Develop Reference

process_linux.go:458: setting cgroup config for procHooks process caused: can't load program: operation not permitted: unknown (Docker))

I'm trying to deploy a docker container to perform some testings with gitlab runners but when I'm doing the docker-compose up command I get the following output:
admin#runners-test:~/runner-test$ sudo docker-compose up -d
Starting gitlab-runner ... error
ERROR: for gitlab-runner Cannot start service gitlab-runner: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: process_linux.go:458: setting cgroup config for procHooks process caused: can't load program: operation not permitted: unknown
ERROR: for gitlab-runner Cannot start service gitlab-runner: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: process_linux.go:458: setting cgroup config for procHooks process caused: can't load program: operation not permitted: unknown
ERROR: Encountered errors while bringing up the project.
Abd this is the output of journalctl:
Sep 23 07:23:24 runners-test dockerd[231]: time="2022-09-23T07:23:24.560275437Z" level=error msg="stream copy error: reading from a closed fifo"
Sep 23 07:23:24 runners-test dockerd[231]: time="2022-09-23T07:23:24.577270402Z" level=error msg="stream copy error: reading from a closed fifo"
Sep 23 07:23:24 runners-test dockerd[231]: time="2022-09-23T07:23:24.675282811Z" level=error msg="0cd3bbb779a947012c9059921f092b569eb088bb2fe0bf99a8ae3266ec43abbd cleanup: failed to delete container from containerd: no such container"
Sep 23 07:23:24 runners-test dockerd[231]: time="2022-09-23T07:23:24.675625496Z" level=error msg="Handler for POST /v1.25/containers/0cd3bbb779a947012c9059921f092b569eb088bb2fe0bf99a8ae3266ec43abbd/start returned error: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: process_linux.go:458: setting cgroup config for procHooks process caused: can't load program: operation not permitted: unknown"
And the docker-compose file:
version: '3'
services:
gitlab-runner:
container_name: gitlab-runner
image: 'gitlab/gitlab-runner:latest'
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./config:/etc/gitlab-runner
restart:
unless-stopped
This error occurs with any container I try to lift, even doing a simple docker run hello-world...
I also take a look to this post on proxmox forum but I don't know how to add kernel command line parameters for a lxc container, I'v been trying editing the /etc/default/grub file but update-grub command doesn't work as I want inside the lxc, I get the following output:
admin#runners-test:/$ sudo update-grub
[sudo] password for admin:
/usr/sbin/grub-probe: error: failed to get canonical path of `/dev/mapper/pve-vm--1010118--disk--0'.
I'm really stuck with this, so any kind of help would be welcome :) Thanks!

I referenced many other links when finally discovering doing a (on CentOS) update did the trick. So:
yum update -y
reboot
After the reboot, the system came back online and I proceeded to run my docker container, in this case a docker registry:
[root#server ~]# docker run -d --name registry registry:2
c40941bf42c853709bcca05bad4e8914df1f4932a355607f37b55f7e0ed01e60
[root#server ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS
NAMES
c40941bf42c8 registry:2 "/entrypoint.sh /e..." 3 seconds ago Up 2 seconds 5000/tcp
The docker container booted up fine.
So, also here are reference pages I checked out, and I did not have to change anything in /boot/boot.txt as this one references, but is good info:
https://my-take-on.tech/2021/05/07/fix-docker-cgroup-errors-after-systemd-248-update/
and this one, which after I read it, it had me finally trying to do a yum update for fix:
docker-compose throws errors by starting mariadb for an private nextcloud installation

