Kitchen Docker Builds Fail when using Privileged Containers

rjlee · April 17, 2017, 9:14am

I use kitchen docker (https://github.com/test-kitchen/kitchen-docker) to build and test chef provisioned virtual machines. I use https://github.com/zuazo/kitchen-in-circleci as the basis of my provisioning. Some VMs require the docker container to run in privileged mode to configure things like iptables.

Until recently (1 month ?) this worked fine. However I’ve tried to rebuild an image yesterday and it now fails when test kitchen is configured to start containers in privileged mode. The error is:

Successfully built a39b498b6645
       b967bf492de1507352ed140ccbd1f00c20eefba41c75522b17b14be0c98c7c12
       Error: No public port '22/tcp' published for b967bf492de1507352ed140ccbd1f00c20eefba41c75522b17b14be0c98c7c12

This happens after the container is built successfully and is being started to apply the chef recipes to the container.

If I change the .kitchen.yml configuration to specify non-privileged mode, then the container starts fine:

driver:
  name: docker
  privileged: false
  use_sudo: false

I’ve pinned the version of test kitchen to be the same as the version used for the last known good run.

Logging onto the CircleCI box and then dumping the commands run by test kitchen gives:

ubuntu@box3125:~/chef-osmc$ docker run -d -p 22 --privileged 07a4e59890b9 /usr/sbin/sshd -D -o UseDNS=no -o UsePAM=no -o PasswordAuthentication=yes -o UsePrivilegeSeparation=no -o PidFile=/tmp/sshd.pid
b26513489eca433f6da23105c8109a3739d186435fa44f3182293e7493e7ef65
ubuntu@box3125:~/chef-osmc$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
ubuntu@box3125:~/chef-osmc$ docker logs b26513489eca433f6da23105c8109a3739d186435fa44f3182293e7493e7ef65
ubuntu@box3125:~/chef-osmc$
ubuntu@box3125:~/chef-osmc$ docker run -d -p 22 07a4e59890b9 /usr/sbin/sshd -D -o UseDNS=no -o UsePAM=no -o PasswordAuthentication=yes -o UsePrivilegeSeparation=no -o PidFile=/tmp/sshd.pid
7542e5f3ea353a3409fda5de8f242c1eea2c071e44660c6bff605cc9bd381120
ubuntu@box3125:~/chef-osmc$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
7542e5f3ea35        07a4e59890b9        "/usr/sbin/sshd -D -o"   5 seconds ago       Up 2 seconds        0.0.0.0:32773->22/tcp   determined_torvalds
ubuntu@box3125:~/chef-osmc$ docker logs 7542e5f3ea353a3409fda5de8f242c1eea2c071e44660c6bff605cc9bd381120

So removing the --privileged from docker run, allows the container to start correctly.

Has anything changed relating to privileged containers in the CircleCI build system or are there any diagnostics that I could run to try and diagnose why it’s stopped working ?

udbhav · May 15, 2017, 9:17pm

+1, seeing the same issue here, and would love some help on how to be able to use docker with --privileged on Circle CI 1.0

tom · May 18, 2017, 10:46am

It’s not possible to use privileged Docker features on CircleCI 1.0 for security reasons. On CircleCI 2.0 you can try the ‘machine executor’: https://circleci.com/docs/2.0/executor-types/#machine-executor

Topic		Replies	Views
Can't get Docker containers linking/working Build Environment docker	2	4324	April 11, 2019
Option to run docker with --privileged on circle 2.0? Build Environment docker	2	2143	June 18, 2018
Setting up Docker in Docker with custom build container Build Environment	2	1829	March 10, 2019
Setup_remote_docker failure with 'circleci local execute' Build Environment	1	1322	March 19, 2019
Cannot connect to Docker container in build environment Build Environment docker	5	2613	June 18, 2018

Kitchen Docker Builds Fail when using Privileged Containers

Related Topics