[sane-devel] Running sane din docker

Olaf Meeuwissen paddy-hack at member.fsf.org
Tue Aug 1 10:40:36 UTC 2017


Hi Jan,

Jan De Luyck writes:

> On Sun, 30 Jul 2017, at 06:31, Olaf Meeuwissen wrote:
>> Hi Jan,
>>
>> Jan De Luyck writes:
>>
>> [...]
>>
>> Can I have a look at your Dockerfile?  What docker command-line
>> invocation (or what docker-compose.yml) do you use?
>
> Sure. I've got everything up on https://github.com/jdeluyck/docker-saned

Thanks.  I had a quick look and didn't notice much out of the ordinary
(although I must admit I've never used runit).  One thing looked a bit
weird though: the need for the device to have group ID 'lp' (7).  IIRC,
on Debian they use a dynamically added saned user/group.  This typically
has an numeric ID >100.

But this user/group stuff shouldn't really matter for as far as I can
see, inside the container everything is run as root anyway (unless in
the very unlikely case that saned is setuid).

Your README.md also mentions you derived your setup from another one,
sesceu/docker-saned.  Have you checked if that works as expected?  I
noticed it passes a few other environment variables to the container.

>> Can you scan via the USB interface from within the container as well as
>> from outside of the container?  If that works, the problem is with the
>> networking part.
>>
>> Can you scan via saned from *within* the container?  Obviously, from
>> outside the container doesn't work otherwise you wouldn't have asked
>> here ;-)
>
> I've tested with scanimage:
>
> # scanimage -T
> scanimage: scanning image of size 638x877 pixels at 24 bits/pixel
> scanimage: acquiring RGB frame, 8 bits/sample
> scanimage: reading one scanline, 1914 bytes...  PASS
> scanimage: reading one byte...          PASS
> scanimage: stepped read, 2 bytes...     PASS
> [...]
>
> - which I would say looks good. This is running from inside the
> container.

Looks fine but is this via USB or via saned for localhost?  That is,
what is the default device inside the container?  A simple

  scanimage -L

should tell you that.

>> >> > By sharing the /dev/bus/usb filesystem to the container, and mapping the
>> >> > necessary ports, I've gotten it to run (using runit to keep the services
>> >> > up and running). The scanner is detected, and I can start a remote scan
>> >> > - unfortunately it never completes, it fails shortly in the scan with a
>> >> > SIGPIPE error, and the client app (being scanimage or xsane) bombs out.
>> >> >
>> >> > The docker container is based on Debian Stable, I have dbus running
>> >> > inside it and ahavi is available.
>>
>> IIUC, you shouldn't need either.  Not for a USB scanner exposed via
>> saned.
>
> Oh. OK. That greatly reduces my dependencies.

Yup!  Smaller container, yeah!

>> >> > Running scanimage -T returns:
>> >> > $ scanimage -T
>> >> > scanimage: scanning image of size 638x877 pixels at 24 bits/pixel
>> >> > scanimage: acquiring RGB frame, 8 bits/sample
>> >> > scanimage: reading one scanline, 1914 bytes...  FAIL No data
>>
>> No data?  Right from the start ...
>>
>> >> > [...]
>> >> > scanimage: stepped read, 3 bytes...     FAIL No data
>> >> > scanimage: received signal 13
>> >> > scanimage: trying to stop scanner
>> >> > Segmentation fault
>> >> >
>> >> > The last messages I get from saned -d128 are:
>> >> >
>> >> > [saned] do_scan: trying to write 8192 bytes to client
>> >> > [saned] quit: received signal 13
>>
>> Given that you get No data from the start, there may be something more
>> interesting earlier in the log.
>
> This is the full dump:
>
> # saned -d 128
> [saned] main: starting debug mode (level 128)
> [saned] read_config: searching for config file
> [saned] read_config: data port range: 10000 - 10001
> [saned] read_config: done reading config
> [saned] saned (AF-indep+IPv6) from sane-backends 1.0.25 starting up
> [saned] do_bindings: trying to get port for service "sane-port" (getaddrinfo)
> [saned] do_bindings: [1] socket () using IPv6
> [saned] do_bindings: [1] setsockopt ()
> [saned] do_bindings: [1] bind () to port 6566
> [saned] do_bindings: [1] listen ()
> [saned] do_bindings: [0] socket () using IPv4
> [saned] do_bindings: [0] setsockopt ()
> [saned] do_bindings: [0] bind () to port 6566
> [saned] do_bindings: [0] bind failed: Address already in use

Hmm, probably not really an issue given log messages further down but
you might want to disable IPv6.

