"Permission Denied" error while running the script #3

Closed
olibols opened this issue Sep 4, 2024 · 8 comments

Comments

@olibols

olibols commented Sep 4, 2024

Description

Running any of the code execution tools or functions fails with varied permission denied errors. Pasted at the bottom is the complete log when I ran the code manually from inside the container. Additionally, cut off in the chat itself is:
Claude Web Version Sandbox runtime failed: Sandbox failed to start: Command '['/tmp/gvisor/runsc', '--rootless=true', '--directfs=false',

If needs be I think I will just run openwebui on the native machine rather than dockerised

Thanks!

General information

  • Open WebUI version: v0.3.16
  • Tool/function version: 0.3.0 and 0.3.0
  • Open WebUI setup:
    • Kernel information: Linux olivps 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 2 20:41:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
    • Runtime: Docker
    • If running in Docker:
      • Docker version: Docker version 26.1.4, build 5650f9b
      • docker run command: docker run -d -p 3000:8080 -v open-webui:/app/backend/data --name open-webui --restart always --security-opt=seccomp=unconfined ghcr.io/open-webui/open-webui:main
      • Docker container info: https://gist.github.com/olibols/688338ca49d2e85451287960f5c3daf4

Debug logs

chat-export-1725440372552.json

Additional context

Full error log as copied from the console:
root@2db3359a4f55:/app/backend/data/tools# echo 'import datetime; print(datetime.datetime.now())' | python3 run_code.py --debug
Emitting status event: {'status': 'in_progress', 'description': 'Checking if environment supports sandboxing...', 'done': False}
Event: {'type': 'status', 'data': {'status': 'in_progress', 'description': 'Checking if environment supports sandboxing...', 'done': False}}
Emitting status event: {'status': 'in_progress', 'description': 'Initializing sandbox configuration...', 'done': False}
Event: {'type': 'status', 'data': {'status': 'in_progress', 'description': 'Initializing sandbox configuration...', 'done': False}}
Emitting status event: {'status': 'in_progress', 'description': 'Setting up sandbox environment...', 'done': False}
Event: {'type': 'status', 'data': {'status': 'in_progress', 'description': 'Setting up sandbox environment...', 'done': False}}
Emitting status event: {'status': 'in_progress', 'description': 'Running Python code in gVisor sandbox...', 'done': False}
Event: {'type': 'status', 'data': {'status': 'in_progress', 'description': 'Running Python code in gVisor sandbox...', 'done': False}}
Emitting status event: {'status': 'error', 'description': "Sandbox runtime failed: Sandbox failed to start: Command '['/tmp/gvisor/runsc', '--rootless=true', '--directfs=false', '--network=host', '--ignore-cgroups=true', '--root=/tmp/sandbox_p27w1bn_/runtime', '--debug=true', '--debug-log=/tmp/sandbox_p27w1bn_/logs/', 'run', '--bundle=/tmp/sandbox_p27w1bn_/bundle', 'sandbox']' returned non-zero exit status 128.; stderr: running container: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF; logs: defaultdict(<class 'list'>, {'runsc.log.20240904-090541.534274.run.txt': ['W0904 09:05:41.568031 626 util.go:64] FATAL ERROR: running container: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF', 'W0904 09:05:41.568204 626 main.go:231] Failure to execute command, err: 1'], 'runsc.log.20240904-090541.534274.gofer.txt': ['W0904 09:05:41.561393 1 util.go:64] FATAL ERROR: error converting mounts: permission denied'], 'runsc.log.20240904-090541.534274.boot.txt': ['W0904 09:05:41.566650 636 util.go:64] FATAL ERROR: error setting up chroot: error converting mounts: permission denied']})", 'done': True}
Event: {'type': 'status', 'data': {'status': 'error', 'description': "Sandbox runtime failed: Sandbox failed to start: Command '['/tmp/gvisor/runsc', '--rootless=true', '--directfs=false', '--network=host', '--ignore-cgroups=true', '--root=/tmp/sandbox_p27w1bn_/runtime', '--debug=true', '--debug-log=/tmp/sandbox_p27w1bn_/logs/', 'run', '--bundle=/tmp/sandbox_p27w1bn_/bundle', 'sandbox']' returned non-zero exit status 128.; stderr: running container: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF; logs: defaultdict(<class 'list'>, {'runsc.log.20240904-090541.534274.run.txt': ['W0904 09:05:41.568031 626 util.go:64] FATAL ERROR: running container: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF', 'W0904 09:05:41.568204 626 main.go:231] Failure to execute command, err: 1'], 'runsc.log.20240904-090541.534274.gofer.txt': ['W0904 09:05:41.561393 1 util.go:64] FATAL ERROR: error converting mounts: permission denied'], 'runsc.log.20240904-090541.534274.boot.txt': ['W0904 09:05:41.566650 636 util.go:64] FATAL ERROR: error setting up chroot: error converting mounts: permission denied']})", 'done': True}}
{"status": "ERROR", "output": "Sandbox runtime failed: Sandbox failed to start: Command '['/tmp/gvisor/runsc', '--rootless=true', '--directfs=false', '--network=host', '--ignore-cgroups=true', '--root=/tmp/sandbox_p27w1bn_/runtime', '--debug=true', '--debug-log=/tmp/sandbox_p27w1bn_/logs/', 'run', '--bundle=/tmp/sandbox_p27w1bn_/bundle', 'sandbox']' returned non-zero exit status 128.; stderr: running container: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF; logs: defaultdict(<class 'list'>, {'runsc.log.20240904-090541.534274.run.txt': ['W0904 09:05:41.568031 626 util.go:64] FATAL ERROR: running container: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF', 'W0904 09:05:41.568204 626 main.go:231] Failure to execute command, err: 1'], 'runsc.log.20240904-090541.534274.gofer.txt': ['W0904 09:05:41.561393 1 util.go:64] FATAL ERROR: error converting mounts: permission denied'], 'runsc.log.20240904-090541.534274.boot.txt': ['W0904 09:05:41.566650 636 util.go:64] FATAL ERROR: error setting up chroot: error converting mounts: permission denied']})"}
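A triage helper for the `logs` mapping in the error output above, added here as an example and not part of the original report or the project's code. It parses the glog-style lines, keeps the `FATAL ERROR` entries and orders them by timestamp so the runsc component that failed first stands out. Treating the earliest fatal entry as the likely origin is a heuristic, and the function names are hypothetical.

```python
import re

# glog-style prefix seen in the runsc logs: <level><MMDD> <HH:MM:SS.micros> <pid> <file>:<line>] <msg>
LINE_RE = re.compile(
    r"^(?P<level>[IWEF])(?P<mmdd>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?P<pid>\d+) (?P<src>[\w.]+:\d+)\] (?P<msg>.*)$"
)
# The log file names in the report end in .<component>.txt (run, gofer, boot).
NAME_RE = re.compile(r"\.(?P<component>[a-z]+)\.txt$")
FATAL = "FATAL ERROR: "

# Constructed sample: the 'logs' mapping copied from the error output in this issue.
SAMPLE_LOGS = {
    "runsc.log.20240904-090541.534274.run.txt": [
        "W0904 09:05:41.568031 626 util.go:64] FATAL ERROR: running container: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF",
        "W0904 09:05:41.568204 626 main.go:231] Failure to execute command, err: 1",
    ],
    "runsc.log.20240904-090541.534274.gofer.txt": [
        "W0904 09:05:41.561393 1 util.go:64] FATAL ERROR: error converting mounts: permission denied",
    ],
    "runsc.log.20240904-090541.534274.boot.txt": [
        "W0904 09:05:41.566650 636 util.go:64] FATAL ERROR: error setting up chroot: error converting mounts: permission denied",
    ],
}


def fatal_events(logs):
    """Return the FATAL ERROR entries of every component, oldest first."""
    events = []
    for name, lines in logs.items():
        m = NAME_RE.search(name)
        component = m.group("component") if m else "unknown"
        for line in lines:
            p = LINE_RE.match(line)
            if p and p["msg"].startswith(FATAL):
                events.append({"stamp": (p["mmdd"], p["time"]), "component": component,
                               "pid": int(p["pid"]), "error": p["msg"][len(FATAL):]})
    # Zero-padded MMDD and HH:MM:SS.micros sort correctly as strings within one year.
    return sorted(events, key=lambda e: e["stamp"])


def first_failure(logs):
    """Earliest fatal entry, or None if no component logged one."""
    events = fatal_events(logs)
    return events[0] if events else None


if __name__ == "__main__":
    for e in fatal_events(SAMPLE_LOGS):
        print(e["stamp"][1], e["component"], "->", e["error"])
```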

@EtiennePerot
Owner

EtiennePerot commented Sep 4, 2024

Thanks for the thorough bug report. I'm working on a version that has even more debug logs, as I'm not yet completely certain what is causing this from these logs alone. Won't have this done today, but in the meantime, can you try the following (not mutually exclusive):

  • Try adding --cap-add=SYS_CHROOT
  • Try adding --cap-add=SYS_ADMIN
  • Try adding --security-opt=label=type:container_engine_t
  • Try adding --privileged=true

Also see issue #2 in which another Docker user reported having to use this hack to work around cgroupfs issues. I don't think you're running into this, but you may run into it as the next error after getting past this current one.

> If needs be I think I will just run openwebui on the native machine rather than dockerised

That would probably solve the problem too, but if you have the time to try out the above, this will help others who may run into the same issue.

@olibols
Author

olibols commented Sep 4, 2024

After re-running the command with the above flags, I got the same cgroup error as the other fella. Running the script he linked then allowed it to work 🫡. Many thanks :D

@EtiennePerot
Owner

Can you please check which of the flags was actually necessary to make it work? I want to edit the Docker setup instructions and would like to add the minimal set of flags (while avoiding --privileged=true which trumps all other security flags).

So can you try just --cap-add=SYS_CHROOT --cap-add=SYS_ADMIN --security-opt=label=type:container_engine_t (no --privileged), and if it still works, then try removing each flag one at a time and see if it breaks?
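For the flag-by-flag elimination requested above, it helps to see what each `docker run` variant actually grants. The following is an added example, not code from this thread or from the project: it decodes `CapEff` from `/proc/self/status` and reports whether `CAP_SYS_CHROOT` and `CAP_SYS_ADMIN` are in the effective set. The sample masks are constructed and the function names are hypothetical.

```python
import re

# Capability names in bit order (bit 0 = CAP_CHOWN), from <linux/capability.h>.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
    "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK "
    "IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN "
    "SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE "
    "AUDIT_WRITE AUDIT_CONTROL SETFCAP"
).split()

# Constructed samples: a mask matching Docker's default capability set, and the
# same mask with bit 21 (CAP_SYS_ADMIN) set, as --cap-add=SYS_ADMIN would produce.
DEFAULT_STATUS = "Name:\tpython3\nCapEff:\t00000000a80425fb\n"
SYS_ADMIN_STATUS = "Name:\tpython3\nCapEff:\t00000000a82425fb\n"


def read_cap_eff(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Turn a capability bitmask into a set of CAP_* names."""
    names, bit = set(), 0
    while mask:
        if mask & 1:
            # Bits beyond the table above are reported by number.
            names.add("CAP_" + CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        mask >>= 1
        bit += 1
    return names


def missing_caps(status_text, wanted=("CAP_SYS_CHROOT", "CAP_SYS_ADMIN")):
    """Return the wanted capabilities that are absent from the effective set."""
    have = decode_caps(read_cap_eff(status_text))
    return [cap for cap in wanted if cap not in have]


if __name__ == "__main__":
    # Inside the container: inspect the real process instead of the samples.
    with open("/proc/self/status") as f:
        print("missing:", missing_caps(f.read()) or "none")
```

Running it in a container started with each candidate flag set shows directly which capabilities a given flag changed, without needing `--privileged=true`.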

@olibols
Author

olibols commented Sep 4, 2024

Will do in a couple hours when I'm back at my pc 🫡

@olibols
Author

olibols commented Sep 5, 2024

I ran the same command, without the privileged, and got the same error as original. Could it be due to the permissions of the external filesystem that is mounted inside docker?

@EtiennePerot
Owner

Thanks for re-running. I'm still working on a new version that adds more debugging information in order to better diagnose this and will poke this bug again once it's available.

In the meantime, I've updated the container runtime setup instructions to mention the --privileged flag.

@EtiennePerot
Owner

Hello again,

I uploaded a new version of the code runner tool and function that includes a lot more debug logging, and should remove the need to do the whole cgroup dance because it will do that automatically. It also has a more elaborate self-test mode.

The tool is available here and the function is available here.

In order to debug your issue, I'd recommend creating a new container identical to the OpenWebUI one (without --privileged=true or --cgroupns=host; please post the docker run command-line you're using), then run the tool's self-test mode in that container, and post the output in this issue.

python3 path/to/tools/run_code.py --self_test

If it fails, also add --debug to the above command-line, and it should generate more debug info.

EtiennePerot added a commit that referenced this issue Sep 23, 2024
This fixes self-re-execution thanks to Open WebUI having merged
open-webui/open-webui#5511.

It also works around more permission issues due to procfs mounts.
Docs updated.

Fixes #11
Fixes #12
Updates #2
Updates #3

@EtiennePerot
Owner

I believe this is now fully fixed as of release 0.6.0, as long as the new setup instructions are followed.
