nestybox / sysbox

An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
Apache License 2.0

Docker's `--ipc=shareable` does not work with Sysbox #482

Open mviereck opened 2 years ago

mviereck commented 2 years ago

If I try to share the same IPC namespace between two containers, the first one started with `--ipc=shareable` and the second one with `--ipc=container:CONTAINERID`, I get this error when starting the second container:

docker: Error response from daemon: failed to create shim task: OCI runtime create failed: container_linux.go:419: starting container process caused: process_linux.go:607: container init caused: rootfs_linux.go:67: setting up rootfs mounts caused: rootfs_linux.go:1122: mounting "mqueue" to rootfs "/var/lib/sysbox/rootfs/cdf52a9bd7a7ce08f5ed3cbf226ed2133a5533535a4053d3c36253ba36df700a/top/merged" at "dev/mqueue" caused: operation not permitted: unknown.

Another IPC issue: if I start with `--ipc=host` I get:

docker: Error response from daemon: failed to create shim task: OCI runtime create failed: error in the container spec: invalid namespace config: container spec missing namespaces Set{ipc}: unknown.

The second error message sounds like there is no IPC option specified.

This happened with the Sysbox test version for ID-mapped mounts (0.5.0-dev), but I assume the IPC issue is unrelated to the mounts.

ctalledo commented 2 years ago

Hi @mviereck , thanks for filing the issue.

The `--ipc=shareable` should work, but I can see why it would fail right now: Sysbox always uses the user namespace (userns) in containers, and the ipc namespace is a "child" of the container's userns. Thus, sharing an ipc ns between containers implies sharing the user-ns, and Sysbox is not realizing this. As a side note, Sysbox does do this for the network namespace (if it detects 2 containers are on the same network ns, it will place them on the same parent user-ns).

The `--ipc=host` won't work with Sysbox, because you can't do this for containers that use the user-ns. More info here. I need to add `--ipc` to the table shown in there.
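As an added example (not from the sysbox project and not posted by anyone in this thread), here is a small POSIX shell script that makes the namespace relationship above observable: it reads the ipc and user namespace identities of two processes from `/proc/PID/ns/` and reports whether the two share an ipc namespace and whether they sit in the same user namespace. The PIDs are assumed to come from elsewhere, for instance `docker inspect -f '{{.State.Pid}}' NAME` for each container's init process (the container names are hypothetical).

```shell
#!/bin/sh
# Added example, not part of the sysbox project or this issue thread.
# Assumptions: Linux with /proc mounted, and permission to read the
# /proc/PID/ns/ symlinks of both processes (same user or root).
# Each symlink target looks like "ipc:[4026531839]"; equal targets mean
# the two processes are in the same namespace instance.

ns_id() {
    # ns_id PID TYPE -> prints "TYPE:[inode]" for that process's namespace
    readlink "/proc/$1/ns/$2"
}

same_ns() {
    # same_ns PID1 PID2 TYPE -> prints "same" or "different"
    if [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]; then
        echo same
    else
        echo different
    fi
}

ipc_share_check() {
    # ipc_share_check PID1 PID2 -> one-word verdict:
    #   shared              same ipc ns and same user ns (what --ipc=container:ID
    #                       needs when both containers run inside a userns)
    #   shared-cross-userns same ipc ns, but the processes are in different
    #                       user namespaces; the ipc ns is owned by one userns,
    #                       so this only works when the owner is an ancestor
    #                       of the other process's userns
    #   separate            different ipc namespaces
    ipc=$(same_ns "$1" "$2" ipc)
    usr=$(same_ns "$1" "$2" user)
    if [ "$ipc" = same ] && [ "$usr" = same ]; then
        echo shared
    elif [ "$ipc" = same ]; then
        echo shared-cross-userns
    else
        echo separate
    fi
}

# Run directly: ./ipc_share_check.sh PID1 PID2
if [ "$#" -eq 2 ]; then
    echo "ipc:  $(ns_id "$1" ipc)  /  $(ns_id "$2" ipc)"
    echo "user: $(ns_id "$1" user) /  $(ns_id "$2" user)"
    ipc_share_check "$1" "$2"
fi
```

Running it against the init PIDs of the two containers from the report lets you see directly whether the second container ever joined the first one's ipc namespace, and whether the two ended up in distinct user namespaces, which is the condition the comment above identifies as the reason the mqueue mount is refused.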

mviereck commented 2 years ago

Thanks for the insight! Would it make sense if Sysbox enabled the same userns in this case where ipc is shared? Or an option like `--userns=container:CONTAINERID`? However, this is not important for me yet.

ctalledo commented 2 years ago

> Would it make sense if Sysbox enabled the same userns in this case where ipc is shared?

Yes, that would be the fix.

> However, this is not important for me yet.

Good to know, thanks.