Building a docker container via packer and provisioning via chef-solo fails on starting a service

the following is an excerpt of a much bigger image factory template that builds a centos:7 docker image. everything works as expected however i get a dbus error on the running container. any help is appreciated!
this same code works if:
i use vmware-iso or virtualbox builders.
i use a centos:6 image
what i have tried with no effect:
switched to chef-client -z
added the /sys/fs/cgroup:/sys/fs/cgroup:ro volume
added privileged to the docker builder
template:
{
"builders": [{
"type": "docker",
"image": "centos:7",
"privileged": true,
"changes": [
"ONBUILD RUN {{ isotime }}"
],
"volumes": {
"/sys/fs/cgroup": "/sys/fs/cgroup:ro"
},
"export_path": "~/tmp/party_parrot.tar"
}],
"provisioners": [{
"cookbook_paths": [
"chef"
],
"prevent_sudo": true,
"run_list": [
"redhat_factory::default"
],
"chef_license": "accept",
"type": "chef-solo"
}]
}
chef cookbook:
package 'tuned'
service 'tuned' do
action %i(start enable)
end
log:
docker: output will be in this color.
==> docker: Creating a temporary directory for sharing data...
==> docker: Pulling Docker image: centos:7
docker: 7: Pulling from library/centos
docker: Digest: sha256:0f4ec88e21daf75124b8a9e5ca03c37a5e937e0e108a255d890492430789b60e
docker: Status: Image is up to date for centos:7
docker: docker.io/library/centos:7
==> docker: Starting docker container...
docker: Run command: docker run --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /Users/cr2p/.packer.d/tmp727655581:/packer-files -d -i -t --entrypoint=/bin/sh -- centos:7
docker: Container ID: f62d47e257a210442cce7f059a2be3dceb06fbce7673f16e04a52bdf5fa92891
==> docker: Using docker communicator to connect: 172.17.0.4
==> docker: Provisioning with chef-solo
docker: Installing Chef...
==> docker: % Total % Received % Xferd Average Speed Time Time Time Current
==> docker: Dload Upload Total Spent Left Speed
docker: el 7 x86_64
docker: Getting information for chef stable for el...
docker: downloading https://omnitruck.chef.io/stable/chef/metadata?v=&p=el&pv=7&m=x86_64
docker: to file /tmp/install.sh.17/metadata.txt
docker: trying curl...
==> docker: 100 23409 100 23409 0 0 34412 0 --:--:-- --:--:-- --:--:-- 34374
docker: sha1 dffee30e640f443cf1fbf8db17f319db09c1e21e
docker: sha256 b855820c1697dad395d3798f265e8c431b54a3bd29bbbd9ef87995cceaad3f17
docker: url https://packages.chef.io/files/stable/chef/17.2.29/el/7/chef-17.2.29-1.el7.x86_64.rpm
docker: version 17.2.29
docker: downloaded metadata file looks valid...
docker: downloading https://packages.chef.io/files/stable/chef/17.2.29/el/7/chef-17.2.29-1.el7.x86_64.rpm
docker: to file /tmp/install.sh.17/chef-17.2.29-1.el7.x86_64.rpm
docker: trying curl...
docker: Comparing checksum with sha256sum...
docker:
docker: WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
docker:
docker: You are installing a package without a version pin. If you are installing
docker: on production servers via an automated process this is DANGEROUS and you will
docker: be upgraded without warning on new releases, even to new major releases.
docker: Letting the version float is only appropriate in desktop, test, development or
docker: CI/CD environments.
docker:
docker: WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
docker:
docker: Installing chef
docker: installing with rpm...
==> docker: warning: /tmp/install.sh.17/chef-17.2.29-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
docker: Preparing... ########################################
docker: Updating / installing...
docker: chef-17.2.29-1.el7 ########################################
docker: Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
docker: Creating directory: /tmp/packer-chef-solo
docker: Creating directory: /tmp/packer-chef-solo/cookbooks-0
docker: Creating configuration file 'solo.rb'
docker: Creating JSON attribute file
docker: Executing Chef: chef-solo --no-color -c /tmp/packer-chef-solo/solo.rb -j /tmp/packer-chef-solo/node.json
docker: +---------------------------------------------+
docker: ✔ 2 product licenses accepted.
docker: +---------------------------------------------+
docker: Starting Chef Infra Client, version 17.2.29
docker: Patents: https://www.chef.io/patents
