The instruction below is correctly built in MacOS Docker Engine 18.04 while the same instruction fails when built by a Jenkins container running Docker (Docker-in-Docker, dind, Inception)... What is the reason for the error and what's the workaround?

local docker build on MacOS

Step 12/16 : RUN find / -name "spring-cloud-config-server*.jar" 
               ! -name "*sources*" -exec cp -t /tmp {} + && 
               mkdir /runtime &&
               mv /tmp/spring-cloud-config*.jar /runtime/config-service.jar &&
               rm -f /*.jar
 ---> Using cache

Docker-in-Docker Jenkins Build

Step 12/16 : RUN find / -name "spring-cloud-config-server*.jar" 
               ! -name "*sources*" -exec cp -t /tmp {} + && 
               mkdir /runtime &&
               mv /tmp/spring-cloud-config*.jar /runtime/config-service.jar &&
               rm -f /*.jar

 ---> Running in f64908a07aa1
find: ‘/proc/1/map_files’: Operation not permitted
find: ‘/proc/7/map_files’: Operation not permitted

The command '/bin/sh -c find / -name "spring-cloud-config-server*.jar" 
   ! -name "*sources*" -exec cp -t /tmp {} + &&   mkdir /runtime &&   
   mv /tmp/spring-cloud-config*.jar /runtime/config-service.jar &&   
   rm -f /*.jar' returned a non-zero code: 1

script returned exit code 1
David Maze
Marcello DeSales

1 Answer

Solution

  • Avoid using global search find / since it involves other dirs
    • Those additional dirs might have different rw permissions for the running docker user in the docker build instructions.

The above was solved with the following:

RUN mkdir /runtime && \
    find /tmp -name "spring-cloud-config-server*.jar" ! -name "*sources*" -exec cp -t /runtime {} + && \
    mv /runtime/spring-cloud-config*.jar /runtime/config-service.jar && \
    rm -f /tmp/*.jar

Explanation

The answer lies in the following concepts:

  • The docker container, running in dind, is adding processes that are only permitted by the host OS.
  • While running the command find /, the command is also scanning the dir /proc, which is owned by the dind process.
  • As a consequence, building locally would not cause the issue since docker engine in Mac has permissions and doesn't leak out additional /proc when compared to dind.
Marcello DeSales
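The failure in this question, reproduced on a constructed directory tree (an added example, not code from the original post): find exits non-zero when it cannot read a directory even though the jar is found and copied, and that status is what stops the `&&` chain in the RUN step. The tree layout, the `1.0` file names, the helper function names and the `-prune` variant are assumptions added for illustration; the scoped search mirrors the answer above.

```shell
#!/bin/sh
# Added example on a constructed tree that stands in for the build container's
# filesystem. Uses GNU cp -t, as the Dockerfile on this page does.

# make_tree: prints the path of a scratch dir holding rootfs/ and three output dirs.
make_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/rootfs/tmp" "$base/rootfs/proc/1/map_files" \
             "$base/broad" "$base/scoped" "$base/pruned"
    : > "$base/rootfs/tmp/spring-cloud-config-server-1.0.jar"          # constructed
    : > "$base/rootfs/tmp/spring-cloud-config-server-1.0-sources.jar"  # constructed
    chmod 000 "$base/rootfs/proc/1/map_files"   # stand-in for the denied /proc entry
    echo "$base"
}

# Whole-tree search, like `find /` in the failing step ($1 = root, $2 = destination).
# The unreadable directory makes find return non-zero after the copy has happened.
broad_search() {
    find "$1" -name "spring-cloud-config-server*.jar" ! -name "*sources*" \
        -exec cp -t "$2" {} + 2>/dev/null
}

# Search limited to the directory that holds the artifact, as in the answer.
scoped_search() {
    find "$1/tmp" -name "spring-cloud-config-server*.jar" ! -name "*sources*" \
        -exec cp -t "$2" {} +
}

# Assumed alternative: keep the whole-tree search but never descend into proc.
pruned_search() {
    find "$1" -path "$1/proc" -prune -o \
        -name "spring-cloud-config-server*.jar" ! -name "*sources*" \
        -exec cp -t "$2" {} +
}

# Restore permissions first so the scratch dir can be removed by a non-root user.
cleanup_tree() { chmod -R u+rwx "$1" 2>/dev/null; rm -rf "$1"; }

demo() {
    base=$(make_tree) || return 1
    broad_search  "$base/rootfs" "$base/broad"  && b=0 || b=$?
    scoped_search "$base/rootfs" "$base/scoped" && s=0 || s=$?
    pruned_search "$base/rootfs" "$base/pruned" && p=0 || p=$?
    echo "broad=$b (jars copied: $(ls "$base/broad" | wc -l)) scoped=$s pruned=$p"
    cleanup_tree "$base"
}
demo
```

When run as root the `chmod 000` stand-in does not block reads, so the broad search also returns 0 there; run it as an unprivileged user to see the non-zero status.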