[dind] Cannot get cgroups v2 working with rootless container #42910
Rootless cgroup v2 requires systemd, which is missing in the official dind, so you can't enable rootless cgroup v2 with the official dind image.
cc @tianon Would it make sense to create the systemd variant of the dind image like
Ah, so this link - https://docs.docker.com/engine/security/rootless/#limiting-resources - is only for native non-docker install of rootless. Yes, a Debian image would be great for those of us running the rootless daemon as a docker container.
Having a Docker container with running/functioning
Is it a matter of time to do it, or is it probably not possible technically? Just wondering; if it's just not possible, then at least we can move ahead with this feature not being available for use by containers running in a rootless environment.
It's possible, but it's definitely going to be complicated and likely going to be really fragile.
Ah, @tianon I know you can do it! 😃
Wasn't there at one point a Debian build of the Docker container before it was moved to Alpine?
To be perfectly clear, I have no interest in, nor plans to work on (or maintain) such a thing. 😬 Re: Debian, see docker-library/docker#306
Ok. I'll take a look at the repo and see if I can somehow do something. Unless anyone else in the community has done the work already and I'm lucky enough that they see this post and help. Thanks.
Hi @tianon, using your link here - docker-library/docker#306 (comment), I created an image based on rootless. I don't see "WARNING: Running in rootless-mode without cgroups. Systemd is required to enable cgroups in rootless-mode." A run of progrium/stress along with docker stats seems to verify resource limits are working?
That's not running rootless -- you'll need to adapt/add more of the bits from https://github.com/docker-library/docker/blob/8b8d62e7eb791b060cc75cb2956724a1bdc5484b/20.10/dind-rootless/Dockerfile to get it running in rootless mode as well.
Ah, thanks. Let me get that in as well.
Was able to get an image built, but this happens when I run rootless:
Maybe @AkihiroSuda knows about this one... Dockerfile:
kernel unprivileged clone:
rootlesskit installed with the Docker package:
Update, see here - rootless-containers/rootlesskit#271 (comment). Updated working Dockerfile for Debian Bullseye:
If you're building a debian-based image, might as well install the regular (non-static)
Ok, even with a successful build and run, docker stats reports incorrect data, which I assume means that resource limiting is still not working.
Hi Sebastian, looking at the official Dockerfiles, the only thing that I see that is not from the distro's repo is this: https://download.docker.com/linux/static/stable/x86_64/docker-rootless-extras-20.10.9.tgz and this:
Is there a deb package for the above?
The official Docker images install the static binaries; https://github.com/docker-library/docker/blob/8b8d62e7eb791b060cc75cb2956724a1bdc5484b/20.10/dind-rootless/Dockerfile#L25-L32
No, there's no deb package for the dind script; it's just a shell script (https://github.com/moby/moby/blob/v20.10.9/hack/dind) |
Ok, here is the working Dockerfile using packages from the Debian repo:
There is no VPNkit package for Debian/Ubuntu, so we need to install slirp4netns and use it. But we get the same result: limiting resources still does not work. To run the above:
Another problem for me though is that Kubernetes currently does not support cgroups v2 -- kubernetes/enhancements#2254
Needs systemd
Hi Akihiro, I added systemd to the install list, but still no luck with resource limiting. Do I need to do some configuration of it as well?
Not exactly sure what the full intent is, but if systemd is needed inside the container, it likely needs to be running as PID 1 (main process of the container). IIRC rootless docker (started with systemd) requires docker to be run with a user systemd unit. If that's correct, you'll need a "privileged" systemd running as the container's main process, and after that, a user session that starts docker as a user-systemd service.
Hi Sebastian, the goal is to get a version of Docker Rootless with resource limiting working (https://docs.docker.com/engine/security/rootless/#limiting-resources). After chatting with Akihiro and Tianon, it seems like the only way to make this happen is with a Debian-based image (rather than the current Alpine image being used). Everything is set up as per the referenced documentation on the host side. The only issue now is getting Rootless Docker to do resource limiting.
Right, but the reason Debian was mentioned is because it requires a functional systemd (which Alpine doesn't provide). Systemd expects to be run as PID 1, so (for starters) the dockerd-entrypoint.sh cannot be used, as this is used to set up Which is quite likely why Tianon's reply further up was:
Ok, so I assume that the documentation for limiting resources with rootless only applies to using the rootless daemon as a host daemon and not within DinD?
It's not necessarily "on the host" versus "docker in docker"; it needs systemd. Setting up everything in a container will be complex (and would almost be nearing creating a full system / VM-like container).
Yes, I'm trying to figure out how they tested what is documented. I'm assuming rootless directly on the host, or is it just in theory that it should work?
Hi,
Followed instructions here to setup host - https://docs.docker.com/engine/security/rootless/#limiting-resources
Here is the host docker info:
Rootless info
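The thread keeps coming back to the same prerequisite: rootless resource limits need cgroup v2 with the cpu/memory/pids/io controllers delegated to the user's `systemd --user` instance, which is what the "Limiting resources" docs page configures on the host. The script below is an added example (not from this issue, the docs, or the Docker project) that checks exactly that on a host before anyone starts debugging dind. It assumes a systemd host on the unified cgroup v2 hierarchy and the drop-in path `/etc/systemd/system/user@.service.d/delegate.conf` that the docs use; the function names and the `--check` flag are the example's own.

```shell
#!/bin/sh
# Added example: verify that cgroup v2 controllers are delegated to the
# current user's systemd user instance, the prerequisite for rootless
# Docker resource limits. Not part of the issue thread or of Docker.
# Assumption: systemd host, unified cgroup v2 mounted at /sys/fs/cgroup.

# Return 0 if every controller rootless limits depend on is present in a
# space-separated controller list (the content of a cgroup.controllers file).
has_required_controllers() {
    list="$1"
    for c in cpu memory pids io; do
        case " $list " in
            *" $c "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Path of the cgroup.controllers file for a uid's user@<uid>.service cgroup.
user_controllers_path() {
    uid="${1:-$(id -u)}"
    printf '%s\n' "/sys/fs/cgroup/user.slice/user-${uid}.slice/user@${uid}.service/cgroup.controllers"
}

# Return 0 when the unified (v2) hierarchy is what is mounted at /sys/fs/cgroup.
cgroup_v2_mounted() {
    [ -f /sys/fs/cgroup/cgroup.controllers ]
}

# Run all checks against the live host; prints what is missing and the
# drop-in from the docs when delegation is not configured.
check_host() {
    if ! cgroup_v2_mounted; then
        echo "cgroup v2 is not mounted at /sys/fs/cgroup; rootless limits need the unified hierarchy"
        return 1
    fi
    f=$(user_controllers_path)
    if [ ! -r "$f" ]; then
        echo "no user systemd cgroup at $f; is systemd --user running for uid $(id -u)?"
        return 1
    fi
    controllers=$(cat "$f")
    if has_required_controllers "$controllers"; then
        echo "delegated controllers for uid $(id -u): $controllers"
        return 0
    fi
    echo "delegated controllers for uid $(id -u): ${controllers:-<none>}"
    cat <<'EOF'
Missing cpu/memory/pids/io delegation. Create this drop-in (as root):
  # /etc/systemd/system/user@.service.d/delegate.conf
  [Service]
  Delegate=cpu cpuset io memory pids
then run: systemctl daemon-reload, log out and back in (or restart
user@<uid>.service), and restart the rootless dockerd user service.
EOF
    return 1
}

# Only touch the live system when explicitly asked, so the functions can
# also be sourced and tested with constructed controller lists.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh check-rootless-cgroup.sh --check` as the user that will own the rootless daemon, not as root; a successful result on the host is the baseline before expecting `docker stats` to report limits, and the same check is what a systemd-based dind image would have to satisfy from inside the container.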