docker: [2021-06-17T15:02:07+00:00] WARN: Plugin Network: unable to detect ipaddress
docker: [2021-06-17T15:02:07+00:00] ERROR: shard_seed: Failed to get dmi property serial_number: is dmidecode installed?
docker: resolving cookbooks for run list: ["redhat_factory::default"]
docker: Synchronizing Cookbooks:
docker: - redhat_factory (1.0.0)
docker: Installing Cookbook Gems:
docker: Compiling Cookbooks...
docker: [2021-06-17T15:02:08+00:00] WARN: Resource yum_package built into Chef Infra Client is being overridden by the resource from a cookbook. Please upgrade your cookbook or remove the cookbook from your run_list.
docker: [2021-06-17T15:02:08+00:00] WARN: Provider yum_package built into Chef Infra Client is being overridden by the provider from a cookbook. Please upgrade your cookbook or remove the cookbook from your run_list.
docker: Converging 4 resources
docker: Recipe: redhat_factory::default
docker: * entitler[entitler] action nothing (skipped due to action :nothing)
docker: Recipe: redhat_factory::dummy
docker: * yum_package[tuned] action install
docker: - install version 0:2.11.0-11.el7_9.noarch of package tuned
docker: * service[tuned] action start
docker: * service[tuned]: No custom command for start specified and unable to locate the init.d script!
docker: ================================================================================
docker: Error executing action `start` on resource 'service[tuned]'
docker: ================================================================================
docker:
docker: Chef::Exceptions::Service
docker: -------------------------
docker: service[tuned]: No custom command for start specified and unable to locate the init.d script!
docker:
docker: Resource Declaration:
docker: ---------------------
docker: # In /tmp/packer-chef-solo/local-mode-cache/cache/cookbooks/redhat_factory/recipes/dummy.rb
docker:
docker: 3: service 'tuned' do
docker: 4: action %i(start enable)
docker: 5: end
docker:
docker: Compiled Resource:
docker: ------------------
docker: # Declared in /tmp/packer-chef-solo/local-mode-cache/cache/cookbooks/redhat_factory/recipes/dummy.rb:3:in `from_file'
docker:
docker: service("tuned") do
docker: action [:start, :enable]
docker: default_guard_interpreter :default
docker: declared_type :service
docker: cookbook_name "redhat_factory"
docker: recipe_name "dummy"
docker: service_name "tuned"
docker: supports {:restart=>nil, :reload=>nil, :status=>nil}
docker: end
docker:
docker: System Info:
docker: ------------
docker: chef_version=17.2.29
docker: platform=centos
docker: platform_version=7.9.2009
docker: ruby=ruby 3.0.1p64 (2021-04-05 revision 0fb782ee38) [x86_64-linux]
docker: program_name=/usr/bin/chef-solo
docker: executable=/opt/chef/bin/chef-solo
docker:
docker:
docker: Running handlers:
docker: [2021-06-17T15:02:37+00:00] ERROR: Running exception handlers
docker: Running handlers complete
docker: [2021-06-17T15:02:37+00:00] ERROR: Exception handlers complete
docker: Chef Infra Client failed. 1 resources updated in 31 seconds
docker: [2021-06-17T15:02:37+00:00] FATAL: Stacktrace dumped to /tmp/packer-chef-solo/local-mode-cache/cache/chef-stacktrace.out
docker: [2021-06-17T15:02:37+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
docker: [2021-06-17T15:02:37+00:00] FATAL: Chef::Exceptions::Service: service[tuned] (redhat_factory::dummy line 3) had an error: Chef::Exceptions::Service: service[tuned]: No custom command for start specified and unable to locate the init.d script!
==> docker: Provisioning step had errors: Running the cleanup provisioner, if present...
==> docker: Killing the container: f62d47e257a210442cce7f059a2be3dceb06fbce7673f16e04a52bdf5fa92891
Build 'docker' errored after 48 seconds 995 milliseconds: Error executing Chef: Non-zero exit status: 1
==> Wait completed after 48 seconds 996 milliseconds
==> Some builds didn't complete successfully and had errors:
--> docker: Error executing Chef: Non-zero exit status: 1
==> Builds finished but no artifacts were created.
connecting to the running container:
[root#a74a6b2cfa39 /]# systemctl --system status tuned
Failed to get D-Bus connection: Operation not permitted
[root#a74a6b2cfa39 /]# systemctl --system start tuned
Failed to get D-Bus connection: Operation not permitted
thanks in advance!

