Rootless docker on OpenWrt 21.02.3

[gheist]

Maintainer: @G-M0N3Y-2503 Environment: aarch64 Cortex-A53 21.03.2

Description: Trying to run rootless docker on the latest stable release. The feature is intended to allow non-privileged users to run Docker containers. When trying to run rootless docker the following error is observed:

toor@OpenWrt:~$ docker run -it --rm arm64v8/busybox docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "proc" to rootfs at "/proc": mount proc:/proc (via /proc/self/fd/7), flags: 0xe: operation not permitted: unknown.

Dockerd is run as follows: rootlesskit '--net=lxc-user-nic' '--mtu=1500' '--slirp4netns-sandbox=auto' '--slirp4netns-seccomp=auto' --disable-host-loopback '--port-driver=builtin' '--copy-up=/etc' '--copy-up=/run' '--propagation=rslave' '--lxc-user-nic-binary=/usr/lib/lxc/lxc-user-nic' --lxc-user-nic-bridge br-lan --debug --cgroupns /home/toor/bin/dockerd-rootless.sh --debug '--iptables=false'

Strace of dockerd shows that dockerd is trying to mount the container image opened via procfs (/proc/self/fd/7) and fails, despite running as "fake root"

7885 mount("/home/toor/.local/share/docker/vfs/dir/28e1713fe7e5bb5cbdee5268a23bb19a41c2a7a699e408a147987e62a309e119", "/home/toor/.local/share/docker 7885 <... mount resumed>) = 0
7885 newfstatat(AT_FDCWD, "/home/toor/.local/share/docker/vfs/dir/28e1713fe7e5bb5cbdee5268a23bb19a41c2a7a699e408a147987e62a309e119/proc", <unfinishe 7885 <... newfstatat resumed>{st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
7885 newfstatat(AT_FDCWD, "/home/toor/.local/share/docker/vfs/dir/28e1713fe7e5bb5cbdee5268a23bb19a41c2a7a699e408a147987e62a309e119/proc", <unfinishe 7885 <... newfstatat resumed>{st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
7885 newfstatat(AT_FDCWD, "/home/toor/.local/share/docker/vfs/dir/28e1713fe7e5bb5cbdee5268a23bb19a41c2a7a699e408a147987e62a309e119/proc", <unfinishe 7885 <... newfstatat resumed>{st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
7885 newfstatat(AT_FDCWD, "/home/toor/.local/share/docker/vfs/dir/28e1713fe7e5bb5cbdee5268a23bb19a41c2a7a699e408a147987e62a309e119/proc", <unfinishe 7885 <... newfstatat resumed>{st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
7885 futex(0xcda550, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
7885 <... futex resumed>) = 0
7885 openat(AT_FDCWD, "/home/toor/.local/share/docker/vfs/dir/28e1713fe7e5bb5cbdee5268a23bb19a41c2a7a699e408a147987e62a309e119/proc", O_RDONLY|O_CLOE 7885 <... openat resumed>) = 7
7885 epoll_ctl(8, EPOLL_CTL_ADD, 7, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=1746532184, u64=547207378776}} <unfinished ...>
7885 <... epoll_ctl resumed>) = -1 EBADF (Bad file descriptor)
7885 readlinkat(AT_FDCWD, "/proc/self/fd/7", <unfinished ...>
7885 <... readlinkat resumed>"/home/toor/.local/share/docker/v"..., 128) = 108
7885 mount("proc", "/proc/self/fd/7", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL <unfinished ...>
7885 <... mount resumed>) = -1 EPERM (Operation not permitted)

The issue is likely related to/identical to https://github.com/openwrt/packages/issues/15096

Similar issue has been observed when running docker within lxc, but it appears to be related to apparmor configuration by lxc, and got resolved by the following lxc commit https://github.com/lxc/lxd/commit/546e2a60809a108a1f505b99c6edbda52b12c739 In our case apparmor (or SELinux) are disabled in the kernel, it's kernel refusing mount even though the user has root uid

Environment

Raspberry Pi 3 with latest stable OpenWrt release Kernel 5.4.188 running cgroups v2

root@OpenWrt:~# uname -a Linux OpenWrt 5.4.188 #0 SMP Sat Apr 16 12:59:34 2022 aarch64 GNU/Linux root@OpenWrt:~# cat /etc/openwrt_release DISTRIB_ID='OpenWrt' DISTRIB_RELEASE='21.02.3' DISTRIB_REVISION='r16554-1d4dea6d4f' DISTRIB_TARGET='bcm27xx/bcm2710' DISTRIB_ARCH='aarch64_cortex-a53' DISTRIB_DESCRIPTION='OpenWrt 21.02.3 r16554-1d4dea6d4f' DISTRIB_TAINTS=''

Rootless docker is installed as follows: curl -fsSL https://get.docker.com/rootless | SKIP_IPTABLES=1 sh

Docker uses rootlesskit https://github.com/rootless-containers/rootlesskit for unprivileged execution using user/network/mount namespace capabilities We are using the setuid lxc-user-nic option for network namespacing and cgroup namespace (--cgroupns flag) for cgroups isolation

Rootless dockerd output toor@OpenWrt:~$ dockerd-rootless.sh --debug --iptables=false

