Sysbox Installation Issue due to Sysbox-mgr

Tried to install sysbox and faced issue with sysbox-mgr.

Below is details about the server I am installing Sysbox in:

Kernel version: 5.4.65-1-pve
Distro: Ubuntu 20.04 (LTS) Focal
Architecture: amd64

Below is the error encountered during installation:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'sysbox-ce' instead of './sysbox-ce_0.5.0-0.linux_amd64.deb'
The following NEW packages will be installed:
  sysbox-ce
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 0 B/11.2 MB of archives.
After this operation, 40.8 MB of additional disk space will be used.
Get:1 /home/admin/staging/sysbox-docker-test/sysbox-ce_0.5.0-0.linux_amd64.deb sysbox-ce amd64 0.5.0-0.linux [11.2 MB]
Selecting previously unselected package sysbox-ce.
(Reading database ... 84737 files and directories currently installed.)
Preparing to unpack .../sysbox-ce_0.5.0-0.linux_amd64.deb ...
Unpacking sysbox-ce (0.5.0-0.linux) ...
Setting up sysbox-ce (0.5.0-0.linux) ...

Your OS does not support 'idmapped' feature (kernel < 5.12), nor it  provides 'shiftfs' support. In consequence, applications within Sysbox  containers may be unable to access volume-mounts, which will show up as  owned by 'nobody:nogroup' inside the container. Refer to Sysbox  installation documentation for details.

Configfs kernel module could not be loaded. Configfs may be required by certain applications running inside a Sysbox container.

Docker bridge-ip network to configure (172.20.0.1/16) overlaps with existing system subnet. Installation process will skip this docker network setting. Please manually configure docker's 'bip' subnet to avoid connectivity issues.

The linux kernel headers package was not found. This may be expected by user applications running within Sysbox containers. Please install it with this command:
    "sudo apt-get install -y linux-headers-$(uname -r)"

Created symlink /etc/systemd/system/sysbox.service.wants/sysbox-fs.service → /lib/systemd/system/sysbox-fs.service.
Created symlink /etc/systemd/system/sysbox.service.wants/sysbox-mgr.service → /lib/systemd/system/sysbox-mgr.service.
Created symlink /etc/systemd/system/multi-user.target.wants/sysbox.service → /lib/systemd/system/sysbox.service.
Job for sysbox-mgr.service failed because the control process exited with error code.
See "systemctl status sysbox-mgr.service" and "journalctl -xe" for details.
A dependency job for sysbox.service failed. See 'journalctl -xe' for details.

Error encountered when running "sudo apt-get install -y linux-headers-$(uname -r)"

Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package linux-headers-5.4.65-1-pve
E: Couldn't find any package by glob 'linux-headers-5.4.65-1-pve'
E: Couldn't find any package by regex 'linux-headers-5.4.65-1-pve'

Logs shown when running "sudo systemctl journalctl-xe"

