I have a flask app running under uWSGI behind nginx.
*1 readv() failed (13: Permission denied) while reading upstream, client: 10.0.3.1, server: , request: "GET /some/path/constants.js HTTP/1.1", upstream: "uwsgi://unix:/var/uwsgi.sock:", host: "dev.myhost.com"
The permissions on the socket are okay (666, and set to the same user as nginx), in fact, even when I run nginx as root I still get this error.
The flask app/uwsgi is sending the request properly. But it's just not being read by Nginx. This is on Ubuntu Utopic Unicorn.
Any idea where the permission might be getting denied if the nginx process has full access to the socket?
As a complicating factor this server is running in a container that has Ubuntu 14.04 installed in it. And this setup used to work... but I recently upgraded the host to 14.10... I can fully understand that this could be the cause of the problem. But before I downgrade the host or upgrade the container I want to understand why.
When I run strace on a worker that's generating this error I see the call it's making is something like this:
readv(14, 0x7fffb3d16a80, 1) = -1 EACCES (Permission denied)
14 seems to be the file descriptor created by this system call
socket(PF_LOCAL, SOCK_STREAM, 0) = 14
So it can't read from a local socket that it has just created?
Okay! So the problem was, I think, related to this bug. It seems that even though apparmor wasn't configured to prevent access to sockets inside the containers it was actually doing something to prevent reading from them (though not creation...) so turning off apparmor for the container (following these instructions) worked to fix it.
The two relevant lines were:
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/
and adding
lxc.aa_profile = unconfined
To the containers config file.
NB: These errors were not recorded in any apparmor logs.
This problem was probably introduced in kernel 3.16, because it does not reproduce on 14.04 with 3.13 kernel. Strange apparmor bug was indeed responsible for that.
Unfortunately #aychedee's solution didn't work for me. In my case I had to add the following parameter to docker run command to get rid of the issue:
docker run --security-opt apparmor:unconfined ...
If someone's aware what is the current state of the issue, please consider adding comment under this answer :)
Related
So, I have access to a server by ssh with some gpus where I can run some python code. I need to do that using a docker container, however if I try to do anything with docker in the server i get permission denied as I dont have root access (and I am not in the list of sudoers). What am I missing here?
Btw, I am totally new to Docker (and quite new to linux itself) so it might be that I am not getting some fundamental.
I solved my problem. Turns out I simply had to ask the server administrator to add me to a group and everything worked.
I am getting this error:
An error occurred initializing the application server: Failed to locate pgAdmin4.py, terminating server thread.
As it fails it will prompt to adjust the python and application path but I read an answer on Stack Overflow where the person said he deleted the path it worked for him and did so but it still gave me the same error and I don't see the prompt again.
So I went to pgAdmin official site only to see that if it fails I must enter python and application path. How can I configure the paths for the pgAmin. I am using Fedora 27.
Try to just delete the config file. You may have an old one from a previous install.
rm ~/.config/pgadmin/pgadmin4.conf
As it fails it will prompt to adjust the python and application path but read an answer on stackoverflow where the person said he deleted the path it worked for him and did so but it still gave me the same error and i don't see the prompt again
Probably your first error was actually
An error occurred initialising the application server:
Failed to launch the application server, server thread exiting.
Most likely you missing some dep like python3-flask-babelex
e.g on fedora install
sudo dnf install python3-flask-babelex
You see following error (one you mentioned) when you have misconfigured user config file. Which was created after you edited default values from prompt
An error occurred initializing the application server:
Failed to locate pgAdmin4.py, terminating server thread.
This error can be solved by either fixing your config or deleting it to use default values:
e.g. on Fedora checking that your user config is correct
vi ~/.config/pgadmin/pgadmin4.conf
Primarily check that path variables in [General] section are ok.
# example
[General]
ApplicationPath=/usr/lib/python3.6/site-packages/pgadmin4-web/
PythonPath=/usr/lib/python3.6/site-packages:/usr/lib64/python3.6/site-packages
For me, the solution was to sudo dnf remove pgadmin4* then sudo find / -iname "*pgadmin4*" and delete any scraps lying around, then sudo dnf install pgadmin4* - everything is now working fine.