• '[' -w /home/toor/.docker/run ]
• '[' -d /home/toor ]
• rootlesskit=
• command -v docker-rootlesskit
• command -v rootlesskit
• rootlesskit=rootlesskit
• break
• '[' -z rootlesskit ]
• : lxc-user-nic
• :
• : builtin
• : auto
• : auto
• net=lxc-user-nic
• mtu=
• '[' -z lxc-user-nic ]
• '[' -z ]
• mtu=1500
• '[' -z ]
• _DOCKERD_ROOTLESS_CHILD=1
• export _DOCKERD_ROOTLESS_CHILD
• id -u
• '[' 1000 '=' 0 ]
• command -v selinuxenabled
• exec rootlesskit '--net=lxc-user-nic' '--mtu=1500' '--slirp4netns-sandbox=auto' '--slirp4netns-seccomp=auto' --disable-host-loopback '--port-driver=builtin' '--copy-up=/etc' '--copy-up=/run' '--propagation=rslave' '--lxc-user-nic-binary=/usr/lib/lxc/lxc-user-nic' --lxc-user-nic-bridge br-lan --debug --cgroupns /home/toor/bin/dockerd-rootless.sh --debug '--iptables=false' WARN[0000] "lxc-user-nic" network driver is experimental WARN[0000] The host root filesystem is mounted as "". Setting child propagation to "rslave" is not supported. DEBU[0000] reaper: auto chosen value: false
  DEBU[0000] child: got msg from parent: {Stage:0 Message0:{} Message1:{StateDir: Network:{Dev: IP: Netmask:0 Gateway: DNS: MTU:0 Opaque:map[]} Port:{Opaque:map[]}}} DEBU[0000] reaper: auto chosen value: false
  DEBU[0000] child: got msg from parent: {Stage:1 Message0:{} Message1:{StateDir:/tmp/rootlesskit3772591430 Network:{Dev:eth0 IP: Netmask:0 Gateway: DNS: MTU:1500 Opaque:map[]} Port:{Opaque:map[builtin.readypipepath:/tmp/rootlesskit3772591430/.bp-ready.pipe builtin.socketpath:/tmp/rootlesskit3772591430/.bp.sock]}}} WARN[0000] failed to mount sysfs, falling back to read-only mount: operation not permitted WARN[0000] failed to mount sysfs: operation not permitted DEBU[0000] executing [ip link set lo up]
  DEBU[0000] executing [ip link set eth0 up]
  DEBU[0000] exchanging DHCP messages using eth0, may take a few seconds DEBU[0003] DHCP message 0: DHCPv4 Message opcode: BootRequest hwtype: Ethernet hopcount: 0 transaction ID: 0x2161774a num seconds: 0 flags: Unicast (0x00) client IP: 0.0.0.0 your IP: 0.0.0.0 server IP: 0.0.0.0 gateway IP: 0.0.0.0 client MAC: c2:bd:e2:21:b7:b7 server hostname: bootfile name: options: DHCP Message Type: DISCOVER Parameter Request List: Subnet Mask, Router, Domain Name Server, Domain Name DEBU[0003] DHCP message 1: DHCPv4 Message opcode: BootReply hwtype: Ethernet hopcount: 0 transaction ID: 0x2161774a num seconds: 0 flags: Unicast (0x00) client IP: 0.0.0.0 your IP: 172.16.100.156 server IP: 172.16.100.1 gateway IP: 0.0.0.0 client MAC: c2:bd:e2:21:b7:b7 server hostname: bootfile name: options: Subnet Mask: ffffff00 Router: 172.16.100.1 Domain Name Server: 172.16.100.1 Domain Name: lan Broadcast Address: 172.16.100.255 IP Addresses Lease Time: 12h0m0s DHCP Message Type: OFFER Server Identifier: 172.16.100.1 Renew Time Value: [0 0 84 96] Rebinding Time Value: [0 0 147 168] DEBU[0003] DHCP message 2: DHCPv4 Message opcode: BootRequest hwtype: Ethernet hopcount: 0 transaction ID: 0x2161774a num seconds: 0 flags: Unicast (0x00) client IP: 0.0.0.0 your IP: 0.0.0.0 server IP: 172.16.100.1 gateway IP: 0.0.0.0 client MAC: c2:bd:e2:21:b7:b7 server hostname: bootfile name: options: Requested IP Address: 172.16.100.156 DHCP Message Type: REQUEST Server Identifier: 172.16.100.1 Parameter Request List: Subnet Mask, Router, Domain Name Server, Domain Name DEBU[0003] DHCP message 3: DHCPv4 Message opcode: BootReply hwtype: Ethernet hopcount: 0 transaction ID: 0x2161774a num seconds: 0 flags: Unicast (0x00) client IP: 0.0.0.0 your IP: 172.16.100.156 server IP: 172.16.100.1 gateway IP: 0.0.0.0 client MAC: c2:bd:e2:21:b7:b7 server hostname: bootfile name: options: Subnet Mask: ffffff00 Router: 172.16.100.1 Domain Name Server: 172.16.100.1 Domain Name: lan Broadcast Address: 172.16.100.255 IP Addresses Lease Time: 12h0m0s DHCP Message Type: ACK Server Identifier: 172.16.100.1 Renew Time Value: [0 0 84 96] Rebinding Time Value: [0 0 147 168] DEBU[0003] executing [ip link set eth0 up]
  DEBU[0003] DHCP lease=12h0m0s, sleeping lease * 0.9
  DEBU[0003] executing [ip link set dev eth0 mtu 1500]
  DEBU[0003] executing [ip addr add 172.16.100.156/24 dev eth0] DEBU[0003] executing [ip route add default via 172.16.100.1 dev eth0]
• '[' -w /home/toor/.docker/run ]
• '[' -d /home/toor ]
• rootlesskit=
• command -v docker-rootlesskit
• command -v rootlesskit
• rootlesskit=rootlesskit
• break
• '[' -z rootlesskit ]
• : lxc-user-nic
• :
• : builtin
• : auto
• : auto
• net=lxc-user-nic
• mtu=
• '[' -z lxc-user-nic ]
• '[' -z ]
• mtu=1500
• '[' -z 1 ]
• '[' 1 '=' 1 ]
• rm -f /run/docker /run/containerd /run/xtables.lock
• '[' -n ]
• stat -c '%T' -f /etc /home/toor/bin/dockerd-rootless.sh: line 122: stat: not found
• '[' '=' tmpfs ]
• exec dockerd --debug '--iptables=false' INFO[2022-07-20T08:58:30.744965893Z] Starting up
  WARN[2022-07-20T08:58:30.745269225Z] Running in rootless mode. This mode has feature limitations. INFO[2022-07-20T08:58:30.745330683Z] Running with RootlessKit integration
