56

After installing docker and docker-compose on:

NAME="Red Hat Enterprise Linux Server"
VERSION="7.6 (Maipo)"

When executing:

sudo docker-compose -version

It returns:

Error while loading shared libraries: libz.so.1: failed to map segment from shared object: Operation not permitted

It should return:

docker-compose version 1.25.0-rc2, build 661ac20e

Installation from docker-compose is this

Kevin
  • 2,234
  • 2
  • 21
  • 26
Roberto Gonçalves
  • 3,186
  • 4
  • 13
  • 27

3 Answers3

145

Got it solved by re-mounting the /tmp to give the volume permission to execute (it was accessible with read-only). So this solved:

sudo mount /tmp -o remount,exec
Roberto Gonçalves
  • 3,186
  • 4
  • 13
  • 27
  • Worked for me as well. – David Schmidlin Apr 16 '20 at 23:15
  • 13
    While this is a valid workaround, it should not be the preferred answer as it is not secure. If the system you are using has been hardened, the `/tmp` mount will be set to `noexec` (and probably `nodev` and `nosuid` as well). Remounting it with `exec` enabled defeats the purpose of securing this mount. See the CIS benchmarks for more details as to why this is done. – Will May 04 '20 at 21:34
  • Worked for me as well – Santosh Garole Dec 28 '20 at 14:02
  • @Will is correct that `exec` in `/tmp` is no longer considered secure. You will want to set up a `TMPDIR` – zerocog Jun 12 '21 at 05:53
51

Configuring a user specific TMPDIR directory solves the problem. The TMPDIR environment variable is POSIX standard, but TMP (and a few others) can be commonly accepted as well.

Other answers address how to configure the global, default temporary directory. Here are two examples if the system's security policy does not allow /tmp to be executable.

First Example Solution

mkdir $HOME/tmp
export TMPDIR=$HOME/tmp
docker-compose --version

For convenience, after the directory has been created, the "export" statement can be placed in the shell's profile configuration (example: ~/.bash_profile or ~/.bashrc).

Second Example Solution

Configure an alias (example files: ~/.bashrc or ~/.bash_alias).

alias docker-compose="TMPDIR=${HOME}/tmp docker-compose"

This is an issue that seems to be a common stumbling point. Some digging shows that it may be related to PyInstaller and not docker-compose specifically.

Veverke
  • 9,208
  • 4
  • 51
  • 95
Kevin
  • 2,234
  • 2
  • 21
  • 26
  • 3
    docker is already running as root so $HOME/tmp simply points to /root/tmp which is the cause of the problem as it doesn't have the exec flag on it, i don't want to mess up with the security of my system. So I did mkdir /root/docker_temp and set export TMPDIR=/root/docker_temp and it worked but I am having second thoughts on how and who will clean all the data in that folder as it doesn't behave like the real tmp. any ideas on it? – OAH Aug 04 '20 at 23:11
  • 1
    @OAH, In my experience doing most anything "normal" as the `root` user is a bad idea. Instead, look for alternatives like `sudo` or in the case of Docker, giving a regular user the `docker` group. For example if my user is `kevin`, then `sudo usermod -a -G docker kevin` would append the `docker` group to my list of groups. It can be verified with `groups kevin`. – Kevin Aug 05 '20 at 02:07
  • 1
    @OAH, at this point we should probably move this to a new question. It seems like you may have lost that the problem here is not docker, but docker-compose and the way it is packaged. docker-compose is a python program that use PyInstaller to package it for ease of use. PyInstaller needs some tmp space to unpack and execute some stuff in order for docker-compose to work. PyInstaller should always cleanup after itself. Looking at the tmp directory from my machine, and there has never been anything left behind. – Kevin Aug 05 '20 at 13:04
  • 1
    @OAH, another word of caution. Exporting `TMPDIR` will put it into the environment for every command you run from that shell. That means, in your example, every command will use `/root/tmp_alternative` for tmp space. Not all programs may clean-up after themselves, so it is something to be aware of. – Kevin Aug 05 '20 at 13:06
  • `TMPDIR` may be configured properly when using shell but this variable might be missing when running from `Powershell` so ensure this variable is defined for the shell that runs `docker-compose` – Damian Jun 19 '23 at 11:21
2

fixed in RHEL by setting export TMP=/var/tmp before running the cmd

Abdennour TOUMI
  • 87,526
  • 38
  • 249
  • 254