Jul 05 19:24:16 SERC-S1 sysbox-mgr[23181]: time="2022-07-05 19:24:16" level=info msg="Starting ..."
Jul 05 19:24:16 SERC-S1 sysbox-mgr[23181]: time="2022-07-05 19:24:16" level=fatal msg="failed to create sysbox-mgr: preflight check failed: failed to modprobe configfs: exit status 1"
Jul 05 19:24:16 SERC-S1 systemd[1]: sysbox-mgr.service: Main process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- An ExecStart= process belonging to unit sysbox-mgr.service has exited.
-- 
-- The process' exit code is 'exited' and its exit status is 1.
Jul 05 19:24:16 SERC-S1 systemd[1]: sysbox-mgr.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- The unit sysbox-mgr.service has entered the 'failed' state with result 'exit-code'.
Jul 05 19:24:16 SERC-S1 systemd[1]: Failed to start sysbox-mgr (part of the Sysbox container runtime).
-- Subject: A start job for unit sysbox-mgr.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit sysbox-mgr.service has finished with a failure.
-- 
-- The job identifier is 83947 and the job result is failed.
Jul 05 19:24:16 SERC-S1 systemd[1]: Dependency failed for Sysbox container runtime.
-- Subject: A start job for unit sysbox.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit sysbox.service has finished with a failure.
-- 
-- The job identifier is 83997 and the job result is dependency.
Jul 05 19:24:16 SERC-S1 systemd[1]: sysbox.service: Job sysbox.service/start failed with result 'dependency'.
Jul 05 19:24:16 SERC-S1 systemd[1]: Starting sysbox-fs (part of the Sysbox container runtime)...
-- Subject: A start job for unit sysbox-fs.service has begun execution
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit sysbox-fs.service has begun execution.
-- 
-- The job identifier is 83897.
Jul 05 19:24:17 SERC-S1 sysbox-fs[23188]: time="2022-07-05 19:24:17" level=info msg="Initiating sysbox-fs ..."
Jul 05 19:24:17 SERC-S1 sysbox-fs[23188]: time="2022-07-05 19:24:17" level=info msg="Initializing with 'allow-immutable-remounts' knob disabled (default)"
Jul 05 19:24:17 SERC-S1 sysbox-fs[23188]: time="2022-07-05 19:24:17" level=info msg="Initializing with 'allow-immutable-unmounts' knob enabled (default)"
Jul 05 19:24:17 SERC-S1 sysbox-fs[23188]: time="2022-07-05 19:24:17" level=info msg="FUSE dir = /var/lib/sysboxfs"
Jul 05 19:24:17 SERC-S1 sysbox-fs[23188]: time="2022-07-05 19:24:17" level=info msg="IOvec memParser elected"
Jul 05 19:24:17 SERC-S1 sysbox-fs[23188]: time="2022-07-05 19:24:17" level=info msg="Listening on /run/sysbox/sysfs.sock"
Jul 05 19:24:17 SERC-S1 systemd[1]: Started sysbox-fs (part of the Sysbox container runtime).
-- Subject: A start job for unit sysbox-fs.service has finished successfully
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit sysbox-fs.service has finished successfully.
-- 
-- The job identifier is 83897.

Prints shown after running "sudo systemctl list-units -t service --all | grep sysbox"

  sysbox-fs.service                      loaded    active   running sysbox-fs (part of the Sysbox container runtime)         
● sysbox-mgr.service                     loaded    failed   failed  sysbox-mgr (part of the Sysbox container runtime)        
  sysbox.service                         loaded    inactive dead    Sysbox container runtime

I have tried a couple of things, such as installing pve-headers-5.4.65-1-pve and also shiftfs, but nothing seems to work. I guess the installation of shiftfs is working, as illustrated by below prints when running "modinfo shiftfs"

filename:       /lib/modules/5.4.65-1-pve/updates/dkms/shiftfs.ko
license:        GPL v2
description:    id shifting filesystem
author:         Christian Brauner <christian.brauner@ubuntu.com>
author:         Seth Forshee <seth.forshee@canonical.com>
author:         James Bottomley
alias:          fs-shiftfs
srcversion:     225AF9C817280FFD72CB9A8
depends:        
retpoline:      Y
name:           shiftfs
vermagic:       5.4.65-1-pve SMP mod_unload modversions

Anyone knows how to make the installation work?

Hi @kokleong9406, a few comments below...

First of all, I would suggest installing the latest Sysbox version (i.e., v0.5.2) as there are important fixes since v0.5.0.

"Your OS does not support 'idmapped' feature (kernel < 5.12), nor it provides 'shiftfs' support. In consequence, applications within Sysbox containers may be unable to access volume-mounts, which will show up as owned by 'nobody:nogroup' inside the container. Refer to Sysbox installation documentation for details."

The above message shouldn't be displayed now that you installed shiftfs.

"Docker bridge-ip network to configure (172.20.0.1/16) overlaps with existing system subnet. Installation process will skip this docker network setting. Please manually configure docker's 'bip' subnet to avoid connectivity issues."

This is a warning to let you know that if you were to run inner containers (that is, containers within a sysbox container), then chances are that you could run into traffic forwarding issues given that the inner network subnet overlaps with the outer (host-level) one. This is probably a direct consequence of your /etc/docker/daemon.json being already configured with a default bip that matches the sysbox's default one (172.20.0.1). If that's the case, you can easily workaround these potential issues by changing your host-level dockerd config.

