Docker run fails in container with security.nesting true

@stgraber

I have applied these configs:

$ lxc config show docker
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
architecture: x86_64
config:
  image.architecture: x86_64
  image.description: Ubuntu 20.04 LTS server (20210510)
  image.os: ubuntu
  image.release: focal
  linux.kernel_modules: arp_tables,br_netfilter,ip6table_filter,iptable_filter,overlay
  security.nesting: "true"
  security.syscalls.intercept.bpf: "true"
  security.syscalls.intercept.bpf.devices: "true"
  volatile.base_image: fa972674c1b11e54f47e99fac4ecfb57e1a019faa70e654dbfe0f11712655c1a
  volatile.eth0.host_name: veth1b2f173d
  volatile.eth0.hwaddr: 00:16:3e:c9:8e:69
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: a202841b-c4d5-4f69-a181-6407b5b13efb
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""

I’m still seeing the following:

error

$ sudo docker run hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: process_linux.go:458: setting cgroup config for procHooks process caused: can't load program: operation not permitted: unknown.
ERRO[0000] error waiting for container: context canceled

logs

Jun  2 19:44:29 docker systemd-networkd[178]: vethf8c705c: Link UP
Jun  2 19:44:29 docker networkd-dispatcher[211]: WARNING:Unknown index 7 seen, reloading interface list
Jun  2 19:44:29 docker systemd-udevd[1162]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun  2 19:44:29 docker systemd-udevd[1162]: Using default interface naming scheme 'v245'.
Jun  2 19:44:29 docker systemd-udevd[1162]: veth8e97b63: Could not generate persistent MAC: No data available
Jun  2 19:44:29 docker systemd-udevd[1163]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun  2 19:44:29 docker systemd-udevd[1163]: Using default interface naming scheme 'v245'.
Jun  2 19:44:29 docker systemd-udevd[1163]: vethf8c705c: Could not generate persistent MAC: No data available
Jun  2 19:44:30 docker containerd[241]: time="2021-06-02T19:44:29.999932313Z" level=info msg="starting signal loop" namespace=moby path=/run/containerd/io.containerd.runtime.v2.task/moby/a8780af0b35f4801788bdd103496d0ad1ca8ef9edf04a347a3db018ceba6776d pid=1180
Jun  2 19:44:30 docker systemd[1]: Attaching device control BPF program to cgroup /system.slice/docker-a8780af0b35f4801788bdd103496d0ad1ca8ef9edf04a347a3db018ceba6776d.scope failed: Operation not permitted
Jun  2 19:44:30 docker systemd[1]: Started libcontainer container a8780af0b35f4801788bdd103496d0ad1ca8ef9edf04a347a3db018ceba6776d.
Jun  2 19:44:30 docker systemd[1]: Attaching device control BPF program to cgroup /system.slice/docker-a8780af0b35f4801788bdd103496d0ad1ca8ef9edf04a347a3db018ceba6776d.scope failed: Operation not permitted
Jun  2 19:44:30 docker systemd[1]: docker-a8780af0b35f4801788bdd103496d0ad1ca8ef9edf04a347a3db018ceba6776d.scope: Succeeded.
Jun  2 19:44:30 docker systemd[1]: Stopped libcontainer container a8780af0b35f4801788bdd103496d0ad1ca8ef9edf04a347a3db018ceba6776d.
Jun  2 19:44:30 docker containerd[241]: time="2021-06-02T19:44:30.085058802Z" level=info msg="shim disconnected" id=a8780af0b35f4801788bdd103496d0ad1ca8ef9edf04a347a3db018ceba6776d
Jun  2 19:44:30 docker dockerd[302]: time="2021-06-02T19:44:30.085393882Z" level=error msg="stream copy error: reading from a closed fifo"
Jun  2 19:44:30 docker dockerd[302]: time="2021-06-02T19:44:30.085443862Z" level=error msg="stream copy error: reading from a closed fifo"
Jun  2 19:44:30 docker systemd-networkd[178]: vethf8c705c: Link DOWN
Jun  2 19:44:30 docker systemd-networkd[178]: rtnl: received neighbor for link '8' we don't know about, ignoring.
Jun  2 19:44:30 docker systemd-networkd[178]: rtnl: received neighbor for link '8' we don't know about, ignoring.
Jun  2 19:44:30 docker dockerd[302]: time="2021-06-02T19:44:30.229934562Z" level=error msg="a8780af0b35f4801788bdd103496d0ad1ca8ef9edf04a347a3db018ceba6776d cleanup: failed to delete container from containerd: no such container"
Jun  2 19:44:30 docker dockerd[302]: time="2021-06-02T19:44:30.229986822Z" level=error msg="Handler for POST /v1.41/containers/a8780af0b35f4801788bdd103496d0ad1ca8ef9edf04a347a3db018ceba6776d/start returned error: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: process_linux.go:458: setting cgroup config for procHooks process caused: can't load program: operation not permitted: unknown"