-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"/bin/bash: .command.run: Permission denied" with SELinux enabled #74
Comments
Seeing the It looks the error happens on the different part.
The image is downloaded on local.
As my experience to test to run
|
Hi @junaruga ! Apologies for the late response. It appears I wasn't watching this repo for some reason. Did you mange to fix the issue above? |
Closing this but feel free to re-open if the issue persists in version 1.1.0. |
@drpatelh Sorry for the late reply. Could you reproduce the error I reported, on your environment? Then did you confirm the issue was fixed o the version 1.1.0? |
Hopefully I will check the issue this Friday. |
Thanks @junaruga. Unfortunately, I don't use Docker but could you maybe try deleting the image and re-running? Sorry, I closed the issue hoping it would be magically fixed. If you do still observe the same issue then please re-open and we can try and debug further. I have a strong suspicion its down to the Docker set-up. @apeltzer @ewels any ideas why you would get the error message below:
|
I still observe the issue today. You can see the log for detail. I do not have the permission to reopen the ticket. Could you reopen it? It might depends on the Docker setup on Fedora 32 or the Docker version. I did setup it seeing this comment by person from Docker. docker/for-linux#955 (comment) . |
Re-opened the issue @junaruga and invited you to become a member of the nf-core organisation. Hopefully, this means you will be able to re-open issues in the future as well as other perks for being a member. I am afraid I still have no idea why you are experiencing this issue and as you suggested may be related to the OS. The pipeline definitely works with Docker because all of our CI tests are run via Github Actions use Docker. |
Could be worth asking on the nf-core Slack on the #help channel. |
Thanks for that. Yes. I saw the CI tests passing. I might ask it on Slack. |
Here is the result log by the following command with podman. Same error happened.
@drpatelh Do you know if the nextflow or nf-core/nanoseq is using the container's volume mount internally? |
In my environment, the SELinux is enabled with the mode: enforcing. I remember Ubuntu disables SELinux as a default setting.
|
I disabled the SELinux on my environment to check if it works on the SELinux disabled environment. Change
The error message And now I see a new error Do you know what's the reason? |
Nice!! I think this will have to be queried on the Nextflow end. Someone may have come up against something similar or it could just be the wonderfulness of SELinux 🤦 Ok. We are finally getting somewhere though. Can you run This will pull and run the latest version of the pipeline locally. We have updated the format of the input samplesheets to the pipeline which is why I suspect it is failing. |
OK. I will try to ask on the Nextflow end.
Sure. let me check it. |
I got the help on the Slack help channel.
|
Sweet! So you have it working now? Be great if you can post the additional options you needed to use here too. |
I have not tried the options on SELinux enabled environment yet. I will share it after trying it. |
I tested it on the SELinux enabled enviornment. But here are the the definitions of the https://docs.docker.com/engine/reference/commandline/run/
Here is the result.
|
I find this issue related to a file permission under the mounted directory. You can see containers/podman#2379 . In the page, when root owned file existed, the error On my local environment, the result is like this. The error happens when mounting my home directory.
The error does not happen when mounting a sub directory.
When checking the following command, I had some file that the owner is not my user account (jaruga) for. I changed the owner to jaruga.
But after that, the error happens on Why does this nanoseq or nextflow need to mount the home directory |
If someone is interested in this issue, and you have Debian or Ubuntu (groovy) latest stable version, you can install the distribution podman package and SELinux. |
In case of rnaseq
|
Running the pipeline with the `-profile podman` option has always failed due to a '.command.sh: permission denied' error. As referenced in an nf-core issue at nf-core/nanoseq#74, this is likely an SELinux problem on Fedora, and should be able to be worked around by using the 'z' mounting flag. While that didn't work for the OP of that issue, it works on my machine, so add 'z' mount flags to the working directories and the Kraken2 database. Signed-off-by: Thomas A. Christensen II <[email protected]>
Dear,
The pipeline is on a shared server with non-root privilleges. I'm calling the pipeline from a dir down from my home. Does anyone know how should I proceed? Attached is my nextflow log. ------------------------ Update 1 ------------------------ ------------------------ Update 2 ------------------------ What I've tried so far : I'm using only a custom nextflow.conf (via -C) with any of the following changes in the docker settings.
I'm using the following to run the pipeline (online): Thank you |
There are a couple big issues with docker/podman, selinux and nextflow. The first and biggest is using selinux context labels: Ideally if you're running SELinux you're on RHEL8 (or equivalent) and you can choose podman instead of docker and do this rootlessly. It shouldnt need a mountFlags directive in your config at all if you're doing this. Understandably you dont want docker content breaking out into your home directory, so this is disallowed. Here's the workaround: restorecon -R -v -F /podman_analysis/
chcon -Rt container_file_t /podman_analysis/ It's stupid, but just doing your analysis in a dedicated directory fixes the relabeling problems The second big problem is that modern kernels support resource limits via cgroups v2, and it will give a weird 'acccess denied' usually with some cryptic hint about 'not being allowed to set a memory limit.' dnf install crun
cp /usr/share/containers/containers.conf /etc/containers/
nano /etc/containers/containers.conf
> cgroups="disabled"
> runtime="crun" |
Hi I faced the following "/bin/bash: .command.run: Permission denied" when running nf-core/nanoseq with with profile test,docker.
Is there any idea to find the reason? And is there a good way to debug?
Thank you.
My environment.
nextflow
is the latest version I installed last week.The docker is installed by
sudo dnf install moby-engine
on Fedora 32.On master:
b88e1c9a77083e90dd0bc5e900e9bcff84814559
.Here is the log file.
The
.command.out
is empty.The text was updated successfully, but these errors were encountered: