Failing Tests using Dockers in CI

machadoit · November 25, 2015, 7:46pm

Our tests used to pass but now we get:
WARNING: Your kernel does not support memory swappiness capabilities, memory swappiness discarded.

and errors regarding containers like:
Error response from daemon: Cannot destroy container 0478e4cd1888fc63db7992119a815b022e8a29484ce1966de6723b71a25e762a: Driver btrfs failed to remove root filesystem 0478e4cd1888fc63db7992119a815b022e8a29484ce1966de6723b71a25e762a: Failed to destroy btrfs snapshot: operation not permitted
Error: failed to remove containers: [0478e4cd1888fc63db7992119a815b022e8a29484ce1966de6723b71a25e762a]

For the same commit, we have retried a build that passed a month ago and now fails:
https://circleci.com/gh/codacy/codacy-eslint/17
https://circleci.com/gh/codacy/codacy-eslint/49

At the moment the circle.yml is altered because we were exploring some workarounds, but you can check our usual circle.yml:
circleci.com/gh/codacy/codacy-eslint/17#config

We already tried a lot of ssh debug but we can’t find the issue. Maybe it is related with github.com/bioboxes/command-line-interface/issues/59? It is suppose to be fixed by github.com/bioboxes/command-line-interface/pull/60

levlaz · November 26, 2015, 5:00am

This is a known issue, it is addressed here.

machadoit · November 26, 2015, 10:44am

I have more details about the issue. The docker is being executed with all the security constraints:

docker run --net=none --privileged=false --cap-drop=ALL -t --entrypoint=bash “codacy-eslint:latest”

After some more testing, I found that --cap-drop=ALL might be the problem.
Inside the docker in the dockerfile we created a user with id 2004 and name docker. In the past all these settings were working, but now it’s failing with:

FATA[0000] setup user operation not permitted

Do you guys have any idea how to make this run again?

alexey · November 27, 2015, 12:13pm

I don’t think I have any insight into this right now. Does the same operation succeed if you omit the --cap-drop=ALL part?

machadoit · December 1, 2015, 3:19pm

It works without --cap-drop=ALL, but the whole point to test in circleCI is to make sure it works in the same conditions of our production environment…
Can you have someone look into this?

kimh · December 4, 2015, 4:04am

The behavior that you are seeing seems to be correct for me.

When -cap-drop=ALL is specified, user creation should fail. Although it behaves slightly different, I also get an somewhat error when running the following command locally.

docker run --cap-drop=ALL ubuntu /bin/sh -c "useradd -m -p encryptedPassword foobar;"
useradd: failure while writing changes to /etc/shadow
useradd: /home/foobar was created, but could not be removed

This works perfectly without cap-drop. So, I have a feeling that the our old docker was acting wrong and now it works in the correct way.

How does the line in your Dockerfile to create a user look like? Also, what exec driver are you using in your production?

We are using LXC driver which you are probably not using, so unfortunately the environment of your production and CI are already different at driver level.

Topic		Replies	Views
Permissions error with Docker Feedback & Bug Reports	5	1299	June 18, 2018
Error removing intermediate container during Docker build Build Environment docker	2	4669	June 18, 2018
Docker: setup user operation not permitted Build Environment docker	2	2998	June 18, 2018
Docker Error removing intermediate container Build Environment docker , known-issue	27	33369	June 18, 2018
Docker Builds are failing on CircleCI Feedback & Bug Reports make , nodejs , docker	6	6250	June 18, 2018

Failing Tests using Dockers in CI

Related Topics