  WARN[2022-07-20T08:58:30.748022336Z] could not change group /home/toor/.docker/run/docker.sock to docker: group docker not found DEBU[2022-07-20T08:58:30.748775769Z] Listener created for HTTP on unix (/home/toor/.docker/run/docker.sock) DEBU[2022-07-20T08:58:30.748956081Z] Containerd not running, starting daemon managed containerd INFO[2022-07-20T08:58:30.752827102Z] libcontainerd: started new containerd process pid=7471 INFO[2022-07-20T08:58:30.753191995Z] parsed scheme: "unix" module=grpc INFO[2022-07-20T08:58:30.753348609Z] scheme "unix" not registered, fallback to default scheme module=grpc INFO[2022-07-20T08:58:30.753532671Z] ccResolverWrapper: sending update to cc: {[{unix:///home/toor/.docker/run/docker/containerd/containerd.sock 0 }] } module=grpc INFO[2022-07-20T08:58:30.753631368Z] ClientConn switching balancer to "pick_first" module=grpc WARN[0000] containerd config version 1 has been deprecated and will be removed in containerd v2.0, please switch to version 2, see https://github.com/containerd/containerd/blob/main/docs/PLUGINS.md#version-header INFO[2022-07-20T08:58:30.896599461Z] starting containerd revision=10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1 version=v1.6.6 INFO[2022-07-20T08:58:31.124044186Z] loading plugin "io.containerd.content.v1.content"... type=io.containerd.content.v1 INFO[2022-07-20T08:58:31.124516736Z] loading plugin "io.containerd.snapshotter.v1.aufs"... type=io.containerd.snapshotter.v1 INFO[2022-07-20T08:58:31.134996107Z] skip loading plugin "io.containerd.snapshotter.v1.aufs"... error="aufs is not supported (modprobe aufs failed: exit status 255 \"\"): skip plugin" type=io.containerd.snapshotter.v1 INFO[2022-07-20T08:58:31.135452615Z] loading plugin "io.containerd.snapshotter.v1.btrfs"... type=io.containerd.snapshotter.v1 INFO[2022-07-20T08:58:31.136487089Z] skip loading plugin "io.containerd.snapshotter.v1.btrfs"... error="path /home/toor/.local/share/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs (ext4) must be a btrfs filesystem to be used with the btrfs snapshotter: skip plugin" type=io.containerd.snapshotter.v1 INFO[2022-07-20T08:58:31.136711411Z] loading plugin "io.containerd.snapshotter.v1.devmapper"... type=io.containerd.snapshotter.v1 WARN[2022-07-20T08:58:31.136924274Z] failed to load plugin io.containerd.snapshotter.v1.devmapper error="devmapper not configured" INFO[2022-07-20T08:58:31.137092658Z] loading plugin "io.containerd.snapshotter.v1.native"... type=io.containerd.snapshotter.v1 INFO[2022-07-20T08:58:31.137447344Z] loading plugin "io.containerd.snapshotter.v1.overlayfs"... type=io.containerd.snapshotter.v1 DEBU[2022-07-20T08:58:31.140790764Z] cannot mount overlay with "userxattr", probably the kernel does not support userxattr error="operation not permitted" INFO[2022-07-20T08:58:31.143032731Z] loading plugin "io.containerd.snapshotter.v1.zfs"... type=io.containerd.snapshotter.v1 INFO[2022-07-20T08:58:31.143943612Z] skip loading plugin "io.containerd.snapshotter.v1.zfs"... error="path /home/toor/.local/share/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter: skip plugin" type=io.containerd.snapshotter.v1 INFO[2022-07-20T08:58:31.144248141Z] loading plugin "io.containerd.metadata.v1.bolt"... type=io.containerd.metadata.v1 WARN[2022-07-20T08:58:31.144454025Z] could not use snapshotter devmapper in metadata plugin error="devmapper not configured" INFO[2022-07-20T08:58:31.144572671Z] metadata content store policy set policy=shared INFO[2022-07-20T08:58:31.145231938Z] loading plugin "io.containerd.differ.v1.walking"... type=io.containerd.differ.v1 INFO[2022-07-20T08:58:31.145645530Z] loading plugin "io.containerd.event.v1.exchange"... type=io.containerd.event.v1 INFO[2022-07-20T08:58:31.145815945Z] loading plugin "io.containerd.gc.v1.scheduler"... type=io.containerd.gc.v1 INFO[2022-07-20T08:58:31.146093704Z] loading plugin "io.containerd.service.v1.introspection-service"... type=io.containerd.service.v1 INFO[2022-07-20T08:58:31.146266255Z] loading plugin "io.containerd.service.v1.containers-service"... type=io.containerd.service.v1 INFO[2022-07-20T08:58:31.146439484Z] loading plugin "io.containerd.service.v1.content-service"... type=io.containerd.service.v1 INFO[2022-07-20T08:58:31.146606514Z] loading plugin "io.containerd.service.v1.diff-service"... type=io.containerd.service.v1 INFO[2022-07-20T08:58:31.146784586Z] loading plugin "io.containerd.service.v1.images-service"... type=io.containerd.service.v1 INFO[2022-07-20T08:58:31.149193740Z] loading plugin "io.containerd.service.v1.leases-service"... type=io.containerd.service.v1 INFO[2022-07-20T08:58:31.149495717Z] loading plugin "io.containerd.service.v1.namespaces-service"... type=io.containerd.service.v1 INFO[2022-07-20T08:58:31.149658008Z] loading plugin "io.containerd.service.v1.snapshots-service"... type=io.containerd.service.v1 INFO[2022-07-20T08:58:31.149819882Z] loading plugin "io.containerd.runtime.v1.linux"... type=io.containerd.runtime.v1 INFO[2022-07-20T08:58:31.150438577Z] loading plugin "io.containerd.runtime.v2.task"... type=io.containerd.runtime.v2 DEBU[2022-07-20T08:58:31.150825971Z] loading tasks in namespace namespace=moby INFO[2022-07-20T08:58:31.151345916Z] loading plugin "io.containerd.monitor.v1.cgroups"... type=io.containerd.monitor.v1 INFO[2022-07-20T08:58:31.153815278Z] loading plugin "io.containerd.service.v1.tasks-service"... type=io.containerd.service.v1 DEBU[2022-07-20T08:58:31.154144182Z] No RDT config file specified, RDT not configured INFO[2022-07-20T08:58:31.154310379Z] loading plugin "io.containerd.grpc.v1.introspection"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.154506055Z] loading plugin "io.containerd.internal.v1.restart"... type=io.containerd.internal.v1 INFO[2022-07-20T08:58:31.155088969Z] loading plugin "io.containerd.grpc.v1.containers"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.155298499Z] loading plugin "io.containerd.grpc.v1.content"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.155485738Z] loading plugin "io.containerd.grpc.v1.diff"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.155669070Z] loading plugin "io.containerd.grpc.v1.events"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.155901360Z] loading plugin "io.containerd.grpc.v1.healthcheck"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.156095266Z] loading plugin "io.containerd.grpc.v1.images"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.156334587Z] loading plugin "io.containerd.grpc.v1.leases"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.156517138Z] loading plugin "io.containerd.grpc.v1.namespaces"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.156766304Z] loading plugin "io.containerd.internal.v1.opt"... type=io.containerd.internal.v1 WARN[2022-07-20T08:58:31.157127812Z] failed to load plugin io.containerd.internal.v1.opt error="mkdir /opt: permission denied" INFO[2022-07-20T08:58:31.157289530Z] loading plugin "io.containerd.grpc.v1.snapshots"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.157467446Z] loading plugin "io.containerd.grpc.v1.tasks"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.157649528Z] loading plugin "io.containerd.grpc.v1.version"... type=io.containerd.grpc.v1 INFO[2022-07-20T08:58:31.157826090Z] loading plugin "io.containerd.tracing.processor.v1.otlp"... type=io.containerd.tracing.processor.v1 INFO[2022-07-20T08:58:31.158017703Z] skip loading plugin "io.containerd.tracing.processor.v1.otlp"... error="no OpenTelemetry endpoint: skip plugin" type=io.containerd.tracing.processor.v1 INFO[2022-07-20T08:58:31.158171973Z] loading plugin "io.containerd.internal.v1.tracing"... type=io.containerd.internal.v1 ERRO[2022-07-20T08:58:31.158377389Z] failed to initialize a tracing processor "otlp" error="no OpenTelemetry endpoint: skip plugin" INFO[2022-07-20T08:58:31.159809517Z] serving... address=/home/toor/.docker/run/docker/containerd/containerd-debug.sock INFO[2022-07-20T08:58:31.160517794Z] serving... address=/home/toor/.docker/run/docker/containerd/containerd.sock.ttrpc INFO[2022-07-20T08:58:31.160985396Z] serving... address=/home/toor/.docker/run/docker/containerd/containerd.sock DEBU[2022-07-20T08:58:31.161173936Z] sd notification error="" notified=false state="READY=1" INFO[2022-07-20T08:58:31.161351383Z] containerd successfully booted in 0.272761s
  DEBU[2022-07-20T08:58:31.222526891Z] Created containerd monitoring client address=/home/toor/.docker/run/docker/containerd/containerd.sock DEBU[2022-07-20T08:58:31.232483661Z] Started daemon managed containerd
  DEBU[2022-07-20T08:58:31.236027704Z] Golang's threads limit set to 6120
  DEBU[2022-07-20T08:58:31.238276703Z] metrics API listening on /home/toor/.docker/run/docker/metrics.sock INFO[2022-07-20T08:58:31.238826075Z] parsed scheme: "unix" module=grpc INFO[2022-07-20T08:58:31.239007688Z] scheme "unix" not registered, fallback to default scheme module=grpc INFO[2022-07-20T08:58:31.239263000Z] ccResolverWrapper: sending update to cc: {[{unix:///home/toor/.docker/run/docker/containerd/containerd.sock 0 }] } module=grpc INFO[2022-07-20T08:58:31.239380291Z] ClientConn switching balancer to "pick_first" module=grpc INFO[2022-07-20T08:58:31.246668273Z] parsed scheme: "unix" module=grpc INFO[2022-07-20T08:58:31.246833584Z] scheme "unix" not registered, fallback to default scheme module=grpc INFO[2022-07-20T08:58:31.247044937Z] ccResolverWrapper: sending update to cc: {[{unix:///home/toor/.docker/run/docker/containerd/containerd.sock 0 }] } module=grpc INFO[2022-07-20T08:58:31.247187957Z] ClientConn switching balancer to "pick_first" module=grpc DEBU[2022-07-20T08:58:31.252788448Z] processing event stream module=libcontainerd namespace=plugins.moby DEBU[2022-07-20T08:58:31.252873865Z] Using default logging driver json-file
  DEBU[2022-07-20T08:58:31.253613965Z] [graphdriver] priority list: [btrfs zfs overlay2 fuse-overlayfs aufs overlay devicemapper vfs] DEBU[2022-07-20T08:58:31.254224066Z] zfs command is not available: exec: "zfs": executable file not found in $PATH storage-driver=zfs DEBU[2022-07-20T08:58:31.255681558Z] garbage collected d=8.755422ms ERRO[2022-07-20T08:58:31.258151545Z] failed to mount overlay: operation not permitted storage-driver=overlay2 ERRO[2022-07-20T08:58:31.258474147Z] exec: "fuse-overlayfs": executable file not found in $PATH storage-driver=fuse-overlayfs ERRO[2022-07-20T08:58:31.268404928Z] AUFS cannot be used in non-init user namespace storage-driver=aufs ERRO[2022-07-20T08:58:31.272618238Z] failed to mount overlay: operation not permitted storage-driver=overlay ERRO[2022-07-20T08:58:31.272864175Z] Failed to built-in GetDriver graph devicemapper /home/toor/.local/share/docker DEBU[2022-07-20T08:58:31.273314329Z] Initialized graph driver vfs
  DEBU[2022-07-20T08:58:31.279974345Z] No quota support for local volumes in /home/toor/.local/share/docker/volumes: Filesystem does not support, or has not enabled quotas WARN[2022-07-20T08:58:31.289507107Z] Unable to find memory controller
  DEBU[2022-07-20T08:58:31.290772100Z] Max Concurrent Downloads: 3
  DEBU[2022-07-20T08:58:31.290886839Z] Max Concurrent Uploads: 5
  DEBU[2022-07-20T08:58:31.290946005Z] Max Download Attempts: 5
  INFO[2022-07-20T08:58:31.291083505Z] Loading containers: start.
  DEBU[2022-07-20T08:58:31.291655481Z] Option Experimental: false
  DEBU[2022-07-20T08:58:31.291771834Z] Option DefaultDriver: bridge
  DEBU[2022-07-20T08:58:31.291833084Z] Option DefaultNetwork: bridge
  DEBU[2022-07-20T08:58:31.291909386Z] Network Control Plane MTU: 1500
  DEBU[2022-07-20T08:58:31.291907354Z] processing event stream module=libcontainerd namespace=moby WARN[2022-07-20T08:58:31.303623855Z] Could not load necessary modules for IPSEC rules: protocol not supported WARN[2022-07-20T08:58:31.333462706Z] Could not load necessary modules for Conntrack: Running modprobe nf_conntrack_netlink failed with message: ``, error: exit status 255 DEBU[2022-07-20T08:58:31.334509159Z] Did not find any interface with name docker0: Link not found DEBU[2022-07-20T08:58:31.335144364Z] Setting bridge mac address to 02:42:40:56:9a:ee DEBU[2022-07-20T08:58:31.338159868Z] Assigning address to bridge interface docker0: 172.17.0.1/16 DEBU[2022-07-20T08:58:31.339152884Z] Network (5b575f6) restored
