I use kitchen docker (https://github.com/test-kitchen/kitchen-docker) to build and test chef provisioned virtual machines. I use https://github.com/zuazo/kitchen-in-circleci as the basis of my provisioning. Some VMs require the docker container to run in privileged mode to configure things like iptables.
Until recently (1 month?) this worked fine. However, I’ve tried to rebuild an image yesterday and it now fails when test kitchen is configured to start containers in privileged mode. The error is:
Successfully built a39b498b6645
b967bf492de1507352ed140ccbd1f00c20eefba41c75522b17b14be0c98c7c12
Error: No public port '22/tcp' published for b967bf492de1507352ed140ccbd1f00c20eefba41c75522b17b14be0c98c7c12
This happens after the container is built successfully and is being started to apply the chef recipes to the container.
If I change the .kitchen.yml configuration to specify non-privileged mode, then the container starts fine:
driver:
  name: docker
  privileged: false
  use_sudo: false
I’ve pinned the version of test kitchen to be the same as the version used for the last known good run.
Logging onto the CircleCI box and then dumping the commands run by test kitchen gives:
ubuntu@box3125:~/chef-osmc$ docker run -d -p 22 --privileged 07a4e59890b9 /usr/sbin/sshd -D -o UseDNS=no -o UsePAM=no -o PasswordAuthentication=yes -o UsePrivilegeSeparation=no -o PidFile=/tmp/sshd.pid
b26513489eca433f6da23105c8109a3739d186435fa44f3182293e7493e7ef65
ubuntu@box3125:~/chef-osmc$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ubuntu@box3125:~/chef-osmc$ docker logs b26513489eca433f6da23105c8109a3739d186435fa44f3182293e7493e7ef65
ubuntu@box3125:~/chef-osmc$
ubuntu@box3125:~/chef-osmc$ docker run -d -p 22 07a4e59890b9 /usr/sbin/sshd -D -o UseDNS=no -o UsePAM=no -o PasswordAuthentication=yes -o UsePrivilegeSeparation=no -o PidFile=/tmp/sshd.pid
7542e5f3ea353a3409fda5de8f242c1eea2c071e44660c6bff605cc9bd381120
ubuntu@box3125:~/chef-osmc$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7542e5f3ea35 07a4e59890b9 "/usr/sbin/sshd -D -o" 5 seconds ago Up 2 seconds 0.0.0.0:32773->22/tcp determined_torvalds
ubuntu@box3125:~/chef-osmc$ docker logs 7542e5f3ea353a3409fda5de8f242c1eea2c071e44660c6bff605cc9bd381120
So removing the --privileged from docker run allows the container to start correctly.
Has anything changed relating to privileged containers in the CircleCI build system, or are there any diagnostics that I could run to try and diagnose why it’s stopped working?
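Since the post asks which diagnostics could be run, here is an added helper (not part of kitchen-docker, test kitchen or the original post) that reads `docker inspect` output for the container id printed by `docker run` and states why 22/tcp was never published: the daemon failed to start the container, it was OOM-killed, or it exited before sshd could listen. The JSON field names are the real `docker inspect` keys; the embedded sample container state is constructed, not taken from the CircleCI box.

```python
import json
import subprocess
import sys

def diagnose(inspect_json):
    """Summarise one container from `docker inspect` JSON (real field names)."""
    data = json.loads(inspect_json)
    info = data[0] if isinstance(data, list) else data
    state = info.get("State") or {}
    ports = (info.get("NetworkSettings") or {}).get("Ports") or {}
    return {
        "running": bool(state.get("Running")),
        "status": state.get("Status"),
        "exit_code": state.get("ExitCode"),
        "oom_killed": bool(state.get("OOMKilled")),
        "daemon_error": state.get("Error") or "",
        "privileged": bool((info.get("HostConfig") or {}).get("Privileged")),
        # HostPort values bound to 22/tcp; empty when nothing is published
        "host_ports_22": [b.get("HostPort") for b in ports.get("22/tcp") or []],
    }

def explain(report):
    """One-line verdict for the build log, most specific cause first."""
    if report["daemon_error"]:
        return "daemon failed to start the container: " + report["daemon_error"]
    if report["oom_killed"]:
        return "container was OOM-killed before sshd could listen"
    if not report["running"]:
        return ("container is %s with exit code %s (privileged=%s); check `docker logs` "
                "and re-run without -d to see sshd's stderr"
                % (report["status"], report["exit_code"], report["privileged"]))
    if not report["host_ports_22"]:
        return "container is running but 22/tcp is not published; check -p 22 and EXPOSE"
    return "ok: sshd published on host port(s) " + ", ".join(report["host_ports_22"])

# Constructed sample shaped like `docker inspect` output for a container
# that exited immediately (values invented; not taken from the post).
SAMPLE_EXITED = json.dumps([{
    "State": {"Status": "exited", "Running": False, "ExitCode": 1,
              "OOMKilled": False, "Error": ""},
    "HostConfig": {"Privileged": True},
    "NetworkSettings": {"Ports": {}},
}])

if __name__ == "__main__":
    # Usage: python diagnose_container.py <container id>
    raw = subprocess.check_output(["docker", "inspect", sys.argv[1]])
    print(explain(diagnose(raw)))
```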