It has been almost a month since I got this problem, and I really appreciate your help. While trying to login in my Django Web App, i encounter OSError at /accounts/login/.I am able to login in 127.0.0.1:8000/admin, but not in the /accounts/login which produces the Error Code:
OSError at /accounts/login/
[WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions
Request Method: POST
Request URL: http://127.0.0.1:8000/accounts/login/
Django Version: 1.11.1
Exception Type: OSError
Exception Value:
[WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions
Exception Location: C:\Python35-32\lib\socket.py in create_connection, line 702
Python Executable: C:\Python35-32\myvenv_python3\Scripts\python.exe
Python Version: 3.5.2
Python Path:
['C:\\Users\\Kaleab\\Desktop\\ecomstore',
'C:\\Python35-32\\lib\\site-packages\\sqlalchemy-1.1.7-py3.5-win32.egg',
'C:\\Python27',
'C:\\Python35-32\\myvenv_python3\\Lib\\site-packages',
'C:\\Python35-32',
'C:\\Users\\Kaleab\\Desktop\\ecomstore',
'C:\\Python35-32\\myvenv_python3\\Scripts\\python35.zip',
'C:\\Python35-32\\DLLs',
'C:\\Python35-32\\lib',
'C:\\Python35-32\\myvenv_python3\\Scripts',
'C:\\Python35-32\\lib\\site-packages',
'C:\\Python35-32\\lib\\site-packages\\win32',
'C:\\Python35-32\\lib\\site-packages\\win32\\lib',
'C:\\Python35-32\\lib\\site-packages\\Pythonwin']
Possible Causes and Solutions
Cause: Socket access needs administrative privilege.
Attempted Solution: • Granted Administrator access to python.exe by navigating to the virtual environment. • Navigate to CMD.exe , right click , properties, grant administrator privilege.
Cause: Port can be already used by another program. Attempted Solution: Checked the ports using TCPView windows program and see that the port 8000 is not used by another program.
Cause: Socket access blocked by Firewall and Antivirus. Attempted Solution: When I tried disabling Firewall and Antivirus, I get another error ConnectionRefusedError at accounts/login/ [WinError 10061] No connection could be made because the target machine actively refused it.
Cause: Winsock has malfunctioned. Attempted Solution: Tried and successfully reset winsock, but this did not solve it either.
I will take running the server with different port as the answer, although I am not able to see port 8000 is used in stackoverflow suggested commands. Use: python manage.py runserver 8080.
Changing the port worked for me, I was trying to run the django server.
Its not a firewall issue just type port in front of your command
python manage.py runserver 7000
Since changing the port worked for #Kaleab, the problem may have been another process using that port.
I just found a Firefox process with a loopback connection from port 5000 to port 5000 (strange?). Once I closed Firefox, I was able to start my Flask server without that error.
To find out which process is using the port, see here.
run the command with port number 8080 as follows
python manage.py runserver 8080
Just restart your computer and run
python manage.py runserver
or
python manage.py runserver PORT_NUMBER
or
python manage.py runserver 8000
or
python manage.py runserver 8080
It is possible that you have another process running that is using the port. Finding and killing the process will enable you to use the 8000 port.
I got the Error Message due to my Antivirus App (Kaspersky). All i had to do was to assign manage.py in Kasperky < manage programms to trustworthy. I have a foreign version so trustworthy is a literal translation, maybe in the english version it is named different.
I solved this using a different port:
python manage.py runserver 9999
9999 Worked for me
I'm following the docker tutorial and am on the part where I have to build the app using:
docker build -t friendlyhello .
It reaches up to step 4, where after a pause I get this error:
Step 4/7 : RUN pip install -r requirements.txt
---> Running in 7f4635a7510a
Collecting Flask (from -r requirements.txt (line 1))
Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after
connection broken by
'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection
object at 0x7fe3984d9b10>: Failed to establish a new connection:
[Errno -3] Temporary failure in name resolution',)': /simple/flask/
I'm not quite sure what this error means and how I can go about solving it.
Thanks for your help!
I just did sudo service docker restart and it worked after. Definitely worth a shot before jumping in to modify your configurations.
I got the same problem with Ubuntu 16.04 and Docker version 17.09.0-ce.
I don't think disabling dnsmasq is the right solution.
Here is how I solved it:
For Ubuntu
Edit /etc/default/docker and add your DNS server to the following line:
Example
DOCKER_OPTS="--dns 8.8.8.8 --dns 10.252.252.252"
Reference:
Network calls fail during image build on corporate network
bkasap's answer changes a system's feature I would say is exaggerated. Further because there are options in docker to do that. The new way to do that is
$ sudo vi /etc/docker/daemon.json
and add following content
{
"dns": ["8.8.8.8", "8.8.4.4"]
}
Don't forget to
sudo service docker restart
It's silly, but I had a VPN connected when I got this error.
After disconnecting the VPN, PIP started working again.
On fedora 32 it was problem with firewall. Following command resolved issue:
$firewall-cmd --permanent --zone=trusted --add-interface=docker0
$firewall-cmd --reload
this post worked for me too!