  DEBU[2022-07-20T08:58:31.346218211Z] Allocating IPv4 pools for network bridge (5b575f6c6953dec422549e167ec1710dd07e44d7e35abd3f3a128d2a64d07df2) DEBU[2022-07-20T08:58:31.346382429Z] RequestPool(LocalDefault, 172.17.0.0/16, , map[], false) DEBU[2022-07-20T08:58:31.346638157Z] RequestAddress(LocalDefault/172.17.0.0/16, 172.17.0.1, map[RequestAddressType:com.docker.network.gateway]) DEBU[2022-07-20T08:58:31.346784093Z] Request address PoolID:172.17.0.0/16 App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:172.17.0.1
  DEBU[2022-07-20T08:58:31.363776138Z] releasing IPv4 pools from network bridge (5b575f6c6953dec422549e167ec1710dd07e44d7e35abd3f3a128d2a64d07df2) DEBU[2022-07-20T08:58:31.363930512Z] ReleaseAddress(LocalDefault/172.17.0.0/16, 172.17.0.1) DEBU[2022-07-20T08:58:31.364212230Z] Released address PoolID:LocalDefault/172.17.0.0/16, Address:172.17.0.1 Sequence:App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65533, Sequence: (0xc0000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 DEBU[2022-07-20T08:58:31.364322021Z] ReleasePool(LocalDefault/172.17.0.0/16)
  DEBU[2022-07-20T08:58:31.369643972Z] cleanupServiceDiscovery for network:5b575f6c6953dec422549e167ec1710dd07e44d7e35abd3f3a128d2a64d07df2 DEBU[2022-07-20T08:58:31.369786315Z] cleanupServiceBindings for 5b575f6c6953dec422549e167ec1710dd07e44d7e35abd3f3a128d2a64d07df2 INFO[2022-07-20T08:58:31.382307654Z] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address DEBU[2022-07-20T08:58:31.382629632Z] Allocating IPv4 pools for network bridge (d0301d1a5d6621f8d843404ff6ea82a639bf2be43c478a118a8fe446429770fd) DEBU[2022-07-20T08:58:31.382750829Z] RequestPool(LocalDefault, 172.17.0.0/16, , map[], false) DEBU[2022-07-20T08:58:31.382948797Z] RequestAddress(LocalDefault/172.17.0.0/16, 172.17.0.1, map[RequestAddressType:com.docker.network.gateway]) DEBU[2022-07-20T08:58:31.383090098Z] Request address PoolID:172.17.0.0/16 App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:172.17.0.1
  INFO[2022-07-20T08:58:31.407217261Z] Loading containers: done.
  INFO[2022-07-20T08:58:31.436426949Z] Docker daemon commit=a89b842 graphdriver(s)=vfs version=20.10.17 INFO[2022-07-20T08:58:31.436800541Z] Daemon has completed initialization
  DEBU[2022-07-20T08:58:31.509144322Z] Registering routers
  DEBU[2022-07-20T08:58:31.509377185Z] Registering GET, /containers/{name:.}/checkpoints DEBU[2022-07-20T08:58:31.510131400Z] Registering POST, /containers/{name:.}/checkpoints DEBU[2022-07-20T08:58:31.510831605Z] Registering DELETE, /containers/{name}/checkpoints/{checkpoint} DEBU[2022-07-20T08:58:31.511806495Z] Registering HEAD, /containers/{name:.}/archive DEBU[2022-07-20T08:58:31.512558887Z] Registering GET, /containers/json
  DEBU[2022-07-20T08:58:31.513005239Z] Registering GET, /containers/{name:.}/export DEBU[2022-07-20T08:58:31.513692892Z] Registering GET, /containers/{name:.}/changes DEBU[2022-07-20T08:58:31.514439398Z] Registering GET, /containers/{name:.}/json
  DEBU[2022-07-20T08:58:31.515148925Z] Registering GET, /containers/{name:.}/top
  DEBU[2022-07-20T08:58:31.515814026Z] Registering GET, /containers/{name:.}/logs
  DEBU[2022-07-20T08:58:31.516687042Z] Registering GET, /containers/{name:.}/stats DEBU[2022-07-20T08:58:31.517410216Z] Registering GET, /containers/{name:.}/attach/ws DEBU[2022-07-20T08:58:31.518228492Z] Registering GET, /exec/{id:.}/json
  DEBU[2022-07-20T08:58:31.518962551Z] Registering GET, /containers/{name:.}/archive DEBU[2022-07-20T08:58:31.519773797Z] Registering POST, /containers/create
  DEBU[2022-07-20T08:58:31.520436397Z] Registering POST, /containers/{name:.}/kill DEBU[2022-07-20T08:58:31.521088946Z] Registering POST, /containers/{name:.}/pause DEBU[2022-07-20T08:58:31.521693526Z] Registering POST, /containers/{name:.}/unpause DEBU[2022-07-20T08:58:31.522351283Z] Registering POST, /containers/{name:.}/restart DEBU[2022-07-20T08:58:31.522973988Z] Registering POST, /containers/{name:.}/start DEBU[2022-07-20T08:58:31.523536850Z] Registering POST, /containers/{name:.}/stop DEBU[2022-07-20T08:58:31.524237158Z] Registering POST, /containers/{name:.}/wait DEBU[2022-07-20T08:58:31.524885488Z] Registering POST, /containers/{name:.}/resize DEBU[2022-07-20T08:58:31.525482360Z] Registering POST, /containers/{name:.}/attach DEBU[2022-07-20T08:58:31.526195065Z] Registering POST, /containers/{name:.}/copy DEBU[2022-07-20T08:58:31.526852144Z] Registering POST, /containers/{name:.}/exec DEBU[2022-07-20T08:58:31.527432558Z] Registering POST, /exec/{name:.}/start
  DEBU[2022-07-20T08:58:31.527997399Z] Registering POST, /exec/{name:.}/resize
  DEBU[2022-07-20T08:58:31.528705937Z] Registering POST, /containers/{name:.}/rename DEBU[2022-07-20T08:58:31.529429943Z] Registering POST, /containers/{name:.}/update DEBU[2022-07-20T08:58:31.530064054Z] Registering POST, /containers/prune
  DEBU[2022-07-20T08:58:31.530771186Z] Registering POST, /commit
  DEBU[2022-07-20T08:58:31.531199048Z] Registering PUT, /containers/{name:.}/archive DEBU[2022-07-20T08:58:31.531837170Z] Registering DELETE, /containers/{name:.}
  DEBU[2022-07-20T08:58:31.532548729Z] Registering GET, /images/json
  DEBU[2022-07-20T08:58:31.532932424Z] Registering GET, /images/search
  DEBU[2022-07-20T08:58:31.533452474Z] Registering GET, /images/get
