Docker and user namespaces on F30

Hi,

I just updated to F30 and my docker setup with user namespaces doesn't
work anymore. When I try to run:
docker run -it --rm docker.io/php:7-fpm-alpine sh
I get this error:
docker: Error response from daemon: OCI runtime create failed:
container_linux.go:348: starting container process caused
"process_linux.go:402: container init caused \"rootfs_linux.go:58:
mounting \\\"mqueue\\\" to rootfs
\\\"/var/lib/docker/1000.1001/btrfs/subvolumes/38ce5c87e31bbbcec010db85
383d1af57e8652ff4e4c411cebe0c2102a36a020\\\" at \\\"/dev/mqueue\\\"
caused \\\"operation not permitted\\\"\"": unknown.

I tried to disable SELinux with setenforce 0 but got the same result.

However, dk run --userns=host -it --rm docker.io/php:7-fpm-alpine sh
works fine. So it seems to be limited to user namespaces.

My kernel: 5.0.9-301.fc30.x86_64

Any ideas on where this may come from? This worked fine on F29 (and
probably on older versions too, I have this setup for a while now).

Regards,

Comments

Re: Docker and user namespaces on F30

By Jun Aruga at 05/06/2019 - 10:17

Podman 1.2 and Docker CE 18.09.5 on My Fedora 30 work for your use case.

$ rpm -q kernel
kernel-5.0.5-200.fc29.x86_64
kernel-5.0.10-200.fc29.x86_64
kernel-5.0.10-300.fc30.x86_64

$ podman --version
podman version 1.2.0

$ podman run -it --rm docker.io/php:7-fpm-alpine sh
/var/www/html # uname -a
Linux f8b9dafd7816 5.0.10-300.fc30.x86_64 #1 SMP Tue Apr 30 16:22:12
UTC 2019 x86_64 Linux

$ docker --version
Docker version 18.09.5, build e8ff056

$ docker run -it --rm docker.io/php:7-fpm-alpine sh
/var/www/html # uname -a
Linux 936e897b0a9b 5.0.10-300.fc30.x86_64 #1 SMP Tue Apr 30 16:22:12
UTC 2019 x86_64 Linux

On Sat, May 4, 2019 at 5:05 PM Julien Enselme < ... at jujens dot eu> wrote:

Re: Docker and user namespaces on F30

By Tomasz Torcz at 05/10/2019 - 13:10

On Mon, May 06, 2019 at 04:17:18PM +0200, Jun Aruga wrote:
This is not what Fedora ships. We have (in F30)
docker-1.13.1-67.git1185cfd or moby-engine-18.06.3-2.ce.gitd7080c1.

Re: Docker and user namespaces on F30

By Michael Catanzaro at 05/10/2019 - 13:21

On Fri, May 10, 2019 at 12:10 PM, Tomasz Torcz < ... at pipebreaker dot pl>
wrote:
What is going on with this very weird, very confusing versioning? The
Fedora version doesn't even look like the upstream date-based version
numbers? Is the Fedora release really just that old?

Re: Docker and user namespaces on F30

By Jun Aruga at 05/13/2019 - 07:23

Yes, it's not what Fedora ships, because I wanted to use the feature below
in my use cases.
The docker Fedora ships does not have the feature, but podman has it.

https://github.com/moby/moby/blob/master/CHANGELOG.md
The rpms/docker will be removed on F31. I guess after F31,
rpms/podman's podman-docker is the new one for the docker command.

https://src.fedoraproject.org/rpms/docker/tree/master
https://src.fedoraproject.org/rpms/podman/blob/master/f/podman.spec#_520

I use both Podman and Docker CE to check compatibilities between them
and check Docker CE's new features, reporting them to podman's GitHub as
contributions.
I think that it's beneficial that someone does this to know the trend,
not to be isolated from the market's needs.

Yes, the Fedora release is old.
Though I might be wrong, I suppose it's because docker changed
the versioning and license policy at some point in the past.
Fedora can not ship it because of that.
After F31, you do not see the confusing versioning, because
podman-docker is shipped instead of docker.

Re: Docker and user namespaces on F30

By Julien Enselme at 05/08/2019 - 09:43

Sadly this doesn't work either. With podman, I have this error:
ERRO[0004] Error pulling image ref //php:7-fpm-alpine: Error committing
the finished image: error adding layer with blob
"sha256:f581654c6ada4fba71ebfbfe4cd96430abe7b5dabebd92a6a62c11391a79cc9
8": Error processing tar file(exit status 1): there might not be enough
IDs available in the namespace (requested 82:82 for /home/www-data):
lchown /home/www-data: invalid argument
Failed
Error: unable to pull docker.io/php:7-fpm-alpine: unable to pull image:
Error committing the finished image: error adding layer with blob
"sha256:f581654c6ada4fba71ebfbfe4cd96430abe7b5dabebd92a6a62c11391a79cc9
8": Error processing tar file(exit status 1): there might not be enough
IDs available in the namespace (requested 82:82 for /home/www-data):
lchown /home/www-data: invalid argument

Which looks even stranger.

I see we don't have the same version of docker. I have version 18.06.3,
build d7080c1. Did you install docker from
https://docs.docker.com/install/ ?
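A check for the ID mapping behind the "there might not be enough IDs available in the namespace" error quoted above, added here as an example and not code from any poster: it parses /etc/subuid-style entries (a constructed sample, not the poster's file) and confirms that the in-container ID the image layer asks for (82 in the error) falls inside the remap user's subordinate range. The user name dockremap is Docker's default userns-remap user and is an assumption here; for rootless podman the relevant entry is the invoking user's own.

```shell
#!/bin/sh
# Constructed sample of /etc/subuid content (not taken from the thread):
# dockremap gets 65536 subordinate IDs, tinyuser only 50, which is too few
# to map container UID 82 (www-data in the php image).
SUBUID_SAMPLE='dockremap:100000:65536
tinyuser:165536:50'

# subid_range_len USER CONTENT
# Prints the total number of subordinate IDs granted to USER, summing all
# of its lines, since a user may own several ranges.
subid_range_len() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { n += $3 } END { print n + 0 }'
}

# can_map USER ID CONTENT
# Container IDs 0..N-1 are mapped onto the first N subordinate IDs, so an
# in-container ID is mappable only if it is smaller than the range length.
# Returns 0 when ID maps, 1 otherwise (the lchown EINVAL case).
can_map() {
    len=$(subid_range_len "$1" "$3")
    [ "$2" -lt "$len" ]
}

# diagnose USER ID CONTENT
# Prints a one-line verdict a sysadmin can act on.
diagnose() {
    if can_map "$1" "$2" "$3"; then
        echo "ok: $1 can map container ID $2 ($(subid_range_len "$1" "$3") IDs)"
    else
        echo "insufficient: $1 has $(subid_range_len "$1" "$3") IDs, needs at least $(($2 + 1))"
    fi
}

# Real-system usage: check the host's files when they exist. Output is
# informational only; the functions above are what the caller should use.
if [ -r /etc/subuid ] && [ -r /etc/subgid ]; then
    diagnose dockremap 82 "$(cat /etc/subuid)"
    diagnose dockremap 82 "$(cat /etc/subgid)"
fi
```

Run the same check against /etc/subgid for the group half of the 82:82 ownership, since the two files are granted independently.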

Re: Docker and user namespaces on F30

By Jun Aruga at 05/08/2019 - 13:09

Yes, for docker-ce I installed it from the page's Linux/Fedora page
when I used Fedora 29.

If you are fine with removing all the images, try the one below.

$ sudo systemctl stop docker
$ cd /var/lib/
$ sudo rm -rf docker
$ sudo systemctl start docker
<= recreate initial /var/lib/docker
$ docker run -it --rm docker.io/php:7-fpm-alpine sh

For podman, if you have not set the rootless setting to run podman
without sudo, you can try it with sudo.

$ sudo podman run -it --rm docker.io/php:7-fpm-alpine sh

Does the command below work for you?

$ docker run -t --rm docker.io/alpine uname -a
Linux 828dcafd0bbe 5.0.10-300.fc30.x86_64 #1 SMP Tue Apr 30 16:22:12
UTC 2019 x86_64 Linux

What is the dk command?

Re: Docker and user namespaces on F30

By Julien Enselme at 05/09/2019 - 03:47

On Wed, 2019-05-08 at 19:09 +0200, Jun Aruga wrote:
I tried and it didn't work.

An alias to the docker command. I forgot to edit the command after
pasting it here. Sorry.

I managed to make the command work after updating to docker 18.09.5
(same version as you). Docker doesn't officially provide an RPM for Fedora
30 for the stable version of docker yet, but I was able to build it from the
SRPM available on koji for F31.

So I guess I'll just ask if this version can be pushed to F30.