"Configfs kernel module could not be loaded. Configfs may be required by certain applications running inside a Sysbox container."

This is the one preventing sysbox-mgr daemon to run. We are currently working on relaxing this requirement, but i'm surprised to see that this is affecting an Ubuntu system as configfs kernel module is loaded by default in most distros (including Ubuntu). What's the output you see if you do: modprobe configfs?

Thanks for the suggestion. Okay, modprobe configsfs produces below output:

admin@SERC-S1:~$ modprobe configfs
modprobe: FATAL: Module configfs not found in directory /lib/modules/5.4.65-1-pve

Seems like that kernel (5.4.65-1-pve, Proxmox?) does not have configfs built-in, so that's not going to work unfortunately until we relax the requirement for configfs in sysbox-mgr.

Is there a different Ubuntu kernel you can try (they typically do come with configfs built-in)?

Thanks for the info. I was just testing sysbox installation in one of my ubuntu server (in the problem statement highlighted in this open issue) which does not work. And I just wanted to confirm are there any methods to make the installation succeed. The answer seems to be a no at the moment.

On the other hand, I have another Ubuntu in which sysbox installation work though :) By the way, since my ubuntu is using 172.20.x.x subnet for DNS lookup, may I check with you how can I "change my host level Dockerd config" as suggested above?

Thanks for the info. I was just testing sysbox installation in one of my ubuntu server (in the problem statement highlighted in this open issue) which does not work. And I just wanted to confirm are there any methods to make the installation succeed. The answer seems to be a no at the moment.

That's right.

On the other hand, I have another Ubuntu in which sysbox installation work though :)

Ok great to hear. Hope you find it useful!

By the way, since my ubuntu is using 172.20.x.x subnet for DNS lookup, may I check with you how can I "change my host level Dockerd config" as suggested above?

Can you post the contents of the /etc/docker/daemon.json file on the host where the sysbox installer issued the warning?

Thanks!

The sysbox installation that is successful in my other Ubuntu, the installation succeeded without any warnings. After installation, my /etc/docker/daemon.json looks like below:

Lets call this Config 1

{
    "storage-driver": "overlay2",
    "features": {
        "buildkit": true
    },
    "default-address-pools": [
        {
            "base": "172.18.0.0/16",
            "size": 24
        },
        {
            "base": "172.19.0.0/16",
            "size": 24
        },
        {
            "base": "172.21.0.0/16",
            "size": 24
        }
    ],
    "runtimes": {
        "sysbox-runc": {
            "path": "/usr/bin/sybsbox-runc"
        }
    },
    "bip": "172.20.0.1/16",
    "default-runtime": "sysbox-runc"
}

In Config 2, I changed the bip to 172.22.0.1/16. I just arbitrarily chose "22", i.e., any number except "20" In Config 3, I removed bip and default-runtime

With both Config 1 and Config 2, I am not able to build system image with this Dockerfile:

FROM ubuntu:18.04

RUN apt-get update && \
    apt-get install -y gcc build-essential wget curl nano ca-certificates curl gnupg lsb-release && \
    mkdir -p /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null && \
    echo "Installing docker-ce-cli" && \
    apt-get update && \
    apt-get -y install ca-certificates curl gnupg lsb-release && \
    mkdir /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
    apt-get update && \
    apt-get -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin && \

COPY docker_pull_inner_image.sh /usr/bin
RUN chmod +x /usr/bin/docker_pull_inner_image.sh && docker_pull_inner_image.sh && rm /usr/bin/docker_pull_inner_image.sh

Below is the build error encountered with Config 1:

(cwl_airflow_venv_v2) kokleong@ldap:~/projects/docker-test/sysbox-test$ docker build --no-cache -f Dockerfile_v1 -t test:test .
[+] Building 20.4s (3/3) FINISHED                                                                                                                                                                                                                                                  
 => [internal] load build definition from Dockerfile_v1                                                                                                                                                                                                                       0.0s
 => => transferring dockerfile: 1.34kB                                                                                                                                                                                                                                        0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                                                             0.0s
 => => transferring context: 2B                                                                                                                                                                                                                                               0.0s
 => ERROR [internal] load metadata for docker.io/library/ubuntu:18.04                                                                                                                                                                                                        20.0s
------
 > [internal] load metadata for docker.io/library/ubuntu:18.04:
------
failed to solve with frontend dockerfile.v0: failed to create LLB definition: failed to do request: Head "https://registry-1.docker.io/v2/library/ubuntu/manifests/18.04": dial tcp: lookup registry-1.docker.io on 127.0.0.53:53: read udp 127.0.0.1:33069->127.0.0.53:53: i/o timeout