  DEBU[2022-07-20T08:58:31.533883617Z] Registering GET, /images/{name:.}/get
  DEBU[2022-07-20T08:58:31.534437104Z] Registering GET, /images/{name:.}/history
  DEBU[2022-07-20T08:58:31.535085746Z] Registering GET, /images/{name:.}/json
  DEBU[2022-07-20T08:58:31.535719910Z] Registering POST, /images/load
  DEBU[2022-07-20T08:58:31.536162772Z] Registering POST, /images/create
  DEBU[2022-07-20T08:58:31.536635113Z] Registering POST, /images/{name:.}/push
  DEBU[2022-07-20T08:58:31.537420109Z] Registering POST, /images/{name:.}/tag
  DEBU[2022-07-20T08:58:31.538010262Z] Registering POST, /images/prune
  DEBU[2022-07-20T08:58:31.538620050Z] Registering DELETE, /images/{name:.}
  DEBU[2022-07-20T08:58:31.539212860Z] Registering OPTIONS, /{anyroute:.}
  DEBU[2022-07-20T08:58:31.539713638Z] Registering GET, /_ping
  DEBU[2022-07-20T08:58:31.540045407Z] Registering HEAD, /_ping
  DEBU[2022-07-20T08:58:31.540566759Z] Registering GET, /events
  DEBU[2022-07-20T08:58:31.541058006Z] Registering GET, /info
  DEBU[2022-07-20T08:58:31.541425400Z] Registering GET, /version
  DEBU[2022-07-20T08:58:31.542054615Z] Registering GET, /system/df
  DEBU[2022-07-20T08:58:31.542522113Z] Registering POST, /auth
  DEBU[2022-07-20T08:58:31.542886486Z] Registering GET, /volumes
  DEBU[2022-07-20T08:58:31.543272838Z] Registering GET, /volumes/{name:.}
  DEBU[2022-07-20T08:58:31.543939970Z] Registering POST, /volumes/create
  DEBU[2022-07-20T08:58:31.544364916Z] Registering POST, /volumes/prune
  DEBU[2022-07-20T08:58:31.544905954Z] Registering DELETE, /volumes/{name:.}
  DEBU[2022-07-20T08:58:31.545687617Z] Registering POST, /build
  DEBU[2022-07-20T08:58:31.546059386Z] Registering POST, /build/prune
  DEBU[2022-07-20T08:58:31.546523238Z] Registering POST, /build/cancel
  DEBU[2022-07-20T08:58:31.546910215Z] Registering POST, /session
  DEBU[2022-07-20T08:58:31.547326098Z] Registering POST, /swarm/init
  DEBU[2022-07-20T08:58:31.547712554Z] Registering POST, /swarm/join
  DEBU[2022-07-20T08:58:31.548097865Z] Registering POST, /swarm/leave
  DEBU[2022-07-20T08:58:31.548504529Z] Registering GET, /swarm
  DEBU[2022-07-20T08:58:31.548946454Z] Registering GET, /swarm/unlockkey
  DEBU[2022-07-20T08:58:31.549366972Z] Registering POST, /swarm/update
  DEBU[2022-07-20T08:58:31.549770772Z] Registering POST, /swarm/unlock
  DEBU[2022-07-20T08:58:31.550184051Z] Registering GET, /services
  DEBU[2022-07-20T08:58:31.550716913Z] Registering GET, /services/{id}
  DEBU[2022-07-20T08:58:31.551310035Z] Registering POST, /services/create
  DEBU[2022-07-20T08:58:31.551804251Z] Registering POST, /services/{id}/update
  DEBU[2022-07-20T08:58:31.552505133Z] Registering DELETE, /services/{id}
  DEBU[2022-07-20T08:58:31.553092630Z] Registering GET, /services/{id}/logs
  DEBU[2022-07-20T08:58:31.553715647Z] Registering GET, /nodes
  DEBU[2022-07-20T08:58:31.554072989Z] Registering GET, /nodes/{id}
  DEBU[2022-07-20T08:58:31.554602882Z] Registering DELETE, /nodes/{id}
  DEBU[2022-07-20T08:58:31.555174962Z] Registering POST, /nodes/{id}/update
  DEBU[2022-07-20T08:58:31.555803240Z] Registering GET, /tasks
  DEBU[2022-07-20T08:58:31.556226727Z] Registering GET, /tasks/{id}
  DEBU[2022-07-20T08:58:31.556784277Z] Registering GET, /tasks/{id}/logs
  DEBU[2022-07-20T08:58:31.557585054Z] Registering GET, /secrets
  DEBU[2022-07-20T08:58:31.557962447Z] Registering POST, /secrets/create
  DEBU[2022-07-20T08:58:31.558389633Z] Registering DELETE, /secrets/{id}
  DEBU[2022-07-20T08:58:31.558961713Z] Registering GET, /secrets/{id}
  DEBU[2022-07-20T08:58:31.559533897Z] Registering POST, /secrets/{id}/update
  DEBU[2022-07-20T08:58:31.560166602Z] Registering GET, /configs
  DEBU[2022-07-20T08:58:31.560555038Z] Registering POST, /configs/create
  DEBU[2022-07-20T08:58:31.561104514Z] Registering DELETE, /configs/{id}
  DEBU[2022-07-20T08:58:31.561703886Z] Registering GET, /configs/{id}
  DEBU[2022-07-20T08:58:31.562375549Z] Registering POST, /configs/{id}/update
  DEBU[2022-07-20T08:58:31.563086691Z] Registering GET, /plugins
  DEBU[2022-07-20T08:58:31.563461116Z] Registering GET, /plugins/{name:.}/json
  DEBU[2022-07-20T08:58:31.564091738Z] Registering GET, /plugins/privileges
  DEBU[2022-07-20T08:58:31.564576162Z] Registering DELETE, /plugins/{name:.}
  DEBU[2022-07-20T08:58:31.565186107Z] Registering POST, /plugins/{name:.}/enable
  DEBU[2022-07-20T08:58:31.565845478Z] Registering POST, /plugins/{name:.}/disable DEBU[2022-07-20T08:58:31.566453183Z] Registering POST, /plugins/pull
  DEBU[2022-07-20T08:58:31.566894327Z] Registering POST, /plugins/{name:.}/push
  DEBU[2022-07-20T08:58:31.567552084Z] Registering POST, /plugins/{name:.}/upgrade DEBU[2022-07-20T08:58:31.568290882Z] Registering POST, /plugins/{name:.}/set
  DEBU[2022-07-20T08:58:31.568956451Z] Registering POST, /plugins/create
  DEBU[2022-07-20T08:58:31.569448480Z] Registering GET, /distribution/{name:.}/json DEBU[2022-07-20T08:58:31.570085716Z] Registering POST, /grpc
  DEBU[2022-07-20T08:58:31.570476131Z] Registering GET, /networks
  DEBU[2022-07-20T08:58:31.570871962Z] Registering GET, /networks/
  DEBU[2022-07-20T08:58:31.571322741Z] Registering GET, /networks/{id:.+}
  DEBU[2022-07-20T08:58:31.571884925Z] Registering POST, /networks/create
  DEBU[2022-07-20T08:58:31.572642890Z] Registering POST, /networks/{id:.}/connect
  DEBU[2022-07-20T08:58:31.573301168Z] Registering POST, /networks/{id:.}/disconnect DEBU[2022-07-20T08:58:31.574160955Z] Registering POST, /networks/prune
  DEBU[2022-07-20T08:58:31.574683452Z] Registering DELETE, /networks/{id:.*}
  INFO[2022-07-20T08:58:31.576921357Z] API listen on /home/toor/.docker/run/docker.sock

