Develop Reference

Sysbox-runc is not working as runtime for docker in Ubuntu

I attempted to use sysbox-runc as the runtime for Docker on Ubuntu. sysbox-runc is operational. Nevertheless, an error occurred when I tried to create a container using Docker.
The command I was using: docker run --runtime=sysbox-runc nginx
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: container_linux.go:425: starting container process caused: process_linux.go:607: container init caused: process_linux.go:578: handleReqOp caused: rootfs_init_linux.go:366: failed to mkdirall /var/lib/sysbox/shiftfs/2e6d4302-28cd-4d9d-827e-6088b8b34e89/var/lib/kubelet: mkdir /var/lib/sysbox/shiftfs/2e6d4302-28cd-4d9d-827e-6088b8b34e89/var/lib/kubelet: value too large for defined data type caused: mkdir /var/lib/sysbox/shiftfs/2e6d4302-28cd-4d9d-827e-6088b8b34e89/var/lib/kubelet: value too large for defined data type: unknown.
ERRO[0000] error waiting for container: context canceled
Notes:
The same works fine with the default runtime runc.
Running docker and sysbox-runc as root.
Has anyone come across this before, please?

Is it ubuntu 22.04 ? Do you use kernel 5.15.(>=48) ? plz take a look at
Unfortunately there isn't much we can do with Ubuntu kernels 5.15.(>=48) as they are apparently missing a Ubuntu-patch on overlayfs that breaks interaction with shiftfs.
If you can, please upgrade to newer kernels (e.g., 5.19, 6.0, etc.).
If you must use kernel 5.15, try using 5.15.47 or earlier.
If you must use kernel 5.15.(>=48), you can work-around the problem by either:
Removing the shiftfs module from the kernel (e.g., rmmod) or
Configuring Sysbox to not use shiftfs. You do this by configuring the systemd service unit for sysbox-mgr, and passing the --disable-shiftfs flag to Sysbox. See here for more.
https://github.com/nestybox/sysbox/issues/596#issuecomment-1291235140

Troubleshooting docker intermitted failure issue for cgroup process

Let me try to describe my situation here (trying best to capture whatever information I have).
We have a production level service which consists of many dockers containing multiple services running in cloud (asuzre) VM.
Now if we keep on running it for long (long >= 5 days) as a part of Longivity testing, we can see -- sometimes (i.e. not always after 5 days, sometimes) - services start failing, denial of services to our clients.
ERROR: for health-checker Cannot start service health-checker: OCI runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused \"failed to write 1 to memory.kmem.limit_in_bytes: write /sys/fs/cgroup/memory/docker/ad4926b8e5b583ce3ae30d4e3d1f1379ee89fc2735d83a87b127ef4e1e7089db/memory.kmem.limit_in_bytes: cannot allocate memory\"": unknown {}
ERROR: for credentials Cannot start service credentials: OCI runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused \"failed to write 1 to memory.kmem.limit_in_bytes: write /sys/fs/cgroup/memory/docker/5b2cef0997776af7265fcc41bd640059a29fc723375e43acde63514f58ec6055/memory.kmem.limit_in_bytes: cannot allocate memory\"": unknown {}
ERROR: for occm Cannot start service occm: runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused \"failed to write 1 to memory.kmem.limit_in_bytes: write /sys/fs/cgroup/memory/docker/9d5912c7459a514c6f9bdaa3a170b1bf0ba4fa3189b482b72c2013a85cf5b8ba/memory.kmem.limit_in_bytes: cannot allocate memory\"": unknown {}
failed to perform container upgrade task. java.lang.RuntimeException: Failed to deploy containers {akkaAddress=akka://some-manager, akkaSource=akka://some-manager/user/service-deployer, sourceActorSystem=some-manager}
So as a consequence, none of our services are accessible, all the https calls are denied:
Name does not resolve {}\n","stream":"stdout","time":"2021-07-02T03:38:29.720361925Z"}
Name does not resolve {}\n","stream":"stdout","time":"2021-07-02T03:38:29.744298675Z"}
I was trying doing lots of google and try to get something actionable and meaningful from where to start.
Any pointer / insight / clue will be highly appreciated.
(I understand I may not be very detailed or very pin pointing the issue - actually I am bit clueless as it's failing sometimes after 5 days of run.)
Seeking guidance.
Pradip

Rebuild your docker & containerd after upgrading the kernel.
This happened to me after upgrading 5.4.6 -> 5.18.5 in one go. Rebuilding docker & containerd packages solved it.

Docker stopped working with error message OCI runtime create failed

I'm using Manjaro Linux and Kernerl 5.10.13.
I'm not sure what happened, maybe something was updated, but Docker stopped working for me.
When I try to do docker run hello-world, I see the following message:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:367:
starting container process caused: process_linux.go:495: container init caused: apply apparmor
profile: apparmor failed to apply profile: write /proc/self/attr/exec: invalid argument: unknown.
ERRO[0000] error waiting for container: context canceled
If I switch to kernel 5.9.16, it seems to be fine. Am I missing something here?

You may need to enable apparmor in your kernel parameters (apparmor=1 lsm=lockdown,yama,apparmor,bpf)
See https://www.reddit.com/r/archlinux/comments/ldhx0v/cant_start_docker_containers_on_latest_kernel/

I'm not sure what happened there, but the next morning (around 7 hours after I posted this), there was an update on my system, which seems to have resolved the issue

Cannot run JHipster docker

Im trying to run https://hub.docker.com/r/jhipster/jhipster/ as part of a Jenkins build on OpenShift, with CentOS host, but am getting the following error:
Failed to start container with docker id 38194274e387 with error:
Error response from daemon:
{"message":"invalid header field value \"oci runtime error: container_linux.go:247:
starting container process caused \\\"chdir to cwd (\\\\\\\"/home/jenkins/workspace/copy-of-sw\\\\\\\") set in config.json failed: no such file or directory\\\"\\n\""}
The dockerfile contents can be viewed on https://hub.docker.com/r/jhipster/jhipster/~/dockerfile/
Does anyone know how to resolve this?

For a Jenkins build, you want to use the CI image jhipster/jhipster-ci-stack https://hub.docker.com/r/jhipster/jhipster-ci-stack/
That Docker image jhipster/jhipster is used for developing with the generator, it will not work correctly in a Jenkins pipeline unless you are changing the generator and want to test that. How to use that image can be found in the "Docker installation (for advanced users only)" of https://jhipster.github.io/installation/

Crash during startup with network share for gitlab container

Following the documentation, I am trying to setup my own gitlab using the docker container.
In the volumes section, the host path /srv/gitlab is a network share.
I have a group with name docker and the current user belongs to that group. While mounting the network share, I specified the uid=,gid=docker.
My problem is, the docker container starts but keeps crashing with some permission error. I am pretty sure its because of the network share.
Anyone has any idea on setting correct permissions for the network share before starting the gitlab container?
This is how the error looks like:
[2016-09-07T23:18:49+00:00] FATAL: Stacktrace dumped to /opt/gitlab/embedded/cookbooks/cache/chef-stacktrace.out
[2016-09-07T23:18:49+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-09-07T23:18:49+00:00] ERROR: directory[/etc/gitlab] (gitlab::default line 26) had an error: Errno::EACCES: Permission denied # chown_internal - /etc/gitlab
[2016-09-07T23:18:49+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)