Containers need --privileged on some Docker installations

[lassik]

$ docker run --rm -it silex/emacs:24.5
Unable to find image 'silex/emacs:24.5' locally
24.5: Pulling from silex/emacs
e756f3fdd6a3: Pull complete
65b984538131: Pull complete
c33245f416b6: Pull complete
Digest: sha256:696df85f4e3fcf6c5eb443adf82590e3f4b81fe24e6c06a9390f20fc54c21961
Status: Downloaded newer image for silex/emacs:24.5
Warning: arch-dependent data dir `/nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/libexec/emacs/24.5/x86_64-unknown-linux-gnu/': Operation not permitted
Warning: arch-independent data dir `/nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/etc/': Operation not permitted
Warning: Lisp directory `/nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/lisp': Operation not permitted
Error: charsets directory not found:
/nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/etc/charsets
Emacs will not function correctly without the character map files.
Please check your installation!
$

[Silex]

Works by me... What is your OS?

Also do you confirm the image SHA1 is 917694e5834d ?

philippe@stvs-pv-laptop-01:~$ docker images | grep silex
silex/emacs                    24.5              917694e5834d   11 days ago     408MB

[lassik]

Debian GNU/Linux 10 (buster).

# uname -srm
Linux 4.19.0-18-amd64 x86_64

SHA matches.

Using docker run --rm -it silex/emacs:24.5 bash I can get to a bash prompt, but typing emacs in it gives the above errors.

# emacs
Warning: arch-dependent data dir `/nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/libexec/emacs/24.5/x86_64-unknown-linux-gnu/': Operation not permitted
Warning: arch-independent data dir `/nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/etc/': Operation not permitted
Warning: Lisp directory `/nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/lisp': Operation not permitted
Error: charsets directory not found:
/nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/etc/charsets
Emacs will not function correctly without the character map files.
Please check your installation!

[lassik]

$ docker --version
Docker version 18.09.1, build 4c52b90

[Silex]

Can you paste the output of docker inspect silex/emacs:24.5 here?

[lassik]

Sure.

[
    {
        "Id": "sha256:917694e5834d0eaa3b617e4393bb36fcbc27c32586ec32d827c69251e08cf4fa",
        "RepoTags": [
            "silex/emacs:24",
            "silex/emacs:24.5"
        ],
        "RepoDigests": [
            "silex/emacs@sha256:696df85f4e3fcf6c5eb443adf82590e3f4b81fe24e6c06a9390f20fc54c21961"
        ],
        "Parent": "",
        "Comment": "buildkit.dockerfile.v0",
        "Created": "2022-05-29T02:01:37.148900429Z",
        "Container": "",
        "ContainerConfig": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": null,
            "Cmd": null,
            "Image": "",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": null
        },
        "DockerVersion": "",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/nix/store/emacs/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "emacs"
            ],
            "ArgsEscaped": true,
            "Image": "",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": null
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 408144520,
        "VirtualSize": 408144520,
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/77b56c67ba0082f53f59f129eac0a07cc29cece8e222cf67955842d07f0f7444/diff:/var/lib/docker/overlay2/6268880bbdea1e5fcec403d77924090198dc3f7528034b0c0521b7bb7db4de82/diff",
                "MergedDir": "/var/lib/docker/overlay2/833b5c2dee4911049022bc365284b71abdaf56b1da74c8916bfaedfc257f2f58/merged",
                "UpperDir": "/var/lib/docker/overlay2/833b5c2dee4911049022bc365284b71abdaf56b1da74c8916bfaedfc257f2f58/diff",
                "WorkDir": "/var/lib/docker/overlay2/833b5c2dee4911049022bc365284b71abdaf56b1da74c8916bfaedfc257f2f58/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:e7597c345c2eb11bce09b055d7c167c526077d7c65f69a7f3c6150ffe3f557ea",
                "sha256:4b25f673d7497e5ce7c760597fc1a6b117f939a148f2a8922c3698239ee1f92d",
                "sha256:25770475ed36fc4d89b69841dbf5458601de948fce4e0970f23f9420209efad2"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

[lassik]

Btw, the same problem occurs with:

docker run --rm -it silex/emacs:24
docker run --rm -it silex/emacs:25
docker run --rm -it silex/emacs:26
docker run --rm -it silex/emacs:27

emacs:28 outputs nothing and exits immediately. I can go into bash in that container and type emacs; that gives a segfault.

