[BUG] Docker snap fails to run bash container #1

Open
elreydetoda opened this issue Jun 3, 2020 · 3 comments
Labels: bug, help wanted, needs research

Comments

@elreydetoda
Member

For some reason, when I try to use the snap version of docker and try to execute the bash container, it fails to execute and I get the following error message:

$ docker container run --rm -it bash
bash: /usr/local/bin/docker-entrypoint.sh: Permission denied

doing a quick journalctl -f this was in the logs
[image: screenshot of the journalctl output]

elreydetoda added the bug, help wanted and needs research labels on Jun 3, 2020

lawlz commented Jun 3, 2020

Try this out. Go to this folder:
/var/lib/snapd/apparmor
and look for that snap.docker.dockerd file of some sort. At the bottom of that file (there must be a better, more automated way than editing this file, but this is what I did..), before the end curly bracket }, place this there:

/usr/local/bin/docker-entrypoint.sh                   r,

The r at the end is literally read perms. I think that should work, but the hardest time may be finding that stinking config file. Hope that helps...

@elreydetoda
Member Author

Thanks bud, I will definitely check that out. The weird thing is that file is inside the docker container... so I don't know why it is stopping the docker container from reading a file inside itself... since that is the entrypoint: https://github.com/tianon/docker-bash/blob/a4642024da1b528b2631bfa31d6997f89dbc054a/5.0/Dockerfile#L121


lawlz commented Jun 4, 2020

From my understanding of what this ENTRYPOINT directive does and when it is observed, I believe this is pre-docker image build (or rather during the build I guess), and run on the host system. I could be wrong.

What says this is the case to me, ENTRYPOINT seems to have two options, exec (their preferred) and shell forms. The shell form has a caveat that states the ENTRYPOINT command will not run as PID 1 on the image, and is then running on the host. This somewhat backs up the idea of AppArmor blocking us, since I don't think it would be present in the Docker image itself nor logged to the host's log facility. Here is the snippet found in the docs:

The shell form prevents any CMD or run command line arguments from being used, but has the disadvantage that your ENTRYPOINT will be started as a subcommand of /bin/sh -c, which does not pass signals. This means that the executable will not be the container’s PID 1 - and will not receive Unix signals - so your executable will not receive a SIGTERM from

Link to this: https://docs.docker.com/engine/reference/builder/#entrypoint

What I would do is change the location of this file since it is on the host system and put it in a location that you allow your Docker process to see, and add that location to AppArmor as a directive for Docker's access. I believe it should be in that /usr/lib/snap area, but there are also some config options in the /etc/apparmor and /etc/apparmor.d directories as well. The apparmor_status command will show all the profiles, and is what I used to find the config I needed to change.

Good times and build rhymes. I hope that helps brother.
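
One way to read the AppArmor denials that journalctl records, so the denying profile and the missing permission are known before a profile file is edited. This is an added example, not part of the thread: the log lines are constructed, and the profile name `snap.docker.dockerd` is assumed from the comment above.

```shell
#!/bin/sh
# Added example, not from the issue thread. All log lines are constructed;
# the profile name snap.docker.dockerd is assumed from the comment above.
sample_log() {
cat <<'EOF'
Jun 03 10:00:01 host kernel: audit: type=1400 audit(1591178401.100:101): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/usr/local/bin/docker-entrypoint.sh" pid=4242 comm="runc:[2:INIT]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jun 03 10:00:09 host kernel: audit: type=1400 audit(1591178409.200:102): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/usr/local/bin/docker-entrypoint.sh" pid=4250 comm="runc:[2:INIT]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jun 03 10:00:12 host kernel: audit: type=1400 audit(1591178412.300:103): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/usr/local/bin/docker-entrypoint.sh" pid=4251 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 03 10:00:15 host kernel: audit: type=1400 audit(1591178415.400:104): apparmor="ALLOWED" operation="open" profile="snap.docker.dockerd" name="/etc/hosts" pid=4252 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 03 10:00:20 host dockerd[900]: level=info msg="unrelated daemon message"
EOF
}

# Read log lines on stdin and print one line per distinct denial:
#   <count> <profile> <operation> <denied_mask> <path>
# denied_mask is the permission letter the profile lacks (r, w, x, ...),
# which is what a rule such as "<path> r," would have to cover.
summarize_denials() {
  awk '
    # Return the value of key=... from the current line; values may be
    # quoted, or bare (the audit subsystem hex-encodes unusual names).
    function field(key,   s) {
      if (!match($0, " " key "=(\"[^\"]*\"|[^ ]+)")) return "-"
      s = substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
      gsub(/^"|"$/, "", s)
      return s
    }
    / apparmor="DENIED"/ {
      n[field("profile") " " field("operation") " " field("denied_mask") " " field("name")]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# Live use (needs privileges to read the kernel log):
#   journalctl -k --no-pager | summarize_denials
sample_log | summarize_denials
```

On a host running auditd the same records may be written to the audit log instead of the kernel log; the function accepts those lines on stdin as well.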
