Failed to setup UID/GID map #383
Are you running with
Yep, here's the command I'm using to run the container:
Hmm, that should work -- maybe something similar to moby/moby#41812? Did your image get corrupted somehow or was unable to set the extended capabilities on the
I'm not sure if that's relevant to the issue, but as the error message says something that I believe might be related to "capabilities" ("Could not set caps"), I've tried running:

```
$ getcap newuidmap newgidmap
newuidmap cap_setuid=ep
newgidmap cap_setgid=ep
```

I think it's also worth mentioning that the

Below are the commands I use to compile:

```sh
./configure \
  --prefix="$PWD/build" \
  --disable-shared \
  --disable-account-tools-setuid \
  --disable-nls \
  --without-audit \
  --without-libpam \
  --without-selinux \
  --without-acl \
  --without-attr \
  --without-tcb \
  --without-yescrypt \
  --without-nscd \
  --without-group-name-max-length \
  --with-fcaps # or --without-fcaps
make LDFLAGS="--static -s" -j "$(nproc)"
make -j "$(nproc)" install
```
Due to the fact that I don't have an internet connection on this VM, I'm currently saving (and compressing) the dind container with the following command:

```sh
docker save docker:22.06.0-beta.0-dind-rootless | gzip > dind.tar.gz
```

I've extracted the compressed container archive on the VM, and tried inspecting the file capabilities of both

```sh
docker run --rm --privileged docker:22.06.0-beta.0-dind-rootless getcap /usr/bin/newuidmap /usr/bin/newgidmap
```

And I've got an empty output. I'm not sure if the compression has anything to do with the extracted image being corrupted, or if I should
Are either of the host you're doing

For reference, here's what it should look like:

```
$ docker run --rm docker:22.06-rc-dind-rootless getcap /usr/bin/newuidmap /usr/bin/newgidmap
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/newgidmap cap_setgid=ep
```
I don't think so, from what I've seen on the docs:

The host where I'm running

I'll try some other ideas I have in mind and share the results here as soon as I can.
I've tried running an interactive session on the dind container (as root) to see if by manually setting the proper capabilities on

```
$ setcap cap_setuid+ep /usr/bin/newuidmap
Failed to set capabilities on file '/usr/bin/newuidmap': Not supported
```

After some further inspection, I found out that the

I even tried not gzipping the archive and repeating the process with both

It seems like for some reason, any file capabilities are instantly dropped once I try to run any docker image on the VM (it works fine on bare metal), and I also couldn't find any kernel config that seems to enable/disable support for file capabilities, so I assume that's enabled by default (at least for ext4).
@tianon @yosifkit I've figured out what was wrong: my kernel was lacking support for extended attributes. I've enabled it by compiling with the option

Thanks a lot for your help on this!
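To make the diagnosis from this thread repeatable, here is an added example in Python (not code from the issue, the reporter, or the docker-library project). It parses `getcap` output in both libcap formats, reports whether the two rootless helper binaries carry the capabilities the maintainer's reference output shows, and probes whether a directory accepts extended attributes at all, which is the "Not supported" failure `setcap` produced above. The sample `getcap` outputs are constructed, and the function names and the `user.fcaps_probe` attribute name are my own choices.

```python
import errno
import os
import re
import sys
import tempfile

# Expected file capabilities for rootless dind, taken from the maintainer's
# reference getcap output in this thread.
REQUIRED_CAPS = {
    "/usr/bin/newuidmap": "cap_setuid",
    "/usr/bin/newgidmap": "cap_setgid",
}

# Constructed samples: what a healthy image prints, the older libcap spelling
# of the same thing, and the empty output the reporter saw on the VM.
SAMPLE_GOOD = "/usr/bin/newuidmap cap_setuid=ep\n/usr/bin/newgidmap cap_setgid=ep\n"
SAMPLE_OLD_FORMAT = "/usr/bin/newuidmap = cap_setuid+ep\n/usr/bin/newgidmap = cap_setgid+ep\n"
SAMPLE_EMPTY = ""

_CLAUSE = re.compile(r"([a-z0-9_,]+)[=+]([eip]+)$")


def parse_getcap(output):
    """Parse getcap(8) output into {path: {cap_name: flags}}.

    Handles the current 'path cap_x=ep' form and the older 'path = cap_x+ep'
    form. Paths containing spaces are not handled (getcap does not quote them).
    """
    caps_by_path = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, _, spec = line.partition(" = ")
        else:
            path, _, spec = line.rpartition(" ")
        entry = caps_by_path.setdefault(path, {})
        for clause in spec.split():
            m = _CLAUSE.match(clause)
            if not m:
                continue  # ignore clauses we do not understand (e.g. '-' removals)
            for cap in m.group(1).split(","):
                entry[cap] = m.group(2)
    return caps_by_path


def check_rootless_caps(output, required=REQUIRED_CAPS):
    """Return {path: 'ok' | 'missing' | 'insufficient'} for each required helper.

    'missing' means getcap printed nothing for the file (the xattr is absent or
    was dropped); 'insufficient' means a capability is present but not both
    effective and permitted, which newuidmap/newgidmap need.
    """
    parsed = parse_getcap(output)
    result = {}
    for path, cap in required.items():
        if path not in parsed:
            result[path] = "missing"
            continue
        flags = parsed[path].get(cap)
        if flags is None or not {"e", "p"} <= set(flags):
            result[path] = "insufficient"
        else:
            result[path] = "ok"
    return result


def probe_xattr_support(directory=None):
    """Try to set a user.* extended attribute on a temp file in `directory`.

    Returns 'supported', 'unsupported' (ENOTSUP, the same condition behind the
    setcap 'Not supported' error above) or 'unknown' (no setxattr on this
    platform, or another error). A passing user.* probe does not by itself prove
    security.capability works, but a failing one explains dropped file caps.
    """
    if not hasattr(os, "setxattr"):
        return "unknown"
    directory = directory or tempfile.gettempdir()
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.close(fd)
        os.setxattr(path, "user.fcaps_probe", b"1")
        return "supported"
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "unsupported"
        return "unknown"
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Feed real getcap output on stdin, e.g. from the docker run command in the
    # thread; otherwise demonstrate on the constructed samples.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EMPTY
    print("helper capabilities:", check_rootless_caps(data))
    print("xattr support in", tempfile.gettempdir() + ":", probe_xattr_support())
```

Piping the container's `getcap` output into this script turns the reporter's "empty output" into an explicit `missing` verdict per binary, and running the probe inside the container on the image's filesystem distinguishes "the image lost its xattrs" from "this kernel or filesystem cannot store them".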
I'm trying to run the docker-in-docker (dind) image (more specifically, docker:22.06.0-beta.0-dind-rootless) on a very bare-bones Linux installation, but whenever I try to run the container, I get the following error message:

The aforementioned Linux host (running on a VirtualBox VM) is composed solely of the following components:

- newuidmap and newgidmap binaries, added on an attempt to fix the problem, not sure if that should be on the container side)

Everything listed above (with the exception of docker) is built from source, statically linked and customized to be as minimal as possible.