DEBU[2022-07-20T08:59:30.982000763Z] Calling HEAD /_ping
DEBU[2022-07-20T08:59:30.998994683Z] Calling POST /v1.41/containers/create
DEBU[2022-07-20T08:59:31.001166598Z] form data: {"AttachStderr":true,"AttachStdin":true,"AttachStdout":true,"Cmd":null,"Domainname":"","Entrypoint":null,"Env":null,"HostConfig":{"AutoRemove":true,"Binds":null,"BlkioDeviceReadBps":null,"BlkioDeviceReadIOps":null,"BlkioDeviceWriteBps":null,"BlkioDeviceWriteIOps":null,"BlkioWeight":0,"BlkioWeightDevice":[],"CapAdd":null,"CapDrop":null,"Cgroup":"","CgroupParent":"","CgroupnsMode":"","ConsoleSize":[0,0],"ContainerIDFile":"","CpuCount":0,"CpuPercent":0,"CpuPeriod":0,"CpuQuota":0,"CpuRealtimePeriod":0,"CpuRealtimeRuntime":0,"CpuShares":0,"CpusetCpus":"","CpusetMems":"","DeviceCgroupRules":null,"DeviceRequests":null,"Devices":[],"Dns":[],"DnsOptions":[],"DnsSearch":[],"ExtraHosts":null,"GroupAdd":null,"IOMaximumBandwidth":0,"IOMaximumIOps":0,"IpcMode":"","Isolation":"","KernelMemory":0,"KernelMemoryTCP":0,"Links":null,"LogConfig":{"Config":{},"Type":""},"MaskedPaths":null,"Memory":0,"MemoryReservation":0,"MemorySwap":0,"MemorySwappiness":-1,"NanoCpus":0,"NetworkMode":"default","OomKillDisable":false,"OomScoreAdj":0,"PidMode":"","PidsLimit":0,"PortBindings":{},"Privileged":false,"PublishAllPorts":false,"ReadonlyPaths":null,"ReadonlyRootfs":false,"RestartPolicy":{"MaximumRetryCount":0,"Name":"no"},"SecurityOpt":null,"ShmSize":0,"UTSMode":"","Ulimits":null,"UsernsMode":"","VolumeDriver":"","VolumesFrom":null},"Hostname":"","Image":"arm64v8/busybox","Labels":{},"NetworkingConfig":{"EndpointsConfig":{}},"OnBuild":null,"OpenStdin":true,"Platform":null,"StdinOnce":true,"Tty":true,"User":"","Volumes":{},"WorkingDir":""} DEBU[2022-07-20T08:59:31.258955953Z] container mounted via layerStore: &{/home/toor/.local/share/docker/vfs/dir/996ec748b54cd518b14625554a3db436bac71432f414823971ff3288e18edc5b 0x3412e80 0x3412e80} container=90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74 DEBU[2022-07-20T08:59:31.275843519Z] Calling POST /v1.41/containers/90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74/attach?stderr=1&stdin=1&stdout=1&stream=1 DEBU[2022-07-20T08:59:31.276935493Z] attach: stdin: begin
DEBU[2022-07-20T08:59:31.277281272Z] attach: stdout: begin
DEBU[2022-07-20T08:59:31.277515802Z] attach: stderr: begin
DEBU[2022-07-20T08:59:31.279243084Z] Calling POST /v1.41/containers/90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74/wait?condition=removed DEBU[2022-07-20T08:59:31.282873586Z] Calling POST /v1.41/containers/90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74/start DEBU[2022-07-20T08:59:31.284651024Z] container mounted via layerStore: &{/home/toor/.local/share/docker/vfs/dir/996ec748b54cd518b14625554a3db436bac71432f414823971ff3288e18edc5b 0x3412e80 0x3412e80} container=90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74 DEBU[2022-07-20T08:59:31.287078668Z] Assigning addresses for endpoint serene_sanderson's interface on network bridge DEBU[2022-07-20T08:59:31.287257365Z] RequestAddress(LocalDefault/172.17.0.0/16, , map[]) DEBU[2022-07-20T08:59:31.287416218Z] Request address PoolID:172.17.0.0/16 App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65533, Sequence: (0xc0000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:
DEBU[2022-07-20T08:59:31.338142041Z] Assigning addresses for endpoint serene_sanderson's interface on network bridge DEBU[2022-07-20T08:59:31.363306334Z] Programming external connectivity on endpoint serene_sanderson (41a7ecc3abfb2c501c912310683df1c8c2508ea7825039a41c0c7446b4bb0d4d) DEBU[2022-07-20T08:59:31.369708435Z] EnableService 90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74 START DEBU[2022-07-20T08:59:31.370307182Z] EnableService 90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74 DONE DEBU[2022-07-20T08:59:31.385126426Z] bundle dir created bundle=/home/toor/.docker/run/docker/containerd/90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74 module=libcontainerd namespace=moby root=/home/toor/.local/share/docker/vfs/dir/996ec748b54cd518b14625554a3db436bac71432f414823971ff3288e18edc5b DEBU[2022-07-20T08:59:31.421983782Z] event published ns=moby topic=/containers/create type=containerd.events.ContainerCreate time="2022-07-20T08:59:31.509465711Z" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runtime=io.containerd.runc.v2 type=io.containerd.event.v1 time="2022-07-20T08:59:31.509873000Z" level=info msg="loading plugin \"io.containerd.internal.v1.shutdown\"..." runtime=io.containerd.runc.v2 type=io.containerd.internal.v1 time="2022-07-20T08:59:31.510076541Z" level=info msg="loading plugin \"io.containerd.ttrpc.v1.task\"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1 time="2022-07-20T08:59:31.511866427Z" level=info msg="starting signal loop" namespace=moby path=/home/toor/.docker/run/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74 pid=7524 runtime=io.containerd.runc.v2 DEBU[2022-07-20T08:59:31.642375940Z] failed to delete task error="rpc error: code = NotFound desc = container not created: not found" id=90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74 INFO[2022-07-20T08:59:31.643772286Z] shim disconnected id=90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74 WARN[2022-07-20T08:59:31.644223326Z] cleaning up after shim disconnected id=90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74 namespace=moby INFO[2022-07-20T08:59:31.644330252Z] cleaning up dead shim
WARN[2022-07-20T08:59:31.675619512Z] cleanup warnings time="2022-07-20T08:59:31Z" level=info msg="starting signal loop" namespace=moby pid=7550 runtime=io.containerd.runc.v2 time="2022-07-20T08:59:31Z" level=warning msg="failed to read init pid file" error="open /home/toor/.docker/run/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74/init.pid: no such file or directory" runtime=io.containerd.runc.v2 ERRO[2022-07-20T08:59:31.678005385Z] copy shim log error="read /proc/self/fd/13: file already closed" ERRO[2022-07-20T08:59:31.680066989Z] stream copy error: reading from a closed fifo DEBU[2022-07-20T08:59:31.681207035Z] attach: stdout: end
DEBU[2022-07-20T08:59:31.681238024Z] attach: stderr: end
DEBU[2022-07-20T08:59:31.681380523Z] attach: stdin: end
DEBU[2022-07-20T08:59:31.681685053Z] attach done
DEBU[2022-07-20T08:59:31.706578670Z] event published ns=moby topic=/containers/delete type=containerd.events.ContainerDelete DEBU[2022-07-20T08:59:31.720434273Z] Revoking external connectivity on endpoint serene_sanderson (41a7ecc3abfb2c501c912310683df1c8c2508ea7825039a41c0c7446b4bb0d4d) DEBU[2022-07-20T08:59:31.811405247Z] Releasing addresses for endpoint serene_sanderson's interface on network bridge DEBU[2022-07-20T08:59:31.811680922Z] ReleaseAddress(LocalDefault/172.17.0.0/16, 172.17.0.2) DEBU[2022-07-20T08:59:31.811912900Z] Released address PoolID:LocalDefault/172.17.0.0/16, Address:172.17.0.2 Sequence:App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65532, Sequence: (0xe0000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:3 DEBU[2022-07-20T08:59:31.817425319Z] garbage collected d=5.062837ms ERRO[2022-07-20T08:59:31.829803430Z] 90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74 cleanup: failed to delete container from containerd: no such container ERRO[2022-07-20T08:59:31.876182922Z] Handler for POST /v1.41/containers /90527e27a9f1fa917228278335b461ad6da1a6ad1caa6d03f80b3b2b5d662c74/start returned error: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "proc" to rootfs at "/proc": mount proc:/proc (via /proc/self/fd/7), flags: 0xe: operation not permitted: unknown DEBU[2022-07-20T08:59:31.878696607Z] Closing buffered stdin pipe

