Closed
Labels
question (Further information is requested)
Description
I'm not sure this is the right place to report, though, as I'm using nerdctl & containerd within a lima-vm (https://github.com/lima-vm/lima/). Feel free to move or close the issue if unrelated 🙇🏻
I was trying to run a systemd-enabled container with nerdctl in a lima-managed virtual machine on my M1-based MacBook Pro.
I tried 2 different images w/o success:
- https://hub.docker.com/r/jrei/systemd-ubuntu
- https://hub.docker.com/r/dhoppeit/docker-ubuntu-systemd
With systemd debug enabled I got the following errors:
```
Failed to create /init.scope control group: Read-only file system
Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object.
```
I found the issue is described in the moby repo: moby/moby#42275. Though I'm really surprised, as nerdctl is not using moby as far as I understand. 🤔
Steps to reproduce the issue
- Provision the VM with `limactl start default`
- SSH into the VM with `limactl shell default`

```
jay@lima-default:~$ sudo nerdctl run -it --tmpfs /tmp --tmpfs /run --tmpfs /run/lock --cap-add SYS_ADMIN --name ubuntu-20.04 --volume /sys/fs/cgroup:/sys/fs/cgroup:ro dhoppeit/docker-ubuntu-systemd:20.04 /lib/systemd/systemd --log-level=debug --log-target=console
systemd 245.4-4ubuntu3.19 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization docker.
Detected architecture arm64.

Welcome to Ubuntu 20.04.5 LTS!

Set hostname to <e950a4b16a5e>.
Failed to add address 127.0.0.1 to loopback interface: Operation not permitted
Failed to add address ::1 to loopback interface: Operation not permitted
Failed to bring loopback interface up: Operation not permitted
Failed to bump AF_UNIX datagram queue length, ignoring: Read-only file system
Setting 'fs/file-max' to '9223372036854775807'.
Failed to bump fs.file-max, ignoring: Read-only file system
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Unified cgroup hierarchy is located at /sys/fs/cgroup.
Failed to create /init.scope control group: Read-only file system
Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object.
Exiting PID 1...
```
Describe the results you received and expected
Got:
```
Failed to create /init.scope control group: Read-only file system
Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object.
```
Want: systemd-enabled container is up and running w/o any issues.
What version of nerdctl are you using?
```
jay@lima-default:~$ /usr/local/bin/nerdctl --version
nerdctl version 1.0.0
jay@lima-default:~$ /usr/local/bin/containerd --version
containerd github.com/containerd/containerd v1.6.8 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
```
Are you using a variant of nerdctl? (e.g., Rancher Desktop)
Lima
Host information
```
jay@lima-default:~$ nerdctl info
Client:
 Namespace: default
 Debug Mode: false

Server:
 Server Version: v1.6.8
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Log: fluentd journald json-file syslog
  Storage: native overlayfs stargz fuse-overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
  rootless
 Kernel Version: 5.19.0-26-generic
 Operating System: Ubuntu 22.10
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 3.813GiB
 Name: lima-default
 ID: 6272f224-2be7-43b4-8579-1fa018a88f1a

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
```
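
A diagnostic for the state the log above reports (cgroup2 found at `/sys/fs/cgroup`, then `Read-only file system` when creating `/init.scope`), as an added example that is not part of the original issue or of nerdctl. It parses mountinfo-format text (`/proc/self/mountinfo` by default, which can be read from inside the container) and reports the filesystem type and read-only state of the mount at `/sys/fs/cgroup`; the function names and the sample lines are constructed for illustration.

```shell
# Added example, not from the issue or from nerdctl; names and samples are constructed.

# cgroup_mount_state [MOUNTINFO_FILE|-] [MOUNT_POINT]
# Prints "<fstype> <ro|rw>" for the last mount listed at MOUNT_POINT (later
# entries shadow earlier ones), or "absent" if nothing is mounted there.
cgroup_mount_state() {
    awk -v mp="${2:-/sys/fs/cgroup}" '
        $5 == mp {
            # Fields 1-6 are fixed; optional fields follow until a lone "-".
            sep = 0
            for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
            if (!sep) next
            # Read-only may be set per mount (field 6, e.g. a ":ro" bind
            # mount) or on the superblock (options after the source field).
            ro = 0
            n = split($6 "," $(sep + 3), opts, ",")
            for (j = 1; j <= n; j++) if (opts[j] == "ro") ro = 1
            state = $(sep + 1) " " (ro ? "ro" : "rw")
        }
        END { print (state == "" ? "absent" : state) }
    ' "${1:-/proc/self/mountinfo}"
}

# cgroup_diagnose: same arguments; returns 0 only for a writable cgroup2 mount.
cgroup_diagnose() {
    case "$(cgroup_mount_state "$@")" in
        "cgroup2 rw") echo "cgroup2 is writable"; return 0 ;;
        "cgroup2 ro") echo "cgroup2 is read-only: creating /init.scope fails"; return 1 ;;
        absent)       echo "no mount at the given mount point"; return 2 ;;
        *)            echo "mount is not cgroup2"; return 3 ;;
    esac
}

# Constructed sample: a ":ro" bind mount of a cgroup2 tree.
sample_ro() {
    cat <<'EOF'
1498 1497 0:60 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
1523 1498 0:27 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime master:9 - cgroup2 cgroup rw,nsdelegate
EOF
}

# Constructed sample: the same mount without the read-only flag.
sample_rw() {
    cat <<'EOF'
1523 1498 0:27 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate
EOF
}

sample_ro | cgroup_diagnose - || true
sample_rw | cgroup_diagnose - || true
```

Called with no arguments, `cgroup_diagnose` inspects the mount namespace of the shell it runs in.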