Docker pull：不允许操作 [英] Docker pull: operation not permitted

问题描述

拉某些docker镜像（但不是全部）时出现此错误：

I'm getting this error when pulling some docker images (but not all):

failed to register layer: Error processing tar file(exit status 1): operation not permitted

例如： docker pull nginx 有效，但 docker pull redis 无效。

我得到相同的结果结果是我以sudo或root身份与 docker 组的用户一起运行命令。

I get the same result wether i run the command with a user that is part of the docker group, using sudo or as root.

如果我以调试模式运行dockerd，我会在日志中看到以下内容：

If i run dockerd in debug mode i see this in the logs:

DEBU[0025] Downloaded 5233d9aed181 to tempfile /var/lib/docker/tmp/GetImageBlob023191751 
DEBU[0025] Applying tar in /var/lib/docker/overlay2/e5290b8c50d601918458c912d937a4f6d4801ecaa90afb3b729a5dc0fc405afc/diff 
DEBU[0027] Applied tar sha256:16ada34affd41b053ca08a51a3ca92a1a63379c1b04e5bbe59ef27c9af98e5c6 to e5290b8c50d601918458c912d937a4f6d4801ecaa90afb3b729a5dc0fc405afc, size: 79185732 
(...)
DEBU[0029] Applying tar in /var/lib/docker/overlay2/c5c0cfb9907a591dc57b1b7ba0e99ae48d0d7309d96d80861d499504af94b21d/diff 
DEBU[0029] Cleaning up layer c5c0cfb9907a591dc57b1b7ba0e99ae48d0d7309d96d80861d499504af94b21d: Error processing tar file(exit status 1): operation not permitted 
INFO[0029] Attempting next endpoint for pull after error: failed to register layer: Error processing tar file(exit status 1): operation not permitted 
INFO[0029] Layer sha256:938f1cd4eae26ed4fc51c37fa2f7b358418b6bd59c906119e0816ff74a934052 cleaned up 
(...)

如果我运行 watch -n 0 sudo ls -lt / var / lib / docker / overlay2 / ，在拖动图像时，我可以看到出现了新文件夹（失败后消失了）以及 / var / lib / docker / overlay2 /上的权限是 root：root：700 ，所以我认为这不是权限问题。

If i run watch -n 0 "sudo ls -lt /var/lib/docker/overlay2/" while the image is pulling, i can see new folders appearing (and disappearing after it fails) and the permissions on /var/lib/docker/overlay2/ are root:root:700 so i don't think it's exactly a permission issue.

以下是有关环境的一些详细信息：

Here are some detail about the environment:

我有一个运行L的proxmox我遇到问题的XC容器。
容器本身正在运行Debian8。
以下是各种版本：

I have a proxmox running the LXC container where i'm having the issue. The container itself is running Debian 8. And here are the various versions:

$> uname -a
Linux [redacted-hostname] 4.10.15-1-pve #1 SMP PVE 4.10.15-15 (Fri, 23 Jun 2017 08:57:55 +0200) x86_64 GNU/Linux

$> docker version
Client:
 Version:      17.06.0-ce
 API version:  1.30
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:20:04 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.06.0-ce
 API version:  1.30 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:18:59 2017
 OS/Arch:      linux/amd64
 Experimental: false

$>docker info
Containers: 20
 Running: 0
 Paused: 0
 Stopped: 20
Images: 28
Server Version: 17.06.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: cfb82a876ecc11b5ca0977d1733adbe58599088a
runc version: 2d41c047c83e09a6d61d464906feb2a2f3c52aa4
init version: 949e6fa
Kernel Version: 4.10.15-1-pve
Operating System: Debian GNU/Linux 8 (jessie)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.906GiB
Name: resumed-dev
ID: EBJ6:AFVS:L3RC:ZEE7:A6ZJ:WDQE:GTIZ:RXHA:P4AQ:QJD7:H6GG:YIQB
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 16
 Goroutines: 24
 System Time: 2017-08-17T14:17:07.800849127+02:00
 EventsListeners: 0
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

推荐答案

编辑：该问题将在2017年12月18日之后通过此合并。完全整合到Docker中后将再次更新。

This will be fixed by any release after December 18, 2017 of Moby via this merge. Will update again when fully incorporated into Docker.

如果您的容器没有特权，这似乎是 overlay2 Docker的存储驱动程序。这似乎不是 overlap 的问题（ GitHub问题）。所以使用 overlay 存储驱动程序代替 overlay2 ，或为您的容器设置特权。

If your container is unprivileged, this appears to be an issue with the overlay2 storage driver for Docker. This does not appear to be an issue with overlay (GitHub issue). So either utilize the overlay storage driver instead of overlay2, or make your container privileged.

这篇关于Docker pull：不允许操作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！