
Error trying to run (any) shell command

Open AnthonyWC opened this issue 6 years ago • 11 comments

Looks like you cannot run any terminal/shell based command (and any application that relies on one)?

docker run --rm -it ansible/nocache.slim:latest ls

docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"ls\": executable file not found in $PATH": unknown.

AnthonyWC avatar Feb 28 '19 19:02 AnthonyWC

I was getting an issue:

docker pull ruby:2.6.1
docker-slim build -p -r ruby
# -p is the flag for http-probe
# -r is the command for remove-artifact files

I was able to load into IRB but not a shell.

docker run -it ruby.slim:latest
irb(main):001:0>

docker run -it ruby.slim:latest sh
# => docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "exec: \"sh\": executable file not found in $PATH": unknown.

I began to look at a lot of the code and docs. (I could be wrong on this.) But it appears that docker-slim not only strips away layers of the container to slim the images, but it also removes a lot of the binary files and system links. Mind you, this absolutely does slim the images down BIG TIME!!!

After looking at the docs, it appears you can have slim include certain folders in the new slimmed image.

docker-slim build -p -r --include-path="/bin" ruby:2.6.1
# When running this container you'll be able to start it with shell. But you won't be able to issue any shell commands such as - ls
docker run -it ruby.slim:latest sh 
# => ls: error while loading shared libraries: libselinux.so.1: cannot open shared object file: No such file or directory

You may have to take this a few steps further and see exactly what fat you need to keep from being trimmed from the image.

docker-slim build -p -r --include-path="/bin" --include-path="/sbin" --include-path="/lib" ruby:2.6.1

docker run -it ruby.slim:latest sh
$ ls
# => bin  dev  etc  lib  lib64  proc  sbin  sys  usr

Note: This is based on working with a Debian build.

tarellel avatar Mar 03 '19 02:03 tarellel

I am having issues getting a shell to work on Red Hat (comparable to CentOS). While I wish I wouldn't, I need a shell environment to execute two commands (one for generating config files, the other for the actual program) and substitute some environment variables.

Currently, I am still unable to initiate a shell sh (returning standard_init_linux.go:207: exec user process caused "no such file or directory").

My command: docker-slim build --http-probe --include-path="/bin" --include-path="/lib" --include-path="/sbin" <image>

My CMD:

CMD [ "/bin/sh", "-c", "/app/confd -onetime -backend env -confdir /app/conf/ -config-file /app/conf/conf.d/confd.toml && nginx -g 'error_log /dev/stderr;' -p /app -c /app/tmp/nginx.conf" ]

hazcod avatar Mar 06 '19 10:03 hazcod

@HazCod This might or might not be shell related... It's great that your CMD instruction calls the shell binary. That's a good start. Have you tried wrapping your command to run confd into a shell script and then invoking the shell in the CMD instruction?

Either way, sounds like you'd benefit from a shortcut command to keep your shell :-) By the way, the latest release (1.24) includes a new flag to load the includes from a file (--include-path-file).

kcq avatar Mar 13 '19 02:03 kcq

@tarellel Yes, it does remove a lot of binary files. It will remove everything your application doesn't need, so it works better if you already have an application :-) If you have a generic ruby image it won't know what it needs to keep. The --include-path and --include-path-file flags can help you keep extra resources in your images. It's usually recommended to use a sidecar container when you need to do something that's not included in your minified container. Here's an example:

docker run --rm -it --pid=container:your_container_name_or_id --net=container:your_container_name_or_id --cap-add sys_admin alpine sh

This docker command will start a container attaching it to your minified container, so you can explore the target container and run shell commands from the sidecar.

Adding a shortcut to include the shell binaries is a potential future option.

kcq avatar Mar 13 '19 02:03 kcq
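
Added example, not part of the original thread and not docker-slim's own code: the libselinux.so.1 error above comes from keeping a binary without the shared libraries it loads, so this script turns ldd output into a list of paths (the binary, its libraries and the dynamic loader) for --include-path-file. It assumes the file takes one path per line and that the script runs inside the original, unminified image; the script name, the output file name and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not docker-slim code): list a binary plus the shared
# libraries it loads, one path per line, for use with --include-path-file.
# Run it inside the original, unminified image, where ldd is available.

# Read `ldd` output on stdin, print the absolute paths it resolved.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # libc.so.6 => /lib/... (0x..)
        $1 ~ /^\//               { print $1 }        # /lib64/ld-linux-... (0x..)
    '
}

# Read `ldd` output on stdin, print library names ldd could not resolve.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Print each given binary and its resolved libraries, de-duplicated.
include_list() {
    for bin in "$@"; do
        printf '%s\n' "$bin"
        ldd "$bin" 2>/dev/null | ldd_paths
    done | sort -u
}

# Constructed sample of `ldd /bin/ls` output (addresses and the
# "not found" line are made up for illustration).
sample_ldd_ls() {
    cat <<'EOF'
	linux-vdso.so.1 (0x00007ffc0a1f2000)
	libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f2a1c000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1bc00000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f2a1b800000)
	libexample.so.1 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00007f2a1c400000)
EOF
}

# Usage: sh include-list.sh /bin/sh /bin/ls > includes.txt
if [ "$#" -gt 0 ]; then
    include_list "$@"
fi
```

The loader line (/lib64/ld-linux-x86-64.so.2 in the sample) is kept on purpose: a dynamically linked binary cannot start without it, even when every library it names is present.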

@AnthonyWC Can you tell me more about what you are trying to do with your container and your expectations? What is this ansible/nocache exactly? I couldn't find it on DockerHub for some reason.

kcq avatar Mar 13 '19 03:03 kcq

@HazCod version 1.25 adds a few new flags to make it easier to have a shell in the minified containers (--include-shell, --include-exe and --include-bin).

kcq avatar Apr 29 '19 01:04 kcq

Thank you @kcq ! What was the reason for having both --include-exe and --include-bin?

hazcod avatar Apr 29 '19 07:04 hazcod

@HazCod with --include-exe you are including an executable app located in a directory included in the PATH env variable, so you can use the app name without providing its full path (e.g., --include-exe uname). With --include-bin you need to provide the entire path. The --include-bin also works for shared objects (it doesn't have to be an executable app).

kcq avatar Apr 29 '19 14:04 kcq