Closed kokleong9406 closed 2 years ago
Hi @kokleong9406, a few comments below...
First of all, I would suggest installing the latest Sysbox version (i.e., v0.5.2) as there are important fixes since v0.5.0.
"Your OS does not support 'idmapped' feature (kernel < 5.12), nor it provides 'shiftfs' support. In consequence, applications within Sysbox containers may be unable to access volume-mounts, which will show up as owned by 'nobody:nogroup' inside the container. Refer to Sysbox installation documentation for details."
The above message shouldn't be displayed now that you installed shiftfs.
"Docker bridge-ip network to configure (172.20.0.1/16) overlaps with existing system subnet. Installation process will skip this docker network setting. Please manually configure docker's 'bip' subnet to avoid connectivity issues."
This is a warning to let you know that if you were to run inner containers (that is, containers within a sysbox container), then chances are that you could run into traffic forwarding issues given that the inner network subnet overlaps with the outer (host-level) one. This is probably a direct consequence of your `/etc/docker/daemon.json` being already configured with a default `bip` that matches sysbox's default one (`172.20.0.1`). If that's the case, you can easily work around these potential issues by changing your host-level dockerd config.
"Configfs kernel module could not be loaded. Configfs may be required by certain applications running inside a Sysbox container."
This is the one preventing the `sysbox-mgr` daemon from running. We are currently working on relaxing this requirement, but I'm surprised to see that this is affecting an Ubuntu system, as the `configfs` kernel module is loaded by default in most distros (including Ubuntu). What's the output you see if you do `modprobe configfs`?
Thanks for the suggestion. Okay, `modprobe configfs` produces the output below:

```
admin@SERC-S1:~$ modprobe configfs
modprobe: FATAL: Module configfs not found in directory /lib/modules/5.4.65-1-pve
```
Seems like that kernel (5.4.65-1-pve, Proxmox?) does not have configfs built-in, so that's not going to work unfortunately until we relax the requirement for configfs in sysbox-mgr.
Is there a different Ubuntu kernel you can try (they typically do come with configfs built-in)?
Thanks for the info. I was just testing the sysbox installation on one of my Ubuntu servers (the one highlighted in the problem statement of this open issue), which does not work. I just wanted to confirm whether there are any methods to make the installation succeed. The answer seems to be no at the moment.
On the other hand, I have another Ubuntu on which the sysbox installation works though :) By the way, since my Ubuntu is using the 172.20.x.x subnet for DNS lookup, may I check with you how I can "change my host level Dockerd config" as suggested above?
> Thanks for the info. I was just testing the sysbox installation on one of my Ubuntu servers (the one highlighted in the problem statement of this open issue), which does not work. I just wanted to confirm whether there are any methods to make the installation succeed. The answer seems to be no at the moment.

That's right.

> On the other hand, I have another Ubuntu on which the sysbox installation works though :)

Ok great to hear. Hope you find it useful!

> By the way, since my Ubuntu is using the 172.20.x.x subnet for DNS lookup, may I check with you how I can "change my host level Dockerd config" as suggested above?

Can you post the contents of the `/etc/docker/daemon.json` file on the host where the sysbox installer issued the warning?
Thanks!
On my other Ubuntu, where the sysbox installation is successful, the installation succeeded without any warnings. After installation, my `/etc/docker/daemon.json` looks like below.

Let's call this Config 1:

```json
{
  "storage-driver": "overlay2",
  "features": {
    "buildkit": true
  },
  "default-address-pools": [
    {
      "base": "172.18.0.0/16",
      "size": 24
    },
    {
      "base": "172.19.0.0/16",
      "size": 24
    },
    {
      "base": "172.21.0.0/16",
      "size": 24
    }
  ],
  "runtimes": {
    "sysbox-runc": {
      "path": "/usr/bin/sysbox-runc"
    }
  },
  "bip": "172.20.0.1/16",
  "default-runtime": "sysbox-runc"
}
```
In Config 2, I changed the `bip` to `172.22.0.1/16`. I just arbitrarily chose "22", i.e., any number except "20".

In Config 3, I removed `bip` and `default-runtime`.
With both Config 1 and Config 2, I am not able to build a system image with this Dockerfile:

```dockerfile
FROM ubuntu:18.04
RUN apt-get update && \
    apt-get install -y gcc build-essential wget curl nano ca-certificates curl gnupg lsb-release && \
    mkdir -p /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null && \
    echo "Installing docker-ce-cli" && \
    apt-get update && \
    apt-get -y install ca-certificates curl gnupg lsb-release && \
    mkdir /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
    apt-get update && \
    apt-get -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin && \
COPY docker_pull_inner_image.sh /usr/bin
RUN chmod +x /usr/bin/docker_pull_inner_image.sh && docker_pull_inner_image.sh && rm /usr/bin/docker_pull_inner_image.sh
```
Below is the build error encountered with Config 1:

```
(cwl_airflow_venv_v2) kokleong@ldap:~/projects/docker-test/sysbox-test$ docker build --no-cache -f Dockerfile_v1 -t test:test .
[+] Building 20.4s (3/3) FINISHED
 => [internal] load build definition from Dockerfile_v1                                                    0.0s
 => => transferring dockerfile: 1.34kB                                                                     0.0s
 => [internal] load .dockerignore                                                                          0.0s
 => => transferring context: 2B                                                                            0.0s
 => ERROR [internal] load metadata for docker.io/library/ubuntu:18.04                                     20.0s
------
 > [internal] load metadata for docker.io/library/ubuntu:18.04:
------
failed to solve with frontend dockerfile.v0: failed to create LLB definition: failed to do request: Head "https://registry-1.docker.io/v2/library/ubuntu/manifests/18.04": dial tcp: lookup registry-1.docker.io on 127.0.0.53:53: read udp 127.0.0.1:33069->127.0.0.53:53: i/o timeout
```
Below is the build error encountered with Config 2:

```
(cwl_airflow_venv_v2) kokleong@ldap:~/projects/docker-test/sysbox-test$ docker build --no-cache -f Dockerfile_v1 -t test:test .
[+] Building 123.9s (5/6)
 => [internal] load build definition from Dockerfile_v1                                                    0.0s
 => => transferring dockerfile: 41B                                                                        0.0s
 => [internal] load .dockerignore                                                                          0.0s
 => => transferring context: 2B                                                                            0.0s
 => [internal] load metadata for docker.io/library/ubuntu:18.04                                            2.4s
 => CACHED [1/3] FROM docker.io/library/ubuntu:18.04@sha256:478caf1bec1afd54a58435ec681c8755883b7eb843a8630091890130b15a79af  0.0s
 => ERROR [2/3] RUN apt-get update && apt-get install -y gcc build-essential wget curl nano ca-certificates curl gnupg lsb-release && mkdir -p /etc/apt/keyrings && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/k  121.3s
------
 > [2/3] RUN apt-get update && apt-get install -y gcc build-essential wget curl nano ca-certificates curl gnupg lsb-release && mkdir -p /etc/apt/keyrings && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null && echo "Installing docker-ce-cli" && apt-get update && apt-get -y install ca-certificates curl gnupg lsb-release && mkdir /etc/apt/keyrings && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && apt-get update && apt-get -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin && COPY docker_pull_inner_image.sh /usr/bin:
#5 41.08 Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
#5 41.08   Temporary failure resolving 'archive.ubuntu.com'
#5 41.09 Err:2 http://security.ubuntu.com/ubuntu bionic-security InRelease
#5 41.09   Temporary failure resolving 'security.ubuntu.com'
#5 81.11 Err:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
#5 81.11   Temporary failure resolving 'archive.ubuntu.com'
#5 121.1 Err:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
#5 121.1   Temporary failure resolving 'archive.ubuntu.com'
#5 121.2 Reading package lists...
#5 121.2 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease  Temporary failure resolving 'archive.ubuntu.com'
#5 121.2 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
#5 121.2 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
#5 121.2 W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
#5 121.2 W: Some index files failed to download. They have been ignored, or old ones used instead.
#5 121.2 Reading package lists...
#5 121.2 Building dependency tree...
#5 121.2 Reading state information...
#5 121.2 Package gnupg is not available, but is referred to by another package.
#5 121.2 This may mean that the package is missing, has been obsoleted, or
#5 121.2 is only available from another source
#5 121.2
#5 121.2 Package ca-certificates is not available, but is referred to by another package.
#5 121.2 This may mean that the package is missing, has been obsoleted, or
#5 121.2 is only available from another source
#5 121.2
#5 121.2 E: Unable to locate package gcc
#5 121.2 E: Unable to locate package build-essential
#5 121.2 E: Unable to locate package wget
#5 121.2 E: Unable to locate package curl
#5 121.2 E: Unable to locate package nano
#5 121.2 E: Package 'ca-certificates' has no installation candidate
#5 121.2 E: Unable to locate package curl
#5 121.2 E: Package 'gnupg' has no installation candidate
#5 121.2 E: Unable to locate package lsb-release
------
executor failed running [/bin/sh -c apt-get update && apt-get install -y gcc build-essential wget curl nano ca-certificates curl gnupg lsb-release && mkdir -p /etc/apt/keyrings && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null && echo "Installing docker-ce-cli" && apt-get update && apt-get -y install ca-certificates curl gnupg lsb-release && mkdir /etc/apt/keyrings && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && apt-get update && apt-get -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin && COPY docker_pull_inner_image.sh /usr/bin]: exit code: 100
```
With Config 3, I am able to build the image successfully.
> [..] With Config 3, I am able to build the image successfully.

I figured out the same. I have 4 Ubuntu 22.04 servers running on an Intel NUC (all different types), all configured via ansible. What you describe with regards to configuration is the same I experienced: don't set the bip and runtime, then it mostly works. Sometimes sysbox stops working, which I can detect in this way:

```
$ systemctl --failed
  UNIT               LOAD   ACTIVE SUB    DESCRIPTION
● sysbox-mgr.service loaded failed failed sysbox-mgr (part of the Sysbox container runtime)
```

and because gitlab-runner (which uses sysbox as a runtime) can no longer connect to the docker socket:

```
ERROR: Job failed (system failure): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? (docker.go:856:0s)
```

but sysbox-runc seems to work (as far as this is to be considered a relevant test):

```
$ sysbox-runc list
ID          PID         STATUS      BUNDLE      CREATED     OWNER
```

A reboot and then a recreate of the gitlab-runner container sometimes(!) fixes the problem. Because it's this inconsistent, I didn't really know how to create a proper issue for it.
I hope this adds anything useful at all. Thank you for sharing about the docker daemon config problem though, it helped me.
Hi @kokleong9406, apologies for the belated reply.
The overall goal with the subnet configs is to ensure the nested Docker Engine (which by default will use subnet 172.17.0.0) does not overlap with the subnets used by the Docker Engine on the host.
Thus, the subnet config in "Config1" looks OK, except that, for extra caution, I would configure the subnets for the `default-address-pools` to 172.21.0.0, 172.22.0.0, 172.23.0.0, and above. I would shy away from 172.18.0.0 or 172.19.0.0 since the nested Docker Engine could end up using those subnets (they are close to its default 172.17.0.0).
Having said this, it's not clear to me that this is the reason you see the failure in the nested build.
The best way to debug that failure is to launch an interactive container with Docker + Sysbox, and then follow the steps of the Dockerfile, particularly the `docker_pull_inner_image.sh` step, since that's where the nested Docker Engine gets started and container images are pulled inside the Sysbox container.
We do test and use this technique quite a bit, so I am confident it works well.
Regarding the errors you reported:
> failed to solve with frontend dockerfile.v0: failed to create LLB definition: failed to do request: Head "https://registry-1.docker.io/v2/library/ubuntu/manifests/18.04": dial tcp: lookup registry-1.docker.io on 127.0.0.53:53: read udp 127.0.0.1:33069->127.0.0.53:53: i/o timeout
That does appear to be network related, though it's not clear to me how Config1 could have caused this.
> => ERROR [2/3] RUN apt-get update && apt-get install -y gcc build-essential wget ...

Weird that you would get an error there. Try running the sysbox container interactively and doing `apt-get update`, and see if you get the same errors.
Also, I noticed you are using a base image of `ubuntu:18.04`; try a newer Ubuntu version just in case.

> With Config 3, I am able to build the image successfully.
I don't see how that can be: with config3 the default runtime reverts back to "runc", but then that would cause the Docker Engine to not start properly inside the container and pull the inner images. Not sure how that could work ...
Hope that helps!
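To make the subnet reasoning above concrete, here is an added check (not Sysbox or Docker code) that parses a `daemon.json` like the reporter's Config 1 and flags host-level subnets that overlap the inner engine's default 172.17.0.0/16, sit right next to it, or collide with a subnet the host already routes. `HOST_ROUTES` is a constructed stand-in for the host routing table (the 172.20.x.x DNS subnet mentioned in the thread).

```python
"""Check a Docker daemon.json for subnets that collide with what a nested (inner)
Docker Engine will use, and with subnets already routed on the host.
Added example for this thread, not Sysbox or Docker code.  Assumptions: the inner
engine keeps its stock default bridge 172.17.0.0/16 (as the maintainer states),
and HOST_ROUTES is a constructed stand-in for the host's routing table."""
import ipaddress
import json

INNER_DEFAULT = ipaddress.ip_network("172.17.0.0/16")
# The thread advises against these: too close to the inner engine's default.
NEAR_INNER = tuple(ipaddress.ip_network(n) for n in ("172.18.0.0/16", "172.19.0.0/16"))
# Constructed: the reporter's host reaches its DNS servers via 172.20.x.x.
HOST_ROUTES = (ipaddress.ip_network("172.20.0.0/16"),)

# Constructed from "Config 1" in the thread (only the network-related keys).
CONFIG_1 = """{
  "default-address-pools": [
    {"base": "172.18.0.0/16", "size": 24},
    {"base": "172.19.0.0/16", "size": 24},
    {"base": "172.21.0.0/16", "size": 24}
  ],
  "bip": "172.20.0.1/16"
}"""

def host_subnets(daemon_json):
    """Yield (setting, network) pairs declared in daemon.json."""
    cfg = json.loads(daemon_json)
    if "bip" in cfg:
        # bip is a host address with a prefix, so strict=False yields its network.
        yield "bip", ipaddress.ip_network(cfg["bip"], strict=False)
    for pool in cfg.get("default-address-pools", []):
        yield "default-address-pools", ipaddress.ip_network(pool["base"])

def find_conflicts(daemon_json, host_routes=HOST_ROUTES):
    """Return findings for subnets that overlap the inner default, sit next to
    it, or (for bip) overlap a subnet the host already routes."""
    findings = []
    for setting, net in host_subnets(daemon_json):
        if net.overlaps(INNER_DEFAULT):
            findings.append(f"{setting} {net}: overlaps inner Docker default {INNER_DEFAULT}")
        elif any(net.overlaps(n) for n in NEAR_INNER):
            findings.append(f"{setting} {net}: adjacent to inner default, use 172.21.0.0/16 or higher")
        if setting == "bip":
            for route in host_routes:
                if net.overlaps(route):
                    findings.append(f"bip {net}: overlaps existing host subnet {route}")
    return findings

if __name__ == "__main__":
    for line in find_conflicts(CONFIG_1):
        print(line)
```

Run against Config 1 it reports the two adjacent pools and the bip clash with the 172.20 host subnet; Config 2 (bip moved to 172.22.0.1/16) clears the bip finding but keeps the two pool warnings.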
Hi @jeroenhendricksen,
Thanks for giving Sysbox a shot, and sorry to hear you run into some trouble. Happy to help though.
> Sometimes sysbox stops working

Looks like sysbox-mgr stopped working; generally you can check the sysbox-mgr log to see why (e.g., `journalctl -u sysbox-mgr`).
However, please file a separate issue (or join the Sysbox slack channel) since it appears to be different than what this issue is covering.

@kokleong9406, @jeroenhendricksen, I believe the issues being reported have been addressed with the latest changes (i.e., elimination of the `configfs` requirement), as well as the answers provided above. I will go ahead and close this issue now. Please reopen it if you're still facing installation issues.
Tried to install sysbox and faced issue with sysbox-mgr.
Below are details about the server I am installing Sysbox on:
Below is the error encountered during installation:
Error encountered when running "sudo apt-get install -y linux-headers-$(uname -r)"
Logs shown when running "sudo systemctl journalctl-xe"
Prints shown after running "sudo systemctl list-units -t service --all | grep sysbox"
I have tried a couple of things, such as installing pve-headers-5.4.65-1-pve and also shiftfs, but nothing seems to work. I guess the installation of shiftfs is working, as illustrated by the prints below when running "modinfo shiftfs".
Does anyone know how to make the installation work?