* [Buildroot] docker package in buildroot
From: Waldemar Brodkorb @ 2024-08-20 9:13 UTC (permalink / raw)
To: buildroot
Hi,
I would like to test Docker (docker-engine) in Buildroot.
When starting a container I get:
# docker run nginx
docker0: port 1(veth7743781) entered blocking state
docker0: port 1(veth7743781) entered disabled state
veth7743781: entered allmulticast mode
veth7743781: entered promiscuous mode
docker0: port 1(veth7743781) entered disabled state
veth7743781 (unregistering): left allmulticast mode
veth7743781 (unregistering): left promiscuous mode
docker0: port 1(veth7743781) entered disabled state
docker: Error response from daemon: failed to create task for
container: failed to create shim task: OCI runtime create failed:
error opening file `/proc/self/uid_map`: No such file or directory:
unknown.
It is inside Qemu aarch64 system with glibc.
Is anyone using Docker in Buildroot? Is it a known problem?
best regards
Waldemar
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] docker package in buildroot
From: Thomas Petazzoni via buildroot @ 2024-08-20 9:45 UTC (permalink / raw)
To: Waldemar Brodkorb; +Cc: buildroot
Hello,
On Tue, 20 Aug 2024 11:13:25 +0200
Waldemar Brodkorb <wbx@openadk.org> wrote:
> I would like to test Docker (docker-engine) in Buildroot.
>
> When starting a container I get:
> # docker run nginx
> docker0: port 1(veth7743781) entered blocking state
> docker0: port 1(veth7743781) entered disabled state
> veth7743781: entered allmulticast mode
> veth7743781: entered promiscuous mode
> docker0: port 1(veth7743781) entered disabled state
> veth7743781 (unregistering): left allmulticast mode
> veth7743781 (unregistering): left promiscuous mode
> docker0: port 1(veth7743781) entered disabled state
> docker: Error response from daemon: failed to create task for
> container: failed to create shim task: OCI runtime create failed:
> error opening file `/proc/self/uid_map`: No such file or directory:
> unknown.
>
> It is inside Qemu aarch64 system with glibc.
Quick question: did you build your kernel with Buildroot, or
separately? If you built it with Buildroot, did you build it with
Docker already enabled?
Indeed the docker-engine package enables a shitload of kernel options:
define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
$(call KCONFIG_ENABLE_OPT,CONFIG_POSIX_MQUEUE)
$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS)
$(call KCONFIG_ENABLE_OPT,CONFIG_MEMCG)
$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_SCHED)
$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_FREEZER)
$(call KCONFIG_ENABLE_OPT,CONFIG_CPUSETS)
$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
$(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS)
$(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS)
$(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
$(call KCONFIG_ENABLE_OPT,CONFIG_NET_NS)
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER)
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_ADVANCED)
$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE_NETFILTER)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNTRACK)
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_IPVS)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NET_CORE)
$(call KCONFIG_ENABLE_OPT,CONFIG_VETH)
$(call KCONFIG_ENABLE_OPT,CONFIG_OVERLAY_FS)
$(call KCONFIG_ENABLE_OPT,CONFIG_KEYS)
$(DOCKER_ENGINE_DRIVER_BTRFS_LINUX_CONFIG_FIXUPS)
$(DOCKER_ENGINE_DRIVER_DM_LINUX_CONFIG_FIXUPS)
endef
Maybe some are missing? :-)
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] docker package in buildroot
From: Waldemar Brodkorb @ 2024-08-20 10:39 UTC (permalink / raw)
To: Thomas Petazzoni; +Cc: buildroot
Hi Thomas,
Thomas Petazzoni wrote,
> Hello,
>
> On Tue, 20 Aug 2024 11:13:25 +0200
> Waldemar Brodkorb <wbx@openadk.org> wrote:
>
> > I would like to test Docker (docker-engine) in Buildroot.
> >
> > When starting a container I get:
> > # docker run nginx
> > docker0: port 1(veth7743781) entered blocking state
> > docker0: port 1(veth7743781) entered disabled state
> > veth7743781: entered allmulticast mode
> > veth7743781: entered promiscuous mode
> > docker0: port 1(veth7743781) entered disabled state
> > veth7743781 (unregistering): left allmulticast mode
> > veth7743781 (unregistering): left promiscuous mode
> > docker0: port 1(veth7743781) entered disabled state
> > docker: Error response from daemon: failed to create task for
> > container: failed to create shim task: OCI runtime create failed:
> > error opening file `/proc/self/uid_map`: No such file or directory:
> > unknown.
> >
> > It is inside Qemu aarch64 system with glibc.
>
> Quick question: did you build your kernel with Buildroot, or
> separately? If you built it with Buildroot, did you build it with
> Docker already enabled?
Yes, I built the Kernel with Buildroot. I used the
qemu-system-aarch64 defconfig and enabled docker.
> Indeed the docker-engine package enables a shitload of kernel options:
>
> define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
> $(call KCONFIG_ENABLE_OPT,CONFIG_POSIX_MQUEUE)
> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS)
> $(call KCONFIG_ENABLE_OPT,CONFIG_MEMCG)
> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_SCHED)
> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_FREEZER)
> $(call KCONFIG_ENABLE_OPT,CONFIG_CPUSETS)
> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
> $(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS)
> $(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS)
> $(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NET_NS)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_ADVANCED)
> $(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE_NETFILTER)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNTRACK)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_IPVS)
> $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
> $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
> $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
> $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
> $(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
> $(call KCONFIG_ENABLE_OPT,CONFIG_NET_CORE)
> $(call KCONFIG_ENABLE_OPT,CONFIG_VETH)
> $(call KCONFIG_ENABLE_OPT,CONFIG_OVERLAY_FS)
> $(call KCONFIG_ENABLE_OPT,CONFIG_KEYS)
> $(DOCKER_ENGINE_DRIVER_BTRFS_LINUX_CONFIG_FIXUPS)
> $(DOCKER_ENGINE_DRIVER_DM_LINUX_CONFIG_FIXUPS)
> endef
>
> Maybe some are missing? :-)
And who knows which ones are missing? :)
best regards
Waldemar
* Re: [Buildroot] docker package in buildroot
From: Fiona Klute via buildroot @ 2024-08-22 14:00 UTC (permalink / raw)
To: buildroot
On 20.08.24 at 12:39, Waldemar Brodkorb wrote:
> Hi Thomas,
> Thomas Petazzoni wrote,
>
>> Hello,
>>
>> On Tue, 20 Aug 2024 11:13:25 +0200
>> Waldemar Brodkorb <wbx@openadk.org> wrote:
>>
>>> I would like to test Docker (docker-engine) in Buildroot.
>>>
>>> When starting a container I get:
>>> # docker run nginx
>>> docker0: port 1(veth7743781) entered blocking state
>>> docker0: port 1(veth7743781) entered disabled state
>>> veth7743781: entered allmulticast mode
>>> veth7743781: entered promiscuous mode
>>> docker0: port 1(veth7743781) entered disabled state
>>> veth7743781 (unregistering): left allmulticast mode
>>> veth7743781 (unregistering): left promiscuous mode
>>> docker0: port 1(veth7743781) entered disabled state
>>> docker: Error response from daemon: failed to create task for
>>> container: failed to create shim task: OCI runtime create failed:
>>> error opening file `/proc/self/uid_map`: No such file or directory:
>>> unknown.
>>>
>>> It is inside Qemu aarch64 system with glibc.
>>
>> Quick question: did you build your kernel with Buildroot, or
>> separately? If you built it with Buildroot, did you build it with
>> Docker already enabled?
>
> Yes, I built the Kernel with Buildroot. I used the
> qemu-system-aarch64 defconfig and enabled docker.
>
>> Indeed the docker-engine package enables a shitload of kernel options:
>>
>> define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
>> $(call KCONFIG_ENABLE_OPT,CONFIG_POSIX_MQUEUE)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_MEMCG)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_SCHED)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_FREEZER)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_CPUSETS)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_NET_NS)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_ADVANCED)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE_NETFILTER)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNTRACK)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_IPVS)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_NET_CORE)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_VETH)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_OVERLAY_FS)
>> $(call KCONFIG_ENABLE_OPT,CONFIG_KEYS)
>> $(DOCKER_ENGINE_DRIVER_BTRFS_LINUX_CONFIG_FIXUPS)
>> $(DOCKER_ENGINE_DRIVER_DM_LINUX_CONFIG_FIXUPS)
>> endef
>>
>> Maybe some are missing? :-)
>
> And who knows which ones are missing? :)
My guess is CONFIG_USER_NS. With its default config the Docker engine
doesn't use user namespaces, I guess you enabled it in your config?
That'd explain why it works with the default setup but fails for you.
I have Docker running in Buildroot on aarch64, but my kernel config
contains CONFIG_USER_NS already. ;-)
Best regards,
Fiona
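
A check for the situation diagnosed in this message, as an added example that is not part of the original e-mail or of Buildroot: it reports which of the kernel options quoted in the thread, plus CONFIG_USER_NS, are not enabled in a kernel .config. The function names and the script's usage are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Buildroot code): report which kernel options Docker needs
# are absent from a kernel .config. The list is the one quoted in the thread
# plus CONFIG_USER_NS, the option the thread identifies as missing.

DOCKER_OPTS="
CONFIG_POSIX_MQUEUE CONFIG_CGROUPS CONFIG_MEMCG CONFIG_CGROUP_SCHED
CONFIG_CGROUP_FREEZER CONFIG_CPUSETS CONFIG_CGROUP_DEVICE CONFIG_CGROUP_CPUACCT
CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_PID_NS CONFIG_NET_NS
CONFIG_USER_NS
CONFIG_NETFILTER CONFIG_NETFILTER_ADVANCED CONFIG_BRIDGE_NETFILTER
CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XTABLES CONFIG_NETFILTER_XT_MATCH_ADDRTYPE
CONFIG_NETFILTER_XT_MATCH_CONNTRACK CONFIG_NETFILTER_XT_MATCH_IPVS
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_BRIDGE CONFIG_NET_CORE CONFIG_VETH
CONFIG_OVERLAY_FS CONFIG_KEYS
"

# Print the config text; also handles a gzip-compressed config such as
# /proc/config.gz (present only when the kernel has CONFIG_IKCONFIG_PROC).
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print, one per line, every option in DOCKER_OPTS that is neither =y nor =m.
missing_docker_opts() {
    cfg_text=$(read_config "$1") || return 2
    for opt in $DOCKER_OPTS; do
        printf '%s\n' "$cfg_text" | grep -Eq "^${opt}=(y|m)\$" || echo "$opt"
    done
}

# Runtime check matching the error in the thread: a kernel built without
# CONFIG_USER_NS does not provide /proc/self/uid_map.
userns_available() {
    [ -e /proc/self/uid_map ]
}

# Usage (assumed): sh check-docker-kconfig.sh path/to/.config
if [ $# -gt 0 ]; then
    missing=$(missing_docker_opts "$1")
    [ -z "$missing" ] || { echo "not enabled:"; echo "$missing"; exit 1; }
fi
```

On the target itself, `userns_available` gives the same answer without needing the build tree.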
* Re: [Buildroot] docker package in buildroot
From: Yann E. MORIN @ 2024-08-22 15:52 UTC (permalink / raw)
To: Fiona Klute; +Cc: buildroot
Fiona, All,
On 2024-08-22 16:00 +0200, Fiona Klute via buildroot spake thusly:
> On 20.08.24 at 12:39, Waldemar Brodkorb wrote:
> > > On Tue, 20 Aug 2024 11:13:25 +0200
> > > Waldemar Brodkorb <wbx@openadk.org> wrote:
> > > > When starting a container I get:
[--SNIP--]
> > > > docker: Error response from daemon: failed to create task for
> > > > container: failed to create shim task: OCI runtime create failed:
> > > > error opening file `/proc/self/uid_map`: No such file or directory:
> > > > unknown.
[--SNIP--]
> > > Indeed the docker-engine package enables a shitload of kernel options:
> > And who knows which ones are missing? :)
> My guess is CONFIG_USER_NS. With its default config the Docker engine
> doesn't use user namespaces, I guess you enabled it in your config?
> That'd explain why it works with the default setup but fails for you.
Thanks for the feedback, and for confirming USER_NS is needed; Waldemar
already sent a patch enabling USER_NS:
https://lore.kernel.org/buildroot/ZsWTTvL0qv6By7lK@landeda/T/#mc8b308c86882ccd8934dd24f9c6a55028861be39
However, I had some comments on it:
https://lore.kernel.org/buildroot/ZsWTTvL0qv6By7lK@landeda/T/#mc49f4054e2612b4c432c63b12e9112e06ff9b863
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'