
create container: authorization denied by plugin pipelines: Command not supported.

Ricard Nàcher Roig February 19, 2018

I am trying to create a container by calling the Docker API, but I always get the same message:

{"message":"authorization denied by plugin pipelines: Command not supported."}

However, if I execute the docker command directly to create a container, then it works.


This is the pipelines config file.


Should I be able to start and create Docker containers through the API? Notice that I can query or execute other endpoints, like listing or starting containers, through the API.


 Thanks

7 answers

3 votes
Sander Verhagen March 14, 2018
1 vote
Ricard Nàcher Roig April 30, 2018

I want to share with you some good news about this. In the end, I could run the docker container by calling the docker listener through the API.

This command works! (added content type headers)  but ...

curl -X POST http://localhost:2375/containers/create -d '{"image":"hello-world", "name":"hello_2"}' -H 'Content-Type:application/json'

but only after downloading the image explicitly.

So, in case you got

{"message":"No such image: hello-world:latest"}

download the image before using it!

docker pull hello-world
0 votes
Ricard Nàcher Roig May 22, 2018

@Sander Verhagen I created a PR to Spotify/docker-client in order to be able to fix the issue. Maybe you are still interested.

https://github.com/spotify/docker-client/pull/1021

0 votes
jehof April 3, 2018

I have the same problem and try to set up testcontainers through the Docker API, but with no success. I think they have disabled the function to create containers through the API with a special access authorization plugin (https://docs.docker.com/engine/extend/plugins_authorization/#basic-principles).

I'm using the .NET Client for Docker Remote API (https://github.com/Microsoft/Docker.DotNet) to set up my containers. On local development machines and the internal Bamboo build server this works, but not on Bitbucket Pipelines.

Specifying the required API version makes no difference.

Ricard Nàcher Roig May 3, 2018

I did several tests and my conclusion is that the authorization plugin sends an error if the request does not have a valid content-length header.

docker documentation: https://docs.docker.com/engine/api/v1.24/ 

  • A Content-Length header should be present in POST requests to endpoints that expect a body.

I removed ApacheConnectorProvider from JerseyDockerCmdExecFactory and now it works like a charm.

NOTE: JerseyDockerCmdExecFactory belongs to github docker-java which is used by testcontainers as docker client.

In this pipeline you can see that only the curl call without Content-Length (because it is chunked) fails.

https://bitbucket.org/rnacher/docker-test-pipelines/addon/pipelines/home/#!/results/%7B73dcd53e-6580-4c7d-9ddf-a7f1b0f983cb%7D

This could also be interesting for @Sander Verhagen

0 votes
Sander Verhagen March 14, 2018

As a very ugly workaround, very, very ugly...:

Please note that I'm using the Spotify Docker Client:

  • Get the existing client object (it's a "DefaultDockerClient" instance)
  • Create a dynamic proxy, that mostly delegates to the existing client object, except for calls to the "createContainer" method
  • Delegate calls to the "createContainer" method to a new object of the class "CustomPartialDockerClient" (mine)
  • "CustomPartialDockerClient" implements the "DockerClient" interface, but only really implements the "createContainer" method. This implementation of the method runs "docker create -e ... <image> ..." on the command-line (using Java's "ProcessBuilder" and friends), source code below

This is a very ugly solution, that I hope is temporary (like no one before me ever said), until this issue gets addressed. I strongly recommend no one use this for production code, but for setting up test code, like I do, I can live with it (for now). But it works (both locally and in Pipelines).

Depending on your integration point, you may as well inherit a custom class (with the overridden "createContainer" method) from the "DefaultDockerClient" class, and instantiate that, this was just not an option for me, since my "DefaultDockerClient" instance gets created somewhere out of my control.

Also note that my "createContainer" implementation does only just enough for my needs (environment variables, publish all). You may have other needs.

Similarly, you may run into other commands than just "create" that don't work, based on your use case. But obviously the call to "createContainer" is part of a series of calls, such as "startContainer" ("docker start"), which were not a problem for my usage.

 

@Override
public ContainerCreation createContainer(ContainerConfig config) throws DockerException, InterruptedException {
    // Build the argument list for "docker create"; each value is its own
    // argument, so no shell is involved and nothing needs quoting.
    List<String> command = new ArrayList<>();
    command.add("docker");
    command.add("create");
    for (String env : config.env()) {
        command.add("-e");
        command.add(env);
    }
    command.add("--publish-all");
    command.add(config.image());

    // "docker create" prints the new container's ID as its only output line.
    String responseLine = runCommand(command);
    return new ContainerCreation(responseLine);
}

private String runCommand(List<String> command) throws InterruptedException {
    ProcessBuilder pb = new ProcessBuilder(command);
    Process process;
    try {
        process = pb.start();
    } catch (IOException exception) {
        throw new RuntimeException("problem running docker", exception);
    }

    // Wait for the CLI to exit and require exit code 0.
    int response = process.waitFor();
    Assert.state(response == 0, "docker command returned unexpected response: " + response);

    // Read stdout and expect exactly one line.
    try (InputStream inputStream = process.getInputStream()) {
        List<String> lines = IOUtils.readLines(inputStream, Charset.defaultCharset());
        Assert.state(lines.size() == 1, "unexpected output: " + lines);
        return lines.get(0);
    } catch (IOException exception) {
        throw new RuntimeException("problem reading docker output", exception);
    }
}
0 votes
Sander Verhagen March 14, 2018

The editor was giving me grief, so I posted the same answer more than once. This is the leftover of a removed copy.

0 votes
Sander Verhagen March 14, 2018

No resolution, yet, but hopefully this is useful.

Just as a side-note, and maybe this is just an "improvement" (progression/regression) of the format, but that line in the "bitbucket-pipelines.yml" should probably be as follows (JSON should not take single quotes, so it didn't):

script:
  ...
- "curl -X POST http://localhost:2375/containers/create -d '{\"image\":\"hello-world\", \"name\":\"hello_2\"}' -H 'Content-Type: application/json'"

That leads to the following error when you look under the "docker" tab:

2018/03/14 17:45:11 http: panic serving @: runtime error: invalid memory address or nil pointer dereference
goroutine 5 [running]:
net/http.(*conn).serve.func1(0xc42008c8c0)
    /usr/local/go/src/net/http/server.go:1697 +0xd0
panic(0x6a5000, 0x880800)
    /usr/local/go/src/runtime/panic.go:491 +0x283
bitbucket.com/bitbucketci/docker/pkg/authz/request.(*ContainerCreateBodyAuthorizer).Authz(0xc4200e2300, 0xc420348090, 0x29, 0x2a, 0x1)
    /go/src/bitbucket.com/bitbucketci/docker/pkg/authz/request/body_authorizer.go:25 +0xa6
bitbucket.com/bitbucketci/docker/pkg/authz/request.(*Authorizer).Authz(0xc4200e2320, 0x0, 0x0, 0x0, 0x0, 0xc420352028, 0x4, 0xc420350020, 0x12, 0xc420348090, ...)
    /go/src/bitbucket.com/bitbucketci/docker/pkg/authz/request/authorizer.go:31 +0xd5
bitbucket.com/bitbucketci/docker/pkg/authz/plugin.(*AuthzPlugin).AuthZReq(0xc4200e3240, 0x0, 0x0, 0x0, 0x0, 0xc420352028, 0x4, 0xc420350020, 0x12, 0xc420348090, ...)
    /go/src/bitbucket.com/bitbucketci/docker/pkg/authz/plugin/authz_plugin.go:90 +0x100
bitbucket.com/bitbucketci/docker/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).initMux.func1(0x0, 0x0, 0x0, 0x0, 0xc420352028, 0x4, 0xc420350020, 0x12, 0xc420348090, 0x29, ...)
    /go/src/bitbucket.com/bitbucketci/docker/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:118 +0xa0
bitbucket.com/bitbucketci/docker/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).handle.func1(0x8572c0, 0xc42035a000, 0xc420346000)
    /go/src/bitbucket.com/bitbucketci/docker/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:139 +0x144
net/http.HandlerFunc.ServeHTTP(0xc420010af0, 0x8572c0, 0xc42035a000, 0xc420346000)
    /usr/local/go/src/net/http/server.go:1918 +0x44
net/http.(*ServeMux).ServeHTTP(0xc42007af30, 0x8572c0, 0xc42035a000, 0xc420346000)
    /usr/local/go/src/net/http/server.go:2254 +0x130
net/http.serverHandler.ServeHTTP(0xc420089380, 0x8572c0, 0xc42035a000, 0xc420346000)
    /usr/local/go/src/net/http/server.go:2619 +0xb4
net/http.(*conn).serve(0xc42008c8c0, 0x8577c0, 0xc42005c340)
    /usr/local/go/src/net/http/server.go:1801 +0x71d
created by net/http.(*Server).Serve
    /usr/local/go/src/net/http/server.go:2720 +0x288
time="2018-03-14T17:45:11.730269200Z" level=warning msg="Unable to connect to plugin: /run/docker/plugins/pipelines.sock/AuthZPlugin.AuthZReq: Post http://%2Frun%2Fdocker%2Fplugins%2Fpipelines.sock/AuthZPlugin.AuthZReq: EOF, retrying in 1s"
time="2018-03-14T17:45:12Z" level=info msg="Pipelines plugin request authorization." allowed=false method= plugin=pipelines uri=
time="2018-03-14T17:45:12.731391033Z" level=error msg="AuthZRequest for POST /containers/create returned error: plugin pipelines failed with error: AuthZPlugin.AuthZReq: EOF\n{\"Allow\":false,\"Msg\":\"Command not supported.\"}\n"
time="2018-03-14T17:45:12.731446791Z" level=error msg="Handler for POST /containers/create returned error: plugin pipelines failed with error: AuthZPlugin.AuthZReq: EOF\n{\"Allow\":false,\"Msg\":\"Command not supported.\"}\n"

 

Ricard Nàcher Roig April 30, 2018

Thanks! 

I updated the format as you suggested and I also removed the beginning and ending double quotes and, in the end, it worked.

curl -X POST http://localhost:2375/containers/create -d '{"image":"hello-world", "name":"hello_2"}' -H 'Content-Type:application/json'

Notice that other problems arise ;D

Please, take a look at my last comment below.
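
Added example (not part of the thread and not the Pipelines plugin's code): the stack trace above shows the plugin's ContainerCreateBodyAuthorizer panicking, and a later comment ties the denial to requests without a Content-Length header. The Go code below shows a create-body check that fails closed with a specific reason in that case; it assumes the plugin sees an empty body for such requests, and the function name, the privileged-container rule and the messages are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Response mirrors the {"Allow":..., "Msg":...} reply seen in the daemon log.
type Response struct {
	Allow bool
	Msg   string
}

// createBody holds the only fields this hypothetical policy inspects.
type createBody struct {
	Image      string
	HostConfig *struct{ Privileged bool }
}

// AuthorizeCreateBody (hypothetical name) decides on a POST /containers/create
// body. Every failure path returns a deny with a reason; nothing is
// dereferenced before it has been checked.
func AuthorizeCreateBody(body []byte) Response {
	// Assumption: a chunked request without Content-Length arrives here empty.
	if len(body) == 0 {
		return Response{Msg: "create denied: no request body received, send a Content-Length header"}
	}
	var c createBody
	if err := json.Unmarshal(body, &c); err != nil {
		return Response{Msg: "create denied: body is not valid JSON: " + err.Error()}
	}
	if c.Image == "" {
		return Response{Msg: "create denied: no image given"}
	}
	// HostConfig is optional, so guard against nil before reading it.
	if c.HostConfig != nil && c.HostConfig.Privileged {
		return Response{Msg: "create denied: privileged containers are not allowed"}
	}
	return Response{Allow: true}
}

func main() {
	// Constructed inputs: the body from the thread's curl call, then no body.
	fmt.Printf("%+v\n", AuthorizeCreateBody([]byte(`{"image":"hello-world", "name":"hello_2"}`)))
	fmt.Printf("%+v\n", AuthorizeCreateBody(nil))
}
```

A deny that names the missing body gives the caller something actionable, where "Command not supported." after a plugin crash does not.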
