
I'm trying to build (optimise) local image but: insufficient permissions

Open razorree opened this issue 7 months ago • 7 comments

I run: slim build --publish-port 3001:80 --target tyr-f

to optimise the tyr-f image. I've added 3001 as an exposed port, as I thought that could be an issue with permissions, but it didn't help.

Ubuntu 24.10, Docker version 26.1.3, build b72abbb

cmd=slim info=param.http.probe message='using default probe' 
cmd=slim state=started
cmd=slim info=cmd.input.params target.type='image' target.image='tyr-f' continue.mode='probe' rt.as.user='true' keep.perms='true' tags='' image-build-engine='internal' 
cmd=slim state=image.inspection.start
cmd=slim info=image size.human='49 MB' id='sha256:ab3af0df655ca585c745465f1bdfc266801b77ba56db3399c06859faf93fbcf3' size.bytes='48585079' 
cmd=slim info=image.stack index='0' name='tyr-f:latest' id='sha256:ab3af0df655ca585c745465f1bdfc266801b77ba56db3399c06859faf93fbcf3' 
cmd=slim info=image.exposed_ports list='80/tcp,80/tcp' 
cmd=slim state=image.inspection.done
cmd=slim state=container.inspection.start
cmd=slim info=sensor volume='mint-sensor.x.1.42.2' location='/usr/local/bin/mint-sensor' filemode='-rwxr-xr-x' version='linux/amd64|ALP|x.1.42.2|29e62e7836de7b1004607c51c502537ffe1969f0|2025-01-16_07:48:54AM|x' 
cmd=slim info=container status='created' name='mintk_204936_20250506132402' id='68f16ee1428a0b261a4a17252977d4c699600fd061a7317e94390d1c64e57297' 
cmd=slim info=container status='running' name='mintk_204936_20250506132402' id='68f16ee1428a0b261a4a17252977d4c699600fd061a7317e94390d1c64e57297' 
cmd=slim info=container ip='172.17.0.3' message='obtained IP address' 
cmd=slim info=cmd.startmonitor status='sent' 
cmd=slim info=event.startmonitor.done status='received.unexpected' data='{"name":"event.monitor.start.failed","data":{"component":"monitor.runner","state":"/","errors":["insufficient permissions"]}}
' 
mint: container stdout:
mint: container stderr:
time="2025-05-06T13:24:02Z" level=error msg="sensor: composite monitor - FAN failed to start running"
time="2025-05-06T13:24:02Z" level=error msg="sensor: failed to start composite monitor" error="insufficient permissions"
time="2025-05-06T13:24:02Z" level=error msg="sensor: run finished with error" error="run sensor without monitor failed: insufficient permissions"
time="2025-05-06T13:24:02Z" level=error msg="channel.Server.Start() - loop.Accept error = accept tcp [::]:65501: use of closed network connection"
time="2025-05-06T13:24:02Z" level=error msg="channel.Server.Start() - loop.Accept error = accept tcp [::]:65502: use of closed network connection"
mint: end of container logs =============
cmd=slim info=report file='slim.report.json' 
time="2025-05-06T15:24:03+02:00" level=error msg=terminating error="unexpected event type" stack="goroutine 1 [running]:\nruntime/debug.Stack()\n\truntime/debug/stack.go:26 +0x5e\ngithub.com/mintoolkit/mint/pkg/app.(*ExecutionContext).FailOn(0xc0006ed440, {0x2f99040, 0x46b8970})\n\tgithub.com/mintoolkit/mint/pkg/app/execontext.go:65 +0x58\ngithub.com/mintoolkit/mint/pkg/app/master/command/build.OnCommand(_, _, {_, _}, _, {_, _}, {_, _}, {0x0, ...}, ...)\n\tgithub.com/mintoolkit/mint/pkg/app/master/command/build/handler.go:1183 +0x46a5\ngithub.com/mintoolkit/mint/pkg/app/master/command/build.init.func1(0xc000659940)\n\tgithub.com/mintoolkit/mint/pkg/app/master/command/build/cli.go:774 +0x561a\ngithub.com/urfave/cli/v2.(*Command).Run(0x46f5e20, 0xc000659940, {0xc00061d720, 0x5, 0x5})\n\tgithub.com/urfave/cli/[email protected]/command.go:279 +0x7e2\ngithub.com/urfave/cli/v2.(*Command).Run(0xc00062ba20, 0xc000659280, {0xc000152120, 0x6, 0x6})\n\tgithub.com/urfave/cli/[email protected]/command.go:272 +0xa65\ngithub.com/urfave/cli/v2.(*App).RunContext(0xc000304a00, {0x2fc3bf8, 0x4776a20}, {0xc000152120, 0x6, 0x6})\n\tgithub.com/urfave/cli/[email protected]/app.go:337 +0x58b\ngithub.com/urfave/cli/v2.(*App).Run(...)\n\tgithub.com/urfave/cli/[email protected]/app.go:311\ngithub.com/mintoolkit/mint/pkg/app/master.Run()\n\tgithub.com/mintoolkit/mint/pkg/app/master/app.go:15 +0x45\nmain.main()\n\tgithub.com/mintoolkit/mint/cmd/mint/main.go:15 +0x187\n"
cmd=slim info=fail.on version='linux/amd64|ALP|x.1.42.2|29e62e7836de7b1004607c51c502537ffe1969f0|2025-01-16_07:48:54AM|x' 
cmd=slim info=exit code='-1' version='linux/amd64|ALP|x.1.42.2|29e62e7836de7b1004607c51c502537ffe1969f0|2025-01-16_07:48:54AM|x' location='/usr/local/bin' 
app='mint' message='GitHub Discussions' info='https://github.com/mintoolkit/mint/discussions'
app='mint' message='Join the CNCF Slack channel to ask questions or to share your feedback' info='https://cloud-native.slack.com/archives/C059QP1RH1S'
app='mint' message='Join the Discord server to ask questions or to share your feedback' info='https://discord.gg/fAvq4ruKsG'

I've just installed Slim by script, so it should be the newest? But I saw messages about updating it: cmd=xray info=version status='OUTDATED' local='x.1.42.2' current='1.41.7'. However, slim update doesn't work:

   ~  slim update                                                                                                                                                                                                                                            ✔  base   15:27:40  
>>> 
>>> 
     exit               Exit app    
...

What should I do?

razorree avatar May 06 '25 13:05 razorree

Same here, downloaded slim today to try it for the first time on 24.04 (docker + buildx) and it failed with same message. Tried ./slim --verbose --log-level debug build but the extra information didn't contain anything giving more information about why that happened (that I could understand).

kinow avatar Sep 22 '25 06:09 kinow

Or maybe these help?

time="2025-09-22T07:00:38Z" level=info msg=call app=sensor com=fanmon op=Start
time="2025-09-22T07:00:38Z" level=info msg=exit app=sensor com=fanmon op=Start
time="2025-09-22T07:00:38Z" level=debug msg="sensor: composite monitor - FAN error" error="SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=operation not permitted,Line:131,File:github.com/mintoolkit/mint/pkg/app/sensor/monitor/fanotify/monitor.go}}"
time="2025-09-22T07:00:38Z" level=error msg="sensor: composite monitor - FAN failed to start running"
time="2025-09-22T07:00:38Z" level=error msg="sensor: failed to start composite monitor" error="insufficient permissions"
time="2025-09-22T07:00:38Z" level=debug msg="ipc.Server.TryPublishEvt(&{Name:event.monitor.start.failed Data:0xc0017478c0})"
time="2025-09-22T07:00:38Z" level=debug msg="channel.Broadcast.Write: 10.88.0.8:45806 -> 10.88.0.8:65502 - conn.Write wc=206 err=<nil>"
time="2025-09-22T07:00:38Z" level=debug msg="ipc.Server.TryPublishEvt(&{Name:event.error Data:run sensor without monitor failed: insufficient permissions})"
time="2025-09-22T07:00:38Z" level=debug msg="channel.Broadcast.Write: 10.88.0.8:45806 -> 10.88.0.8:65502 - conn.Write wc=172 err=<nil>"
time="2025-09-22T07:00:38Z" level=debug msg="ipc.Server.TryPublishEvt(&{Name:event.sensor.shutdown.done Data:<nil>})"
time="2025-09-22T07:00:38Z" level=debug msg="channel.Broadcast.Write: 10.88.0.8:45806 -> 10.88.0.8:65502 - conn.Write wc=118 err=<nil>"
time="2025-09-22T07:00:38Z" level=error msg="sensor: run finished with error" error="run sensor without monitor failed: insufficient permissions"
time="2025-09-22T07:00:38Z" level=info msg="sensor: Instrumented containers require root and ALL capabilities enabled. Example: `docker run --user root --cap-add ALL app:v1-instrumented`"
time="2025-09-22T07:00:38Z" level=debug msg="channel.Server.Start.loop.Accept - new connection... [time=1758524438789977602]"
time="2025-09-22T07:00:38Z" level=error msg="channel.Server.Start() - loop.Accept error = accept tcp [::]:65501: use of closed network connection"
time="2025-09-22T07:00:38Z" level=debug msg="channel.Server.Start.loop.Accept - new connection... [time=1758524438789992490]"
time="2025-09-22T07:00:38Z" level=error msg="channel.Server.Start() - loop.Accept error = accept tcp [::]:65502: use of closed network connection"
time="2025-09-22T07:00:38Z" level=info msg="sensor: exiting..."

kinow avatar Sep 22 '25 07:09 kinow

Something unusual is going on there. According to the error message, the FA Notify interface used for monitoring couldn't initialize because there weren't enough permissions. Do you have a rootless Docker setup or is there any other Docker config that would limit Docker permissions on your system?

kcq avatar Sep 23 '25 04:09 kcq

Same unusual FA Notify initialization error here due to insufficient permissions... How did you install Docker? Are there any special configurations to restrict its permissions?

kcq avatar Sep 23 '25 04:09 kcq

I used their Linux instructions to install, and the post install (adding my user to docker group). I also switched to buildx.

kinow avatar Sep 23 '25 05:09 kinow

Do you mind running these commands to check if there's anything rootless related in the setup:

docker info | grep -i rootless

ps aux | grep dockerd

ps aux | grep rootlesskit

kcq avatar Sep 28 '25 18:09 kcq

Sure, not a problem.

$ docker info | grep -i rootless
  rootless
$ ps aux | grep dockerd
root        3828  0.0  0.2 2868860 75660 ?       Ssl  10:52   0:04 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
kinow     343784  0.0  0.0 233304  2268 pts/1    S+   21:14   0:00 grep --color=auto dockerd
$ ps aux | grep rootlesskit
kinow     343802  0.0  0.0 233436  2380 pts/1    S+   21:14   0:00 grep --color=auto rootlesskit

kinow avatar Sep 28 '25 19:09 kinow
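
The checks requested above look at the Docker daemon from the host; the same question can be asked from inside the container, where the sensor's fanotify initialisation returned "operation not permitted". The following is an added sketch, not mint code and not written by anyone in this thread: it classifies a CapEff mask (from /proc/<pid>/status) and a uid_map (from /proc/<pid>/uid_map). The function names and the sample values are assumptions of the example.

```shell
#!/bin/sh
# Added example (not mint code): explain an EPERM from fanotify initialisation
# using two facts read inside the container: the CapEff mask from
# /proc/<pid>/status and the contents of /proc/<pid>/uid_map.

CAP_SYS_ADMIN_BIT=21   # CAP_SYS_ADMIN in linux/capability.h

# Constructed sample inputs.
CAPEFF_DEFAULT=00000000a80425fb   # typical default Docker capability set
CAPEFF_ALL=000001ffffffffff       # all capabilities (--cap-add ALL)
UIDMAP_INIT='         0          0 4294967295'
UIDMAP_USERNS='         0       1000          1
         1     100000      65536'

# has_cap_sys_admin HEXMASK: status 0 if CAP_SYS_ADMIN is set, 1 if not,
# 2 if the mask is not a hex string.
has_cap_sys_admin() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# in_initial_userns UIDMAP: status 0 only for the identity map that the
# initial user namespace shows (0 0 4294967295).
in_initial_userns() {
    printf '%s\n' "$1" |
        awk '$1 == 0 && $2 == 0 && $3 == 4294967295 { ok = 1 } END { exit !ok }'
}

# fanotify_verdict HEXMASK UIDMAP: print one diagnosis word.
fanotify_verdict() {
    rc=0
    has_cap_sys_admin "$1" || rc=$?
    case $rc in
        2) echo "bad-capeff"; return 0 ;;
        1) echo "missing-cap-sys-admin"; return 0 ;;
    esac
    if in_initial_userns "$2"; then
        echo "ok"
    else
        # Assumption of this example: privileged fanotify needs CAP_SYS_ADMIN
        # in the initial user namespace, so a capability held only inside a
        # user namespace (rootless or userns-remap setups) is not enough.
        echo "user-namespace"
    fi
}

echo "default caps, host userns: $(fanotify_verdict "$CAPEFF_DEFAULT" "$UIDMAP_INIT")"
echo "all caps, remapped userns: $(fanotify_verdict "$CAPEFF_ALL" "$UIDMAP_USERNS")"
echo "all caps, host userns:     $(fanotify_verdict "$CAPEFF_ALL" "$UIDMAP_INIT")"
if [ -r /proc/self/status ] && [ -r /proc/self/uid_map ]; then
    live=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    echo "this process:              $(fanotify_verdict "$live" "$(cat /proc/self/uid_map)")"
fi
```

The last line only describes the shell that runs the script; to describe the instrumented container, feed the functions the CapEff and uid_map values read from a process inside that container.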