docker pull: operation not permitted

When I pull some docker images (but not all of them), I get this error:

    failed to register layer: Error processing tar file(exit status 1): operation not permitted

For example: docker pull nginx works, but docker pull redis does not.

I get the same result whether I run the command as a user that is a member of the docker group, with sudo, or as root.

If I run dockerd in debug mode, I see this in the log:

    DEBU[0025] Downloaded 5233d9aed181 to tempfile /var/lib/docker/tmp/GetImageBlob023191751
    DEBU[0025] Applying tar in /var/lib/docker/overlay2/e5290b8c50d601918458c912d937a4f6d4801ecaa90afb3b729a5dc0fc405afc/diff
    DEBU[0027] Applied tar sha256:16ada34affd41b053ca08a51a3ca92a1a63379c1b04e5bbe59ef27c9af98e5c6 to e5290b8c50d601918458c912d937a4f6d4801ecaa90afb3b729a5dc0fc405afc, size: 79185732
    (...)
    DEBU[0029] Applying tar in /var/lib/docker/overlay2/c5c0cfb9907a591dc57b1b7ba0e99ae48d0d7309d96d80861d499504af94b21d/diff
    DEBU[0029] Cleaning up layer c5c0cfb9907a591dc57b1b7ba0e99ae48d0d7309d96d80861d499504af94b21d: Error processing tar file(exit status 1): operation not permitted
    INFO[0029] Attempting next endpoint for pull after error: failed to register layer: Error processing tar file(exit status 1): operation not permitted
    INFO[0029] Layer sha256:938f1cd4eae26ed4fc51c37fa2f7b358418b6bd59c906119e0816ff74a934052 cleaned up
    (...)

If I run watch -n 0 "sudo ls -lt /var/lib/docker/overlay2/" while the pull is running, I can see the new folders appear (and disappear after the failure), and /var/lib/docker/overlay2/ is root:root with mode 700, so I don't think this is a permissions problem.

Here are some details about the environment:

I have a Proxmox host running an LXC container, and it is inside that container that I have the problem. The container itself runs Debian 8. Here are the various versions:

    $> uname -a
    Linux [redacted-hostname] 4.10.15-1-pve #1 SMP PVE 4.10.15-15 (Fri, 23 Jun 2017 08:57:55 +0200) x86_64 GNU/Linux

    $> docker version
    Client:
     Version:      17.06.0-ce
     API version:  1.30
     Go version:   go1.8.3
     Git commit:   02c1d87
     Built:        Fri Jun 23 21:20:04 2017
     OS/Arch:      linux/amd64

    Server:
     Version:      17.06.0-ce
     API version:  1.30 (minimum version 1.12)
     Go version:   go1.8.3
     Git commit:   02c1d87
     Built:        Fri Jun 23 21:18:59 2017
     OS/Arch:      linux/amd64
     Experimental: false

    $> docker info
    Containers: 20
     Running: 0
     Paused: 0
     Stopped: 20
    Images: 28
    Server Version: 17.06.0-ce
    Storage Driver: overlay2
     Backing Filesystem: extfs
     Supports d_type: true
     Native Overlay Diff: false
    Logging Driver: json-file
    Cgroup Driver: cgroupfs
    Plugins:
     Volume: local
     Network: bridge host macvlan null overlay
     Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
    Swarm: inactive
    Runtimes: runc
    Default Runtime: runc
    Init Binary: docker-init
    containerd version: cfb82a876ecc11b5ca0977d1733adbe58599088a
    runc version: 2d41c047c83e09a6d61d464906feb2a2f3c52aa4
    init version: 949e6fa
    Kernel Version: 4.10.15-1-pve
    Operating System: Debian GNU/Linux 8 (jessie)
    OSType: linux
    Architecture: x86_64
    CPUs: 4
    Total Memory: 7.906GiB
    Name: resumed-dev
    ID: EBJ6:AFVS:L3RC:ZEE7:A6ZJ:WDQE:GTIZ:RXHA:P4AQ:QJD7:H6GG:YIQB
    Docker Root Dir: /var/lib/docker
    Debug Mode (client): false
    Debug Mode (server): true
    File Descriptors: 16
    Goroutines: 24
    System Time: 2017-08-17T14:17:07.800849127+02:00
    EventsListeners: 0
    Registry: https://index.docker.io/v1/
    Experimental: false
    Insecure Registries:
     127.0.0.0/8
    Live Restore Enabled: false
    WARNING: bridge-nf-call-iptables is disabled
    WARNING: bridge-nf-call-ip6tables is disabled

If your container is unprivileged, this seems to be a problem with Docker's overlay2 storage driver. It does not seem to be a problem with overlay (GitHub issue). So either use the overlay storage driver instead of overlay2, or make your container privileged.

I have almost the same environment as you and ran into the same problem. Some images work perfectly (alpine), while some images fail to clean up (ubuntu).

Running strace -f dockerd -D and then docker pull or docker load gives the reason:

    mknodat(AT_FDCWD, "/dev/agpgart", S_IFCHR|0660, makedev(10, 175)) = -1 EPERM (Operation not permitted)

Unprivileged containers forbid device mknod. If you insist on nesting Docker inside LXC, you will have to choose privileged containers. (Note that, because of the uid/gid mapping, an existing unprivileged container cannot be converted directly into a privileged container.)
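The strace line above is the whole diagnosis: the layer tarball carries a device node under /dev, and the kernel refuses mknod of a character device from inside an unprivileged (uid-mapped) container. As an added example, not code from the question or either answer, the POSIX sh script below reproduces that one syscall in a scratch directory with the same major/minor numbers as /dev/agpgart, and reads /proc/self/uid_map to tell an unprivileged container from a plain capability or seccomp restriction. It assumes coreutils mknod, a writable TMPDIR and a Linux /proc; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the question or answers): pre-flight check for
# "Error processing tar file: operation not permitted" before pulling images
# inside an LXC container.  Assumes coreutils mknod and a Linux /proc.

# Try the same operation that failed in the strace output: create a
# character device node with major 10, minor 175 (/dev/agpgart).
# Prints "permitted" and returns 0 on success, prints "denied" and
# returns 1 if the kernel refuses, returns 2 if the scratch dir fails.
check_device_mknod() {
    scratch=$(mktemp -d) || return 2
    if mknod "$scratch/agpgart" c 10 175 2>/dev/null; then
        rm -f "$scratch/agpgart"
        rmdir "$scratch"
        echo permitted
        return 0
    fi
    rmdir "$scratch"
    echo denied
    return 1
}

# Returns 0 when this process runs inside a user namespace with a
# non-identity uid mapping (what an unprivileged LXC container looks like),
# 1 when the first mapping line is the full identity map "0 0 4294967295",
# 2 when /proc/self/uid_map cannot be read.
in_mapped_userns() {
    [ -r /proc/self/uid_map ] || return 2
    read -r inside outside count < /proc/self/uid_map || return 2
    if [ "$inside" = 0 ] && [ "$outside" = 0 ] && [ "$count" = 4294967295 ]; then
        return 1
    fi
    return 0
}

# One-line verdict suitable for a CI or provisioning preflight step.
preflight_report() {
    if check_device_mknod >/dev/null; then
        echo "mknod ok: image layers containing device nodes can be applied"
    elif in_mapped_userns; then
        echo "mknod denied inside a mapped user namespace: unprivileged container, layers with /dev entries will fail with 'operation not permitted'"
    else
        echo "mknod denied outside a mapped user namespace: check CAP_MKNOD and the seccomp profile of this container"
    fi
}

preflight_report
```

If the report says the container is unprivileged, the two remedies are the ones the answers give: switch the daemon to the overlay storage driver, or recreate the container as a privileged one (an existing unprivileged container cannot simply be flipped because of its uid/gid mapping). The script changes nothing on the system; it only creates and removes one node in a temporary directory.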