gotoz / runq

run regular Docker images in KVM/Qemu
Apache License 2.0

Container going for restart loop with latest qemu version #30

Closed NiranjanUv closed 5 months ago

NiranjanUv commented 7 months ago

Brief description

We updated the qemu version to 4.4.16 - 1:4.2-3ubuntu6.28 and see that the container is going into a restart loop. qemu has recently released a new version to fix the CVE-2023-2861 vulnerability.

The error seen is 9p: broken or compromised client detected; attempt to open special file (i.e. neither regular file, nor directory).

Steps to reproduce the issue

  1. Create container with runq. It will go into a restart loop.

Expected behaviour

Container should be stable and not restart.

Actual behaviour

Container in restart loop

Content of section runtimes of /etc/docker/daemon.json

{
    "data-root": "/var/lib/quotagroups/lv_data_pool/appliance_data/docker",
    "log-driver": "json-file",
    "log-opts": {
        "max-size": "10m",
        "max-file": "3"
    },
    "group": "uwsgi",
    "hosts": [
        "unix:///var/run/docker.sock"
    ],
    "dns": [
        "9.152.120.241",
        "9.152.64.172"
    ],
    "runtimes": {
        "runq": {
            "path": "/var/lib/runq/runq",
            "runtimeArgs": [
                "--cpu",
                "1",
                "--mem",
                "512",
                "--dns",
                "9.152.120.241,9.152.64.172"
            ]
        }
    },
    "bip": "10.0.1.1/16",
    "default-runtime": "runq",
    "seccomp-profile": "/etc/docker/default.json"
}

Content of /var/lib/runq/qemu/proxy --version

d60f677 (go1.21.5)

Content of docker --version

Docker version 24.0.5, build 24.0.5-0ubuntu1~20.04.1

Additional information

pmorjan commented 7 months ago

Newer versions of Qemu prevent the use of "special files" such as sockets or device nodes on 9pFS.

https://www.mail-archive.com/qemu-devel@nongnu.org/msg967749.html

The new behavior may cause problems for containers that rely on "special files," such as "Docker in Docker". A possible solution is to use a root disk instead of 9pFS. I have adapted the examples under 'test/examples' accordingly. Please let me know if this helps.
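A pre-flight check for the behavior described in the comment above, as an added example that is not part of the original thread or of runq: it walks a directory tree and lists the sockets, FIFOs and device nodes in it, the file types that are neither regular file nor directory. The function names are hypothetical, the directory to scan is passed as an argument, and leaving symlinks out of the report is an assumption of this example.

```python
import os
import stat
import sys

# File types that are "neither regular file, nor directory" (wording of the
# QEMU 9p error). Symlinks are not reported: an assumption of this example.
SPECIAL_KINDS = (
    (stat.S_ISSOCK, "socket"),
    (stat.S_ISFIFO, "fifo"),
    (stat.S_ISCHR, "char-device"),
    (stat.S_ISBLK, "block-device"),
)


def classify(mode):
    """Return the special-file kind for an st_mode value, or None."""
    for predicate, name in SPECIAL_KINDS:
        if predicate(mode):
            return name
    return None


def find_special_files(root):
    """Walk root without following symlinks; return sorted (relpath, kind)."""
    found = []
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(current))
        except OSError as exc:  # unreadable directory: report and move on
            print(f"skip {current}: {exc}", file=sys.stderr)
            continue
        for entry in entries:
            try:
                mode = entry.stat(follow_symlinks=False).st_mode
            except OSError:  # entry vanished between scandir and stat
                continue
            if stat.S_ISDIR(mode):
                stack.append(entry.path)
            elif classify(mode):
                rel = os.path.relpath(entry.path, root)
                found.append((rel, classify(mode)))
    return sorted(found)


if __name__ == "__main__":
    # Usage: python3 scan.py <directory exported to the guest over 9pFS>
    for path, kind in find_special_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}")
```

Sockets and FIFOs created at run time by the workload only show up while the container is running, so a scan of a stopped root filesystem can come back empty.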

NiranjanUv commented 7 months ago

Seeing a different error while using ROOTFS - [proxy d60f677] rootdisk "0001" not found. Is any code change required apart from the docker run command example?

pmorjan commented 5 months ago

No. (sorry for the delay)