Format code blocks by wrapping them with pairs of ```

[G-M0N3Y-2503]

Looking at the last time I looked into rootlesskit It looks like I seemed to think that it depended on systemd. I don't recall why I thought that, but if that is still the case, since OpenWrt uses procd to replace systemd it looks like it might be an uphill battle to support it.

Also, not sure if it is relevant to this issue, but it looks https://get.docker.com/rootless downloads a binary, so maybe the binary needs to be compiled with the OpenWrt Buildsystem too.

[gheist]

I didn't see any direct or claimed dependency On systemd-based systems (checked on Ubuntu 18.04 LTS), systemd invokes rootlesskit and runs it as a service, otherwise rootlesskit can be run manually. I was able to get dockerd started, mount the container and set up container networking, however runc execution of the container image fails because the kernel in OpenWrt rejecting procfs mount in the runc init. It happens with both vfs and fuse-overlayfs storage drivers.

7885 mount("proc", "/proc/self/fd/7", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL <unfinished ...> 7885 <... mount resumed>) = -1 EPERM (Operation not permitted)

Rootlesskit tries and is denied sysfs mount on start, which maybe the reason that the kernel denies that procfs mount later: WARN[0000] The host root filesystem is mounted as "". Setting child propagation to "rslave" is not supported. WARN[0000] failed to mount sysfs, falling back to read-only mount: operation not permitted WARN[0000] failed to mount sysfs: operation not permitted _

It is not fully clear to me why 5.4.188 kernel under OpenWrt denies sysfs and procfs mounts Maybe the sysfs mount failure in rootlesskit causes procfs mount failure in containerd downstream

Per https://lists.linuxfoundation.org/pipermail/containers/2018-April/038840.html (not sure if this reflects the current kernel mount handling logic with user ns): _Since Linux v4.2 with commit 1b852bceb0d1 ("mnt: Refactor the logic for mounting sysfs and proc in a user namespace"), new mounts of proc or sysfs in non init userns are only allowed when there is at least one fully-visible proc or sysfs mount.nor why is denied

I'll try to set up rootlesskit as a non-privileged procd service, see if that makes a difference Not sure compiling rootkit as OpenWrt build process would make a difference, but ultimately it would have to be an OpenWrt package for sure

One key difference between Ubuntu (5.4.0-122) and OpenWrt (5.4.188) is that rootfs, sysfs and proc in Ubuntu are all mounted as shared
Ubuntu: 25 30 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw 26 30 0:5 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw 30 1 8:7 / / rw,relatime shared:1 - ext4 /dev/sda7 rw,errors=remount-ro OpenWrt: 13 1 179:2 / / rw,noatime - ext4 /dev/root rw 14 13 0:5 / /proc rw,nosuid,nodev,noexec,noatime - proc proc rw 15 13 0:14 / /sys rw,nosuid,nodev,noexec,noatime - sysfs sysfs rw

Can this be done in OpenWrt and what are the possible implications?