Solved by dns mask [sic] disable:
sudo vim /etc/NetworkManager/NetworkManager.conf
comment out dns=dnsmasq -> #dns=dnsmasq
sudo service network-manager restart (or reboot VM in this case)
from: https://github.com/moby/moby/issues/26330
Had this just now, on my Ubuntu 20.04. Randomly, it just stopped working!
Tried:
sudo service network-manager restart
Did not work. Then I just did:
sudo systemctl restart docker
and the issue was resolved!
This error means your Docker container is unable to access your network.
Beginning with systemd version 220, the forwarding setting for a given network (net.ipv4.conf..forwarding) defaults to off. This setting prevents IP forwarding. It also conflicts with Docker’s behavior of enabling the net.ipv4.conf.all.forwarding setting within containers.
If your container needs to resolve hosts which are internal to your network, the public nameservers will not be adequate. You have two choices:
You can specify a DNS server for Docker to use, or
You can disable dnsmasq in NetworkManager. If you do this, NetworkManager will add your true DNS nameserver to /etc/resolv.conf, but you will lose the possible benefits of dnsmasq.
You only need to use one of these methods.
you can read about how to perform these steps here
I am having the same issue with Ubuntu 16.04.1 machine for docker-ce 17.
Its got fixed by disable the dns mask in the network.
sudo nano /etc/NetworkManager/NetworkManager.conf
Press Ctrl+O save and Enter the exit Ctrl+X
Restart the network service by running bellow command.
sudo service network-manager restart
After this if you run the docker build command everything will work fine.
I had this problem on Windows 10 Pro and I solved it by right clicking on the docker icon in the tray and choosing "Restart...". It took a few mins and then the network was running fine again.
for me rebooting host machine resolved the issue
Docker build: "Temporary failure in name resolution"
I also got the "temporary failure in name resolution" too. My solution was to specify the network on the docker build command:
s001# docker network create example_net
s001# docker build --network example_net -t example_image example_image
^^^^^^^^^^^^^^^^^^^
I also configured the dns on docker config on my development notebook:
s001# nano /etc/docker/daemon.json
{
"dns": ["8.8.8.8"]
}
s001# systemctl restart docker
I changed the default DNS server in /etc/resolv.conf and it worked for me.
FROM:
nameserver 127.0.0.53
options edns0 trust-ad
TO:
nameserver 8.8.8.8
#nameserver 127.0.0.53
options edns0 trust-ad
I just added the DNS server of Google and commented out the default DNS server.
My case was tricky and related to environmental conditions, but is worth mentioning.
I was under a firewall with bandwidth limitations based on its own hierarchy-based logic (critical, hard, medium traffic, etc...).
Every time I was starting huge docker pull, everything on my host started misbehaving (https browser navigation based upon DNS, ping based upon DNS, ... and Docker, ofc.
Removing those limits fixed my problem, so check your network, too.
If you are facing it on windows machine,you can configure the way docker containers interact with network and set dns manually.
Settings=>Resources=>Network=>Manual DNS Configuration
Here is how it is configured
Don't forget to check your internet connection especially if you are using a virtual machine in cloud (for example EC2).
I had no internet connection when I tried to run a container in the EC2. I was connected by bastion host to the VM. I didn't have internet connection for the virtual machine.
I wasted too much time. I hope this answer helps the people like me.
I am having trouble accessing docker daemon from a client using docker-py in Python. I started a docker daemon by the command
sudo docker -d & and the output was [1] 4894. Then I tried to access the daemon from python using the code that I got from here as root
from docker import Client
cli = Client(base_url='unix://var/run/docker.sock')
cli.containers()
This gave me the error:
requests.exceptions.ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))
I also tried
cli = Client(base_url='tcp://127.0.0.1:4894')
but it gave me the same error.
This seems that the /var/run/docker.sock file has the incorrect permissions. As the docker daemon is started as root the permissions are probably to restrictive.
If you change the permissions to allow other users to access it you should have more success (e.g. o=rwx).
The issue is indeed that /var/run/docker.sock has the incorrect permissions.
To fix it, you need to give the current user access to this file.
However, on Linux, giving o=rwx rights to /var/run/docker.sock is very dangerous as it allows any user and service on the system to run commands as root. Indeed access to /var/run/docker.sock implies full root access to the machine. See https://docs.docker.com/engine/security/#docker-daemon-attack-surface
A less dangerous approach consists in creating the group docker and adding the current user to this group. See https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
However, this approach is still potentially dangerous as it gives the current user full root access without the protections that sudo offers (i.e., asking the user password from time to time and logging sudo calls.
See also What is the Docker security risk of /var/run/docker.sock?
(I unfortunately cannot comment hence I write my comment as an answer.)