I am trying to create a container by calling the Docker API, but I always get the same message:
{"message":"authorization denied by plugin pipelines: Command not supported."}
However, if I execute the docker command directly to create a container, then it works.
This is the pipelines config file.
Should I be able to start and create Docker containers through the API? Notice that I can query execute other endpoints like listing or starting containers through the API.
Thanks
I created this issue, feel free to vote: https://bitbucket.org/site/master/issues/15844/bug-in-authorization-plugin
I want to share with you some good news about this. In the end, I could run the Docker container by calling the Docker listener through the API.
This command works! (added content type headers) but ...
curl -X POST http://localhost:2375/containers/create -d '{"image":"hello-world", "name":"hello_2"}' -H 'Content-Type:application/json'
but only after downloading the image explicitly.
So, in case you got
{"message":"No such image: hello-world:latest"}
download the image before using it!
docker pull hello-world
@Sander Verhagen I created a PR to Spotify/docker-client in order to be able to fix the issue. Maybe you are still interested.
I have the same problem and am trying to set up testcontainers through the Docker API, but with no success. I think they have disabled the function to create containers through the API with a special access authorization plugin (https://docs.docker.com/engine/extend/plugins_authorization/#basic-principles)
I'm using the .NET Client for Docker Remote API (https://github.com/Microsoft/Docker.DotNet) to set up my containers. On local development machines and the internal Bamboo build server this works, but not on Bitbucket Pipelines.
Specifying the required API version makes no difference.
I did several tests and my conclusion is that the authorization plugin sends an error if the request does not have a valid content-length header.
Docker documentation: https://docs.docker.com/engine/api/v1.24/
Content-Length header should be present in POST requests to endpoints that expect a body.
I removed ApacheConnectorProvider from JerseyDockerCmdExecFactory and now it works like a charm.
NOTE: JerseyDockerCmdExecFactory belongs to github docker-java which is used by testcontainers as docker client.
In this pipeline you can see that only the curl call without Content-Length (because it is chunked) fails.
This could also be interesting for @Sander Verhagen
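What the finding in the post above looks like on the wire, as an added example that is not part of the original post or of docker-java: a Go client posts the same JSON three ways to a throwaway local server (a stand-in, not the Docker daemon) that records whether the request arrived with Content-Length or with chunked framing. The helper names and the sample payload are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample body, same shape as the curl example in the thread.
const payload = `{"image":"hello-world", "name":"hello_2"}`

type framing struct {
	ContentLength int64 // -1 means the client did not declare a length
	Chunked       bool
}

// post sends body to a local stand-in server and returns the framing it saw.
func post(body io.Reader) (framing, error) {
	var seen framing
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen.ContentLength = r.ContentLength
		seen.Chunked = strings.Contains(strings.Join(r.TransferEncoding, ","), "chunked")
		io.Copy(io.Discard, r.Body)
	}))
	defer srv.Close()
	resp, err := http.Post(srv.URL+"/containers/create", "application/json", body)
	if err != nil {
		return seen, err
	}
	return seen, resp.Body.Close()
}

// sized: *bytes.Reader has a known length, so net/http sets Content-Length.
func sized() (framing, error) { return post(bytes.NewReader([]byte(payload))) }

// streamed: an opaque io.Reader hides the length, so net/http sends chunked.
func streamed() (framing, error) { return post(io.MultiReader(strings.NewReader(payload))) }

// buffered: draining the stream into memory first restores Content-Length.
func buffered() (framing, error) {
	b, _ := io.ReadAll(io.MultiReader(strings.NewReader(payload))) // in-memory source, cannot fail
	return post(bytes.NewReader(b))
}

func main() {
	for _, f := range []func() (framing, error){sized, streamed, buffered} { fmt.Println(f()) }
}
```
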
As a very ugly workaround, very, very ugly...:
Please note that I'm using the Spotify Docker Client:
This is a very ugly solution, that I hope is temporary (like no one before me ever said), until this issue gets addressed. I strongly recommend no one use this for production code, but setting up test code, like I do, I can live with it (for now). But it works (both locally and in Pipelines).
Depending on your integration point, you may as well inherit a custom class (with the overridden "createContainer" method) from the "DefaultDockerClient" class, and instantiate that, this was just not an option for me, since my "DefaultDockerClient" instance gets created somewhere out of my control.
Also note that my "createContainer" implementation does only just enough for my needs (environment variables, publish all). You may have other needs.
Similarly, you may run into other commands than just "create" that don't work, based on your use case. But obviously the call to "createContainer" is part of a series of calls, such as "startContainer" ("docker start"), which were not a problem for my usage.
    @Override
    public ContainerCreation createContainer(ContainerConfig config) throws DockerException, InterruptedException {
        List<String> command = new ArrayList<>();
        command.add("docker");
        command.add("create");
        for (String env : config.env()) {
            command.add("-e");
            command.add(env);
        }
        command.add("--publish-all");
        command.add(config.image());
        String responseLine = runCommand(command);
        return new ContainerCreation(responseLine);
    }

    private String runCommand(List<String> command) throws InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(command);
        Process process;
        try {
            process = pb.start();
        } catch (IOException exception) {
            throw new RuntimeException("problem running docker", exception);
        }
        int response = process.waitFor();
        Assert.state(response == 0, "docker command returned unexpected response: " + response);
        try (InputStream inputStream = process.getInputStream()) {
            List<String> lines = IOUtils.readLines(inputStream, Charset.defaultCharset());
            Assert.state(lines.size() == 1, "unexpected output: " + lines);
            return lines.get(0);
        } catch (IOException exception) {
            throw new RuntimeException("problem reading docker output", exception);
        }
    }
The editor was giving me grief, so I posted the same answer more than once. This is the leftover of a removed copy.
No resolution, yet, but hopefully this is useful.
Just as a side-note, and maybe this is just an "improvement" (progression/regression) of the format, but that line in the "bitbucket-pipelines.yml" should probably be as follows (JSON should not take single quotes, so it didn't):
script:
...
- "curl -X POST http://localhost:2375/containers/create -d '{\"image\":\"hello-world\", \"name\":\"hello_2\"}' -H 'Content-Type: application/json'"
That leads to the following error when you look under the "docker" tab:
2018/03/14 17:45:11 http: panic serving @: runtime error: invalid memory address or nil pointer dereference
goroutine 5 [running]:
net/http.(*conn).serve.func1(0xc42008c8c0)
/usr/local/go/src/net/http/server.go:1697 +0xd0
panic(0x6a5000, 0x880800)
/usr/local/go/src/runtime/panic.go:491 +0x283
bitbucket.com/bitbucketci/docker/pkg/authz/request.(*ContainerCreateBodyAuthorizer).Authz(0xc4200e2300, 0xc420348090, 0x29, 0x2a, 0x1)
/go/src/bitbucket.com/bitbucketci/docker/pkg/authz/request/body_authorizer.go:25 +0xa6
bitbucket.com/bitbucketci/docker/pkg/authz/request.(*Authorizer).Authz(0xc4200e2320, 0x0, 0x0, 0x0, 0x0, 0xc420352028, 0x4, 0xc420350020, 0x12, 0xc420348090, ...)
/go/src/bitbucket.com/bitbucketci/docker/pkg/authz/request/authorizer.go:31 +0xd5
bitbucket.com/bitbucketci/docker/pkg/authz/plugin.(*AuthzPlugin).AuthZReq(0xc4200e3240, 0x0, 0x0, 0x0, 0x0, 0xc420352028, 0x4, 0xc420350020, 0x12, 0xc420348090, ...)
/go/src/bitbucket.com/bitbucketci/docker/pkg/authz/plugin/authz_plugin.go:90 +0x100
bitbucket.com/bitbucketci/docker/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).initMux.func1(0x0, 0x0, 0x0, 0x0, 0xc420352028, 0x4, 0xc420350020, 0x12, 0xc420348090, 0x29, ...)
/go/src/bitbucket.com/bitbucketci/docker/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:118 +0xa0
bitbucket.com/bitbucketci/docker/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).handle.func1(0x8572c0, 0xc42035a000, 0xc420346000)
/go/src/bitbucket.com/bitbucketci/docker/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:139 +0x144
net/http.HandlerFunc.ServeHTTP(0xc420010af0, 0x8572c0, 0xc42035a000, 0xc420346000)
/usr/local/go/src/net/http/server.go:1918 +0x44
net/http.(*ServeMux).ServeHTTP(0xc42007af30, 0x8572c0, 0xc42035a000, 0xc420346000)
/usr/local/go/src/net/http/server.go:2254 +0x130
net/http.serverHandler.ServeHTTP(0xc420089380, 0x8572c0, 0xc42035a000, 0xc420346000)
/usr/local/go/src/net/http/server.go:2619 +0xb4
net/http.(*conn).serve(0xc42008c8c0, 0x8577c0, 0xc42005c340)
/usr/local/go/src/net/http/server.go:1801 +0x71d
created by net/http.(*Server).Serve
/usr/local/go/src/net/http/server.go:2720 +0x288
time="2018-03-14T17:45:11.730269200Z" level=warning msg="Unable to connect to plugin: /run/docker/plugins/pipelines.sock/AuthZPlugin.AuthZReq: Post http://%2Frun%2Fdocker%2Fplugins%2Fpipelines.sock/AuthZPlugin.AuthZReq: EOF, retrying in 1s"
time="2018-03-14T17:45:12Z" level=info msg="Pipelines plugin request authorization." allowed=false method= plugin=pipelines uri=
time="2018-03-14T17:45:12.731391033Z" level=error msg="AuthZRequest for POST /containers/create returned error: plugin pipelines failed with error: AuthZPlugin.AuthZReq: EOF\n{\"Allow\":false,\"Msg\":\"Command not supported.\"}\n"
time="2018-03-14T17:45:12.731446791Z" level=error msg="Handler for POST /containers/create returned error: plugin pipelines failed with error: AuthZPlugin.AuthZReq: EOF\n{\"Allow\":false,\"Msg\":\"Command not supported.\"}\n"
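The trace in the post above shows the authorizer panicking inside its create-body check while the client only sees "Command not supported." As an added example (not Bitbucket's plugin code and not part of the original post), here is a body check written so that an absent, malformed or partial body yields an explicit denial instead of a panic. The struct shapes and the privileged-container rule are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// authzRequest and authzResponse are simplified, assumed shapes for this
// example; Allow and Msg match the fields visible in the daemon log above.
type authzRequest struct {
	RequestMethod, RequestURI string
	RequestBody               []byte
}
type authzResponse struct {
	Allow bool
	Msg   string
}

// createBody holds only what the hypothetical policy inspects. HostConfig is
// a pointer because a client may omit it, as the curl example does.
type createBody struct {
	Image      string
	HostConfig *struct{ Privileged bool }
}

// authorizeCreate fails closed: every path returns a denial with a reason
// instead of dereferencing data that may not be there.
func authorizeCreate(req authzRequest) (resp authzResponse) {
	defer func() { // last resort: turn a bug into a denial, not a dead plugin
		if r := recover(); r != nil {
			resp = authzResponse{Allow: false, Msg: "authorizer internal error"}
		}
	}()
	if len(req.RequestBody) == 0 {
		return authzResponse{Msg: "create body not visible to authorizer; send Content-Length and Content-Type: application/json"}
	}
	var body createBody
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return authzResponse{Msg: "create body is not valid JSON: " + err.Error()}
	}
	if body.HostConfig != nil && body.HostConfig.Privileged {
		return authzResponse{Msg: "privileged containers are not allowed"}
	}
	return authzResponse{Allow: true}
}

func main() {
	fmt.Println(authorizeCreate(authzRequest{RequestBody: nil}))
}
```
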
Thanks!
I updated the format as you suggested and I also removed the beginning and ending double quotes and, in the end, it worked.
curl -X POST http://localhost:2375/containers/create -d '{"image":"hello-world", "name":"hello_2"}' -H 'Content-Type:application/json'
Notice that other problems arise ;D
Please, take a look at my last comment below.