Following the official guide (Install Docker Engine on Ubuntu), I ran into a problem installing Docker on a cloud server. I completed the uninstall of old versions, the repository setup and the Docker engine install (sudo apt-get install docker-ce docker-ce-cli containerd.io). However, running hello-world produces an error.
wyf@VM1103-Timi:~$ sudo docker run hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"proc\\\" to rootfs \\\"/var/lib/docker/overlay2/e9fedf64e8983aa01e513cee591cdfd7fc60962466a476b51fc1ead682ec8022/merged\\\" at \\\"/proc\\\" caused \\\"permission denied\\\"\"": unknown.
ERRO[0000] error waiting for container: context canceled
I tried restarting Docker and the server, but the problem persists. So it would be great if someone could guide me on fixing this error.
If you have any ideas about this problem, please let me know.
Many thanks!
P.S.:
My system is Ubuntu 18.04, so I don't have SELinux. I checked the AppArmor logs instead of SELinux.
May 19 21:14:55 VM1103-Timi networkd-dispatcher[155]: WARNING:Unknown index 37 seen, reloading interface list
May 19 21:14:55 VM1103-Timi systemd-networkd[126]: veth71cf495: Link UP
May 19 21:14:55 VM1103-Timi containerd[170]: time="2020-05-19T21:14:55.679793295+08:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/4c207ce1273d2c863ee419c5ebb271163a031394bd4c17ee75d44267d631954d/shim.sock" debug=false pid=106265
May 19 21:14:55 VM1103-Timi containerd[170]: time="2020-05-19T21:14:55.767796543+08:00" level=info msg="shim reaped" id=4c207ce1273d2c863ee419c5ebb271163a031394bd4c17ee75d44267d631954d
May 19 21:14:55 VM1103-Timi dockerd[15100]: time="2020-05-19T21:14:55.776863367+08:00" level=error msg="stream copy error: reading from a closed fifo"
May 19 21:14:55 VM1103-Timi dockerd[15100]: time="2020-05-19T21:14:55.776953910+08:00" level=error msg="stream copy error: reading from a closed fifo"
May 19 21:14:55 VM1103-Timi systemd-networkd[126]: veth71cf495: Link DOWN
May 19 21:14:55 VM1103-Timi dockerd[15100]: time="2020-05-19T21:14:55.927805156+08:00" level=error msg="4c207ce1273d2c863ee419c5ebb271163a031394bd4c17ee75d44267d631954d cleanup: failed to delete container from containerd: no such container"
Strangely, there is no record of a permission-denied error. Here are my Ubuntu version, kernel version and docker info:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
5.3.18-3-pve
Client:
Debug Mode: false
Server:
Containers: 8
Running: 0
Paused: 0
Stopped: 8
Images: 1
Server Version: 19.03.8
Storage Driver: overlay2
Backing Filesystem: <unknown>
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 5.3.18-3-pve
Operating System: Ubuntu 18.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 4GiB
Name: VM1103-Timi
ID: 3G3F:LTVZ:NO25:C7LA:XKQV:ETMB:B6QU:3ZFJ:KBA5:R3KK:QZEA:ZONC
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
The AppArmor profile "docker-default" seems to be missing; "docker-default" was not generated correctly. The check is as follows:
root@VM1103-Timi:/etc/apparmor.d# aa-status
apparmor module is loaded.
12 profiles are loaded.
12 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/sbin/mysqld
/usr/sbin/tcpdump
docker-default
man_filter
man_groff
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/mysqld (258)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
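The question checks `aa-status` by eye for the `docker-default` profile. The script below is an added example (not code from the question or the answer) that automates that check: it parses `aa-status` output and reports whether a named profile is enforcing, in complain mode, or not loaded at all. The sample output is constructed, modeled on the listing quoted above.

```shell
#!/bin/sh
# Constructed sample, modeled on the aa-status listing in the question.
SAMPLE_AA_STATUS='apparmor module is loaded.
12 profiles are loaded.
12 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/mysqld
   docker-default
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/mysqld (258)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Second constructed sample: the Docker profile loaded but only in complain mode.
SAMPLE_COMPLAIN='apparmor module is loaded.
1 profiles are loaded.
0 profiles are in enforce mode.
1 profiles are in complain mode.
   docker-default
0 processes have profiles defined.'

# profile_mode NAME [TEXT]: prints enforce, complain or missing for profile NAME.
# TEXT defaults to the live `aa-status` output, which needs root to read.
profile_mode() {
    name=$1
    text=${2:-$(aa-status 2>/dev/null)}
    printf '%s\n' "$text" | awk -v want="$name" '
        # Section headers decide which mode the following entries belong to;
        # the "processes" sections are skipped so PID lines are not counted.
        /^[0-9]+ profiles are in enforce mode/  { sect = "enforce";  next }
        /^[0-9]+ profiles are in complain mode/ { sect = "complain"; next }
        /^[0-9]+ processes/                     { sect = "";         next }
        # Profile entries may or may not be indented; match the whole name.
        sect != "" && $1 == want                { found = sect }
        END { print (found == "" ? "missing" : found) }'
}

# Stand-alone usage: check the profile Docker applies to containers by default.
profile_mode docker-default "$SAMPLE_AA_STATUS"   # enforce
profile_mode docker-default "$SAMPLE_COMPLAIN"    # complain
profile_mode /usr/sbin/tcpdump "$SAMPLE_AA_STATUS" # missing
```

Run `profile_mode docker-default` with no second argument (as root) to query the live system; a result other than `enforce` means containers are not getting the default AppArmor confinement.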
Best answer
The solution may be to open the required ports. Is your system perhaps running selinux and (ufw, firewalld or iptables)? And/or something else? Read up a bit on linux firewall tools, especially the ones running on your system.
In the selinux case, you need to look at the selinux logs: is it blocking access? Use the selinux commands to add an exception.
https://wiki.centos.org/HowTos/SELinux These tools are well worth learning, but can be complicated. A quick test with selinux and firewalld disabled can confirm that this is the source of the problem; you can re-enable selinux and firewalld later and allow/open the ports in a secure way.
Simple test: disable selinux and firewalld, e.g. on CentOS
systemctl stop firewalld;
setenforce 0;
If you can create containers with selinux disabled, then you have confirmed that selinux is your problem. You can enable the firewall and selinux again and then add exceptions and open ports as needed.
This looks good (Ubuntu-specific, but IMHO it details the ufw commands, firewalld commands and iptables commands needed to open the ports required for docker swarm to work): https://www.digitalocean.com/community/tutorials/how-to-configure-the-linux-firewall-for-docker-swarm-on-ubuntu-16-04
I originally got the useful information about the ufw commands for opening the required ports from here:
Error response from daemon: attaching to network failed, make sure your network options are correct and check manager logs: context deadline exceeded
ufw allow 2376/tcp
ufw allow 2377/tcp
ufw allow 7946/tcp
ufw allow 7946/udp
ufw allow 4789/udp
ufw enable #maybe
ufw reload
systemctl restart docker
This is a very common problem; usually selinux does not allow access to the required ports.
For example
https://github.com/google/cadvisor/issues/333
Regarding docker - mount permission denied in docker, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61765263/