[APIPLM]

I used to install the latest version of silex/emacs image, which is 27.2. it works.

Linux Linux 3.10.0-1160.el7.x86_64 x86_64

Docker version Docker version 1.13.1, build 7d71120/1.13.1

[Silex]

@lassik: does docker run --rm -it --privileged silex/emacs:24 works?

I have no clue what your problem is, but Warning: Lisp directory '/nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/lisp': Operation not permitted points me to permission issues.

Can you also try this:

docker run --rm -it silex/emacs:24 bash
apt update && apt install vim
vim

And confirm vim works?

[lassik]

With --privileged all the containers work normally.

Installing and running vim or emacs from APT works even without --privileged.

[lassik]

Notably, and strangely, --privileged also solves the segfault with emacs:28.

[Silex]

Interesting.

The thing is my setup is way more recent that yours:

silex@silex-laptop:~$ docker --version
Docker version 20.10.17, build 100c701
silex@silex-laptop:~$ uname -srm
Linux 5.4.0-117-generic x86_64

I kinda expect most people's setup to be that way.

Can you docker run --rm -it silex/emacs:24 bash and try to figure out why /nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/lisp has permission issues? Please confirm you are root in the container.

Maybe it's simply some permissions to set, or maybe your docker 18.09 refuses to let unprivileged containers access /nix but that sounds idiotic.

[lassik]

There doesn't seem to be anything weird about it:

$ docker run --rm -it silex/emacs:24.5 bash

root@15d6e219d5ae:/# id
uid=0(root) gid=0(root) groups=0(root)

root@15d6e219d5ae:/# ls -alFd /nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/libexec/emacs/24.5/x86_64-unknown-linux-gnu
dr-xr-xr-x 2 root root 4096 Jan  1  1970 /nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/libexec/emacs/24.5/x86_64-unknown-linux-gnu/

root@15d6e219d5ae:/# ls -alFd /nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/lisp
dr-xr-xr-x 26 root root 20480 Jan  1  1970 /nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/lisp/

root@15d6e219d5ae:/# ls -alFd /nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/etc
dr-xr-xr-x 14 root root 4096 Jan  1  1970 /nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/etc/

root@15d6e219d5ae:/# ls -alFd /nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/etc/charsets
dr-xr-xr-x 2 root root 4096 Jan  1  1970 /nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/etc/charsets/

[lassik]

But nix could be running some setup under a non-root user?

[Silex]

Can you try to rename /nix/store/4c69jxk9df88k2x60bdgv2fv7h1cj9pc-emacs-24.5/share/emacs/24.5/lisp and basically try to modify files in there to see if it lets you?

If you can, can you check with what user "emacs" is ran?

It's really hard for me to debug this while not being able to reproduce :sweat_smile:

[lassik]

It runs as root (at least at first).

Moving, chmod'ing, editing files and directories works.

Getting strace to work in a container (for tracing system calls made by the Emacs process) is not easy.

[Silex]

Getting strace to work in a container (for tracing system calls made by the Emacs process) is not easy.

Yeah you need to be privileged for that I think, which defeats the purpose.

Maybe I can install a VM with your OS and try. How did you install docker on that OS?

[lassik]

That would be great!

From Debian packages: apt install docker.io

It may be that the Docker version is just too old. Though the problem is still weird. Does Emacs rummage through the charmaps and other files the first time it's started?

[Silex]

From Debian packages: apt install docker.io

Ah right, yeah that's not recommended AFAIK.

Can you try installing docker the recommended way? https://docs.docker.com/desktop/linux/install/debian

I'm not too keen on spending time debugging something that is fixed already :wink:

[APIPLM]

What is the issue? I have not got it yet. It is about the docker or linux distribution?

[Silex]

@lassik: any updates?

[Silex]

No news, closing.