docker-slim version 1.25.0 fails running in gitlab

[khassel]

Using docker-slim within gitlab ci was no problem with version 1.24.2. With 1.25.0 running docker-slim version fails with no error message (and no output).

Running with gitlab-runner 11.10.0-rc2 (10efa505)
  on docker-auto-scale fa6cab46
Using Docker executor with image docker:stable ...
Starting service docker:dind ...
Pulling docker image docker:dind ...
Using docker image sha256:0efc0b6c950098541b41bf0b4b12b127f90cd398d1dbc331701dc8f9b24f3e4a for docker:dind ...
Waiting for services to be up and running...
Pulling docker image docker:stable ...
Using docker image sha256:c76999e4396ca5adc504e83069b6d24ac2b4b08a48c76123664ab6218250cd4b for docker:stable ...
Running on runner-fa6cab46-project-11304709-concurrent-0 via runner-fa6cab46-srm-1556481828-f94778db...
Initialized empty Git repository in /builds/khassel/docker-test/.git/
Fetching changes with git depth set to 1...
Created fresh repository.
From https://gitlab.com/khassel/docker-test
 * [new branch]      master     -> origin/master
Checking out 362031bf as master...

Skipping Git submodules setup
$ docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 18.09.5
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.19.23-coreos-r1
Operating System: Alpine Linux v3.9 (containerized)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 3.608GiB
Name: 68cd566877fd
ID: LS3R:JZWZ:PKYU:6Z6Y:FCTF:D2HV:KD4D:4NLR:3QKN:QK6A:2CY4:P7V7
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
$ apk add --no-cache py-pip curl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/16) Installing nghttp2-libs (1.35.1-r0)
(2/16) Installing libssh2 (1.8.2-r0)
(3/16) Installing libcurl (7.64.0-r1)
(4/16) Installing curl (7.64.0-r1)
(5/16) Installing libbz2 (1.0.6-r6)
(6/16) Installing expat (2.2.6-r0)
(7/16) Installing libffi (3.2.1-r6)
(8/16) Installing gdbm (1.13-r1)
(9/16) Installing ncurses-terminfo-base (6.1_p20190105-r0)
(10/16) Installing ncurses-terminfo (6.1_p20190105-r0)
(11/16) Installing ncurses-libs (6.1_p20190105-r0)
(12/16) Installing readline (7.0.003-r1)
(13/16) Installing sqlite-libs (3.26.0-r3)
(14/16) Installing python2 (2.7.15-r3)
(15/16) Installing py-setuptools (40.6.3-r0)
(16/16) Installing py2-pip (18.1-r0)
Executing busybox-1.29.3-r10.trigger
OK: 67 MiB in 31 packages
$ curl -L -O https://github.com/docker-slim/docker-slim/releases/latest/download/dist_linux.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   151    0   151    0     0   1217      0 --:--:-- --:--:-- --:--:--  1217

100   607    0   607    0     0   2709      0 --:--:-- --:--:-- --:--:--  2709

100 4640k  100 4640k    0     0  9375k      0 --:--:-- --:--:-- --:--:-- 9375k
$ tar -zxvf dist_linux.tar.gz
dist_linux/
dist_linux/docker-slim
dist_linux/docker-slim-sensor
$ ./dist_linux/docker-slim version
ERROR: Job failed: exit code 1

[kcq]

@khassel thank you for reporting the issue! Can you run it with the debug flag ( ./dist_linux/docker-slim --debug version ) to see if there any interesting debug messages? The main difference between 1.24.2 and 1.25 when the version command runs is a check to see if the local version is outdated or not. The --debug flag should give some clues... If not, I'll need to repro it with Gitlab.

[khassel]

no changes with --debug flag

This is my .gitlab-ci.yml content for testing:

image: docker:stable

variables:
  DOCKER_DRIVER: overlay2
  GIT_DEPTH: "1"

services:
- docker:dind

build:
  stage: build
  script:
  - apk add --no-cache curl
  - curl -L -O https://github.com/docker-slim/docker-slim/releases/latest/download/dist_linux.tar.gz
#  - curl -L -O https://github.com/docker-slim/docker-slim/releases/download/1.24.2/dist_linux.tar.gz
  - tar -zxvf dist_linux.tar.gz
  - ./dist_linux/docker-slim --debug version
  tags:
  - docker

Job fails with exit code 1, if you use the version 1.24.2 everything is fine.

[kcq]

Thanks for the config file! It'll help with the repro!

[kcq]

1.25.0 appears to fail when it's trying to access /dev/tty, which 1.24.2 isn't doing...

[khassel]

o.k., thats the problem, gitlab ci does not support tty (you can google "gitlab tty").
Don't know why you need tty, you can

• remove tty access
• provide a flag where tty is not used
• update the docs how to use docker-slim in gitlab ci:

The last option needs the script command (util-linux package):

image: docker:stable

variables:
  DOCKER_DRIVER: overlay2
  GIT_DEPTH: "1"

services:
- docker:dind

build:
  stage: build
  script:
  - apk add --no-cache curl util-linux
  - curl -L -O https://github.com/docker-slim/docker-slim/releases/latest/download/dist_linux.tar.gz
  - tar -zxvf dist_linux.tar.gz
  - script -q -c "./dist_linux/docker-slim --debug version"
  tags:
  - docker

[kcq]

This ended up being pulled in as an indirect dependency for the update download progress bar. It's using github.com/gosuri/uiprogress for it, which pulls in github.com/gosuri/uilive. The uilive library is the reason docker-slim exits because it calls os.Exit when it can't open /dev/tty, which no sane library should ever do... The progress bar was a nice touch, but it's definitely not worth this headache. I'll remove it in the next minor release.

