Docker-compose: exec /usr/local/bin/python: operation not permitted #134

Open
henricook opened this issue Apr 30, 2023 · 10 comments
@henricook

henricook commented Apr 30, 2023

Describe the bug
After creating a config.json using the api_token param and substituting in my subdomain (one subdomain only) and zone_id, I did docker-compose up and saw these errors:

```
~/containers/cloudflare-ddns$ docker-compose up
/snap/docker/2746/lib/python3.6/site-packages/paramiko/transport.py:32: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography (40.0) will be the last to support Python 3.6.
  from cryptography.hazmat.backends import default_backend
cloudflare-ddns is up-to-date
Attaching to cloudflare-ddns
cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted
cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted
cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted
cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted
cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted
cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted
cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted
cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted
cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted
cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted
```

To Reproduce
Create a config.json using the api_token param, substituting in my subdomain (one subdomain only) and zone_id, and run docker-compose up.

Expected behavior
The container should start without error

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Ubuntu 22.04.2 LTS server

Additional context

docker-compose.yml

```yaml
version: '3.9'
services:
  cloudflare-ddns:
    image: timothyjmiller/cloudflare-ddns:latest
    container_name: cloudflare-ddns
    security_opt:
      - no-new-privileges:true
    network_mode: 'host'
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - /home/henri/containers/cloudflare-ddns/config.json:/config.json
    restart: unless-stopped
```

It's not really related at all to debugging this docker issue, but when I run this as a bare-metal script after installing python dependencies, it works fine.

@antoinetielbeke

To add to this:
@timothymiller Please provide old tags and not just the latest tag. I prefer to pin my container versions anyway. I'm having the same problem and want to test if it's a problem caused by this version only, so I want to switch to an older version to test this theory. I cannot do this because there is only one tag, `latest`.

@rasolo

rasolo commented Jun 14, 2023

How did you guys resolve this issue? I can't get it to work.

@cosmicflame

Still not working for me with the latest Docker image.

It's worth noting that I'm running this on a Raspberry Pi 4B (8GB), and thus this is the arm64 image.

@rasolo

rasolo commented Jul 29, 2023

My laptop has an x64 CPU and 16 GB of RAM, and it also doesn't work.

@timothymiller
Owner

It appears that this issue is impacting a significant number of individuals. Therefore, it is crucial to conduct a thorough investigation to gain a better understanding of the situation.

@rohit267

meh, still not resolved

@MediJaster

> It appears that this issue is impacting a significant number of individuals. Therefore, it is crucial to conduct a thorough investigation to gain a better understanding of the situation.

I am not completely sure about this but it appears as if the snap version of docker might be the cause of this.

I also had this issue when running Ubuntu Server 22.04 LTS just like @henricook (I was on 22.04.3 though) with Docker installed from the Ubuntu Server installation media menu (which I learned ultimately uses snap).
One day I tried reinstalling Docker using the official guide, and it just worked. I'm not sure what exactly is in the snap version of Docker that makes this container not work; every other container I wanted to run worked fine.

I solved this issue a while ago and I'm very sorry that it took me so long to contribute my solution here; you can thank @rohit267 for making GitHub send me an email haha.

@kR1StYaN

I am having the same issue with docker-compose. A fix would be very nice.
My installation was also done with snap.

@rohit267

> I am having the same issue with docker-compose. A fix would be very nice. My installation was also done with snap

I made one with Node.js, easy peasy: https://github.com/rohit267/cloudflare-dns-updater

@cosmicflame

Sigh.... here's the fix. I have confirmed that the following Docker Compose file works on macOS (M1 Max - ARM CPU) and Ubuntu 22.04 on Raspberry Pi 4b 8GB (also an ARM CPU):

```yaml
version: '3.9'
services:
  cloudflare-ddns:
    image: timothyjmiller/cloudflare-ddns:latest
    container_name: cloudflare-ddns
    network_mode: 'host'
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - './config.json:/config.json'
    restart: unless-stopped
```

What's the difference between this and the official Docker Compose file? I removed the following:

```yaml
    security_opt:
      - no-new-privileges:true
```

This setting prevents the program from elevating permissions within the container, which I assume it needs to do. For reasons I haven't investigated this wasn't necessary on macOS - no-new-privileges was only failing on the Ubuntu Pi. And yes, for legacy reasons I am using the Snap install of Docker on the Pi.

Recommendations to maintainers:

  • Is no-new-privileges required or recommended to be set? If not, maybe we should remove it from the readme. If it is required, then possibly additional user, group, and permissions setup is required in the Dockerfile.
  • If no-new-privileges is required and no permissions setup could be added to the Dockerfile, and if other users can confirm that the issue only occurs in the Ubuntu Snap install of Docker, maybe we should add something in the readme explicitly stating that the Snap install is not compatible with this software.

We all love Snap, don't we? 😩
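
A triage check for the combination reported in this thread (a snap-installed Docker client, a service that sets `no-new-privileges`, and the `operation not permitted` exec error in the logs), added here as an example and not part of the original comments. The function names and the sample files are constructed; the compose parsing assumes two-space service indentation as in the file posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are constructed.

# True if the docker client path (as printed by `command -v docker`) is a snap install.
docker_is_snap() {
    case "$1" in
        /snap/*|/var/lib/snapd/snap/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each service in a compose file that enables no-new-privileges.
# Assumes service names are indented by two spaces, as in the thread's file.
nnp_services() {
    awk '
        /^[^ #]/ { in_services = ($1 == "services:"); next }
        in_services && /^  [A-Za-z0-9_.-]+: *$/ { svc = $1; sub(/:$/, "", svc); next }
        in_services && /^ +- *[^a-z]?no-new-privileges([:=] *true)?[^a-z]? *$/ { print svc }
    ' "$1"
}

# triage DOCKER_PATH COMPOSE_FILE LOG_FILE
# Reports whether all three conditions described in the thread are present.
triage() {
    hit=$(nnp_services "$2" | paste -sd, -)
    if grep -Eq 'exec [^ ]+: operation not permitted' "$3" \
        && [ -n "$hit" ] && docker_is_snap "$1"; then
        echo "match: snap docker, no-new-privileges on $hit"
    else
        echo "no match"
    fi
}

# Constructed sample input modelled on the files posted in the issue.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/docker-compose.yml" <<'EOF'
version: '3.9'
services:
  cloudflare-ddns:
    image: timothyjmiller/cloudflare-ddns:latest
    security_opt:
      - no-new-privileges:true
EOF
echo 'cloudflare-ddns    | exec /usr/local/bin/python: operation not permitted' \
    > "$demo_dir/compose.log"
triage /snap/bin/docker "$demo_dir/docker-compose.yml" "$demo_dir/compose.log"
```

On a real host, pass `"$(command -v docker)"`, the compose file, and a file holding the saved `docker-compose up` output as the three arguments to `triage`.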