> [saned] run_standalone: spawning Avahi process
> [saned] run_standalone: waiting for control connection
> [saned] saned_avahi_callback: AVAHI_CLIENT_CONNECTING
> [saned] handle_connection: processing client connection
> [saned] check_host: detected an IPv4-mapped address
> [saned] check_host: access by remote host: ::ffff:172.17.0.1
> [saned] check_host: remote host is not IN_LOOPBACK nor IN6_LOOPBACK
> [saned] check_host: local hostname: fdb8cf4e1d9f
> [saned] check_host: local hostname(s) (from DNS): fdb8cf4e1d9f
> [saned] check_host: local hostname(s) (from DNS): (null)
> [saned] check_host: local hostname(s) (from DNS): (null)
> [saned] check_host: remote host doesn't have same addr as local
> [saned] check_host: opening config file: /etc/hosts.equiv
> [saned] check_host: can't open config file: /etc/hosts.equiv (No such file or directory)
> [saned] check_host: opening config file: saned.conf
> [saned] check_host: config file line: `# saned.conf'
> [saned] check_host: config file line: `# Configuration for the saned daemon'
> [saned] check_host: config file line: `'
> [saned] check_host: config file line: `## Daemon options'
> [saned] check_host: config file line: `# Port range for the data connection. Choose a range inside [1024 - 65535].'
> [saned] check_host: config file line: `# Avoid specifying too large a range, for performance reasons.'
> [saned] check_host: config file line: `#'
> [saned] check_host: config file line: `# ONLY use this if your saned server is sitting behind a firewall. If your'
> [saned] check_host: config file line: `# firewall is a Linux machine, we strongly recommend using the'
> [saned] check_host: config file line: `# Netfilter nf_conntrack_sane connection tracking module instead.'
> [saned] check_host: config file line: `#'
> [saned] check_host: config file line: `data_portrange = 10000 - 10001'
> [saned] check_host: config file line: `'
> [saned] check_host: config file line: `'
> [saned] check_host: config file line: `## Access list'
> [saned] check_host: config file line: `# A list of host names, IP addresses or IP subnets (CIDR notation) that'
> [saned] check_host: config file line: `# are permitted to use local SANE devices. IPv6 addresses must be enclosed'
> [saned] check_host: config file line: `# in brackets, and should always be specified in their compressed form.'
> [saned] check_host: config file line: `#'
> [saned] check_host: config file line: `# The hostname matching is not case-sensitive.'
> [saned] check_host: config file line: `'
> [saned] check_host: config file line: `#scan-client.somedomain.firm'
> [saned] check_host: config file line: `#192.168.0.1'
> [saned] check_host: config file line: `#192.168.0.1/29'
> [saned] check_host: config file line: `#[2001:db8:185e::42:12]'
> [saned] check_host: config file line: `#[2001:db8:185e::42:12]/64'
> [saned] check_host: config file line: `'
> [saned] check_host: config file line: `# NOTE: /etc/inetd.conf (or /etc/xinetd.conf) and'
> [saned] check_host: config file line: `# /etc/services must also be properly configured to start'
> [saned] check_host: config file line: `# the saned daemon as documented in saned(8), services(4)'
> [saned] check_host: config file line: `# and inetd.conf(4) (or xinetd.conf(5)).'
> [saned] check_host: config file line: `localhost'
> [saned] check_host: DNS lookup returns IP address: ::1
> [saned] check_host: DNS lookup returns IP address: ::1
> [saned] check_host: DNS lookup returns IP address: ::1
> [saned] check_host: DNS lookup returns IP address: 127.0.0.1
> [saned] check_host: DNS lookup returns IP address: 127.0.0.1
> [saned] check_host: DNS lookup returns IP address: 127.0.0.1
> [saned] check_host: config file line: `0.0.0/0'

Access from anywhere.  That should be getting in the way ;-)

> [saned] check_host: subnet with base IP = 0.0.0, CIDR netmask = 0
> [saned] check_host: access granted from IP address 172.17.0.1 (in subnet 0.0.0/0)
> [saned] init: access granted
> [saned] init: access granted to user@::ffff:172.17.0.1
> [saned] process_request: waiting for request
> [saned] process_request: got request 1
> [saned] process_request: waiting for request
> [saned] process_request: got request 2
> [saned] process_request: access to resource `hpaio' granted
> [saned] process_request: sane_open returned: Success
> [saned] process_request: waiting for request
> [saned] process_request: got request 4
> [saned] process_request: waiting for request
> [saned] process_request: got request 5
> [...]
> [saned] process_request: waiting for request
> [saned] process_request: got request 7
> [saned] start_scan: trying to bind data port 10000
> [saned] start_scan: using port 10000 for data
> [saned] process_request: waiting for data connection
> [saned] process_request: access to data port from ::ffff:172.17.0.1
> [saned] do_scan: start
> [saned] do_scan: trying to read 8188 bytes from scanner
> [saned] do_scan: read 8188 bytes from scanner
> [saned] do_scan: processing RPC request on fd 4
> [saned] process_request: waiting for request
> [saned] process_request: got request 6
> [saned] do_scan: trying to write 8192 bytes to client
> [saned] do_scan: wrote 8192 bytes to client

So the first batch of data is sent to the client.  But your earlier log
showed a "FAIL No data" for the 1914 byte data of the first scanline.
Is the written data really getting there?

> [saned] do_scan: trying to read 8188 bytes from scanner
> [saned] do_scan: read 8188 bytes from scanner

Scanner is still alive and providing data.

> [saned] do_scan: trying to write 8192 bytes to client
> [saned] quit: received signal 13

Scanner provided data can no longer be sent because the receiving end
went poof!  No clue as to why it went away.

> [saned] quit: exiting
> #

If that first `scanimage -T` from within the container was via saned,
i.e. a 'net:...' device, I'd revert to network capture software
(e.g. wireshark or some such) to have an up close look at what's going
on at the network layer and try to line that up with what the saned code
and scanimage (outside the container) say they're up to.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join



More information about the sane-devel mailing list