@ARC-T540p:~/src/chetest$ 
docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse 
-v ${HOME}/.ssh:${HOME}/.ssh 
-v /etc/group:/etc/group:ro 
-v /etc/passwd:/etc/passwd:ro 
-u $(id -u ${USER}) 
-v $HOME/chedata/sync:/sync 
eclipse/che-mount arc --unison-verbose
mkdir: can't create directory '/home/roshan/.unison': Permission denied
/bin/entrypoint.sh: line 113: CHE_VERSION: parameter not set

@TylerJewell
Copy link

I think you used the wrong syntax. With this particular container, you should mount it to :/mnthost, and in your sample you mounted it to :/sync. Can you update please?

@roshanail
Copy link
Author

Same Error

roshan@ARC-T540p:~/src/chetest$ docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse -v ${HOME}/.ssh:${HOME}/.ssh -v /etc/group:/etc/group:ro -v /etc/passwd:/etc/passwd:ro -u $(id -u ${USER}) -v $HOME/chedata/sync:/mnthost eclipse/che-mount arc --unison-verbose
mkdir: can't create directory '/home/roshan/.unison': Permission denied
/bin/entrypoint.sh: line 113: CHE_VERSION: parameter not set

@TylerJewell
Copy link

Really confused, as the entrypoint for this container doesn't ever reference CHE_VERSION! So this error should never appear. Makes me think that maybe you don't have a current image. Same error if you use eclipse/che-mount:nightly?

@TylerJewell
Copy link

Scratch that - I see changes in the nightly. Will you type this please:

docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse 
-v ${HOME}/.ssh:${HOME}/.ssh 
-v /etc/group:/etc/group:ro 
-v /etc/passwd:/etc/passwd:ro 
-u $(id -u ${USER}) 
-v $HOME/chedata/sync:/sync 
-e CHE_VERSION=nightly
eclipse/che-mount arc --unison-verbose

@TylerJewell
Copy link

@benoitf - in the nightly update, it's not clear that when you do the eclipse/che-mount image directly how CHE_VERSION gets set. The existing documentation doesn't use this variable, but the sync command in the CLI does. I am going to add it.

@roshanail
Copy link
Author

Did a little bit more but still errors out

roshan@ARC-T540p:~/src/chetest$ docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse -v ${HOME}/.ssh:${HOME}/.ssh -v /etc/group:/etc/group:ro -v /etc/passwd:/etc/passwd:ro -u $(id -u ${USER}) -v $HOME/chedata/sync:/sync -e CHE_VERSION=nightly eclipse/che-mount arc --unison-verbose
mkdir: can't create directory '/home/roshan/.unison': Permission denied
/bin/entrypoint.sh: line 113: can't create /home/roshan/env: Permission denied

!!!
!!! ERROR: Error when trying to get workspace data for workspace named arc
!!!

List of workspaces are:
FATA[0000] Post http:///var/run/docker.sock/v1.18/containers/create: dial unix /var/run/docker.sock: no such file or directory. Are you trying to connect to a TLS-enabled daemon without TLS?

@TylerJewell
Copy link

Some of these errors that are showing up generally shouldn't. So makes me ask some questions:

  1. Are you running this as sudo or not?
  2. Do you have proper rights to the Docker daemon?

That line 113 error is an indication that the container we launched to do the sync - that we cannot write to a file inside that container. Which should just never happen as containers can always write to their own files internally.

Also, what is the output of id -u ${USER}?

@roshanail
Copy link
Author

I am not running it as sudo.
Should I be running as sudo? That isn't documented anwhere.
/home/roshan/ is my home folder on the system.

I didn't start che as sudo.
Sync has to be run as sudo?

@roshanail
Copy link
Author

Didn't make any difference

roshan@ARC-T540p:~/src/chetest$ sudo docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse -v ${HOME}/.ssh:${HOME}/.ssh -v /etc/group:/etc/group:ro -v /etc/passwd:/etc/passwd:ro -u $(id -u ${USER}) -v $HOME/chedata/sync:/sync -e CHE_VERSION=nightly eclipse/che-mount arc --unison-verbose
[sudo] password for roshan:
mkdir: can't create directory '/home/roshan/.unison': Permission denied
/bin/entrypoint.sh: line 113: can't create /home/roshan/env: Permission denied

!!!
!!! ERROR: Error when trying to get workspace data for workspace named arc
!!!

List of workspaces are:
FATA[0000] Post http:///var/run/docker.sock/v1.18/containers/create: dial unix /var/run/docker.sock: no such file or directory. Are you trying to connect to a TLS-enabled daemon without TLS?

@TylerJewell
Copy link

I have one more suspicion. Please try:

docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse 
-v /var/run/docker.sock:/var/run/docker.sock
-v ${HOME}/.ssh:${HOME}/.ssh 
-v /etc/group:/etc/group:ro 
-v /etc/passwd:/etc/passwd:ro 
-u $(id -u ${USER}) 
-v $HOME/chedata/sync:/sync 
-e CHE_VERSION=nightly
eclipse/che-mount arc --unison-verbose

Also - let us know the output of id -u ${USER}.

