Can't run in background

[geerlingguy]

I am able to run oneshot commands with the container, but if I try using an example from the repo:

docker run --detach --privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro geerlingguy/docker-fedora37-ansible:latest

I see the container as exited (255) in the ps output:

$ docker ps -a
CONTAINER ID   IMAGE                                        COMMAND            CREATED         STATUS                       PORTS     NAMES
8d336e488a23   geerlingguy/docker-fedora37-ansible:latest   "/usr/sbin/init"   5 seconds ago   Exited (255) 4 seconds ago             admiring_hertz

Therefore, if I try running the example command on the running container, it fails:

$ docker exec --tty 8d33 env TERM=xterm ansible --version
Error response from daemon: Container 8d336e488a2315fddfb3e23ad5131bd08e875b45971e1ec926a64a3491cc0242 is not running

Looking at the Fedora 37 ChangeSet, I don't see anything pointing to a breaking change in the way the init system/systemd is set up...

[stefangweichinger]

Subscribed here after you pointed me here. Tried to reproduce, I see the exact same behavior so far.

[jadams]

I'm fairly sure this is a problem with cgroups v2 and user namespace remapping in docker. Same problem as https://github.com/freeipa/freeipa-container/issues/429

tl;dr is that you need to add

{ "userns-remap": "default" }

to /etc/docker/daemon.json

which is the right way to do it, the wrong way like I responded with on twitter is to do

docker run --detach --cgroupns host --tmpfs /tmp --tmpfs /run --volume=/sys/fs/cgroup:/sys/fs/cgroup geerling
guy/docker-fedora37-ansible:latest

which is not recommended since now your docker container has control over your host cgroups but then you don't have to enabel userns-remap which in my case broke most interactions between existing containers