Below is the build error encountered with Config 2:

(cwl_airflow_venv_v2) kokleong@ldap:~/projects/docker-test/sysbox-test$ docker build --no-cache -f Dockerfile_v1 -t test:test .
[+] Building 123.9s (5/6)                                                                                                                                                                                                                                                          
 => [internal] load build definition from Dockerfile_v1                                                                                                                                                                                                                       0.0s
 => => transferring dockerfile: 41B                                                                                                                                                                                                                                           0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                                                             0.0s
 => => transferring context: 2B                                                                                                                                                                                                                                               0.0s
 => [internal] load metadata for docker.io/library/ubuntu:18.04                                                                                                                                                                                                               2.4s
 => CACHED [1/3] FROM docker.io/library/ubuntu:18.04@sha256:478caf1bec1afd54a58435ec681c8755883b7eb843a8630091890130b15a79af                                                                                                                                                  0.0s
 => ERROR [2/3] RUN apt-get update &&     apt-get install -y gcc build-essential wget curl nano ca-certificates curl gnupg lsb-release &&     mkdir -p /etc/apt/keyrings &&     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/k  121.3s
------                                                                                                                                                                                                                                                                             
 > [2/3] RUN apt-get update &&     apt-get install -y gcc build-essential wget curl nano ca-certificates curl gnupg lsb-release &&     mkdir -p /etc/apt/keyrings &&     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg &&     echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null &&     echo "Installing docker-ce-cli" &&     apt-get update &&     apt-get -y install ca-certificates curl gnupg lsb-release &&     mkdir /etc/apt/keyrings &&     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg &&     echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null &&     apt-get update &&     apt-get -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin && COPY docker_pull_inner_image.sh /usr/bin:                                                                                                                                                                                                                                                    
#5 41.08 Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
#5 41.08   Temporary failure resolving 'archive.ubuntu.com'
#5 41.09 Err:2 http://security.ubuntu.com/ubuntu bionic-security InRelease
#5 41.09   Temporary failure resolving 'security.ubuntu.com'
#5 81.11 Err:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
#5 81.11   Temporary failure resolving 'archive.ubuntu.com'
#5 121.1 Err:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
#5 121.1   Temporary failure resolving 'archive.ubuntu.com'
#5 121.2 Reading package lists...
#5 121.2 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease  Temporary failure resolving 'archive.ubuntu.com'
#5 121.2 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
#5 121.2 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
#5 121.2 W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
#5 121.2 W: Some index files failed to download. They have been ignored, or old ones used instead.
#5 121.2 Reading package lists...
#5 121.2 Building dependency tree...
#5 121.2 Reading state information...
#5 121.2 Package gnupg is not available, but is referred to by another package.
#5 121.2 This may mean that the package is missing, has been obsoleted, or
#5 121.2 is only available from another source
#5 121.2 
#5 121.2 Package ca-certificates is not available, but is referred to by another package.
#5 121.2 This may mean that the package is missing, has been obsoleted, or
#5 121.2 is only available from another source
#5 121.2 
#5 121.2 E: Unable to locate package gcc
#5 121.2 E: Unable to locate package build-essential
#5 121.2 E: Unable to locate package wget
#5 121.2 E: Unable to locate package curl
#5 121.2 E: Unable to locate package nano
#5 121.2 E: Package 'ca-certificates' has no installation candidate
#5 121.2 E: Unable to locate package curl
#5 121.2 E: Package 'gnupg' has no installation candidate
#5 121.2 E: Unable to locate package lsb-release
------

executor failed running [/bin/sh -c apt-get update &&     apt-get install -y gcc build-essential wget curl nano ca-certificates curl gnupg lsb-release &&     mkdir -p /etc/apt/keyrings &&     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg &&     echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null &&     echo "Installing docker-ce-cli" &&     apt-get update &&     apt-get -y install ca-certificates curl gnupg lsb-release &&     mkdir /etc/apt/keyrings &&     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg &&     echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null &&     apt-get update &&     apt-get -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin && COPY docker_pull_inner_image.sh /usr/bin]: exit code: 100

With Config 3, I am able to build the image successfully.

