
Docker container cannot create a socket: Permission denied

    CRUD · 2020-04-14 18:23:00 +08:00 · 3754 views

    This started when I tried to run Jenkins with Docker and it would never start. The command I ran:

    docker run --name jenkins -p 8180:8080 jenkins/jenkins
    

    Error output:

    java.lang.Throwable: reason
    	at hudson.WebAppMain.contextDestroyed(WebAppMain.java:388)
    	at org.eclipse.jetty.server.handler.ContextHandler.callContextDestroyed(ContextHandler.java:940)
    	at org.eclipse.jetty.servlet.ServletContextHandler.callContextDestroyed(ServletContextHandler.java:565)
    	at org.eclipse.jetty.server.handler.ContextHandler.stopContext(ContextHandler.java:908)
    	at org.eclipse.jetty.servlet.ServletContextHandler.stopContext(ServletContextHandler.java:367)
    	at org.eclipse.jetty.webapp.WebAppContext.stopWebapp(WebAppContext.java:1450)
    	at org.eclipse.jetty.webapp.WebAppContext.stopContext(WebAppContext.java:1415)
    	at org.eclipse.jetty.server.handler.ContextHandler.doStop(ContextHandler.java:983)
    	at org.eclipse.jetty.servlet.ServletContextHandler.doStop(ServletContextHandler.java:284)
    	at org.eclipse.jetty.webapp.WebAppContext.doStop(WebAppContext.java:547)
    	at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:93)
    	at org.eclipse.jetty.util.component.ContainerLifeCycle.stop(ContainerLifeCycle.java:180)
    	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStop(ContainerLifeCycle.java:201)
    	at org.eclipse.jetty.server.handler.AbstractHandler.doStop(AbstractHandler.java:108)
    	at org.eclipse.jetty.server.Server.doStop(Server.java:454)
    	at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:93)
    	at winstone.Launcher.shutdown(Launcher.java:304)
    	at winstone.Launcher.<init>(Launcher.java:195)
    	at winstone.Launcher.main(Launcher.java:355)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    	at java.lang.reflect.Method.invoke(Method.java:498)
    	at Main._main(Main.java:375)
    	at Main.main(Main.java:151)
    2020-04-14 10:13:10.097+0000 [id=1]	INFO	o.e.j.s.handler.ContextHandler#doStop: Stopped w.@1095f122{Jenkins v2.230,/,null,UNAVAILABLE}{/var/jenkins_home/war}
    Exception in thread "Jenkins initialization thread" 2020-04-14 10:13:10.098+0000 [id=1]	INFO	winstone.Logger#logInternal: Jetty shutdown successfully
    java.lang.NoClassDefFoundError: hudson/util/HudsonFailedToLoad
    	at hudson.WebAppMain$3.run(WebAppMain.java:247)
    Caused by: java.lang.ClassNotFoundException: hudson.util.HudsonFailedToLoad
    	at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
    	at java.lang.ClassLoader.loadClass(ClassLoader.java:419)
    	at java.lang.ClassLoader.loadClass(ClassLoader.java:352)
    	at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:543)
    	at java.lang.ClassLoader.loadClass(ClassLoader.java:352)
    	... 1 more
    java.io.IOException: Failed to start Jetty
    	at winstone.Launcher.<init>(Launcher.java:184)
    	at winstone.Launcher.main(Launcher.java:355)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    	at java.lang.reflect.Method.invoke(Method.java:498)
    	at Main._main(Main.java:375)
    	at Main.main(Main.java:151)
    Caused by: java.net.SocketException: Permission denied
    	at sun.nio.ch.Net.socket0(Native Method)
    	at sun.nio.ch.Net.serverSocket(Net.java:415)
    	at sun.nio.ch.ServerSocketChannelImpl.<init>(ServerSocketChannelImpl.java:85)
    	at sun.nio.ch.SelectorProviderImpl.openServerSocketChannel(SelectorProviderImpl.java:56)
    	at java.nio.channels.ServerSocketChannel.open(ServerSocketChannel.java:108)
    	at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:336)
    	at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:307)
    	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80)
    	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
    	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    	at org.eclipse.jetty.server.Server.doStart(Server.java:385)
    	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    	at winstone.Launcher.<init>(Launcher.java:182)
    	... 7 more
    2020-04-14 10:13:10.099+0000 [id=1]	SEVERE	winstone.Logger#logInternal: Container startup failed
    java.net.SocketException: Permission denied
    	at sun.nio.ch.Net.socket0(Native Method)
    	at sun.nio.ch.Net.serverSocket(Net.java:415)
    	at sun.nio.ch.ServerSocketChannelImpl.<init>(ServerSocketChannelImpl.java:85)
    	at sun.nio.ch.SelectorProviderImpl.openServerSocketChannel(SelectorProviderImpl.java:56)
    	at java.nio.channels.ServerSocketChannel.open(ServerSocketChannel.java:108)
    	at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:336)
    	at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:307)
    	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80)
    	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
    	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    	at org.eclipse.jetty.server.Server.doStart(Server.java:385)
    	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    	at winstone.Launcher.<init>(Launcher.java:182)
    Caused: java.io.IOException: Failed to start Jetty
    	at winstone.Launcher.<init>(Launcher.java:184)
    	at winstone.Launcher.main(Launcher.java:355)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    	at java.lang.reflect.Method.invoke(Method.java:498)
    	at Main._main(Main.java:375)
    	at Main.main(Main.java:151)
    

    After that I tried several other Jenkins images and found that the problem does not seem to be with the Jenkins image. So I tried running the MySQL image:

    docker run -p 3307:3306 -e MYSQL_RANDOM_ROOT_PASSWORD=123456 --name mysql mysql
    

    Log output:

    2020-04-14 10:06:16+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.19-1debian10 started.
    2020-04-14 10:06:16+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
    2020-04-14 10:06:16+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.19-1debian10 started.
    2020-04-14 10:06:16+00:00 [Note] [Entrypoint]: Initializing database files
    2020-04-14T10:06:16.760050Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
    2020-04-14T10:06:16.760113Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.19) initializing of server in progress as process 43
    2020-04-14T10:06:40.030275Z 5 [Warning] [MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
    2020-04-14 10:07:06+00:00 [Note] [Entrypoint]: Database files initialized
    2020-04-14 10:07:06+00:00 [Note] [Entrypoint]: Starting temporary server
    2020-04-14T10:07:06.757900Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
    2020-04-14T10:07:06.757988Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.19) starting as process 93
    2020-04-14T10:07:09.103182Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
    2020-04-14T10:07:09.151379Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
    2020-04-14T10:07:09.168210Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.19'  socket: '/var/run/mysqld/mysqld.sock'  port: 0  MySQL Community Server - GPL.
    2020-04-14 10:07:09+00:00 [Note] [Entrypoint]: Temporary server started.
    2020-04-14T10:07:09.381709Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Socket: '/var/run/mysqld/mysqlx.sock'
    Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
    Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
    Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
    Warning: Unable to load '/usr/share/zoneinfo/zone1970.tab' as time zone. Skipping it.
    2020-04-14 10:07:13+00:00 [Note] [Entrypoint]: GENERATED ROOT PASSWORD: Eifai1coadoh5IeKee6Ziequoh6no2oo
    
    2020-04-14 10:07:13+00:00 [Note] [Entrypoint]: Stopping temporary server
    2020-04-14T10:07:13.889165Z 10 [System] [MY-013172] [Server] Received SHUTDOWN from user root. Shutting down mysqld (Version: 8.0.19).
    2020-04-14T10:07:16.234409Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.19)  MySQL Community Server - GPL.
    2020-04-14 10:07:16+00:00 [Note] [Entrypoint]: Temporary server stopped
    
    2020-04-14 10:07:16+00:00 [Note] [Entrypoint]: MySQL init process done. Ready for start up.
    
    2020-04-14T10:07:17.138424Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
    2020-04-14T10:07:17.138513Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.19) starting as process 1
    2020-04-14T10:07:19.222285Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
    2020-04-14T10:07:19.223207Z 0 [ERROR] [MY-010250] [Server] Failed to create a socket for IPv4 '0.0.0.0': errno: 13.
    2020-04-14T10:07:19.223318Z 0 [ERROR] [MY-010255] [Server] Can't create IP socket: Permission denied
    2020-04-14T10:07:19.223587Z 0 [ERROR] [MY-010119] [Server] Aborting
    2020-04-14T10:07:20.361212Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.19)  MySQL Community Server - GPL.
    
    

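    It exits in the same way, because it has no permission to create a socket. What I have tried so far: running as root both inside and outside the container, changing the permissions on `/var/run/docker.sock`, deleting it and letting it be regenerated, and so on. Googling did not turn up the same situation; most results deal with this error when running MySQL on its own or Jenkins on its own, and running Jenkins on its own works fine for me. Out of options, I can only ask for help here.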

    Addendum 1  ·  2020-04-15 17:38:59 +08:00

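    The problem has been solved. It was caused by AppArmor. My system is deepin 15.11, which ships with AppArmor. First, the solutions I found:

    • Uninstall AppArmor outright (too heavy-handed)
    • Install version 2.12-4 of AppArmor (did not work for me)
    • Disable AppArmor through a command-line option when running Docker

    To upgrade to 2.12-4: add `deb http://br.archive.ubuntu.com/ubuntu bionic main` to `/etc/apt/sources.list`, then run: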

    sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 3B4FE6ACC0B21F32
    sudo apt update
    sudo apt install apparmor=2.12-4ubuntu5
    

    Upgrading the AppArmor version did not work for me either, so in the end I used the `--security-opt apparmor=unconfined` option with `docker run` to disable AppArmor:

    docker run --security-opt apparmor=unconfined -p 3307:3306 -e MYSQL_RANDOM_ROOT_PASSWORD=123456 --name mysql mysql
    

    Link to the lead I followed: docker 18.03.1-ce network not working on Deepin 15.7 - socket permission denied
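
A way to confirm the cause named in the addendum, added here as an example and not part of the original thread: it filters kernel log text for AppArmor denials of socket creation and reports the profile and process involved. The log lines are constructed samples (including the `docker-default` profile name), and the function names `sample_log` and `apparmor_socket_denials` are hypothetical.

```shell
#!/bin/sh
# Added example: list AppArmor denials of socket creation from kernel log text.

# Constructed sample of kernel audit lines (not taken from the thread).
sample_log() {
cat <<'EOF'
[ 101.1] audit: type=1400 audit(1586859190.097:41): apparmor="DENIED" operation="create" profile="docker-default" pid=4242 comm="java" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
[ 102.5] audit: type=1400 audit(1586859439.223:42): apparmor="DENIED" operation="create" profile="docker-default" pid=4310 comm="mysqld" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
[ 103.0] audit: type=1400 audit(1586859440.000:43): apparmor="DENIED" operation="open" profile="docker-default" name="/proc/sysrq-trigger" pid=4311 comm="cat" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 104.2] audit: type=1400 audit(1586859441.000:44): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=900 comm="apparmor_parser"
EOF
}

# Read kernel log lines on stdin; print one summary line per denied socket().
apparmor_socket_denials() {
    awk '
    # Return the quoted value of key="value" on the current line, or "-".
    function field(name,   s) {
        if (!match($0, name "=\"[^\"]*\"")) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    # Only denied "create" operations that carry a socket family are reported;
    # file denials and profile status messages are skipped.
    /apparmor="DENIED"/ && field("operation") == "create" && field("family") != "-" {
        printf "profile=%s comm=%s family=%s sock_type=%s\n",
               field("profile"), field("comm"), field("family"), field("sock_type")
    }'
}

# On a real host: dmesg | apparmor_socket_denials   (or: journalctl -k | ...)
# Profile applied to a container: docker inspect --format '{{.AppArmorProfile}}' NAME
sample_log | apparmor_socket_denials
```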

    8 replies    2020-07-20 18:31:37 +08:00
    wellsc · #1 · 2020-04-14 18:38:07 +08:00
    Try mapping the socket descriptor from outside the container into the container.
    CRUD (OP) · #2 · 2020-04-14 21:33:48 +08:00
    @wellsc #1 Mapping it with `-v /var/run/docker.sock:/var/run/docker.sock` gives the same result; no effect.
    DCCooper · #3 · 2020-04-14 23:53:16 +08:00 via iPhone
    Try creating the container with user=root.
    DCCooper · #4 · 2020-04-14 23:56:32 +08:00 via iPhone
    Also, doesn't this Jenkins map a local directory for persistent storage? The Jenkins Dockerfile defines a default user, jenkins. Mount a local directory with -v, then chown it and see.
    Trim21 · #5 · 2020-04-14 23:56:44 +08:00 via Android
    @CRUD What that maps is the socket between the Docker CLI and the daemon, not the socket that the Docker application uses.
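    CRUD (OP) · #6 · 2020-04-15 09:53:12 +08:00
    @DCCooper #4 I did try `-u root` and `-u 0` to run as the root user, but that did not work either. I also tried mounting the `jenkins_home` directory; it did not feel like the issue, so I left it out above to keep the command as short as possible.

    As for what you said about mounting a local directory with -v and then running chown, I gave it a try. The steps were to create the container:
    `docker run --rm --name jenkins -u root -p 8100:8080 -p 50000:50000 -v /home/jenkins:/var/jenkins_home jenkins/jenkins`
    and then chown the /home/jenkins directory to root or to jenkins; neither worked.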
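    CRUD (OP) · #7 · 2020-04-15 09:55:56 +08:00
    @Trim21 #5 OK, this is the only socket descriptor I know of. How should the Docker application's socket be mapped?
    I keep feeling that it may not have much to do with the environment inside the container; it looks more like something is wrong with the Docker application itself, but I don't have much Docker experience and can't find where..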
    HHDDLL · #8 · 2020-07-20 18:31:37 +08:00
    Try turning SELinux off?