Docker seccomp issues?

Hello,

I’m having some issues with a DinI (Docker in Incus) setup.

I’ve been troubleshooting the issues and have seemingly narrowed it down to something I need to tweak with seccomp. I’m just not sure what that is and am looking for some help in that regard.

I have a few Incus Containers stood up and they are all running Docker CE 28.0.1 inside of them. They all have host mountpoints back to ZFS datasets. Each container’s root is ZFS as well and has been set as zfs.delegate for its volume/dataset, although I’m not 100% sure they actually need this at this point.

I’ve enabled the following configs as well:

  security.nesting: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"

Everything is working well with the exception that I’m having some issues with some containers being pulled and installed. The file it chokes on varies.

root@apps2:/opt/stacks/rocketchat# docker compose up -d
[+] Running 12/14
 ✔ mongodb Pulled                                                                                                                     20.5s 
   ✔ 45f335159959 Pull complete                                                                                                       16.4s 
 ⠙ rocketchat [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿] 646.6MB / 652.9MB Pulling                                                                                 80.1s 
   ✔ 66a3d608f3fa Pull complete                                                                                                        0.9s 
   ✔ 24871bca5b8d Pull complete                                                                                                        3.9s 
   ✔ 1e6e0ecc9e1d Pull complete                                                                                                        4.0s 
   ✔ 2d985417673a Pull complete                                                                                                        4.1s 
   ✔ 729d9a5a7ee6 Pull complete                                                                                                       15.8s 
   ✔ 57a52c1427e8 Pull complete                                                                                                       72.4s 
   ✔ 2dce6b4867c2 Pull complete                                                                                                       76.7s 
   ⠴ 512783b0c37c Extracting      [==================================================>]  25.41kB/25.41kB                              78.6s 
   ✔ b0417b3b3b72 Download complete                                                                                                   10.7s 
   ✔ 195e1f2ca7d3 Download complete                                                                                                   11.3s 
   ✔ 4f4fb700ef54 Download complete                                                                                                   11.1s 
failed to register layer: failed to mknod('/usr/lib/libstdc++fs.a', S_IFCHR, 0): file exists

There is a log entry in /var/logs/incus/apps2/lxc.log when this happens as well:

lxc apps2 20250321152828.607 ERROR    seccomp - ../src/lxc/seccomp.c:seccomp_notify_handler:1555 - No such file or directory - Failed to send seccomp notification

I’ve gone through the production setup guide as well which I realize should be well above my needs.

Key sysctl values:

sysctl -a|grep -E 'fs.inotify|fs.aio|keys|vm.max|bpf'
fs.aio-max-nr = 524288
fs.aio-nr = 1
fs.inotify.max_queued_events = 1048576
fs.inotify.max_user_instances = 1048576
fs.inotify.max_user_watches = 1048576
kernel.bpf_stats_enabled = 0
kernel.keys.gc_delay = 300
kernel.keys.maxbytes = 2000000
kernel.keys.maxkeys = 2000
kernel.keys.persistent_keyring_expiry = 259200
kernel.keys.root_maxbytes = 25000000
kernel.keys.root_maxkeys = 1000000
kernel.unprivileged_bpf_disabled = 2
net.core.bpf_jit_enable = 1
net.core.bpf_jit_harden = 0
net.core.bpf_jit_kallsyms = 1
net.core.bpf_jit_limit = 1000000000
vm.max_map_count = 262144

Docker info:

Client: Docker Engine - Community
 Version:    28.0.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.21.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.33.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 10
  Running: 10
  Paused: 0
  Stopped: 0
 Images: 10
 Server Version: 28.0.1
 Storage Driver: overlay2
  Backing Filesystem: zfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc version: v1.2.4-0-g6c52b3f
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.12.15-production+truenas
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 62.73GiB
 Name: apps2
 ID: 45886574-ef72-43ee-85de-d0750da90054
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

When I disable the default seccomp profile, things work as expected without issue.

raw.lxc: lxc.seccomp.profile =

Success with it disabled:

root@apps2:/opt/stacks/rocketchat# docker compose up -d
[+] Running 14/14
 ✔ rocketchat Pulled                                                                                                                  73.7s 
   ✔ 66a3d608f3fa Pull complete                                                                                                        1.1s 
   ✔ 24871bca5b8d Pull complete                                                                                                        3.6s 
   ✔ 1e6e0ecc9e1d Pull complete                                                                                                        3.7s 
   ✔ 2d985417673a Pull complete                                                                                                        3.8s 
   ✔ 729d9a5a7ee6 Pull complete                                                                                                       13.2s 
   ✔ 57a52c1427e8 Pull complete                                                                                                       68.1s 
   ✔ 2dce6b4867c2 Pull complete                                                                                                       71.4s 
   ✔ 512783b0c37c Pull complete                                                                                                       71.5s 
   ✔ b0417b3b3b72 Pull complete                                                                                                       71.7s 
   ✔ 195e1f2ca7d3 Pull complete                                                                                                       71.9s 
   ✔ 4f4fb700ef54 Pull complete                                                                                                       72.0s 
 ✔ mongodb Pulled                                                                                                                     18.4s 
   ✔ 45f335159959 Pull complete                                                                                                       13.3s 
[+] Running 3/3
 ✔ Network rocketchat_default         Created                                                                                          0.1s 
 ✔ Container rocketchat-mongodb-1     Started                                                                                          7.0s 
 ✔ Container rocketchat-rocketchat-1  Started                                                                                          4.9s 

Thank you in advance for the assistance.
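An added triage helper (not from the poster or the Incus project) that reads the container config keys and lxc.log lines quoted above and reports whether seccomp syscall interception is enabled, whether notify delivery failed, and whether the raw.lxc workaround has disabled the seccomp policy entirely. The config text, the lxc.log line format and the second log line are assumptions modelled on the post.

```python
import re

# Constructed samples modelled on the post: the container's config keys and two
# lxc.log lines (the first is the error from the post, the second is made up).
SAMPLE_CONFIG = """\
security.nesting: "true"
security.syscalls.intercept.mknod: "true"
security.syscalls.intercept.setxattr: "true"
"""
SAMPLE_LXC_LOG = """\
lxc apps2 20250321152828.607 ERROR    seccomp - ../src/lxc/seccomp.c:seccomp_notify_handler:1555 - No such file or directory - Failed to send seccomp notification
lxc apps2 20250321152900.001 WARN     cgfsng - ../src/lxc/cgroups/cgfsng.c:fchowmodat:1611 - Operation not permitted - Failed to fchownat
"""

# Assumed lxc.log layout: "lxc <name> <ts> <LEVEL> <subsystem> - <file:func:line> - <errno text> - <message>"
LXC_LINE = re.compile(
    r"^lxc (?P<container>\S+) (?P<ts>\d{14}\.\d{3}) (?P<level>\w+)\s+(?P<subsystem>\w+) - "
    r"(?P<location>\S+) - (?P<errno>[^-]+?) - (?P<msg>.*)$")
INTERCEPT_PREFIX = "security.syscalls.intercept."

def parse_config(text):
    """Turn 'key: "value"' lines (as shown by `incus config show`) into a dict."""
    cfg = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def intercepted_syscalls(cfg):
    """Syscalls the config asks Incus to handle via seccomp notify."""
    return sorted(k[len(INTERCEPT_PREFIX):] for k, v in cfg.items()
                  if k.startswith(INTERCEPT_PREFIX) and v == "true")

def seccomp_notify_failures(log_text):
    """Return the seccomp-subsystem lines that report a failed notification."""
    hits = []
    for line in log_text.splitlines():
        m = LXC_LINE.match(line)
        if m and m["subsystem"] == "seccomp" and "seccomp notification" in m["msg"]:
            hits.append({"ts": m["ts"], "errno": m["errno"].strip(), "where": m["location"]})
    return hits

def triage(config_text, log_text):
    cfg = parse_config(config_text)
    syscalls = intercepted_syscalls(cfg)
    failures = seccomp_notify_failures(log_text)
    # "raw.lxc: lxc.seccomp.profile =" (the workaround in the post) loads no seccomp policy at all.
    disabled = re.fullmatch(r"lxc\.seccomp\.profile\s*=\s*", cfg.get("raw.lxc", "")) is not None
    if disabled:
        verdict = "seccomp policy disabled via raw.lxc: interception is inactive and syscalls are unfiltered"
    elif syscalls and failures:
        verdict = "interception enabled for %s but notify delivery failed %d time(s)" % (",".join(syscalls), len(failures))
    else:
        verdict = "no seccomp notify failures found"
    return {"intercepted": syscalls, "nesting": cfg.get("security.nesting") == "true",
            "failures": failures, "seccomp_disabled": disabled, "verdict": verdict}
```

Run `triage(open(cfg).read(), open(log).read())` against `incus config show <name>` output and the container's lxc.log; the verdict distinguishes a broken notify path from the workaround that silently drops the seccomp filter.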