Hi,

On Thu, Aug 19, 2021 at 3:27 PM Forest <fores...@sonic.net> wrote:
>
> Package: docker.io
> Version: 20.10.5+dfsg1-1+b5
> Severity: important
>
> Dear Maintainer,
>
> After upgrading from Buster to Bullseye, rootless docker containers now fail
> to build or start, with the following error message:
>
> Error response from daemon: OCI runtime create failed:
> container_linux.go:367: starting container process caused:
> process_linux.go:340: applying cgroup configuration for
> process caused: read unix @->/run/systemd/private: read: connection reset by
> peer: unknown
> Error: failed to start containers: mycontainer
>
It works for me. Here are my docker.service file and cgroup mount info.
Could you compare the output?

====>docker.service<=====
$ cat /home/zsj/.config/systemd/user/docker.service
[Unit]
Description=Docker Application Container Engine (Rootless)
Documentation=https://docs.docker.com/engine/security/rootless/

[Service]
Environment=PATH=/usr/share/docker.io/contrib:/sbin:/usr/sbin:/usr/local/bin:/usr/bin:/bin
ExecStart=/usr/share/docker.io/contrib/dockerd-rootless.sh
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
Type=simple
KillMode=mixed

[Install]
WantedBy=default.target
====>end docker.service<====

====>cgroup<====
~$ mount|grep cgroup
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
====end cgroup<====

====>systemctl<====
zsj@debian:~$ systemctl --user status docker.service
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/zsj/.config/systemd/user/docker.service; disabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-08-19 22:47:03 CST; 5min ago
       Docs: https://docs.docker.com/engine/security/rootless/
   Main PID: 1119185 (rootlesskit)
      Tasks: 40
     Memory: 69.8M
        CPU: 1.346s
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
             ├─1119185 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --cop>
             ├─1119198 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin -->
             ├─1119217 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 1119198 tap0
             ├─1119224 dockerd
             └─1119241 containerd --config /run/user/1000/docker/containerd/containerd.toml --log-level info

Aug 19 22:47:04 debian dockerd-rootless.sh[1119224]: time="2021-08-19T22:47:04.193598506+08:00" level=error msg="failed to mount overlay: operation not permitted" storage>
Aug 19 22:47:04 debian dockerd-rootless.sh[1119224]: time="2021-08-19T22:47:04.204710358+08:00" level=warning msg="Unable to find cpu controller"
=====>end systemctl<=====

====>docker info<====
zsj@debian:~$ docker -c rootless info
Client:
 Context:    rootless
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 20.10.5+dfsg1
 Storage Driver: vfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 1.4.5~ds1-2
 runc version: 1.0.0~rc93+ds1-5+b2
 init version:
 Security Options:
  seccomp
   Profile: default
  rootless
  cgroupns
 Kernel Version: 5.10.0-7-amd64
 Operating System: Debian GNU/Linux 11 (bullseye)
 OSType: linux
 Architecture: x86_64
====>end docker info<====

> The failure seems related to the switch from cgroup v1 to v2 in Bullseye.
> I have found two workarounds:
>
> 1. Edit ~/.config/systemd/user/docker.service (which was generated by
> dockerd-rootless-setuptool.sh), adding this option to the ExecStart command:
> --exec-opt native.cgroupdriver=cgroupfs
>
> 2. Boot the system with these kernel options:
> systemd.unified_cgroup_hierarchy=false
> systemd.legacy_systemd_cgroup_controller=false
>
> Thanks for your attention.
>
> -- System Information:
> Debian Release: 11.0
> APT prefers stable-security
> APT policy: (500, 'stable-security'), (500, 'stable')
> Architecture: arm64 (aarch64)
>
> Kernel: Linux 5.10.0-8-arm64 (SMP w/6 CPU threads)

I think the difference may be the arch, as I'm testing it on amd64. Not sure
if it's an arm64-specific kernel issue.
--
Shengjing Zhu
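An added diagnostic script for the comparison the reply asks for. It is not part of the bug report, the docker.io package or the Docker project; the function names and the fixture it builds are mine. It checks the three facts the reply's output shows (a cgroup2 mount at /sys/fs/cgroup, the controllers systemd delegated to user@UID.service, and Delegate=yes in the user unit) and reads any `--exec-opt native.cgroupdriver=` override from ExecStart, which is how workaround 1 changes the picture. The fixture paths and file contents are constructed to resemble the reporter's system as far as the thread describes it: cgroup v2, a unit like the one quoted, and a delegated set that lacks cpu, matching the "Unable to find cpu controller" warning in the reply. The note it prints about the cgroupfs driver is based on Docker's rootless documentation, which states that resource limiting in rootless mode is supported only with cgroup v2 and the systemd cgroup driver.

```shell
#!/bin/sh
# Diagnostic for the rootless-docker / cgroup v2 failure discussed above.
# Written for this page; not from the bug report or the docker.io package.
# Every check takes the paths it inspects as arguments, so it can run against
# the live host (--host) or against the constructed fixture used by the demo.

# Print "2" if the given cgroup mount root is a unified (v2) hierarchy, else "1".
# cgroup.controllers exists only at the root of a cgroup2 mount.
cgroup_version() {
    if [ -f "$1/cgroup.controllers" ]; then echo 2; else echo 1; fi
}

# Print the controllers systemd delegated to user@UID.service, i.e. the set
# a rootless dockerd can actually use. Empty output means nothing delegated.
delegated_controllers() {
    f="$1/user.slice/user-$2.slice/user@$2.service/cgroup.controllers"
    [ -f "$f" ] && cat "$f"
}

# Exit 0 if controller $3 is in the delegated set of user $2 under root $1.
controller_delegated() {
    delegated_controllers "$1" "$2" | tr ' ' '\n' | grep -qx "$3"
}

# Print the cgroup driver forced via --exec-opt native.cgroupdriver= on the
# ExecStart line of a user unit, or "default" when none is given.
unit_cgroup_driver() {
    d=$(grep '^ExecStart=' "$1" | sed -n 's/.*native\.cgroupdriver=\([a-z]*\).*/\1/p')
    echo "${d:-default}"
}

# Exit 0 if the unit carries Delegate=yes; without it systemd does not hand the
# service a writable cgroup subtree of its own.
unit_delegates() {
    grep -qx 'Delegate=yes' "$1"
}

# Print one line per finding. Return 0 only when the setup can run the systemd
# cgroup driver with cpu, memory and pids limits enforced; 1 otherwise.
diagnose() {
    root=$1; uid=$2; unit=$3; rc=0
    echo "cgroup version: $(cgroup_version "$root")"
    if [ "$(cgroup_version "$root")" != 2 ]; then
        echo "NOTE: cgroup v1: rootless dockerd cannot enforce resource limits here"
        rc=1
    fi
    echo "delegated controllers: $(delegated_controllers "$root" "$uid")"
    for c in cpu memory pids; do
        controller_delegated "$root" "$uid" "$c" ||
            { echo "MISSING: $c not delegated to user@$uid.service"; rc=1; }
    done
    unit_delegates "$unit" || { echo "MISSING: Delegate=yes in $unit"; rc=1; }
    drv=$(unit_cgroup_driver "$unit")
    echo "cgroup driver from unit: $drv"
    if [ "$drv" = cgroupfs ]; then
        echo "NOTE: cgroupfs driver in rootless mode: containers start, but limits are not enforced"
        rc=1
    fi
    return $rc
}

# Constructed fixture (made-up paths and contents): cgroup v2 mounted, only
# memory and pids delegated to the user slice, and a unit like the quoted one.
make_fixture() {
    base=$(mktemp -d)
    svc="$base/cgroup/user.slice/user-1000.slice/user@1000.service"
    mkdir -p "$svc"
    echo "cpuset cpu io memory pids" > "$base/cgroup/cgroup.controllers"
    echo "memory pids" > "$svc/cgroup.controllers"
    cat > "$base/docker.service" <<'EOF'
[Service]
ExecStart=/usr/share/docker.io/contrib/dockerd-rootless.sh
Delegate=yes
EOF
    echo "$base"
}

# The reporter's workaround 1 applied to the fixture unit: the driver changes,
# the delegated controller set does not.
apply_workaround1() {
    f="$1/docker.service"
    sed 's|^ExecStart=.*|& --exec-opt native.cgroupdriver=cgroupfs|' "$f" > "$f.new" && mv "$f.new" "$f"
}

demo() {
    base=$(make_fixture)
    echo "--- as reported (cgroup v2, cpu not delegated) ---"
    diagnose "$base/cgroup" 1000 "$base/docker.service" || echo "(diagnose exit $?)"
    apply_workaround1 "$base"
    echo "--- after workaround 1 (cgroupfs driver) ---"
    diagnose "$base/cgroup" 1000 "$base/docker.service" || echo "(diagnose exit $?)"
    rm -rf "$base"
}

case "${1:-}" in
    --host) diagnose /sys/fs/cgroup "$(id -u)" "$HOME/.config/systemd/user/docker.service" ;;
    *) demo ;;
esac
```

Run it with no arguments for the fixture demo, or with `--host` to inspect the real /sys/fs/cgroup and ~/.config/systemd/user/docker.service as an unprivileged user. The point of the two NOTE lines is that both workarounds in the report keep containers starting by giving up cgroup-enforced limits rather than by repairing delegation: the cgroupfs driver in rootless mode, like cgroup v1, leaves cpu, memory and pids limits unenforced according to Docker's rootless documentation. The documented way to get the missing controllers delegated on a systemd host is a drop-in for user@.service (Docker's rootless docs show `Delegate=cpu cpuset io memory pids` under `[Service]` in /etc/systemd/system/user@.service.d/delegate.conf, followed by `systemctl daemon-reload`), after which the script's MISSING lines for cpu should disappear on the live host.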