[kcq]

@khassel can you try this 'temporary' release package to see if it works for you https://github.com/docker-slim/docker-slim/releases/download/1.25.0/dist_linux_1.25.1.tar.gz (the version command worked in my test gitlab setup, but i'm curious if it works well for your actual project).

[khassel]

works with my test-setup 👍

Running with gitlab-runner 11.10.1 (1f513601)
  on docker-auto-scale fa6cab46
Using Docker executor with image docker:stable ...
Starting service docker:dind ...
Pulling docker image docker:dind ...
Using docker image sha256:0efc0b6c950098541b41bf0b4b12b127f90cd398d1dbc331701dc8f9b24f3e4a for docker:dind ...
Waiting for services to be up and running...
Pulling docker image docker:stable ...
Using docker image sha256:c76999e4396ca5adc504e83069b6d24ac2b4b08a48c76123664ab6218250cd4b for docker:stable ...
Running on runner-fa6cab46-project-11304709-concurrent-0 via runner-fa6cab46-srm-1557089139-9357480c...
Initialized empty Git repository in /builds/khassel/docker-test/.git/
Fetching changes with git depth set to 1...
Created fresh repository.
From https://gitlab.com/khassel/docker-test
 * [new branch]      test       -> origin/test
Checking out feda9fb4 as test...

Skipping Git submodules setup
$ apk add --no-cache curl util-linux
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/14) Installing nghttp2-libs (1.35.1-r0)
(2/14) Installing libssh2 (1.8.2-r0)
(3/14) Installing libcurl (7.64.0-r1)
(4/14) Installing curl (7.64.0-r1)
(5/14) Installing libuuid (2.33-r0)
(6/14) Installing libblkid (2.33-r0)
(7/14) Installing libmount (2.33-r0)
(8/14) Installing libsmartcols (2.33-r0)
(9/14) Installing findmnt (2.33-r0)
(10/14) Installing libfdisk (2.33-r0)
(11/14) Installing ncurses-terminfo-base (6.1_p20190105-r0)
(12/14) Installing ncurses-terminfo (6.1_p20190105-r0)
(13/14) Installing ncurses-libs (6.1_p20190105-r0)
(14/14) Installing util-linux (2.33-r0)
Executing busybox-1.29.3-r10.trigger
OK: 20 MiB in 29 packages
$ curl -L https://github.com/docker-slim/docker-slim/releases/download/1.25.0/dist_linux_1.25.1.tar.gz -o dist_linux.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   614    0   614    0     0   3837      0 --:--:-- --:--:-- --:--:--  3837

100 4640k  100 4640k    0     0  10.7M      0 --:--:-- --:--:-- --:--:-- 10.7M
$ tar -zxvf dist_linux.tar.gz
dist_linux/
dist_linux/docker-slim
dist_linux/docker-slim-sensor
$ ./dist_linux/docker-slim --debug version
time="2019-05-05T20:46:55Z" level=debug msg="sysinfo => system.SystemInfo{Sysname:"Linux", Nodename:"runner-fa6cab46-project-11304709-concurrent-0", Release:"4.19.23-coreos-r1", Version:"#1 SMP Mon Feb 25 23:40:01 -00 2019", Machine:"x86_64", Domainname:"(none)", OsName:"Alpine Linux 3.9.3", OsBuild:""}" 
time="2019-05-05T20:46:55Z" level=debug msg="docker-slim: new Docker client (env) [5]" 
docker-slim[version]: linux|Transformer|1.25.0|4d304c9adf0d2315ec8d4ca197070f040500cc68|2019-05-05_08:08:22PM (go1.11.1)
host:
OsName=Alpine Linux 3.9.3
OsBuild=
Version=#1 SMP Mon Feb 25 23:40:01 -00 2019
Release=4.19.23-coreos-r1
Sysname=Linux
docker:
Name=a2f693e4bcbb
KernelVersion=4.19.23-coreos-r1
OperatingSystem=Alpine Linux v3.9 (containerized)
OSType=linux
ServerVersion=18.09.5
Architecture=x86_64
ApiVersion=1.39
MinAPIVersion=1.12
BuildTime=2019-04-11T04:50:00.000000000+00:00
GitCommit=e8ff056dbc
Job succeeded

[kcq]

@khassel good to hear that :) I'm curious about your use cases... Is smaller docker images the main value you are looking for? Are you interested in the seccomp profiles too? Is there anything else you would like to do with your containers using this tool or possibly something else?

[khassel]

o.k., here one of the real use cases: https://gitlab.com/khassel/alexa_sdk_docker/blob/master/.gitlab-ci.yml

[kcq]

@khassel thanks for the reference! I assume you don't have an http service running there and if it's the case you don't need the http-probe parameter in you gitlab-ci file.

[jishminor]

@kcq Can we also get the arm release of 1.25.1? I have encountered the exact same issue in my pipelines.

[kcq]

Definitely @jishminor Will do an official 1.25.2 with a few other wrapped up enhancements in the next couple of days. 1.26 is taking a bit longer than expected.

[khassel]

solved by 1.25.2.