LXD docker-ce on Gentoo

Hi,
I can’t start docker-ce inside an LXD container on Gentoo.

HOST: Gentoo Base System release 2.6, OpenRC
OpenRC 0.40.3
Linux kernel 4.20.7
LXD 3.8
LXC container with Ubuntu 18.10 installed
Docker version inside Ubuntu 18.10:
Docker version 18.09.2, build 6247962

Gentoo > LXD -> Ubuntu -> Docker ;(

Output of lxc config show:

architecture: x86_64
config:
  image.architecture: amd64
  image.description: Ubuntu bionic amd64 (20190214_07:43)
  image.os: Ubuntu
  image.release: bionic
  image.serial: "20190214_07:43"
  limits.kernel.nofile: "200000"
  raw.lxc: |-
    lxc.apparmor.profile = unconfined
    lxc.cgroup.devices.allow = a
    lxc.mount.auto=proc:rw sys:rw cgroup:rw
    lxc.cap.drop =
  security.nesting: "true"
  security.privileged: "true"
  volatile.base_image: 746153ee726e2214876db280f2f68ec338062b0feb9d50bbdf38519a98610775
  volatile.eth0.hwaddr: 00:16:3e:93:16:59
  volatile.idmap.base: "0"
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
devices:
  kernel:
    path: /usr/src/
    source: /usr/src/
    type: disk
  modules:
    path: /lib/modules/
    source: /lib/modules/
    type: disk
ephemeral: false
profiles:
- lanprofile
stateful: false
description: ""

Errors when starting Docker:

docker: Error response from daemon: cgroups: cannot find cgroup mount destination: unknown.
ERRO[0002] error waiting for container: context canceled

Syslog:
Feb 22 14:07:59 ubuntu dockerd[149]: time="2019-02-22T14:07:59.050521154Z" level=error msg="244aa231ad75ff61baf8e2d42656477a145f959de3065fc36fddaaae7936e54d cleanup: failed to delete container from containerd: no such container"
Feb 22 14:07:59 ubuntu dockerd[149]: time="2019-02-22T14:07:59.050618561Z" level=error msg="Handler for POST /v1.39/containers/244aa231ad75ff61baf8e2d42656477a145f959de3065fc36fddaaae7936e54d/start returned error: cgroups: cannot find cgroup mount destination: unknown"

ls /sys/fs/cgroup/
blkio cpu cpuacct cpuset debug devices freezer hugetlb memory net_cls net_prio perf_event pids rdma systemd unified

mount |grep cgroup
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,name=systemd)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/debug type cgroup (rw,nosuid,nodev,noexec,relatime,debug)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/cpu type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_prio)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)

Can someone explain what is wrong in my configuration?

Regards,
Mattx

Did you use lxc-checkconfig to verify that the kernel has everything necessary compiled in?

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points:
/sys/fs/cgroup/openrc
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/cpu
/sys/fs/cgroup/cpuacct
/sys/fs/cgroup/blkio
/sys/fs/cgroup/memory
/sys/fs/cgroup/devices
/sys/fs/cgroup/freezer
/sys/fs/cgroup/net_cls
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/net_prio
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/pids
/sys/fs/cgroup/rdma
/sys/fs/cgroup/debug
/sys/fs/cgroup/systemd

Cgroup v2 mount points:
/sys/fs/cgroup/unified

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

And you have to enable “nested” containers.

For the LXD container where Docker is installed I have set: security.nesting: "true"
and security.privileged: "true".

Should that be enough, or should nesting be configured somewhere else?

That’s a pretty crappy error message from Docker… maybe you can increase the debugging level or strace it to see exactly what it is it’s looking for when it fails…
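One way to see what the failing lookup is comparing, added here as an example and not code from this thread: Docker's cgroup library resolves each hierarchy listed in /proc/self/cgroup to a mount in /proc/self/mountinfo and fails with "cannot find cgroup mount destination" when one has no mount, so this script prints every such hierarchy. The input is a constructed sample, not the poster's files; its unmounted name=openrc hierarchy mirrors the /sys/fs/cgroup/openrc entry in the lxc-checkconfig output above that is absent from the container's mount list, which is the kind of mismatch this check would surface if it is present in the real files.

```shell
# Added diagnostic (not from the thread): list cgroup v1 hierarchies that the
# calling process belongs to (/proc/self/cgroup) but that are not mounted in its
# mount namespace (/proc/self/mountinfo). Docker's cgroup library reports
# "cgroups: cannot find cgroup mount destination" on exactly that mismatch.
# usage: unmounted_hierarchies CGROUP_FILE MOUNTINFO_FILE  (one hierarchy per line)
unmounted_hierarchies() {
    awk '
        # Pass 1 (/proc/self/cgroup): "4:cpu,cpuacct:/lxc/c1", "1:name=systemd:/";
        # field 2 is the hierarchy, possibly several comma-joined controllers.
        NR == FNR { split($0, f, ":"); if (f[2] != "") wanted[f[2]] = 1; next }
        # Pass 2 (/proc/self/mountinfo): after " - " come FSTYPE SOURCE SUPEROPTS;
        # for a cgroup v1 mount the super options name its controllers or name=<hier>.
        {
            sep = index($0, " - "); if (sep == 0) next
            split(substr($0, sep + 3), rest, " ")
            if (rest[1] != "cgroup") next
            n = split(rest[3], opts, ",")
            for (i = 1; i <= n; i++) mounted[opts[i]] = 1
        }
        END {
            for (h in wanted) {
                ok = 1; n = split(h, parts, ",")
                for (i = 1; i <= n; i++) if (!(parts[i] in mounted)) ok = 0
                if (!ok) print h
            }
        }' "$1" "$2" | sort
}

# Constructed sample (not captured from the thread): a container process that sits
# in a host-created "name=openrc" hierarchy which has no mount inside the container.
demo() {
    dir=$(mktemp -d)
    cat >"$dir/cgroup" <<'EOF'
4:cpu,cpuacct:/docker-probe
3:memory:/docker-probe
2:name=openrc:/lxc/ubuntu
1:name=systemd:/init.scope
0::/init.scope
EOF
    cat >"$dir/mountinfo" <<'EOF'
31 30 0:27 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate
32 30 0:28 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,name=systemd
33 30 0:29 / /sys/fs/cgroup/cpu rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu
34 30 0:30 / /sys/fs/cgroup/cpuacct rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuacct
35 30 0:31 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
EOF
    unmounted_hierarchies "$dir/cgroup" "$dir/mountinfo"
    rm -rf "$dir"
}
```

Inside the container, run `unmounted_hierarchies /proc/self/cgroup /proc/self/mountinfo`; an empty result means every hierarchy Docker will look up has a mount it can find.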

On the LXD host, when Docker is starting:
[ 45.659981] cgroup: lxd (5843) created nested cgroup for controller "memory" which has incomplete hierarchy support. Nested cgroups may change behavior in the future.
[ 45.659982] cgroup: "memory" requires setting use_hierarchy to 1 on the root

In rc.conf I have set: rc_cggroup_memory_use_hierarchy="YES"

[ 0.000000] cgroup: lxd (5842) created nested cgroup for controller "memory" which has incomplete hierarchy support. Nested cgroups may change behavior in the future.
[ 0.000000] cgroup: "memory" requires setting use_hierarchy to 1 on the root
[ 0.000000] eth0: renamed from mcIKPTRJ
[ 0.000000] device eth0 entered promiscuous mode
[ 0.000000] new mount options do not match the existing superblock, will be ignored
[ 0.000000] Initializing XFRM netlink socket
[ 0.000000] aufs au_opts_verify:1609:dockerd[6091]: dirperm1 breaks the protection by the permission bits on the lower branch
[ 0.000000] ------------[ cut here ]------------
[ 0.000000] kernel BUG at fs/aufs/finfo.c:114!
[ 0.000000] invalid opcode: 0000 [#1] SMP PTI
[ 0.000000] CPU: 0 PID: 6241 Comm: auplink Not tainted 4.20.7-aufs #11
[ 0.000000] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/28/2017
[ 0.000000] RIP: 0010:au_finfo_fin+0x3f/0x52
[ 0.000000] Call Trace:
[ 0.000000] aufs_release_dir+0xf1/0xfe
[ 0.000000] __fput+0xd9/0x180
[ 0.000000] task_work_run+0x68/0x7c
[ 0.000000] exit_to_usermode_loop+0x4e/0x9d
[ 0.000000] do_syscall_64+0xcc/0xd3
[ 0.000000] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 0.000000] RIP: 0033:0x7f78aa7838d4

After adding to cgconfig.conf:
group . {
    memory {
        memory.use_hierarchy = "1";
    }
}
the cgroup memory hierarchy error has disappeared, but Docker still does not start, with the same message "Error response from daemon: cgroups: cannot find cgroup mount destination: unknown."

"kernel BUG at fs/aufs/finfo.c:114!" – does this mean a problem with aufs?

I found a Docker issue: https://github.com/docker/for-linux/issues/219
Try installing docker-ce version 17.09.1~ce-0~ubuntu.