[..] With Config 3, I am able to build the image successfully.

I figured out the same. I have 4 Ubuntu 22.04 servers running on an Intel NUC (all different types), all configured via ansible. What you describe with regards to configuration is the same I experienced: don't set the bip and runtime, then it mostly works. Sometimes sysbox stops working, which I can detect in this way:

$ systemctl --failed
  UNIT               LOAD   ACTIVE SUB    DESCRIPTION
● sysbox-mgr.service loaded failed failed sysbox-mgr (part of the Sysbox container runtime)

and because gitlab-runner (which uses sysbox as a runtime) can no longer connect to the docker socket:

ERROR: Job failed (system failure): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? (docker.go:856:0s)

but sysbox-runc seems to work (as far as this is to be considered a relevant test):

$ sysbox-runc list
ID          PID         STATUS      BUNDLE      CREATED     OWNER

A reboot and then a recreate of the gitlab-runner container sometimes(!) fixes the problem. Because its this inconsistent, I didn't really know how to create a proper issue for it.

I hope this adds anything useful at all. Thank you for sharing about the docker daemon config problem though, It helped me.

Hi @kokleong9406, apologies for the belated reply.

The overall goal with the subnet configs is to ensure the nested Docker Engine (which by default will use subnet 172.17.0.0) does not overlap with the subnets used by the Docker Engine on the host.

Thus, the subnet config in "Config1" looks OK, except for extra caution I would configure the subnets for the default-address-pools to 172.21.0.0, 172.22.00, 172.23.0.0, and above. I would shy away from 172.18.0.0 or 172.19.0.0 since the nested Docker Engine could end up using those subnets (they are close to its default 172.17.0.0).

Having said this, it's not clear to me that this is the reason you see the failure in the nested build.

The best way to debug that failure is to launch an interactive container with Docker + Sysbox, and then follow the steps of the Dockerfile, particularly the docker_pull_inner_image.sh step since that's where the nested Docker Engine gets started and container images are pulled inside the Sysbox container.

We do test and use this technique quite a bit, so I am confident it works well.

Regarding the errors you reported:

failed to solve with frontend dockerfile.v0: failed to create LLB definition: failed to do request: Head "https://registry-1.docker.io/v2/library/ubuntu/manifests/18.04": dial tcp: lookup registry-1.docker.io on 127.0.0.53:53: read udp 127.0.0.1:33069->127.0.0.53:53: i/o timeout

That does appear to be network related, though it's not clear to me how Config1 could have caused this.

=> ERROR [2/3] RUN apt-get update && apt-get install -y gcc build-essential wget ...

Weird that you would get an error there. Try running the sysbox container interactively and doing apt-get update, and see if you get the same errors.

Also, I noticed you are using a base image of ubuntu:18.04; try a newer ubuntu version just in case.

With Config 3, I am able to build the image successfully.

I don't see how that can be: with config3 the default runtime reverts back to "runc", but then that would cause the Docker Engine to not start properly inside the container and pull the inner images. Not sure how that could work ...

Hope that helps!

Hi @jeroenhendricksen,

Thanks for giving Sysbox a shot, and sorry to hear you run into some trouble. Happy to help though.

Sometimes sysbox stops working

Looks like sysbox-mgr stopped working, generally you can check the sysbox-mgr log to see why (e.g., journalctl -u sysbox-mgr).

However, please file a separate issue (or join the Sysbox slack channel) since it appears to be different that what this issue is covering.

@kokleong9406, @jeroenhendricksen, I believe the issues being reported have been addressed with the latest changes (i.e., elimination of the configfs requirement), as well as the answers provided above. I will go ahead and close this issue now. Please, reopen it if you're still facing installation issues.

nestybox / sysbox

Sysbox Installation Issue due to Sysbox-mgr #569