deconz-community / deconz-docker

MIT License

2.24.2 docker image not working in rootless mode on Ubuntu 22.04 host #220

Status: closed (troed closed this issue 1 month ago)

troed commented 10 months ago

Downgrading to 2.24.0 works fine. I did not test 2.24.1.

The issue presents as the following in the log:

+ exec gosu deconz /usr/bin/deCONZ --auto-connect=1 --appdata=/opt/deCONZ --dbg-info=2 --dbg-aps=2 --dbg-zcl=2 --dbg-ddf=0 --dbg-dev=0 --dbg-zdp=2 --dbg-ota=0 --dbg-error=0 --dbg-http=0 --http-port=8380 --ws-port=8381 -platform minimal
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-deconz'
libpng warning: iCCP: known incorrect sRGB profile
QThread::start: Thread creation error (Operation not permitted)
QThread::start: Thread creation error (Operation not permitted)

senilio commented 10 months ago

Could you share your docker-compose file, and hopefully we'll be able to reproduce the error?

troed commented 10 months ago

Sorry, sure. I did try looking into the actual reason (which could be Qt libs or seccomp problems) but didn't manage to find anything. The host is fully updated, on kernel 5.15.0-88 and uses cgroup2.

version: '3'

networks:
  external_network:
  internal_network:
    internal: true

services:
  deconz:
    image: deconzcommunity/deconz
    container_name: deconz
    restart: always
    volumes:
      - /home/hass/deconz/storage:/opt/deCONZ
    devices:
      - /dev/ttyACM0
    environment:
      - DECONZ_WEB_PORT=8380
      - DECONZ_WS_PORT=8381
      - DEBUG_INFO=1
      - DEBUG_APS=0
      - DEBUG_ZCL=0
      - DEBUG_ZDP=0
      - DEBUG_OTAU=0
      - DECONZ_VNC_MODE=1
      - DECONZ_VNC_DISPLAY=1
      - DECONZ_VNC_PORT=5901
      - DECONZ_VNC_PASSWORD=something
    networks:
      - internal_network
      - external_network
    ports:
      - "8180:80"
      - "8543:443"
      - "8380:8380"
      - "8381:8381"
      - "5901:5901"

(other containers removed)

matthias-burgfried commented 10 months ago

2.24.1 unfortunately did not work for me. I have not tested 2.24. I went back to 2.23.2.

phdelodder commented 10 months ago

@matthias-burgfried same issue as @troed ? If it is a different one please open a new issue.

matthias-burgfried commented 10 months ago

@phdelodder: yes, same issue.

phdelodder commented 10 months ago

When adding privilege:true does it work then?

troed commented 10 months ago

When adding privilege:true does it work then?

Unfortunately it will be difficult for me to test that since it's not rootless anymore if adding that privilege. It risks messing up the installation, sorry.

phdelodder commented 10 months ago

@troed it seems to be an issue with permissions: https://www.reddit.com/r/docker/comments/vc1rkn/problem_with_threads_in_container/ I'm open to suggestions.

phdelodder commented 10 months ago

You could check out https://docs.docker.com/engine/security/seccomp/ and https://github.com/docker-library/golang/issues/467#issuecomment-1601845758 as it seems to be related to your issue.

troed commented 10 months ago

Alright, I'll look into using a seccomp profile. Any hint as to what has changed from 2.24.0 to 2.24.2 that could trip one of the permissions listed on the seccomp page?

phdelodder commented 10 months ago

Upgraded the Debian base image to the latest

troed commented 10 months ago

Confirmed - changing to unconfined seccomp makes 2.24.2 start here. I might try to figure out exactly which permission is needed instead of just running unconfined.

services:
  deconz:
    security_opt:
      - seccomp:unconfined
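
Added example (not from the deconz-docker project or from any comment in this thread): the "Thread creation error (Operation not permitted)" line is the EPERM an older engine's default seccomp profile returns for the clone3 syscall, which the glibc in newer Debian base images uses for pthread_create and only falls back from to clone() when it gets ENOSYS; this is the mechanism behind the linked golang issue. The script below patches a seccomp profile so the container starts without dropping to seccomp:unconfined; the embedded profile is a constructed, trimmed stand-in for Docker's real default.json, and the output file name is an assumption.

```python
"""Patch a Docker seccomp profile so glibc's clone3-based pthread_create works."""
import json
import os
from copy import deepcopy

ENOSYS = 38  # errno that makes glibc retry thread creation with clone()

# Constructed stand-in for Docker's default.json, trimmed to the parts that
# matter here: an unconditional allow-list group and an ERRNO default action
# with no defaultErrnoRet (so unknown syscalls, clone3 included, get EPERM).
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "archMap": [{"architecture": "SCMP_ARCH_X86_64",
                 "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]}],
    "syscalls": [
        {"names": ["clone", "futex", "mmap", "read", "write"],
         "action": "SCMP_ACT_ALLOW", "args": [], "includes": {}, "excludes": {}},
        {"names": ["reboot"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_BOOT"]}},
    ],
}


def clone3_blocked_with_eperm(profile: dict) -> bool:
    """True when this profile answers clone3 with EPERM, the error seen in the log."""
    allowed = any("clone3" in g.get("names", []) and g.get("action") == "SCMP_ACT_ALLOW"
                  and not g.get("includes") and not g.get("args")
                  for g in profile["syscalls"])
    if allowed:
        return False
    # runc uses EPERM (1) when defaultErrnoRet is absent
    return profile.get("defaultAction") == "SCMP_ACT_ERRNO" and profile.get("defaultErrnoRet", 1) == 1


def allow_clone3(profile: dict, strategy: str = "enosys") -> dict:
    """Return a patched copy. "enosys": keep denying unknown syscalls but return
    ENOSYS, as Docker >= 20.10.10 does; "allow": add clone3 to the plain allow group."""
    patched = deepcopy(profile)
    if strategy == "enosys":
        patched["defaultAction"] = "SCMP_ACT_ERRNO"
        patched["defaultErrnoRet"] = ENOSYS
    elif strategy == "allow":
        plain = [g for g in patched["syscalls"] if g.get("action") == "SCMP_ACT_ALLOW"
                 and not g.get("includes") and not g.get("args")]
        if plain:
            if "clone3" not in plain[0]["names"]:
                plain[0]["names"].append("clone3")
        else:
            patched["syscalls"].append({"names": ["clone3"], "action": "SCMP_ACT_ALLOW"})
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    return patched


if __name__ == "__main__":
    out = os.path.abspath("deconz-seccomp.json")  # assumed output path
    with open(out, "w") as fh:
        json.dump(allow_clone3(SAMPLE_PROFILE), fh, indent=2)
    print(f"security_opt:\n  - seccomp:{out}")
```

Feed it the real default.json from the moby repository rather than the stand-in, then point security_opt at the written file instead of unconfined.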

bhsolberg commented 8 months ago

I found anything newer than image ID 38c2213ae52e (2.24.1) made the container startup "freezing"; i.e. perpetually listed in "health: starting"-status for docker, with the "QThread::start: Thread creation error (Operation not permitted)" error as the last entry in the log. Even the current 2.24.1 tag has the same problem. The 2.24.0 tag works fine. What changed after the 38c2213ae52e image ID to make this break? What is the recommended fix (or workaround), besides using the "unconfined" seccomp option as described above?

bhsolberg commented 6 months ago

Bump... or, is the conclusion that only setting the seccomp option to "unconfined" will make this work?

phdelodder commented 2 months ago

@bhsolberg I introduced a NON_ROOT env option; could you see if it's fixed?

senilio commented 1 month ago

Will close this issue in a couple of days due to it going stale