Message ID | ZsS52zTjT0Ca9twG@waldemar-brodkorb.de |
---|---|
State | Changes Requested |
Series | package/docker-engine: fix runtime problem |
Waldemar, All,

On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
> When starting a container you get:
> # docker run nginx
> docker0: port 1(veth7743781) entered blocking state
> docker0: port 1(veth7743781) entered disabled state
> veth7743781: entered allmulticast mode
> veth7743781: entered promiscuous mode
> docker0: port 1(veth7743781) entered disabled state
> veth7743781 (unregistering): left allmulticast mode
> veth7743781 (unregistering): left promiscuous mode
> docker0: port 1(veth7743781) entered disabled state
> docker: Error response from daemon: failed to create task for
> container: failed to create shim task: OCI runtime create failed:
> error opening file `/proc/self/uid_map`: No such file or directory: unknown.
>
> Add the missing kernel module to allow starting containers.
>
> Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
> ---
> package/docker-engine/docker-engine.mk | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
> index 268b851520..baec32d79d 100644
> --- a/package/docker-engine/docker-engine.mk
> +++ b/package/docker-engine/docker-engine.mk
> @@ -106,6 +106,7 @@ define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
> + $(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)

As far as I can see, this is an optional feature, and is not strictly
required:

https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235

So I don't think we should forcefully enable it.

Regards,
Yann E. MORIN.

> $(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS)
> $(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS)
> $(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
> --
> 2.30.2
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
On Tue, 20 Aug 2024 23:26:33 +0200
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
> > When starting a container you get:
> > # docker run nginx
> > docker0: port 1(veth7743781) entered blocking state
> > docker0: port 1(veth7743781) entered disabled state
> > veth7743781: entered allmulticast mode
> > veth7743781: entered promiscuous mode
> > docker0: port 1(veth7743781) entered disabled state
> > veth7743781 (unregistering): left allmulticast mode
> > veth7743781 (unregistering): left promiscuous mode
> > docker0: port 1(veth7743781) entered disabled state
> > docker: Error response from daemon: failed to create task for
> > container: failed to create shim task: OCI runtime create failed:
> > error opening file `/proc/self/uid_map`: No such file or directory: unknown.
> >
> > Add the missing kernel module to allow starting containers.
> >
> > Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
> > ---
> > package/docker-engine/docker-engine.mk | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
> > index 268b851520..baec32d79d 100644
> > --- a/package/docker-engine/docker-engine.mk
> > +++ b/package/docker-engine/docker-engine.mk
> > @@ -106,6 +106,7 @@ define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
> > $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
> > $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
> > $(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
> > + $(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
>
> As far as I can see, this is an optional feature, and is not strictly
> required:
>
> https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
>
> So I don't think we should forcefully enable it.

On the other hand, Waldemar is encountering the issue while doing a
simple "docker run <container>", which seems to be like the most basic
thing you would want to do with docker. So if CONFIG_USER_NS is needed
for something as basic as starting up a container, I believe it's not
really an optional feature?

Thomas
Thomas, All,

On 2024-08-20 23:32 +0200, Thomas Petazzoni via buildroot spake thusly:
> On Tue, 20 Aug 2024 23:26:33 +0200
> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> > On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
[--SNIP--]
> > > Add the missing kernel module to allow starting containers.
[--SNIP--]
> > > + $(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
> > As far as I can see, this is an optional feature, and is not strictly
> > required:
> > https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
> > So I don't think we should forcefully enable it.
> On the other hand, Waldemar is encountering the issue while doing a
> simple "docker run <container>", which seems to be like the most basic
> thing you would want to do with docker. So if CONFIG_USER_NS is needed
> for something as basic as starting up a container, I believe it's not
> really an optional feature?

In that case, we are missing way more options, like CGROUP_PIDS, SECCOMP,
MEMCG_SWAP_ENABLED, and a good bunch of others...

The way the moby (alias docker-engine) config-check script makes that
flag optional is very peculiar: they run the check in a {} list, which
means any failure is ignored, so their check_flags() failure is ignored
for those options, meaning they really are optional from the point of
view of moby, and they do not require it.

And indeed it is optional, as our runtime test for docker-compose (test
which uses docker-engine) with a custom kernel configuration that does
not have USER_NS, does not fail although it does run multiple
containers...

Regards,
Yann E. MORIN.
At 2024-08-21 06:00:49, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
>Thomas, All,
>
>On 2024-08-20 23:32 +0200, Thomas Petazzoni via buildroot spake thusly:
>> On Tue, 20 Aug 2024 23:26:33 +0200
>> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
>> > On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
>[--SNIP--]
>> > > Add the missing kernel module to allow starting containers.
>[--SNIP--]
>> > > + $(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
>> > As far as I can see, this is an optional feature, and is not strictly
>> > required:
>> > https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
>> > So I don't think we should forcefully enable it.
>> On the other hand, Waldemar is encountering the issue while doing a
>> simple "docker run <container>", which seems to be like the most basic
>> thing you would want to do with docker. So if CONFIG_USER_NS is needed
>> for something as basic as starting up a container, I believe it's not
>> really an optional feature?
>
>In that case, we are missing way more options, like CGROUP_PIDS, SECCOMP,
>MEMCG_SWAP_ENABLED, and a good bunch of others...
>
>The way the moby (alias docker-engine) config-check script makes that
>flag optional is very peculiar: they run the check in a {} list, which
>means any failure is ignored, so their check_flags() failure is ignored
>for those options, meaning they really are optional from the point of
>view of moby, and they do not require it.
>
>And indeed it is optional, as our runtime test for docker-compose (test
>which uses docker-engine) with a custom kernel configuration that does
>not have USER_NS, does not fail although it does run multiple
>containers...

In fact, USER_NS is optional for runc, but mandatory for crun.

>
>Regards,
>Yann E. MORIN.
>

--
Regards,
TIAN Yuanhao
Yuanhao, All,

On 2024-08-21 14:18 +0800, TIAN Yuanhao spake thusly:
> At 2024-08-21 06:00:49, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> >On 2024-08-20 23:32 +0200, Thomas Petazzoni via buildroot spake thusly:
> >> On Tue, 20 Aug 2024 23:26:33 +0200
> >> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> >> > On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
> >> > > + $(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
> >> > As far as I can see, this is an optional feature, and is not strictly
> >> > required:
> >> > https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
> >> > So I don't think we should forcefully enable it.
> >> On the other hand, Waldemar is encountering the issue while doing a
> >> simple "docker run <container>", which seems to be like the most basic
> >> thing you would want to do with docker. So if CONFIG_USER_NS is needed
> >> for something as basic as starting up a container, I believe it's not
> >> really an optional feature?
[--SNIP--]
> In fact, USER_NS is optional for runc, but mandatory for crun.

OK, but still, for docker-engine *itself*, USER_NS is optional, as we
can clearly see in our runtime test that does not enable USER_NS and
still succeeds at running containers.

And indeed, our runtime test uses runc, so it kinda makes sense that it
works.

But then, if that's crun that needs USER_NS, enabling USER_NS in the
kernel config should be done in the crun package, not in the
docker-engine one.

Thanks for the feedback!

Regards,
Yann E. MORIN.
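The thread settles on two facts that a practitioner hitting this error wants to verify on their own board before touching any package: whether the kernel actually has CONFIG_USER_NS (the `/proc/self/uid_map` open failure is the direct symptom of its absence), and whether the OCI runtime in use is one that needs it. The script below is an added example, not code from the Buildroot project, from moby's check-config.sh, or from any package in the thread. The function names, the `preflight` verdict codes and the constructed .config fragment are this example's own; the runc/crun distinction it encodes is taken from TIAN Yuanhao's message above, and anything other than those two runtimes is deliberately reported as undetermined rather than guessed.

```sh
#!/bin/sh
# Added example, not code from the Buildroot thread, from moby's check-config.sh
# or from any of the packages discussed. A pre-flight check for the failure
# reported above: "error opening file `/proc/self/uid_map`: No such file or
# directory" is what an OCI runtime prints when the kernel was built without
# CONFIG_USER_NS. Function and file names here are this example's own.

# 0 if the kernel config at $1 has CONFIG_USER_NS=y, 1 otherwise.
# Takes a plain .config or a gzip'd one such as /proc/config.gz.
userns_in_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac | grep -qx 'CONFIG_USER_NS=y'
}

# 0 if the running kernel exposes user namespaces. $1 is the procfs root
# (default /proc) so the check can be pointed at a constructed tree.
userns_in_running_kernel() {
    [ -r "${1:-/proc}/self/uid_map" ]
}

# Which OCI runtimes need USER_NS, per TIAN Yuanhao's statement in the thread:
# optional for runc, mandatory for crun. 0 = required, 1 = not required,
# 2 = unknown runtime (assumption: anything else is reported as undetermined).
runtime_requires_userns() {
    case "$1" in
        crun) return 0 ;;
        runc) return 1 ;;
        *)    return 2 ;;
    esac
}

# Combined verdict for kernel config $1 and runtime $2:
# 0 = containers will start, 1 = expect the uid_map error, 2 = undetermined.
preflight() {
    cfg="$1" rt="$2"
    if userns_in_config "$cfg"; then
        return 0
    fi
    # Capture the status without tripping `set -e` in callers.
    runtime_requires_userns "$rt" && need=0 || need=$?
    case "$need" in
        0) return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# Human-readable wrapper for interactive use; returns preflight's code.
preflight_report() {
    preflight "$1" "$2" && rc=0 || rc=$?
    case "$rc" in
        0) echo "ok: CONFIG_USER_NS present, or not needed by $2" ;;
        1) echo "FAIL: CONFIG_USER_NS missing and $2 requires it" ;;
        *) echo "unknown runtime '$2': check its requirements by hand" ;;
    esac
    return "$rc"
}

# Stand-alone run: `sh userns_check.sh <kernel .config|config.gz> <runtime>`.
# With no arguments, exercise the logic on a constructed .config fragment that
# mirrors the thread (NAMESPACES on, USER_NS off).
if [ "$#" -eq 2 ]; then
    preflight_report "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo_cfg=$(mktemp)
    printf '%s\n' 'CONFIG_NAMESPACES=y' '# CONFIG_USER_NS is not set' \
        'CONFIG_UTS_NS=y' 'CONFIG_IPC_NS=y' 'CONFIG_PID_NS=y' > "$demo_cfg"
    preflight_report "$demo_cfg" runc
    preflight_report "$demo_cfg" crun || :
    rm -f "$demo_cfg"
fi
```

On a target, point it at the kernel's own config and at the runtime dockerd really uses, e.g. `sh userns_check.sh /proc/config.gz "$(docker info -f '{{.DefaultRuntime}}')"`; /proc/config.gz only exists when the kernel was built with CONFIG_IKCONFIG_PROC, otherwise pass the .config from the Buildroot output directory. The `userns_in_running_kernel` check is the same open that the failing runtime attempted, so it is the quickest confirmation that the kernel, not the container image, is what is missing.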
diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk index 268b851520..baec32d79d 100644 --- a/package/docker-engine/docker-engine.mk +++ b/package/docker-engine/docker-engine.mk @@ -106,6 +106,7 @@ define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE) $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT) $(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES) + $(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS) $(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS) $(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS) $(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
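Review bot: the `$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)` line is added to DOCKER_ENGINE_LINUX_CONFIG_FIXUPS, but the thread establishes that docker-engine itself does not need it (the docker-compose runtime test runs containers on a kernel without USER_NS, using runc) and that the hard requirement is crun's, so this option belongs in the crun package's kernel config fixups rather than in this hunk. Two smaller points for the commit message: CONFIG_USER_NS is a boolean Kconfig option, not a "kernel module", and the message should name the OCI runtime that produced the `/proc/self/uid_map` error so the failure can be reproduced and the fix placed with the right package. Note also that forcing this option on for every docker-engine board enables unprivileged user namespaces kernel-wide, which is an attack-surface decision a board owner should make deliberately rather than inherit from a package fixup.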
When starting a container you get:

# docker run nginx
docker0: port 1(veth7743781) entered blocking state
docker0: port 1(veth7743781) entered disabled state
veth7743781: entered allmulticast mode
veth7743781: entered promiscuous mode
docker0: port 1(veth7743781) entered disabled state
veth7743781 (unregistering): left allmulticast mode
veth7743781 (unregistering): left promiscuous mode
docker0: port 1(veth7743781) entered disabled state
docker: Error response from daemon: failed to create task for
container: failed to create shim task: OCI runtime create failed:
error opening file `/proc/self/uid_map`: No such file or directory: unknown.

Add the missing kernel module to allow starting containers.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
---
package/docker-engine/docker-engine.mk | 1 +
1 file changed, 1 insertion(+)