Bug 1224066

Summary: DistroBox does not start; after fresh install on SUSE TumbleWeed [ISSUE]
Product: [openSUSE] openSUSE Tumbleweed Reporter: Martin von Reichenberg <martin.von.reichenberg>
Component: ContainersAssignee: Alexandre Vicenzi <alexandre.vicenzi>
Status: RESOLVED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Minor    
Priority: P5 - None CC: alexandre.vicenzi, asarai, containers-bugowner, dfaggioli, michal.vyskocil
Version: Current   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE Tumbleweed   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: A screenshot of my desktop

Description Martin von Reichenberg 2024-05-08 18:43:17 UTC 
Created attachment 874772 [details]
A screenshot of my desktop

martin@LENOVO-ThinkCentre-M75q-Gen-2--SUSE-TumbleWeed-KDE ~> uname -a
Linux LENOVO-ThinkCentre-M75q-Gen-2--SUSE-TumbleWeed-KDE 6.8.8-1-default #1 SMP PREEMPT_DYNAMIC Mon Apr 29 05:24:46 UTC 2024 (5cd3298) x86_64 x86_64 x86_64 GNU/Linux

martin@LENOVO-ThinkCentre-M75q-Gen-2--SUSE-TumbleWeed-KDE ~> whoami
martin

martin@LENOVO-ThinkCentre-M75q-Gen-2--SUSE-TumbleWeed-KDE ~> distrobox list
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.45/containers/json?all=1": dial unix /var/run/docker.sock: connect: permission denied

martin@LENOVO-ThinkCentre-M75q-Gen-2--SUSE-TumbleWeed-KDE ~ [1]> sudo distrobox-list --root
Running distrobox-list via SUDO/DOAS is not supported. Instead, please try running:
  distrobox-list --root --root
  
martin@LENOVO-ThinkCentre-M75q-Gen-2--SUSE-TumbleWeed-KDE ~ [1]> systemctl status docker.service
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-05-06 11:25:38 CEST; 25min ago
TriggeredBy: ● docker.socket
       Docs: http://docs.docker.com
   Main PID: 23788 (dockerd)
      Tasks: 36
        CPU: 6.458s
     CGroup: /system.slice/docker.service
             ├─23788 /usr/bin/dockerd --add-runtime oci=/usr/sbin/runc
             └─23804 containerd --config /var/run/docker/containerd/containerd.toml --log-level warn
             
martin@LENOVO-ThinkCentre-M75q-Gen-2--SUSE-TumbleWeed-KDE ~> systemctl status docker.socket 
● docker.socket - Docker Socket for the API
     Loaded: loaded (/usr/lib/systemd/system/docker.socket; enabled; preset: disabled)
     Active: active (running) since Mon 2024-05-06 11:25:37 CEST; 26min ago
   Triggers: ● docker.service
     Listen: /run/docker.sock (Stream)
      Tasks: 0 (limit: 4915)
        CPU: 488us
     CGroup: /system.slice/docker.socket
     
martin@LENOVO-ThinkCentre-M75q-Gen-2--SUSE-TumbleWeed-KDE ~> zypper info distrobox 
Information for package distrobox:
----------------------------------
Repository     : Main Repository (OSS)
Name           : distrobox
Version        : 1.7.1-1.2
Arch           : noarch
Vendor         : openSUSE
Installed Size : 500,8 KiB
Installed      : Yes
Status         : up-to-date
Source package : distrobox-1.7.1-1.2.src
Upstream URL   : https://github.com/89luca89/distrobox
Summary        : Use any linux distribution inside your terminal
Description    : 
    Use any Linux distribution inside your terminal.
    Distrobox uses podman or docker to create containers using the Linux distribution of your choice.
    The created container will be tightly integrated with the host,
    allowing sharing of the HOME directory of the user, external storage,
    external USB devices and graphical apps (X11/Wayland), and audio.
    
    

SYSTEM INFORMATION:

root@LENOVO-ThinkCentre-M75q-Gen-2--SUSE-TumbleWeed-KDE /# inxi -F
System:
  Host: LENOVO-ThinkCentre-M75q-Gen-2--SUSE-TumbleWeed-KDE Kernel: 6.8.8-1-default arch: x86_64
    bits: 64
  Console: pty pts/2 Distro: openSUSE Tumbleweed 20240503
Machine:
  Type: Mini-pc System: LENOVO product: 11JN000GCK v: ThinkCentre M75q Gen 2 serial: PC2F95D9
  Mobo: LENOVO model: 32E4 v: SDK0T76538 WIN 3556288344599 serial: N/A UEFI: LENOVO v: M47KT34A
    date: 01/04/2024
CPU:
  Info: 6-core model: AMD Ryzen 5 PRO 5650GE with Radeon Graphics bits: 64 type: MT MCP cache:
    L2: 3 MiB
  Speed (MHz): avg: 2349 min/max: 400/4480 cores: 1: 2969 2: 400 3: 3063 4: 2998 5: 3000 6: 2964
    7: 3096 8: 400 9: 2999 10: 3001 11: 400 12: 2907
Graphics:
  Device-1: AMD Cezanne [Radeon Vega Series / Radeon Mobile Series] driver: amdgpu v: kernel
  Display: server: X.org v: 1.21.1.12 with: Xwayland v: 23.2.6 driver: X: loaded: modesetting
    unloaded: fbdev,vesa dri: radeonsi gpu: amdgpu tty: 203x54 resolution: 1920x1080
  API: EGL v: 1.5 drivers: radeonsi,swrast platforms: surfaceless,device
  API: OpenGL v: 4.6 compat-v: 4.5 vendor: mesa v: 24.0.5 note: console (EGL sourced)
    renderer: AMD Radeon Graphics (radeonsi renoir LLVM 18.1.4 DRM 3.57 6.8.8-1-default), llvmpipe
    (LLVM 18.1.4 256 bits)
  API: Vulkan v: 1.3.280 drivers: N/A surfaces: N/A
Audio:
  Device-1: AMD Renoir Radeon High Definition Audio driver: snd_hda_intel
  Device-2: AMD ACP/ACP3X/ACP6x Audio Coprocessor driver: N/A
  Device-3: AMD Family 17h/19h HD Audio driver: snd_hda_intel
  API: ALSA v: k6.8.8-1-default status: kernel-api
Network:
  Device-1: Realtek RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet driver: r8169
  IF: enp2s0f1 state: up speed: 1000 Mbps duplex: full mac: 04:7b:cb:49:1b:bd
  IF-ID-1: docker0 state: down mac: 02:42:12:5d:41:59
Bluetooth:
  Device-1: Realtek Bluetooth Radio driver: btusb type: USB
  Report: btmgmt ID: hci0 rfk-id: 0 state: down bt-service: enabled,running rfk-block:
    hardware: no software: yes address: 3C:55:76:44:92:C8 bt-v: 5.1
Drives:
  Local Storage: total: 1.14 TiB used: 20.53 GiB (1.8%)
  ID-1: /dev/nvme0n1 vendor: Western Digital model: WD PC SN740 SDDQNQD-256G-1001
    size: 238.47 GiB
  ID-2: /dev/sda vendor: Samsung model: SSD 870 QVO 1TB size: 931.51 GiB
Partition:
  ID-1: / size: 230.22 GiB used: 16.74 GiB (7.3%) fs: btrfs dev: /dev/nvme0n1p2
  ID-2: /boot/efi size: 252 MiB used: 330 KiB (0.1%) fs: vfat dev: /dev/nvme0n1p1
  ID-3: /home size: 931.51 GiB used: 3.78 GiB (0.4%) fs: btrfs dev: /dev/sda1
  ID-4: /opt size: 230.22 GiB used: 16.74 GiB (7.3%) fs: btrfs dev: /dev/nvme0n1p2
  ID-5: /var size: 230.22 GiB used: 16.74 GiB (7.3%) fs: btrfs dev: /dev/nvme0n1p2
Swap:
  ID-1: swap-1 type: partition size: 8 GiB used: 15.2 MiB (0.2%) dev: /dev/nvme0n1p3
Sensors:
  System Temperatures: cpu: 39.4 C mobo: N/A gpu: amdgpu temp: 34.0 C
  Fan Speeds (rpm): N/A
Info:
  Memory: total: 8 GiB note: est. available: 6.64 GiB used: 4.73 GiB (71.2%)
  Processes: 359 Uptime: 0h 56m Init: systemd Shell: fish inxi: 3.3.34
Comment 1 Michal Vyskocil 2024-05-09 10:39:44 UTC 
> distrobox list
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.45/containers/json?all=1": dial unix /var/run/docker.sock: connect: permission denied


Docker socket in openSUSE has a following permissions

$ stat /run/docker.sock 
  File: /run/docker.sock
  Size: 0         	Blocks: 0          IO Block: 4096   socket
Device: 0,26	Inode: 1914        Links: 1
Access: (0666/srw-rw-rw-)  Uid: (    0/    root)   Gid: (  471/  docker)

So it can be accessed by users in a docker group. You can check the list of a groups via id command or userctl user $login.
Comment 2 Martin von Reichenberg 2024-05-21 09:04:11 UTC 
So the point is that there is no mention (the one similar to VirtualBox) about the current user  is supposed to be part of the Docker group which could easily be set in %post / %posttrans script as: `usermod -aG $USER docker` (or equivalent...).


I shall give it a try again later and change the status quota of the issue here . .  


Thanks for the reply.
Comment 3 Alexandre Vicenzi 2024-05-21 10:06:22 UTC 
There is official documentation that describes manual steps post-install on Linux, see https://docs.docker.com/engine/install/linux-postinstall/.