i've been able to solve this by modifying my work in the following ways:
modify the run_command specifically the entrypoint attribute
add the tmpfs array
finally modify the staging directory of the chef provisioner
packer template:
{
"builders": [{
"type": "docker",
"image": "centos:7",
"pull": false,
"privileged": true,
"changes": [
"ONBUILD RUN {{ isotime }}"
],
"volumes": {
"/sys/fs/cgroup": "/sys/fs/cgroup:ro"
},
"export_path": "~/tmp/party_parrot.tar",
"tmpfs": [
"/tmp",
"/run"
],
"run_command": ["-d", "-i", "-t", "--entrypoint=/usr/sbin/init", "--", "{{.Image}}"]
}],
"provisioners": [{
"cookbook_paths": [
"chef"
],
"prevent_sudo": true,
"run_list": [
"redhat_factory::default"
],
"chef_license": "accept",
"type": "chef-solo",
"staging_directory": "/chef"
}]
}

The "systemctl" script is small program that just communicates with the systemd dameon on PID 1 in a system. The communication channel is opened by asking d-bus which is also not started. The privledged/cgroup trick had been used for some time until docker containers were able to run the systemd daemon directly.
Personally I'd prefer to use the docker-systemctl-replacement/ in order to get an installer up and running that was not prepared for a docker environment. While it was developed with "ansible" in mind it may be interesting to see it working with "chef" instead.

Docker-in-Docker issues with connecting to internal container network (Anchore Engine)

I am having issues when trying to connect to a docker-compose network from inside of a container. These are the files I am working with. The whole thing runs when I ./run.sh.
Dockerfile:
FROM docker/compose:latest
WORKDIR .
# EXPOSE 8228
RUN apk update
RUN apk add py-pip
RUN apk add jq
RUN pip install anchorecli
COPY dockertest.sh ./dockertest.sh
COPY docker-compose.yaml docker-compose.yaml
CMD ["./dockertest.sh"]
docker-compose.yaml
services:
# The primary API endpoint service
engine-api:
image: anchore/anchore-engine:v0.6.0
depends_on:
- anchore-db
- engine-catalog
#volumes:
#- ./config-engine.yaml:/config/config.yaml:z
ports:
- "8228:8228"
..................
## A NUMBER OF OTHER CONTAINERS THAT ANCHORE-ENGINE USES ##
..................
networks:
default:
external:
name: anchore-net
dockertest.sh
echo "------------- INSTALL ANCHORE CLI ---------------------"
engineid=`docker ps | grep engine-api | cut -f 1 -d ' '`
engine_ip=`docker inspect $engineid | jq -r '.[0].NetworkSettings.Networks."cws-anchore-net".IPAddress'`
export ANCHORE_CLI_URL=http://$engine_ip:8228/v1
export ANCHORE_CLI_USER='user'
export ANCHORE_CLI_PASS='pass'
echo "System status"
anchore-cli --debug system status #This line throws error (see below)
run.sh:
#!/bin/bash
docker build . -t anchore-runner
docker network create anchore-net
docker-compose up -d
docker run --network="anchore-net" -v //var/run/docker.sock:/var/run/docker.sock anchore-runner
#docker network rm anchore-net
Error Message:
System status
INFO:anchorecli.clients.apiexternal:As Account = None
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 172.19.0.6:8228
Error: could not access anchore service (user=user url=http://172.19.0.6:8228/v1): HTTPConnectionPool(host='172.19.0.6', port=8228): Max retries exceeded with url: /v1
(Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused',))
Steps:
run.sh builds container image and creates network anchore-net
the container has an entrypoint script, which does multiple things
firstly, it brings up the docker-compose network as detached FROM inside the container
secondly, nstalls anchore-cli so I can run commands against container network
lastly, attempts to get a system status of the anchore-engine (d.c network) but thats where I am running into HTTP request connection issues.
I am dynamically getting the IP of the api endpoint container of anchore-engine and setting the URL of the request to do that. I have also tried passing those variables from command line such as:
anchore-cli --u user --p pass --url http://$engine_ip/8228/v1 system status but that throws the same error.
For those of you who took the time to read through this, I highly appreciate any input you can give me as to where the issue may be lying. Thank you very much.