@roshanail
Copy link
Author

Still no success. Here are the outputs

roshan@ARC-T540p:~/src/chetest$ id -u $USER
1000

roshan@ARC-T540p:~/src/chetest$ docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse -v /var/run/docker.sock:/var/run/docker.sock -v ${HOME}/.ssh:${HOME}/.ssh -v /etc/group:/etc/group:ro -v /etc/passwd:/etc/passwd:ro -u $(id -u ${USER}) -v $HOME/chedata/sync:/sync -e CHE_VERSION=nightly eclipse/che-mount arc --unison-verbose
mkdir: can't create directory '/home/roshan/.unison': Permission denied
/bin/entrypoint.sh: line 113: can't create /home/roshan/env: Permission denied

!!!
!!! ERROR: Error when trying to get workspace data for workspace named arc
!!!

List of workspaces are:
FATA[0000] Post http:///var/run/docker.sock/v1.18/containers/create: dial unix /var/run/docker.sock: permission denied. Are you trying to connect to a TLS-enabled daemon without TLS?

@benoitf
Copy link
Contributor

benoitf commented Feb 13, 2017

@roshanail could you execute :

docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse -v /var/run/docker.sock:/var/run/docker.sock -v /etc/group:/etc/group:ro -v /etc/passwd:/etc/passwd:ro -u $(id -u ${USER}) alpine:3.5 ls -la /var/run

and

ls -la /var/run/docker.sock

@roshanail
Copy link
Author

roshan@ARC-T540p:/src/chetest$ docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse -v /var/run/docker.sock:/var/run/docker.sock -v /etc/group:/etc/group:ro -v /etc/passwd:/etc/passwd:ro -u $(id -u ${USER}) alpine:3.5 ls -la /var/run
Unable to find image 'alpine:3.5' locally
3.5: Pulling from library/alpine
0a8490d0dfd3: Pull complete
Digest: sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
Status: Downloaded newer image for alpine:3.5
total 8
drwxr-xr-x 2 root root 4096 Feb 13 18:54 .
drwxr-xr-x 13 root root 4096 Feb 13 18:54 ..
srw-rw---- 1 root docker 0 Feb 13 17:36 docker.sock
roshan@ARC-T540p:/src/chetest$ ls -la /var/run/docker.sock
srw-rw---- 1 root docker 0 Feb 13 09:36 /var/run/docker.sock

@benoitf
Copy link
Contributor

benoitf commented Feb 13, 2017

@roshanail : and what are groups of your user ? As docker socket is only available to docker group users

@roshanail
Copy link
Author

roshan@ARC-T540p:~/src/chetest$ groups
roshan root adm cdrom sudo dip plugdev fuse lpadmin sambashare docker

@ghost
Copy link

ghost commented Feb 20, 2017

@roshanail can you try mounting into an existing directory created by your user?

@ghost
Copy link

ghost commented Mar 4, 2017

@benoitf I have got the same result when mounting on Ubuntu 16 as a root user.

@benoitf
Copy link
Contributor

benoitf commented Mar 5, 2017

@eivantsov could you add --security-opt apparmor:unconfined between --cap-add SYS_ADMIN --device /dev/fuse

docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse -e CHE_VERSION=5.3.1 --security-opt apparmor:unconfined -v /var/run/docker.sock:/var/run/docker.sock ...

@ghost
Copy link

ghost commented Mar 6, 2017
edited by ghost
Loading

@benoitf Yes, that worked.

Should we change docs? Or some scripts changes are required?

@benoitf benoitf added kind/bug Outline of a bug - must adhere to the bug report template. and removed kind/question Questions that haven't been identified as being feature requests or bugs. labels Mar 6, 2017
benoitf added a commit that referenced this issue Mar 17, 2017
@benoitf
Fix #4084 by adding option to allow /dev/fuse usage on ubuntu
d36b6fb 
Change-Id: I6e461b1d98fc361366db9caecd658c9f1c2dea1e
Signed-off-by: Florent BENOIT <fbenoit@codenvy.com>
@benoitf benoitf mentioned this issue Mar 17, 2017
Merged
@benoitf benoitf added this to the 5.6.0 milestone Mar 17, 2017
@benoitf benoitf added the status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. label Mar 17, 2017
@benoitf benoitf removed the status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. label Mar 18, 2017
JPinkney pushed a commit to JPinkney/che that referenced this issue Aug 17, 2017
@benoitf
Fix eclipse-che#4084 by adding option to allow /dev/fuse usage on ubuntu
5fc0249 
Change-Id: I6e461b1d98fc361366db9caecd658c9f1c2dea1e
Signed-off-by: Florent BENOIT <fbenoit@codenvy.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@benoitf benoitf

Labels
kind/bug Outline of a bug - must adhere to the bug report template.
Projects
None yet
Milestone
5.6.0
Development

No branches or pull requests
3 participants
@TylerJewell @benoitf @roshanail