docker-library / docker

Docker Official Image packaging for Docker
Apache License 2.0

Docker in Docker: 'unshare: operation not permitted' when running GitHub Actions Runner on Azure Container Apps #513

Open Shaannks opened 3 days ago

Shaannks commented 3 days ago

I'm encountering an issue when running a self-hosted GitHub Actions runner inside Azure Container Apps, which uses a Docker-in-Docker installation. The Docker daemon starts up successfully with the fuse-overlayfs storage driver, but when attempting to pull an image, I receive the following error:

failed to register layer: unshare: operation not permitted Warning: Docker pull failed with exit code 1, back off 5.716 seconds before retry.


Docker Version: Version: 27.3.1

Seccomp Configuration: I tried setting the seccomp profile to unconfined.

Custom Seccomp Policy: Created a seccomp policy that allows the unshare syscall, but the issue persists.

User Namespace: Attempted to set up user namespace remapping for a non-root user, but this also did not resolve the issue.

(I have not configured any storage at Azure; I guess it won't make any difference.)

I would appreciate any guidance or solutions to resolve this issue. If there are specific configurations or permissions that need to be adjusted in the Docker setup for Azure Container Apps, please let me know.

tianon commented 2 days ago

fuse-overlayfs sounds like you're trying to use the -rootless variants, which are quite a bit fiddlier to get working properly in my experience -- is that accurate? Is there a reason you might be doing so? (and/or why you wouldn't simply be using the overlay2 driver if not?)

Shaannks commented 2 days ago

@tianon - I tried both rootless and root but ended up facing the same error. While trying different storage drivers I saw only fuse-overlayfs working; the daemon won't start with any other storage driver.

Shaannks commented 2 days ago

daemon: dockerd --iptables=False --ip6tables=False


seccomp: no luck with this

Shaannks commented 2 days ago

failed to start daemon: error initializing graphdriver: driver not supported: overlay2

tianon commented 2 days ago

Your container is definitely running with privileged? (even for the rootless variant, that's required)

You'll also want to verify/validate that you've got actual local storage mounted at /var/lib/docker inside the container (something like NFS is going to be a bad time -- you need something that the overlay2 driver supports as an underlay like actual ext4).
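As an added diagnostic (example code written for this thread, not part of the issue or of the docker-library/docker project), the script below checks from inside the runner container the two things asked about above: whether the process actually holds an effective CAP_SYS_ADMIN, which is what a privileged container provides and what unshare(2) of a mount namespace requires, and whether dockerd's data-root sits on a local ext4/xfs filesystem rather than on the container's own overlay rootfs or on NFS. It also exercises unshare(1) directly, so the refusal the reporter sees during `docker pull` can be reproduced without pulling anything. Assumptions: Linux, GNU or busybox stat(1), util-linux unshare(1), /proc mounted, and /var/lib/docker as the data-root; the capability number 21 for CAP_SYS_ADMIN comes from <linux/capability.h>.

```shell
#!/bin/sh
# dind-prereqs.sh: added example (not from docker-library/docker) that checks, from inside
# the runner container, the prerequisites for running dockerd with the overlay2 driver:
#   1. an effective CAP_SYS_ADMIN, which a --privileged container has and which
#      unshare(2) of a mount namespace requires;
#   2. a local ext4/xfs filesystem (not the container's own overlay rootfs, not NFS)
#      mounted at dockerd's data-root.
# Assumptions: Linux, GNU or busybox stat(1), util-linux unshare(1), /proc mounted.

DOCKER_ROOT="${DOCKER_ROOT:-/var/lib/docker}"  # dockerd's default data-root (assumption)
CAP_SYS_ADMIN=21                               # capability number from <linux/capability.h>

# cap_in_mask HEXMASK CAPNUM: succeeds when bit CAPNUM is set in HEXMASK, where HEXMASK
# is written the way /proc/<pid>/status prints it (e.g. "CapEff: 000001ffffffffff").
cap_in_mask() {
  [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# current_cap_eff: effective capability mask of this process, read from /proc/self/status.
current_cap_eff() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# fs_type_of PATH: filesystem type name as stat(1) reports it (empty if PATH is missing).
fs_type_of() {
  stat -f -c %T "$1" 2>/dev/null
}

# overlay2_backing_ok FSTYPE: succeeds for the backing filesystems the overlay2 driver
# supports (ext4, which GNU stat prints as "ext2/ext3", and xfs built with ftype=1).
# overlayfs itself, nfs, tmpfs and fuse are rejected: overlay cannot be stacked on
# overlay, and network or pseudo filesystems lack the features overlay2 needs.
overlay2_backing_ok() {
  case "$1" in
    ext2/ext3|ext4|xfs) return 0 ;;
    *)                   return 1 ;;
  esac
}

# main: run the three checks, print a verdict per check, return 1 if any failed.
main() {
  rc=0

  capeff="$(current_cap_eff)"
  if cap_in_mask "$capeff" "$CAP_SYS_ADMIN"; then
    echo "ok:      CAP_SYS_ADMIN effective (CapEff=$capeff)"
  else
    echo "problem: no CAP_SYS_ADMIN (CapEff=$capeff); the container is not privileged"
    rc=1
  fi

  fstype="$(fs_type_of "$DOCKER_ROOT")"
  if overlay2_backing_ok "$fstype"; then
    echo "ok:      $DOCKER_ROOT is on $fstype"
  else
    echo "problem: $DOCKER_ROOT is on '${fstype:-<missing>}'; mount a local ext4/xfs volume there for overlay2"
    rc=1
  fi

  # The reporter's pull failure came from unshare(2); exercise it directly so the
  # refusal shows up without a docker pull. CLONE_NEWNS needs CAP_SYS_ADMIN and must
  # not be blocked by the seccomp/AppArmor profile applied to the container.
  if unshare --mount true 2>/dev/null; then
    echo "ok:      unshare(CLONE_NEWNS) permitted"
  else
    echo "problem: unshare(CLONE_NEWNS) refused (capability or seccomp/AppArmor policy)"
    rc=1
  fi

  return $rc
}

# Run the checks only when invoked as "sh dind-prereqs.sh check"; otherwise the file
# just defines the functions so they can be sourced from another script.
if [ "${1:-}" = "check" ]; then
  main
  exit $?
fi
```

Run it with `sh dind-prereqs.sh check` inside the container that will host dockerd; a "problem" line for the capability check is the same condition that produces "unshare: operation not permitted" during layer registration, and a "problem" line for the data-root filesystem is what makes dockerd refuse to start with "driver not supported: overlay2" and fall back to needing fuse-overlayfs. When the data-root reports as overlay or fuse, the fix is to mount a real local volume at /var/lib/docker rather than to change the seccomp profile.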