I don't classify this as a bug, but rather well-known behavior. Changes to the Docker package would be a feature request.

Aleksa, should we add users to groups in %post/%posttrans scripts?
Comment 4 Martin von Reichenberg 2024-05-21 11:57:26 UTC 
(In reply to Alexandre Vicenzi from comment #3)
> There is official documentation that describes manual steps post-install on
> Linux, see https://docs.docker.com/engine/install/linux-postinstall/.
> 
> I don't classify this as a bug, but rather well-known behavior. Changes to
> the Docker package would be a feature request.
> 
> Aleksa, should we add users to groups in %post/%posttrans scripts?



Nope, it is not a BUG indeed.
It is rather my oversight than anything else.

But it is a formerly missing information by those who maintain it - As a post installation step / notification about what needs to be done in order to use the software.
Comment 5 Aleksa Sarai 2024-05-22 21:02:28 UTC 
(In reply to Alexandre Vicenzi from comment #3)
> There is official documentation that describes manual steps post-install on
> Linux, see https://docs.docker.com/engine/install/linux-postinstall/.
> 
> I don't classify this as a bug, but rather well-known behavior. Changes to
> the Docker package would be a feature request.
> 
> Aleksa, should we add users to groups in %post/%posttrans scripts?

Access to the docker group gives you admin privileges to the machine (it is trivial to get root host access using Docker) and so automatically adding users seems like a bad idea in general. We also don't know which users we should add to the group at install time anyway.

(In reply to Martin von Reichenberg from comment #2)
> So the point is that there is no mention (the one similar to VirtualBox)
> about the current user  is supposed to be part of the Docker group which
> could easily be set in %post / %posttrans script as: `usermod -aG $USER
> docker` (or equivalent...).

(In reply to Martin von Reichenberg from comment #4)
> But it is a formerly missing information by those who maintain it - As a
> post installation step / notification about what needs to be done in order
> to use the software.

I don't see anything in the VirtualBox spec file which would tell users about the vboxusers group at install time. If you want, we can add a line in the package documentation about the docker group, but the fact that you need to be part of the docker group to administer Docker is incredibly common knowledge for users of Docker. As mentioned above, this is mentioned already by the upstream documentation.
Comment 6 Martin von Reichenberg 2024-05-22 21:27:37 UTC 
(In reply to Aleksa Sarai from comment #5)
> (In reply to Alexandre Vicenzi from comment #3)
> > There is official documentation that describes manual steps post-install on
> > Linux, see https://docs.docker.com/engine/install/linux-postinstall/.
> > 
> > I don't classify this as a bug, but rather well-known behavior. Changes to
> > the Docker package would be a feature request.
> > 
> > Aleksa, should we add users to groups in %post/%posttrans scripts?
> 
> Access to the docker group gives you admin privileges to the machine (it is
> trivial to get root host access using Docker) and so automatically adding
> users seems like a bad idea in general. We also don't know which users we
> should add to the group at install time anyway.
> 
> (In reply to Martin von Reichenberg from comment #2)
> > So the point is that there is no mention (the one similar to VirtualBox)
> > about the current user  is supposed to be part of the Docker group which
> > could easily be set in %post / %posttrans script as: `usermod -aG $USER
> > docker` (or equivalent...).
> 
> (In reply to Martin von Reichenberg from comment #4)
> > But it is a formerly missing information by those who maintain it - As a
> > post installation step / notification about what needs to be done in order
> > to use the software.
> 
> I don't see anything in the VirtualBox spec file which would tell users
> about the vboxusers group at install time. If you want, we can add a line in
> the package documentation about the docker group, but the fact that you need
> to be part of the docker group to administer Docker is incredibly common
> knowledge for users of Docker. As mentioned above, this is mentioned already
> by the upstream documentation.


VirtualBox shows the notification window at the initial runtime.

In case of DistroBox it is not clear at the very first usage that it's all bound to Docker (- services/groups). 

Probably an echo/printf message could be enough, but it should be told after install or initial startup somehow - more likely a request to upstream.
Comment 7 Alexandre Vicenzi 2024-05-27 13:26:04 UTC 
> In case of DistroBox it is not clear at the very first usage that it's all bound to Docker (- services/groups). 

Distrobox already states in its documentation that it requires rootless podman/docker to work properly and also links to proper instructions.

See: https://distrobox.it/compatibility/#supported-container-managers

> Probably an echo/printf message could be enough, but it should be told after install or initial startup somehow - more likely a request to upstream.

For now, I'm going to close this as there's nothing we can do on our side.

Issues raised upstream with permission denied are often closed as invalid and pointed to the documentation. If there's a reliable way to detect that the system is not in rootless mode, it might be worth implementing it upstream and printing it out to warn the user.