Following the official guide (Install Docker Engine on Ubuntu), I ran into a problem installing Docker on a cloud server. I completed the removal of old versions, the repository setup and the Docker Engine install (sudo apt-get install docker-ce docker-ce-cli containerd.io). However, running hello-world gives an error.
wyf@VM1103-Timi:~$ sudo docker run hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"proc\\\" to rootfs \\\"/var/lib/docker/overlay2/e9fedf64e8983aa01e513cee591cdfd7fc60962466a476b51fc1ead682ec8022/merged\\\" at \\\"/proc\\\" caused \\\"permission denied\\\"\"": unknown.
ERRO[0000] error waiting for container: context canceled
I tried restarting Docker and the server, but the problem persists. So it would be great if someone could guide me through fixing this error. If you have any idea about this problem, please let me know. Many thanks!
PS: My system is Ubuntu 18.04, so I don't have SELinux. I checked the AppArmor logs instead of SELinux.
May 19 21:14:55 VM1103-Timi networkd-dispatcher[155]: WARNING:Unknown index 37 seen, reloading interface list
May 19 21:14:55 VM1103-Timi systemd-networkd[126]: veth71cf495: Link UP
May 19 21:14:55 VM1103-Timi containerd[170]: time="2020-05-19T21:14:55.679793295+08:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/4c207ce1273d2c863ee419c5ebb271163a031394bd4c17ee75d44267d631954d/shim.sock" debug=false pid=106265
May 19 21:14:55 VM1103-Timi containerd[170]: time="2020-05-19T21:14:55.767796543+08:00" level=info msg="shim reaped" id=4c207ce1273d2c863ee419c5ebb271163a031394bd4c17ee75d44267d631954d
May 19 21:14:55 VM1103-Timi dockerd[15100]: time="2020-05-19T21:14:55.776863367+08:00" level=error msg="stream copy error: reading from a closed fifo"
May 19 21:14:55 VM1103-Timi dockerd[15100]: time="2020-05-19T21:14:55.776953910+08:00" level=error msg="stream copy error: reading from a closed fifo"
May 19 21:14:55 VM1103-Timi systemd-networkd[126]: veth71cf495: Link DOWN
May 19 21:14:55 VM1103-Timi dockerd[15100]: time="2020-05-19T21:14:55.927805156+08:00" level=error msg="4c207ce1273d2c863ee419c5ebb271163a031394bd4c17ee75d44267d631954d cleanup: failed to delete container from containerd: no such container"
Strangely, there is no "permission denied" error logged.
Here are my Ubuntu version, kernel version and Docker info:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
5.3.18-3-pve
Client:
Debug Mode: false
Server:
Containers: 8
Running: 0
Paused: 0
Stopped: 8
Images: 1
Server Version: 19.03.8
Storage Driver: overlay2
Backing Filesystem: <unknown>
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 5.3.18-3-pve
Operating System: Ubuntu 18.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 4GiB
Name: VM1103-Timi
ID: 3G3F:LTVZ:NO25:C7LA:XKQV:ETMB:B6QU:3ZFJ:KBA5:R3KK:QZEA:ZONC
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
The solution may be to open the required ports. Your system may be running SELinux and/or (ufw, firewalld or iptables) and/or another OS. Read up on Linux firewall tools, especially the one running on your system.
For the SELinux case, you need to check the SELinux log: is access being blocked? Add an exception with the SELinux commands. https://wiki.centos.org/HowTos/SELinux These tools are worth learning, but can be complex. A quick test that disables SELinux and firewalld can confirm this is the source of the problem; you can enable SELinux and firewalld again later and allow/open the ports in a secure way.
Simple test: disable SELinux and firewalld, e.g. on CentOS
systemctl stop firewalld;
setenforce 0;
If you can create the container with SELinux disabled, then you have confirmed SELinux is your problem. You can enable the firewall and SELinux, then add exceptions and open ports as needed.
This looks good (Ubuntu-specific, but general enough IMHO); it details the ufw commands, firewalld commands and iptables commands needed to open the ports for Docker swarm to work: https://www.digitalocean.com/community/tutorials/how-to-configure-the-linux-firewall-for-docker-swarm-on-ubuntu-16-04
I originally got useful information about the ufw commands for opening the required ports from here: Error response from daemon: attaching to network failed, make sure your network options are correct and check manager logs: context deadline exceeded
ufw allow 2376/tcp
ufw allow 2377/tcp
ufw allow 7946/tcp
ufw allow 7946/udp
ufw allow 4789/udp
ufw enable #maybe
ufw reload
systemctl restart docker
This is a common enough problem; usually SELinux does not allow access to the required ports. For example https://github.com/google/cadvisor/issues/333
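Both the question (checking the AppArmor log) and the answer (checking the SELinux log) come down to the same check: did a mandatory access control policy deny the mount of /proc that runc reports? The script below is an added example, not code from either poster; it scans a log file for AppArmor mount denials and SELinux AVC denials, run here on constructed sample lines (the log paths named in the comments are assumptions for a typical Ubuntu or CentOS host).

```shell
#!/bin/sh
# Added diagnostic, not from the original post: scan a log file for the
# mandatory-access-control denials that would explain runc failing with
#   mounting "proc" to rootfs ... at "/proc" caused "permission denied".
# AppArmor writes kernel audit lines with apparmor="DENIED" operation="mount"
# (error=-13 is EACCES); SELinux writes an AVC record with denied { mounton }.
mac_mount_denials() {
  grep -E 'apparmor="DENIED" operation="mount"|type=AVC .*denied .*mount' "$1"
}

# Number of matching denial records in the file, as a bare integer.
count_mac_mount_denials() {
  mac_mount_denials "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not the poster's journal): two benign lines in the
# style of the question, one AppArmor mount denial, one SELinux AVC denial.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
May 19 21:14:55 VM1103-Timi systemd-networkd[126]: veth71cf495: Link UP
May 19 21:14:55 VM1103-Timi kernel: audit: type=1400 audit(1589894095.612:120): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="docker-default" name="/proc/" pid=106270 comm="runc:[2:INIT]" flags="rw, nosuid, nodev, noexec"
May 19 21:14:55 VM1103-Timi dockerd[15100]: time="2020-05-19T21:14:55.776863367+08:00" level=error msg="stream copy error: reading from a closed fifo"
type=AVC msg=audit(1589894095.700:121): avc:  denied  { mounton } for  pid=106270 comm="runc:[2:INIT]" path="/proc" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0
EOF

# On a real host (assumed paths): mac_mount_denials /var/log/kern.log,
# journalctl -k | mac_mount_denials /dev/stdin, or /var/log/audit/audit.log.
if [ "$(count_mac_mount_denials "$SAMPLE_LOG")" -gt 0 ]; then
  echo "MAC policy denied a mount; adjust the AppArmor/SELinux policy instead of disabling it:"
  mac_mount_denials "$SAMPLE_LOG"
else
  echo "no AppArmor/SELinux mount denial in this log; the block comes from elsewhere"
fi
```

If the guest log shows nothing, note that the `5.3.18-3-pve` kernel in the question is a Proxmox VE kernel; if the "server" is itself an LXC container on such a host, the kernel's AppArmor denials land in the host's log, not the guest's, which would explain the empty guest log.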