rancher / runc-cve

CVE patches for legacy runc packaged with Docker

centos7 with docker 1.12.6 #10

Open yubinhong opened 5 years ago

yubinhong commented 5 years ago

I replaced docker-runc and then restarted the docker daemon. It throws an exception when starting a container. This is the error:

Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:245: running exec setns process for init caused \\"exit status 19\\"\"\n"

ghost commented 5 years ago

CentOS 7 with docker-ce-17.09.1 gets the same error when starting a container:

Error response from daemon: oci runtime error: container_linux.go:265: starting container process caused "process_linux.go:270: running exec setns process for init caused \"exit status 17\""

ibuildthecloud commented 5 years ago

@yubinhong @aeiougo Can you share your specific kernel version, which binary you downloaded (build1, build2, or build3), and whether you used the no-memfd_create binary or not? Linux 3.x kernels that don't have the memfd_create syscall must use the no-memfd_create binaries from build3.

yubinhong commented 5 years ago

> @yubinhong @aeiougo Can you share your specific kernel version, which binary you downloaded (build1, build2, or build3), and whether you used the no-memfd_create binary or not? Linux 3.x kernels that don't have the memfd_create syscall must use the no-memfd_create binaries from build3.

The kernel version is 3.10.0-862.3.2.el7.x86_64 and I use the runc-v1.12.6-amd64-no-memfd_create binary.

ghost commented 5 years ago

> @yubinhong @aeiougo Can you share your specific kernel version, which binary you downloaded (build1, build2, or build3), and whether you used the no-memfd_create binary or not? Linux 3.x kernels that don't have the memfd_create syscall must use the no-memfd_create binaries from build3.

kernel: 3.10.0-327.el7.x86_64
runc: runc-v17.09.1-arm64-no-memfd_create (build3)

When I used the command docker logs on the containers, I got this error:

nsenter: could not ensure we are a cloned binary: Is a directory container_linux.go:265: starting container process caused "process_linux.go:270: running exec setns process for init caused \"exit status 17\""

niusmallnan commented 5 years ago

@yubinhong @aeiougo Looks like you are using RHEL/CentOS kernel. They have backported memfd to the 3.x kernel, so I think you should use the memfd_create binaries.

ghost commented 5 years ago

> @yubinhong @aeiougo Looks like you are using RHEL/CentOS kernel. They have backported memfd to the 3.x kernel, so I think you should use the memfd_create binaries.

I tried, but it didn't work.

niusmallnan commented 5 years ago

I tried it on GCP, and it works:

[root@centos-run-cve niusmallnan]# docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 1.12.6
Storage Driver: devicemapper
...
Kernel Version: 3.10.0-957.5.1.el7.x86_64
...

[root@centos-run-cve niusmallnan]# curl -sL -o runc-v1.12.6-amd64  https://github.com/rancher/runc-cve/releases/download/CVE-2019-5736-build3/runc-v1.12.6-amd64
[root@centos-run-cve niusmallnan]# chmod +x runc-v1.12.6-amd64
[root@centos-run-cve niusmallnan]# mv /bin/docker-runc /bin/docker-runc.orig
[root@centos-run-cve niusmallnan]# cp runc-v1.12.6-amd64 /bin/docker-runc

[root@centos-run-cve niusmallnan]# docker-runc --version
runc version 1.0.0-rc2
commit: 20c0351ba557183e6b54075e862f20a07f50aad3
spec: 1.0.0-rc2-dev

[root@centos-run-cve niusmallnan]# docker run -it --rm alpine
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
6c40cc604d8e: Pull complete
Digest: sha256:b3dbf31b77fd99d9c08f780ce6f5282aba076d70a513a8be859d8d3a4d0c92b8
Status: Downloaded newer image for alpine:latest
/ #
/ # exit

ghost commented 5 years ago

I tested on CentOS 7.1/7.2/7.4/7.5; only CentOS 7.5 worked. It seems that the kernel does not support it, but for some reason the kernel cannot be upgraded.

chadswen commented 5 years ago

Had the same issue on RHEL 7.4 but not on RHEL 7.5. Seems like it might be related to O_TMPFILE issues on RHEL 7.4. If so, this upstream PR should address it: https://github.com/opencontainers/runc/pull/1984
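The thread turns on whether a given kernel provides the two mechanisms the patched runc uses to clone itself before entering the container: memfd_create (the memfd_create vs. no-memfd_create build3 variants) and, as the fallback, an O_TMPFILE open. The probe below checks both directly on the host, so a practitioner can pick the variant before swapping docker-runc. It is an added example, not code from rancher/runc-cve or upstream runc; the syscall numbers are the Linux amd64/arm64 values, and the mapping onto build3 variant names follows this thread's comments.

```python
import ctypes
import errno
import os
import platform

# memfd_create(2) syscall numbers for the architectures in this thread (amd64,
# arm64), invoked via syscall(2) so the probe also works on Python builds that
# predate os.memfd_create, e.g. the Python 3.6 shipped with CentOS 7.
MEMFD_CREATE_NR = {"x86_64": 319, "aarch64": 279}
MFD_CLOEXEC = 0x0001
# os.O_TMPFILE exists on Linux builds of Python 3.4+; the fallback is the x86
# value (__O_TMPFILE | O_DIRECTORY) and is an assumption for other builds.
O_TMPFILE = getattr(os, "O_TMPFILE", 0o20200000)

def probe_memfd_create():
    """True if the kernel implements memfd_create(2); a vanilla 3.x kernel does
    not (ENOSYS), while RHEL/CentOS 7 kernels carry a backport."""
    nr = MEMFD_CREATE_NR.get(platform.machine())
    if platform.system() != "Linux" or nr is None:
        return False
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    fd = libc.syscall(nr, b"runc-cve-probe", MFD_CLOEXEC)
    if fd < 0:
        return False  # ctypes.get_errno() is ENOSYS on kernels without it
    os.close(fd)
    return True

def probe_o_tmpfile(directory="/tmp"):
    """(supported, errno_name) for an O_TMPFILE open in `directory`.
    O_TMPFILE embeds O_DIRECTORY, so a kernel that does not know the flag sees a
    write-open of a directory and fails with EISDIR: the "Is a directory" in the
    nsenter message quoted earlier in this thread. EOPNOTSUPP means the kernel
    knows the flag but the filesystem under `directory` does not."""
    try:
        fd = os.open(directory, O_TMPFILE | os.O_RDWR, 0o600)
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return True, ""

def recommend_binary(memfd_ok, tmpfile_ok):
    """Map probe results onto the build3 variants named in this thread."""
    if memfd_ok:
        return "memfd_create"  # the default build3 binaries
    if tmpfile_ok:
        return "no-memfd_create"  # the build3 *-no-memfd_create binaries
    return "none"  # no clone mechanism: expect the setns/exit status failure
```

Run `recommend_binary(probe_memfd_create(), probe_o_tmpfile()[0])` on the host as root; an EISDIR from `probe_o_tmpfile()` is the same condition the "Is a directory" nsenter error above reports.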