google/stenographer

Stenographer in a docker and MmapRing Error

TOoSmOotH opened this issue · 3 comments

Trying to get stenographer working in a docker container and I have run into an issue. When I try and launch inside the container I get the following:

```
2018-02-23T15:43:09.438507Z T:2eb067 [stenotype.cc:549] Starting, page size is 4096
2018-02-23T15:43:09.438963Z T:2eb067 [stenotype.cc:576] Setting up AF_PACKET sockets for packet reading
2018-02-23T15:43:09.973369Z T:2eb067 [stenotype.cc:588] CHECK(SUCCEEDED(__check_success_error__)) builder.SetUp(socktype, options): Resource temporarily unavailable <- MMapRing
ABORTABORTABORT
/usr/bin/stenotype() [0x4082d8]
/usr/bin/stenotype() [0x42cb89]
/lib64/libc.so.6(__libc_start_main+0xf5) [0x7f812d06ec05]
/usr/bin/stenotype() [0x4041b0]
2018/02/23 15:43:09 Stenotype stopped after 562.241633ms: stenotype wait failed: signal: aborted (core dumped)
2018/02/23 15:43:09 Stenotype ran for too little time, crashing to avoid stenotype crash loop
```

If I reapply the setcap that error goes away and I get:

```
[root@testsensor1 bin]# /usr/bin/stenographer -syslog=false
2018/02/23 16:04:47 Stenotype stopped after 2.020742ms: cannot start stenotype: fork/exec /usr/bin/stenotype: permission denied
2018/02/23 16:04:47 Stenotype ran for too little time, crashing to avoid stenotype crash loop
```

@TOoSmOotH I've had the same issue with starting stenographer in a CentOS-based Docker container. What solved it for me was adding the NET_ADMIN and IPC_LOCK capabilities when you start the container, i.e. `docker run --cap-add IPC_LOCK --cap-add NET_ADMIN stenographer`
I've also seen some containers using the NET_RAW capability as well, but I've gotten it to work without it.

Hope it helps!
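
To see from inside the container whether the capabilities named in the comment above are available, this added example (not part of the thread or of stenographer) reads the capability bounding set from `/proc`, which limits what file capabilities applied with `setcap` can grant, and lists which of NET_ADMIN, NET_RAW and IPC_LOCK are absent. The function names, the script name `capcheck.sh` and the sample masks are constructed for illustration; the bit numbers come from `linux/capability.h`.

```shell
#!/bin/sh
# Added example: check the capability bounding set for the capabilities
# named in this thread. Bit numbers are from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_IPC_LOCK=14

# Constructed sample CapBnd masks (not taken from the thread):
SAMPLE_BEFORE=00000000a80425fb  # bit 13 set, bits 12 and 14 clear
SAMPLE_AFTER=00000000a80475fb   # same mask with bits 12 and 14 added

# has_cap MASK_HEX BIT: succeeds if capability bit BIT is set in MASK_HEX.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# bounding_caps [PID]: print the CapBnd mask from /proc/<pid>/status.
bounding_caps() {
    awk '/^CapBnd:/ { print $2 }' "/proc/${1:-self}/status"
}

# missing_caps MASK_HEX: print which of the three capabilities the mask lacks.
missing_caps() {
    out=""
    has_cap "$1" "$CAP_NET_ADMIN" || out="$out NET_ADMIN"
    has_cap "$1" "$CAP_NET_RAW"   || out="$out NET_RAW"
    has_cap "$1" "$CAP_IPC_LOCK"  || out="$out IPC_LOCK"
    echo "${out# }"
}

# report [PID]: say what is missing and which --cap-add flags would add it.
report() {
    mask=$(bounding_caps "${1:-self}")
    missing=$(missing_caps "$mask")
    if [ -z "$missing" ]; then
        echo "CapBnd=$mask: NET_ADMIN, NET_RAW and IPC_LOCK are all present"
        return 0
    fi
    echo "CapBnd=$mask is missing: $missing"
    for c in $missing; do printf ' --cap-add %s' "$c"; done; echo
    return 1
}

# Run as "sh capcheck.sh check" inside the container (hypothetical file name).
if [ "${1:-}" = "check" ]; then report; fi
```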

I just built a new package off the new commit so I will give that a try and see if that fixes my problem. Thanks for the suggestion!

Did you get this resolved @TOoSmOotH?

E: Never mind, I fixed it on my side by forcing seccomp off and running directly as root, since we're inside a container.

```
, "Flags": ["--seccomp=none", "--uid=root", "--gid=root"]
```