* [Buildroot] [PATCH] package/docker-engine: fix runtime problem
  From: Waldemar Brodkorb @ 2024-08-20 15:44 UTC
  To: buildroot; +Cc: Christian Stewart

When starting a container you get:

# docker run nginx
docker0: port 1(veth7743781) entered blocking state
docker0: port 1(veth7743781) entered disabled state
veth7743781: entered allmulticast mode
veth7743781: entered promiscuous mode
docker0: port 1(veth7743781) entered disabled state
veth7743781 (unregistering): left allmulticast mode
veth7743781 (unregistering): left promiscuous mode
docker0: port 1(veth7743781) entered disabled state
docker: Error response from daemon: failed to create task for
container: failed to create shim task: OCI runtime create failed:
error opening file `/proc/self/uid_map`: No such file or directory: unknown.

Add the missing kernel module to allow starting containers.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
---
 package/docker-engine/docker-engine.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
index 268b851520..baec32d79d 100644
--- a/package/docker-engine/docker-engine.mk
+++ b/package/docker-engine/docker-engine.mk
@@ -106,6 +106,7 @@ define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
 	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
-- 
2.30.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
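Review bot: the commit message says "Add the missing kernel module", but the hunk enables CONFIG_USER_NS through KCONFIG_ENABLE_OPT inside DOCKER_ENGINE_LINUX_CONFIG_FIXUPS, i.e. a kernel configuration option that is forced on for every docker-engine build, not a loadable module; reword the message to name the option and say why it is needed. The failing open of `/proc/self/uid_map` is reported by the OCI runtime ("OCI runtime create failed"), so the message should also state which runtime and version produced it, since that is what decides whether the option belongs in this package's fixups or in the runtime package's.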
* Re: [Buildroot] [PATCH] package/docker-engine: fix runtime problem
  From: Yann E. MORIN @ 2024-08-20 21:26 UTC
  To: Waldemar Brodkorb; +Cc: Christian Stewart, buildroot

Waldemar, All,

On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
> When starting a container you get:
> # docker run nginx
> docker0: port 1(veth7743781) entered blocking state
> docker0: port 1(veth7743781) entered disabled state
> veth7743781: entered allmulticast mode
> veth7743781: entered promiscuous mode
> docker0: port 1(veth7743781) entered disabled state
> veth7743781 (unregistering): left allmulticast mode
> veth7743781 (unregistering): left promiscuous mode
> docker0: port 1(veth7743781) entered disabled state
> docker: Error response from daemon: failed to create task for
> container: failed to create shim task: OCI runtime create failed:
> error opening file `/proc/self/uid_map`: No such file or directory: unknown.
> 
> Add the missing kernel module to allow starting containers.
> 
> Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
> ---
>  package/docker-engine/docker-engine.mk | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
> index 268b851520..baec32d79d 100644
> --- a/package/docker-engine/docker-engine.mk
> +++ b/package/docker-engine/docker-engine.mk
> @@ -106,6 +106,7 @@ define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
> +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)

As far as I can see, this is an optional feature, and is not strictly
required:

    https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235

So I don't think we should forcefully enable it.

Regards,
Yann E. MORIN.

>  	$(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS)
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS)
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
> -- 
> 2.30.2

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
* Re: [Buildroot] [PATCH] package/docker-engine: fix runtime problem
  From: Thomas Petazzoni via buildroot @ 2024-08-20 21:32 UTC
  To: Yann E. MORIN; +Cc: Christian Stewart, buildroot

On Tue, 20 Aug 2024 23:26:33 +0200
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
> > When starting a container you get:
> > # docker run nginx
> > docker0: port 1(veth7743781) entered blocking state
> > docker0: port 1(veth7743781) entered disabled state
> > veth7743781: entered allmulticast mode
> > veth7743781: entered promiscuous mode
> > docker0: port 1(veth7743781) entered disabled state
> > veth7743781 (unregistering): left allmulticast mode
> > veth7743781 (unregistering): left promiscuous mode
> > docker0: port 1(veth7743781) entered disabled state
> > docker: Error response from daemon: failed to create task for
> > container: failed to create shim task: OCI runtime create failed:
> > error opening file `/proc/self/uid_map`: No such file or directory: unknown.
> > 
> > Add the missing kernel module to allow starting containers.
> > 
> > Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
> > ---
> >  package/docker-engine/docker-engine.mk | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
> > index 268b851520..baec32d79d 100644
> > --- a/package/docker-engine/docker-engine.mk
> > +++ b/package/docker-engine/docker-engine.mk
> > @@ -106,6 +106,7 @@ define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
> >  	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
> >  	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
> >  	$(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
> > +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
> 
> As far as I can see, this is an optional feature, and is not strictly
> required:
> 
>     https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
> 
> So I don't think we should forcefully enable it.

On the other hand, Waldemar is encountering the issue while doing a
simple "docker run <container>", which seems to be like the most basic
thing you would want to do with docker. So if CONFIG_USER_NS is needed
for something as basic as starting up a container, I believe it's not
really an optional feature?

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH] package/docker-engine: fix runtime problem
  From: Yann E. MORIN @ 2024-08-20 22:00 UTC
  To: Thomas Petazzoni; +Cc: Christian Stewart, buildroot

Thomas, All,

On 2024-08-20 23:32 +0200, Thomas Petazzoni via buildroot spake thusly:
> On Tue, 20 Aug 2024 23:26:33 +0200
> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> > On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
[--SNIP--]
> > > Add the missing kernel module to allow starting containers.
[--SNIP--]
> > > +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
> > As far as I can see, this is an optional feature, and is not strictly
> > required:
> >     https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
> > So I don't think we should forcefully enable it.
> On the other hand, Waldemar is encountering the issue while doing a
> simple "docker run <container>", which seems to be like the most basic
> thing you would want to do with docker. So if CONFIG_USER_NS is needed
> for something as basic as starting up a container, I believe it's not
> really an optional feature?

In that case, we are missing way more options, like CGROUP_PIDS, SECCOMP,
MEMCG_SWAP_ENABLED, and a good bunch of others...

The way the moby (alias docker-engine) config-check script makes that
flag optional is very peculiar: they run the check in a {} list, which
means any failure is ignored, so their check_flags() failure is ignored
for those options, meaning they really are optional from the point of
view of moby, and they do not require it.

And indeed it is optional, as our runtime test for docker-compose (test
which uses docker-engine) with a custom kernel configuration that does
not have USER_NS, does not fail although it does run multiple
containers...

Regards,
Yann E. MORIN.
* Re: [Buildroot] [PATCH] package/docker-engine: fix runtime problem
  From: TIAN Yuanhao @ 2024-08-21 6:18 UTC
  To: buildroot; +Cc: Thomas Petazzoni, Christian Stewart, Yann E. MORIN

At 2024-08-21 06:00:49, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
>Thomas, All,
>
>On 2024-08-20 23:32 +0200, Thomas Petazzoni via buildroot spake thusly:
>> On Tue, 20 Aug 2024 23:26:33 +0200
>> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
>> > On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
>[--SNIP--]
>> > > Add the missing kernel module to allow starting containers.
>[--SNIP--]
>> > > +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
>> > As far as I can see, this is an optional feature, and is not strictly
>> > required:
>> >     https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
>> > So I don't think we should forcefully enable it.
>> On the other hand, Waldemar is encountering the issue while doing a
>> simple "docker run <container>", which seems to be like the most basic
>> thing you would want to do with docker. So if CONFIG_USER_NS is needed
>> for something as basic as starting up a container, I believe it's not
>> really an optional feature?
>
>In that case, we are missing way more options, like CGROUP_PIDS, SECCOMP,
>MEMCG_SWAP_ENABLED, and a good bunch of others...
>
>The way the moby (alias docker-engine) config-check script makes that
>flag optional is very peculiar: they run the check in a {} list, which
>means any failure is ignored, so their check_flags() failure is ignored
>for those options, meaning they really are optional from the point of
>view of moby, and they do not require it.
>
>And indeed it is optional, as our runtime test for docker-compose (test
>which uses docker-engine) with a custom kernel configuration that does
>not have USER_NS, does not fail although it does run multiple
>containers...

In fact, USER_NS is optional for runc, but mandatory for crun.

>
>Regards,
>Yann E. MORIN.
>

-- 
Regards,
TIAN Yuanhao
* Re: [Buildroot] [PATCH] package/docker-engine: fix runtime problem
  From: Yann E. MORIN @ 2024-08-21 7:12 UTC
  To: TIAN Yuanhao; +Cc: Thomas Petazzoni, Christian Stewart, buildroot

Yuanhao, All,

On 2024-08-21 14:18 +0800, TIAN Yuanhao spake thusly:
> At 2024-08-21 06:00:49, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> >On 2024-08-20 23:32 +0200, Thomas Petazzoni via buildroot spake thusly:
> >> On Tue, 20 Aug 2024 23:26:33 +0200
> >> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> >> > On 2024-08-20 17:44 +0200, Waldemar Brodkorb spake thusly:
> >> > > +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
> >> > As far as I can see, this is an optional feature, and is not strictly
> >> > required:
> >> >     https://github.com/moby/moby/blob/master/contrib/check-config.sh#L235
> >> > So I don't think we should forcefully enable it.
> >> On the other hand, Waldemar is encountering the issue while doing a
> >> simple "docker run <container>", which seems to be like the most basic
> >> thing you would want to do with docker. So if CONFIG_USER_NS is needed
> >> for something as basic as starting up a container, I believe it's not
> >> really an optional feature?
[--SNIP--]
> In fact, USER_NS is optional for runc, but mandatory for crun.

OK, but still, for docker-engine *itself*, USER_NS is optional, as we
can clearly see in our runtime test that does not enable USER_NS and
still succeeds at running containers. And indeed, our runtime test uses
runc, so it kinda makes sense that it works.

But then, if that's crun that needs USER_NS, enabling USER_NS in the
kernel config should be done in the crun package, not in the
docker-engine one.

Thanks for the feedback!

Regards,
Yann E. MORIN.
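A kernel-config check that encodes the thread's conclusion (USER_NS mandatory with crun, optional with runc) over the options visible in the hunk, as an added example; it is neither Buildroot's docker-engine.mk nor moby's check-config.sh, and the sample .config it reads is constructed.

```shell
#!/bin/sh
# Added example (not Buildroot's or moby's code): read a kernel .config and
# report the options from the hunk, treating CONFIG_USER_NS as required only
# when the OCI runtime is crun and as optional with runc, as the thread concludes.

# Constructed sample .config: the hunk's existing options enabled, USER_NS
# not set, i.e. the kind of kernel that yields the /proc/self/uid_map error.
SAMPLE_CONFIG=$(cat <<'EOF'
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
# CONFIG_USER_NS is not set
EOF
)

# has_option CONFIG_TEXT NAME: succeed if CONFIG_NAME is built in (=y) or
# as a module (=m); a "# ... is not set" line or absence means disabled.
has_option() {
    printf '%s\n' "$1" | grep -Eq "^CONFIG_$2=(y|m)$"
}

# check_docker_kconfig CONFIG_TEXT RUNTIME: print a verdict per option and
# return the count of missing *required* options (0 = usable with RUNTIME).
check_docker_kconfig() {
    config=$1 runtime=$2 missing=0 optional=""
    required="CGROUP_DEVICE CGROUP_CPUACCT NAMESPACES UTS_NS IPC_NS PID_NS"
    case "$runtime" in
        crun) required="$required USER_NS" ;;  # crun needs user namespaces
        *)    optional="USER_NS" ;;            # runc runs without them
    esac
    for opt in $required; do
        if has_option "$config" "$opt"; then
            echo "CONFIG_$opt: enabled"
        else
            echo "CONFIG_$opt: MISSING (required with $runtime)"
            missing=$((missing + 1))
        fi
    done
    for opt in $optional; do
        has_option "$config" "$opt" && echo "CONFIG_$opt: enabled" ||
            echo "CONFIG_$opt: not set (optional with $runtime)"
    done
    return "$missing"
}

# On a target the live config is usually "$(zcat /proc/config.gz)".
check_docker_kconfig "$SAMPLE_CONFIG" runc || echo "-> unusable with runc"
check_docker_kconfig "$SAMPLE_CONFIG" crun || echo "-> unusable with crun"
```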