
package/docker-engine: fix runtime problem

Message ID ZsS52zTjT0Ca9twG@waldemar-brodkorb.de
State Changes Requested
Series package/docker-engine: fix runtime problem | expand

Commit Message

Waldemar Brodkorb Aug. 20, 2024, 3:44 p.m. UTC
When starting a container you get:
# docker run nginx
docker0: port 1(veth7743781) entered blocking state
docker0: port 1(veth7743781) entered disabled state
veth7743781: entered allmulticast mode
veth7743781: entered promiscuous mode
docker0: port 1(veth7743781) entered disabled state
veth7743781 (unregistering): left allmulticast mode
veth7743781 (unregistering): left promiscuous mode
docker0: port 1(veth7743781) entered disabled state
docker: Error response from daemon: failed to create task for
container: failed to create shim task: OCI runtime create failed:
error opening file `/proc/self/uid_map`: No such file or directory: unknown.

Add the missing kernel module to allow starting containers.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
---
 package/docker-engine/docker-engine.mk | 1 +
 1 file changed, 1 insertion(+)

Comments

Yann E. MORIN Aug. 20, 2024, 9:26 p.m. UTC | #1
Waldemar, All,

On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
> When starting a container you get:
> # docker run nginx
> docker0: port 1(veth7743781) entered blocking state
> docker0: port 1(veth7743781) entered disabled state
> veth7743781: entered allmulticast mode
> veth7743781: entered promiscuous mode
> docker0: port 1(veth7743781) entered disabled state
> veth7743781 (unregistering): left allmulticast mode
> veth7743781 (unregistering): left promiscuous mode
> docker0: port 1(veth7743781) entered disabled state
> docker: Error response from daemon: failed to create task for
> container: failed to create shim task: OCI runtime create failed:
> error opening file `/proc/self/uid_map`: No such file or directory: unknown.
> 
> Add the missing kernel module to allow starting containers.
> 
> Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
> ---
>  package/docker-engine/docker-engine.mk | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
> index 268b851520..baec32d79d 100644
> --- a/package/docker-engine/docker-engine.mk
> +++ b/package/docker-engine/docker-engine.mk
> @@ -106,6 +106,7 @@ define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
> +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)

As far as I can see, this is an optional feature, and is not strictly
required:

    https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235

So I don't think we should forcefully enable it.

Regards,
Yann E. MORIN.

>  	$(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS)
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS)
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
> -- 
> 2.30.2
> 
Thomas Petazzoni Aug. 20, 2024, 9:32 p.m. UTC | #2
On Tue, 20 Aug 2024 23:26:33 +0200
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
> > When starting a container you get:
> > # docker run nginx
> > docker0: port 1(veth7743781) entered blocking state
> > docker0: port 1(veth7743781) entered disabled state
> > veth7743781: entered allmulticast mode
> > veth7743781: entered promiscuous mode
> > docker0: port 1(veth7743781) entered disabled state
> > veth7743781 (unregistering): left allmulticast mode
> > veth7743781 (unregistering): left promiscuous mode
> > docker0: port 1(veth7743781) entered disabled state
> > docker: Error response from daemon: failed to create task for
> > container: failed to create shim task: OCI runtime create failed:
> > error opening file `/proc/self/uid_map`: No such file or directory: unknown.
> > 
> > Add the missing kernel module to allow starting containers.
> > 
> > Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
> > ---
> >  package/docker-engine/docker-engine.mk | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
> > index 268b851520..baec32d79d 100644
> > --- a/package/docker-engine/docker-engine.mk
> > +++ b/package/docker-engine/docker-engine.mk
> > @@ -106,6 +106,7 @@ define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
> >  	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
> >  	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
> >  	$(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
> > +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)  
> 
> As far as I can see, this is an optional feature, and is not strictly
> required:
> 
>     https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
> 
> So I don't think we should forcefully enable it.

On the other hand, Waldemar is encountering the issue while doing a
simple "docker run <container>", which seems to be like the most basic
thing you would want to do with docker. So if CONFIG_USER_NS is needed
for something as basic as starting up a container, I believe it's not
really an optional feature?

Thomas
Yann E. MORIN Aug. 20, 2024, 10 p.m. UTC | #3
Thomas, All,

On 2024-08-20 23:32 +0200, Thomas Petazzoni via buildroot spake thusly:
> On Tue, 20 Aug 2024 23:26:33 +0200
> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> > On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
[--SNIP--]
> > > Add the missing kernel module to allow starting containers.
[--SNIP--]
> > > +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)  
> > As far as I can see, this is an optional feature, and is not strictly
> > required:
> >     https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
> > So I don't think we should forcefully enable it.
> On the other hand, Waldemar is encountering the issue while doing a
> simple "docker run <container>", which seems to be like the most basic
> thing you would want to do with docker. So if CONFIG_USER_NS is needed
> for something as basic as starting up a container, I believe it's not
> really an optional feature?

In that case, we are missing way more options, like CGROUP_PIDS, SECCOMP,
MEMCG_SWAP_ENABLED, and a good bunch of others...

The way the moby (alias docker-engine) config-check script makes that
flag optional is very peculiar: they run the check in a {} list, which
means any failure is ignored, so their check_flags() failure is ignored
for those options, meaning they really are optional from the point of
view of moby, and they do not require it.

And indeed it is optional, as our runtime test for docker-compose (test
which uses docker-engine) with a custom kernel configuration that does
not have USER_NS, does not fail although it does run multiple
containers...

Regards,
Yann E. MORIN.
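As an added illustration of the check discussed above (this is not moby's contrib/check-config.sh and not part of the patch): a small POSIX-sh checker that reads a kernel .config, requires the options already listed in DOCKER_ENGINE_LINUX_CONFIG_FIXUPS, and treats CONFIG_USER_NS as optional by running its check in a { } group whose failure is discarded. The function names is_set, check_flags and check_config and the sample .config are constructed for this example.

```shell
# Added example: a minimal kernel-config checker in the spirit of moby's
# contrib/check-config.sh (not that script, not part of the patch).
# Required: the options already enabled by the hunk's context lines.
REQUIRED_FLAGS="CGROUP_DEVICE CGROUP_CPUACCT NAMESPACES UTS_NS IPC_NS PID_NS"
# Optional for docker-engine with runc; mandatory for crun (per the thread).
OPTIONAL_FLAGS="USER_NS"

# is_set CONFIG_FILE FLAG: 0 if CONFIG_<FLAG> is built-in (=y) or a module (=m)
is_set() {
    grep -Eq "^CONFIG_$2=[ym]\$" "$1"
}

# check_flags CONFIG_FILE FLAG...: report each flag, return 1 if any is missing
check_flags() {
    cfg=$1; shift
    missing=0
    for f in "$@"; do
        if is_set "$cfg" "$f"; then
            echo "CONFIG_$f: enabled"
        else
            echo "CONFIG_$f: missing"
            missing=1
        fi
    done
    return $missing
}

# check_config CONFIG_FILE: fail only on required flags; the optional check runs
# in a { } group whose status is discarded, so a missing USER_NS is reported
# but does not fail the check (the behaviour described in the thread).
check_config() {
    echo "Required options:"
    check_flags "$1" $REQUIRED_FLAGS || return 1
    echo "Optional options (crun needs them, runc does not):"
    { check_flags "$1" $OPTIONAL_FLAGS; } || true
    return 0
}

# Constructed sample .config: the hunk's context options without USER_NS,
# like the docker-compose runtime-test kernel mentioned in the thread.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
# CONFIG_USER_NS is not set
EOF
check_config "$SAMPLE_CFG"
```

Point check_config at a real kernel .config (or `zcat /proc/config.gz`) to see which of the docker-engine options a board's kernel lacks before enabling them in a package's kernel-config fixups.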
TIAN Yuanhao Aug. 21, 2024, 6:18 a.m. UTC | #4
At 2024-08-21 06:00:49, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
>Thomas, All,
>
>On 2024-08-20 23:32 +0200, Thomas Petazzoni via buildroot spake thusly:
>> On Tue, 20 Aug 2024 23:26:33 +0200
>> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
>> > On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
>[--SNIP--]
>> > > Add the missing kernel module to allow starting containers.
>[--SNIP--]
>> > > +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)  
>> > As far as I can see, this is an optional feature, and is not strictly
>> > required:
>> >     https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
>> > So I don't think we should forcefully enable it.
>> On the other hand, Waldemar is encountering the issue while doing a
>> simple "docker run <container>", which seems to be like the most basic
>> thing you would want to do with docker. So if CONFIG_USER_NS is needed
>> for something as basic as starting up a container, I believe it's not
>> really an optional feature?
>
>In that case, we are missing way more options, like CGROUP_PIDS, SECCOMP,
>MEMCG_SWAP_ENABLED, and a good bunch of others...
>
>The way the moby (alias docker-engine) config-check script makes that
>flag optional is very peculiar: they run the check in a {} list, which
>means any failure is ignored, so their check_flags() failure is ignored
>for those options, meaning they really are optional from the point of
>view of moby, and they do not require it.
>
>And indeed it is optional, as our runtime test for docker-compose (test
>which uses docker-engine) with a custom kernel configuration that does
>not have USER_NS, does not fail although it does run multiple
>containers...

In fact, USER_NS is optional for runc, but mandatory for crun.

>
>Regards,
>Yann E. MORIN.
>
--
Regards,
TIAN Yuanhao
Yann E. MORIN Aug. 21, 2024, 7:12 a.m. UTC | #5
Yuanhao, All,

On 2024-08-21 14:18 +0800, TIAN Yuanhao spake thusly:
> At 2024-08-21 06:00:49, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> >On 2024-08-20 23:32 +0200, Thomas Petazzoni via buildroot spake thusly:
> >> On Tue, 20 Aug 2024 23:26:33 +0200
> >> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> >> > On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
> >> > > +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)  
> >> > As far as I can see, this is an optional feature, and is not strictly
> >> > required:
> >> >     https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
> >> > So I don't think we should forcefully enable it.
> >> On the other hand, Waldemar is encountering the issue while doing a
> >> simple "docker run <container>", which seems to be like the most basic
> >> thing you would want to do with docker. So if CONFIG_USER_NS is needed
> >> for something as basic as starting up a container, I believe it's not
> >> really an optional feature?
[--SNIP--]
> In fact, USER_NS is optional for runc, but mandatory for crun.

OK, but still, for docker-engine *itself*, USER_NS is optional, as we
can clearly see in our runtime test that does not enable USER_NS and
still succeeds at running containers.

And indeed, our runtime test uses runc, so it kinda makes sense that it
works.

But then, if that's crun that needs USER_NS, enabling USER_NS in the
kernel config should be done in the crun package, not in the
docker-engine one.

Thanks for the feedback!

Regards,
Yann E. MORIN.

Patch

diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
index 268b851520..baec32d79d 100644
--- a/package/docker-engine/docker-engine.mk
+++ b/package/docker-engine/docker-engine.mk
@@ -106,6 +106,7 @@  define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
 	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
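Review bot: the added KCONFIG_ENABLE_OPT,CONFIG_USER_NS line is in the wrong package's fixups: the thread establishes that USER_NS is optional for docker-engine with runc (the docker-compose runtime test runs containers on a kernel without it) and mandatory only for crun, so the line belongs in the crun package's kernel-config fixups, not in DOCKER_ENGINE_LINUX_CONFIG_FIXUPS, where it would be forced on every docker-engine user. The commit message also needs fixing: it says "Add the missing kernel module", but CONFIG_USER_NS is a boolean Kconfig option enabled via KCONFIG_ENABLE_OPT, not a loadable module, and it should name the OCI runtime (crun) whose open of `/proc/self/uid_map` fails, so that a reader of the log understands why a docker-engine change points at user namespaces.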