[BUG] Docker run fails. Throws InteractiveBrowserCredential in docker
Describe the bug
Similar error as some other issues: When I am trying to run Azure MCP via docker, I am getting permission denied errors.
Platform: WSL Ubuntu 22.04
Command used: docker run -i --rm --env-file .env mcr.microsoft.com/azure-sdk/azure-mcp:latest
Error: docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "./azmcp": permission denied: unknown.
Content of .env file:
AZURE_TENANT_ID=xxxxx-xxxxx-xxxxx-xxxxx
AZURE_CLIENT_ID=xxxxx-xxxxx-xxxxx-xxxxx (of an owned application under App Registrations)
AZURE_CLIENT_SECRET=xxxxx-xxxxx-xxxxx-xxxxx (of an owned application under App Registrations)
I tried a backup solution like this in mcp.json:
{
  "mcpServers": {
    "azure-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--env-file",
        "/mcp/servers/Azure.Mcp.Server/.env",
        "--entrypoint",
        "sh",
        "mcr.microsoft.com/azure-sdk/azure-mcp:latest",
        "-c",
        "chmod +x ./azmcp && ./azmcp server start"
      ],
      "disabled": false,
      "alwaysAllow": []
    }
  }
}
I am using ROO code for MCP in VSCode. On doing the following changes, the server becomes active and shows tasks available.
When I give a task like "List subscriptions", it gives an "Authentication Failed":
`Roo wants to use a tool on the azure-mcp-server MCP server azure-mcp-server
subscription Azure subscription operations - Commands for listing and managing Azure subscriptions accessible to your account.This tool is a hierarchical MCP command router. Sub commands are routed to MCP servers that require specific fields inside the "parameters" object. To invoke a command, set "command" and wrap its args in "parameters". Set "learn=true" to discover available sub commands. { "intent": "list available subscriptions", "command": "list", "parameters": {} }
Roo wants to use a tool on the azure-mcp-server MCP server azure-mcp-server
subscription Azure subscription operations - Commands for listing and managing Azure subscriptions accessible to your account.This tool is a hierarchical MCP command router. Sub commands are routed to MCP servers that require specific fields inside the "parameters" object. To invoke a command, set "command" and wrap its args in "parameters". Set "learn=true" to discover available sub commands. { "intent": "list available subscriptions", "command": "subscription_list", "parameters": {} }
Roo has a question Authentication failed. Would you like to attempt signing in to Azure?`
Is the docker workaround messing up the authentication?
Expected behavior
On executing docker run -i --rm --env-file .env mcr.microsoft.com/azure-sdk/azure-mcp:latest , it should run fine.
Actual behavior
docker run -i --rm --env-file .env mcr.microsoft.com/azure-sdk/azure-mcp:latest fails with error:
Error: docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "./azmcp": permission denied: unknown.
Reproduction Steps
{
  "mcpServers": {
    "azure-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--env-file",
        "/mcp/servers/Azure.Mcp.Server/.env",
        "--entrypoint",
        "sh",
        "mcr.microsoft.com/azure-sdk/azure-mcp:latest",
        "-c",
        "chmod +x ./azmcp && ./azmcp server start"
      ],
      "disabled": false,
      "alwaysAllow": []
    }
  }
}
Environment
No response
Thanks for reporting this issue, @akashyxp. Can you explain what you mean by authentication workaround? What steps are you following exactly?
So since original docker command causes issues:
docker run -i --rm --env-file /home/user/mcp/servers/Azure.Mcp.Server/.env mcr.microsoft.com/azure-sdk/azure-mcp:latest
I use this command: docker run -i --rm --env-file /home/user/mcp/servers/Azure.Mcp.Server/.env --entrypoint sh mcr.microsoft.com/azure-sdk/azure-mcp:latest -c "chmod +x ./azmcp && ./azmcp server start"
And I have configured same way in mcp.json as well.
Can this be causing issues, as when I give any command like "List subscriptions", it does not return the results?
Environment : WSL Ubuntu 22.04
An update here @joshfree @conniey ,
I built image using : ./eng/scripts/Build-Docker.ps1 -ServerName "Azure.Mcp.Server"
I followed this troubleshooting documentation : Microsoft-Entra-ID
I did az login in WSL terminal. I updated my MCP to use --volume as per documentation:
{
  "mcpServers": {
    "azure-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--volume",
        "/home/myuser/.azure:/root/.azure",
        "azure-sdk/azure-mcp:0.8.5"
      ],
      "disabled": false,
      "alwaysAllow": []
    }
  }
}
Server shows active with all tasks listed, but when I give list all subscriptions, it throws error. On checking docker logs, this is what I observed:
System.DllNotFoundException: Unable to load shared library 'libX11.so.6' or one of its dependencies. In order to help diagnose loading problems, consider using a tool like strace. If you're using glibc, consider setting the LD_DEBUG environment variable:
Error loading shared library /azuremcpserver/libX11.so.6: No such file or directory
Error loading shared library libX11.so.6: No such file or directory
Error loading shared library /azuremcpserver/liblibX11.so.6: No such file or directory
Error loading shared library liblibX11.so.6: No such file or directory
Error loading shared library /azuremcpserver/libX11.so.6.so: No such file or directory
Error loading shared library libX11.so.6.so: No such file or directory
Error loading shared library /azuremcpserver/liblibX11.so.6.so: No such file or directory
Error loading shared library liblibX11.so.6.so: No such file or directory
at Azure.Mcp.Core.Services.Azure.Authentication.WindowHandleProvider.<XOpenDisplay>g____PInvoke|2_0(Byte* __display_native)
at Azure.Mcp.Core.Services.Azure.Authentication.WindowHandleProvider.<XOpenDisplay>g____PInvoke|2_0(Byte* __display_native)
at Azure.Mcp.Core.Services.Azure.Authentication.WindowHandleProvider.XOpenDisplay(String display) in /home/myuser/mcp/core/Azure.Mcp.Core/src/obj/Release/net9.0/Microsoft.Interop.LibraryImportGenerator/Microsoft.Interop.LibraryImportGenerator/LibraryImports.g.cs:line 28
at Azure.Mcp.Core.Services.Azure.Authentication.WindowHandleProvider.GetWindowHandle() in /home/myuser/mcp/core/Azure.Mcp.Core/src/Services/Azure/Authentication/WindowHandleProvider.cs:line 28
{"result":{"content":[{"type":"text","text":"{\u0022status\u0022:401,\u0022message\u0022:\u0022Authentication failed. Please run \\u0027az login\\u0027 to sign in to Azure. Details**: The ChainedTokenCredential failed due to an unhandled exception: InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details.** To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azmcp/troubleshooting.\u0022,\u0022results\u0022:{\u0022message\u0022:\u0022The ChainedTokenCredential failed due to an unhandled exception: InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details\u0022,\u0022stackTrace\u0022:null,\u0022type\u0022:\u0022AuthenticationFailedException\u0022},\u0022duration\u0022:0}"}],"isError":true},"id":4,"jsonrpc":"2.0"}
Why is it trying InteractiveBrowserCredential when az login is done and volume is mounted as per documentation?
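A triage sketch for the two failures reported in this thread (an added example, not part of the original issue or of the Azure MCP code base): it classifies docker stderr plus the JSON-RPC tool reply. The function name, verdict strings and sample inputs are assumptions; the samples are constructed and abridged from the logs quoted above.

```python
import json
import re

# Constructed sample input, abridged from the log lines quoted in this thread.
SAMPLE_DAEMON_ERROR = ['unable to start container process: exec: "./azmcp": permission denied: unknown.']
SAMPLE_STDERR = [
    "System.DllNotFoundException: Unable to load shared library 'libX11.so.6' or one of its dependencies.",
    "Error loading shared library libX11.so.6: No such file or directory",
]
_PAYLOAD = {"status": 401, "results": {
    "type": "AuthenticationFailedException",
    "message": "The ChainedTokenCredential failed due to an unhandled exception: "
               "InteractiveBrowserCredential authentication failed: Persistence check failed."}}
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 4, "result": {
    "isError": True, "content": [{"type": "text", "text": json.dumps(_PAYLOAD)}]}})

EXEC_DENIED = re.compile(r'exec: "([^"]+)": permission denied')
MISSING_LIB = re.compile(r"Unable to load shared library '([^']+)'")
FAILED_CRED = re.compile(r"(\w+Credential) authentication failed")


def triage(stderr_lines, response_line=None):
    """Classify one failed run from docker stderr plus an optional JSON-RPC reply."""
    out = {"verdict": "unknown", "status": None, "failed_credential": None, "missing_libs": []}
    for line in stderr_lines:
        if EXEC_DENIED.search(line):
            out["verdict"] = "entrypoint_not_executable"  # container never started
            return out
        out["missing_libs"] += MISSING_LIB.findall(line)
    if response_line:
        result = json.loads(response_line).get("result", {})
        for item in result.get("content", []):
            try:  # the tool payload is JSON serialized inside the "text" string
                inner = json.loads(item.get("text", ""))
            except (ValueError, TypeError):
                continue
            if not isinstance(inner, dict):
                continue
            out["status"] = inner.get("status")
            details = inner.get("results")
            message = details.get("message", "") if isinstance(details, dict) else ""
            match = FAILED_CRED.search(message)
            out["failed_credential"] = match.group(1) if match else None
    if out["status"] == 401:
        headless = out["failed_credential"] == "InteractiveBrowserCredential" and out["missing_libs"]
        # A 401 plus a missing X11 library: the browser credential ran where no display exists.
        out["verdict"] = "interactive_fallback_in_headless_container" if headless else "auth_failed"
    return out
```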
The issue is that you built the docker image with -rw-rw-r-- 1 root root 131937098 Oct 3 01:09 azmcp . This doesn't have executable permission set. You then have as entrypoint "Entrypoint": [ "./azmcp", "server", "start" ], which of course fails. You need either to manually correct the entrypoint or use this as base image for a correct one. The authentication issue is unrelated to this. Please fix the image accordingly.
I built image locally using Dockerfile and build-docker powershell script and then I did not get the permission denied issue. But I get the InteractiveBrowserCredential issue when I try to configure it via mcp.json
Related #703
Hi @conniey , do you have any idea about https://github.com/microsoft/mcp/issues/710#issuecomment-3374192020 ? Any info would be much appreciated. Thank you.
We should not be trying to use interactive browser credential when running in a docker container because there is no handle to open. This is a bug in our auth flow.
Thanks for the prompt response @conniey . I assume it might take a while to fix it. Is there any temporary workaround I can do meanwhile to disable this interactive browser credential? I tried passing AZURE_TOKEN_CREDENTIALS=AzureCliCredential as environment variable but it did not work.
@g2vinay may have some additional insights as he is looking into the auth failure.
Hi @g2vinay , can you help here and give any inputs? Thanks in advance!
Unable to repro this in first pass. Looking at the auth issue, it shows that az cli auth isn't getting picked up from the .azure dir.
Curious: why is the .azure dir referred from /home/myuser in your config? That path looks invalid.
{
  "mcpServers": {
    "azure-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--volume",
        "/home/myuser/.azure:/root/.azure",
        "azure-sdk/azure-mcp:0.8.5"
      ],
      "disabled": false,
      "alwaysAllow": []
    }
  }
}
Hi @g2vinay , sorry for the late response. It is referred from that path because that's where it resides. The path is shown below:
`myuser@KR-C-0898U | internet+docker: ok:~/.azure $ ls -al
total 276
drwxr-xr-x 6 myuser myuser 4096 Oct 9 12:13 .
drwxr-x--- 70 myuser myuser 4096 Oct 11 17:23 ..
-rw-r--r-- 1 myuser myuser 5 Oct 6 22:59 az.json
-rw-r--r-- 1 myuser myuser 5 Oct 9 12:13 az.sess
-rw-r--r-- 1 myuser myuser 67 Oct 6 23:06 az_survey.json
-rw-r--r-- 1 myuser myuser 3586 Oct 8 11:54 azureProfile.json
-rw-r--r-- 1 myuser myuser 66 Oct 8 11:54 clouds.config
-rw-r--r-- 1 myuser myuser 5672 Oct 8 12:08 commandIndex.json
drwxr-xr-x 2 myuser myuser 4096 Oct 9 12:13 commands
-rw------- 1 myuser myuser 51 Oct 6 22:59 config
-rw-r--r-- 1 myuser myuser 187196 Oct 7 00:16 extensionCommandTree.json
drwxr-xr-x 2 myuser myuser 4096 Oct 6 22:59 logs
drwxr-xr-x 2 myuser myuser 4096 Oct 7 16:46 ms-azuretools.vscode-azureresourcegroups
-rw-r--r-- 1 myuser myuser 3940 Oct 9 12:13 msal_http_cache.bin
-rw------- 1 myuser myuser 17616 Oct 9 12:13 msal_token_cache.json
-rw------- 1 myuser myuser 402 Oct 7 16:19 service_principal_entries.json
drwxr-xr-x 2 myuser myuser 4096 Oct 9 12:13 telemetry
-rw-r--r-- 1 root root 19 Oct 8 14:00 telemetry.txt
-rw-r--r-- 1 myuser myuser 211 Oct 6 22:59 versionCheck.json
myuser@KR-C-0898U | internet+docker: ok:~/.azure $ pwd
/home/myuser/.azure`