flatcar / Flatcar

Flatcar project repository for issue tracking, project documentation, etc.
https://www.flatcar.org/
Apache License 2.0

Unable to run `./run_sdk_container -t` with rootless Docker #1393

Open george-angel opened 4 months ago

george-angel commented 4 months ago

Description

Attempting to run `$ ./run_sdk_container -t` results in the following error:

Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open /dev/console: permission denied: unknown

My guess is this is because Docker is running in rootless mode.

Impact

Not able to start Flatcar SDK.

Environment and steps to reproduce

  1. Running Arch Linux, with following Docker setup: https://wiki.archlinux.org/title/docker#Rootless_Docker_daemon
  2. Check out https://github.com/flatcar/scripts and try to run `$ ./run_sdk_container -t`
  3. Error:
     Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open /dev/console: permission denied: unknown

Expected behavior

No error :)

I'm guessing it's to do with this mount: https://github.com/flatcar/scripts/blob/flatcar-3874/run_sdk_container#L140 . https://github.com/containers/podman/issues/6772#issuecomment-650084082 feels like a relevant explanation, although the project is different.

jepio commented 4 months ago

We use loopback mounts from the SDK, which requires access to /dev/loop-control but also access to /dev/loopX devices, as they are created by udev on the host. So unfortunately this requires access to the host's /dev and I don't think it'll work rootless.

I would be happy if someone proved me wrong.

t-lo commented 3 months ago

Unfortunately @jepio is correct; for the same reason using podman requires sudo (which we wrap in the run_sdk_container scripts). Loopback mounts are required by build_image and image_to_vm.sh to build base OS and vendor images. That said, we're entirely open to modernising that part of our build logic by e.g. using a rootless image builder like mkosi. So if someone would want to take on this endeavour we'd be very open to it, and supportive.
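A pre-flight check in the spirit of the two comments above, added here as an example and not part of flatcar/scripts: it looks for the rootless marker in the daemon's `SecurityOptions` (as printed by the real `docker info --format '{{.SecurityOptions}}'`) and verifies that the loop-device nodes the SDK needs are reachable, so the cause is reported before `run_sdk_container` fails on `/dev`. The function names and the `--check` flag are my own.

```shell
#!/bin/sh
# Pre-flight check for the Flatcar SDK container (added example, not the
# project's code). The SDK loop-mounts images, so it needs a rootful daemon
# and access to the host's /dev/loop-control and /dev/loopN nodes.

# Returns 0 when the given `docker info --format '{{.SecurityOptions}}'`
# output marks the daemon as rootless, 1 otherwise.
is_rootless_daemon() {
    case "$1" in
        *name=rootless*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the loop-control node in directory $1 (normally /dev)
# exists and is writable by the current user, 1 otherwise.
loop_control_usable() {
    node="$1/loop-control"
    [ -e "$node" ] && [ -w "$node" ]
}

# Prints the number of loopN device nodes present in directory $1.
count_loop_nodes() {
    n=0
    for f in "$1"/loop[0-9]*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Live check against this machine; returns 2 if docker is not reachable.
preflight() {
    opts=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null) || {
        echo "docker not reachable; skipping daemon check"; return 2; }
    if is_rootless_daemon "$opts"; then
        echo "Docker daemon is rootless: run_sdk_container needs the host's /dev (loop devices)"
        return 1
    fi
    if ! loop_control_usable /dev; then
        echo "/dev/loop-control is missing or not writable by $(id -un)"
        return 1
    fi
    echo "ok: rootful daemon, /dev/loop-control usable, $(count_loop_nodes /dev) loopN nodes present"
}

case "${1:-}" in
    --check) preflight ;;
esac
```

Run it as `sh preflight.sh --check` on the build host; a non-zero exit with the printed reason is the signal that the SDK container will not start under that daemon.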