Failed getting affiliation 'org3.department1 : : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set

I followed below steps of Hyperledger Fabric Balance Transfer Application (1.4.3 version):
I have made a copy of balance transfer application and created a new project.
Did required changes in below files
artifacts/channel/crytogen.yaml
artifacts/channel/configtx.yaml
artifacts/channel/docker-compose.yaml
artifacts/network-config.yaml
artifacts/org3.yaml
config.js
app/instantiate-chaincode.js
Started the network, everything went fine.
If I register user with orgName Org1 or Org2 everything works fine.
But when I tried to register user on Org3 from this api,
curl -s -X POST http://localhost:4000/users -H "content-type: application/x-www-form-urlencoded" -d 'username=Ramesh&orgName=Org3'
It is showing this error : Failed getting affiliation 'org3.department1 : : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set
By default, fabric-ca only has the following affiliations:
org1.department1
org1.department2
org2.department1
So I tried to add below commands in bash terminal, **docker exec -it bash **.
fabric-ca-client affiliation add org3
fabric-ca-client affiliation add org3.department1
Still getting same error.
Also I tried to add new org details in fabric-ca-server-config.yaml file and gave that path in docker-compose.yaml file volumes for all 3 orgs ca containers .
volumes:
- ./channel/crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
- ../ca-server-config/fabric-ca-server-config.yaml:/etc/hyperledger/fabric-ca-server-config/fabric-ca-server-config.yaml
Restarted the netowrk, but it is showing below error,
ERROR: for ca.org3.example.com Cannot start service ca.org3.example.com: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"rootfs_linux.go:58: mounting \\"/home/ubuntu/fabric-samples/newProject/ca-server-config/fabric-ca-server-config.yaml\\" to rootfs \\"/var/lib/docker/overlay2/03d0b6d5e25572670c817f37b1a791938de81835680cce9f11f5d2c0f05d6320/merged\\" at \\"/var/lib/docker/overlay2/03d0b6d5e25572670c817f37b1a791938de81835680cce9f11f5d2c0f05d6320/merged/etc/hyperledger/fabric-ca-server-config/fabric-ca-server-config.yaml\\" caused \\"not a directory\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
Please suggest on above error and how can i add new org in balance transfer application?

hyperledger-fabric byfn.sh -m failed with script/scripts.sh not found

I am running the byfn.sh script within docker container on windows 10.
Docker version 18.03.0-ce, build 0520e24302
I am getting the script.sh not found error message, please help.
$ ./byfn.sh -m up
Starting with channel 'mychannel' and CLI timeout of '10' seconds and CLI
delay of '3' seconds
Continue? [Y/n] y
proceeding ...
2018-04-28 20:28:24.254 UTC [main] main -> INFO 001 Exiting.....
LOCAL_VERSION=1.1.0
DOCKER_IMAGE_VERSION=1.1.0
Starting peer1.org2.example.com ... done
Starting peer0.org2.example.com ... done
Starting peer1.org1.example.com ... done
Starting peer0.org1.example.com ... done
Starting orderer.example.com ... done
cli is up-to-date
OCI runtime exec failed: exec failed: container_linux.go:348: starting container process caused "exec: \"scripts/script.sh\": stat scripts/script.sh: no such file or directory": unknown
ERROR !!!! Test failed

Resolved the issue by copying the entire fabric-samples directory to c:\users\ directory.
Having the fabric-samples directory anywhere else on c:\ drive gives the error. Perhaps an explicit path needs to be defined somewhere if placing fabric-samples in any location other than c:\users\

I figured that the volumes from the docker container under Windows are not correctly mounted (not at all). But I don't know how to fix it... I'll get back if I have more information on this issue or even a solution.