Error in Docker Desktop on linux which does not happen on native docker
Description
I am trying to migrate to Docker Desktop on Ubuntu 24.04.
Most images I have tried run just fine, except for a couple of older ones from keycloak (which run on jboss, the newer ones running via quarkus run fine).
These are the two I tried and which fail to start via docker-desktop: 'quay.io/keycloak/keycloak:15.0.2' and 'quay.io/keycloak/keycloak:15.1.1'
Reproduce
- Install docker-desktop on Ubuntu 24.04 as per the install guide: https://docs.docker.com/desktop/install/linux-install/
- On Ubuntu 24.04 make sure you have run the following workaround:
    sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0; systemctl --user restart docker-desktop
- make sure the docker context is set to docker-desktop and not default (on default it works just fine)
- create a docker-compose.yml file with this content:
    version: "3"
    services:
      postgres:
        image: postgres
        environment:
          POSTGRES_DB: keycloak
          POSTGRES_USER: keycloak
          POSTGRES_PASSWORD: password
        hostname: postgres
        restart: 'no'
      keycloak:
        image: 'quay.io/keycloak/keycloak:15.1.1'
        #image: 'quay.io/keycloak/keycloak:21.1.1'
        platform: linux/amd64
        environment:
          DB_VENDOR: POSTGRES
          DB_ADDR: postgres
          DB_DATABASE: keycloak
          DB_USER: keycloak
          DB_SCHEMA: public
          DB_PASSWORD: password
          KEYCLOAK_USER: admin
          KEYCLOAK_PASSWORD: Password
          KEYCLOAK_LOGLEVEL: INFO
        hostname: keycloak
        ports:
          - '8080:8080'
          - '8643:8443'
        depends_on:
          - postgres
        volumes:
          - '/etc/timezone:/etc/timezone:ro'
          - '/etc/localtime:/etc/localtime:ro'
        restart: 'no'
- start from the directory where the docker-compose.yml file was created:
    docker compose up -d
- Looking at the logs of the keycloak container that tried to start, this will show:
    2024-05-25 18:39:14 exec /opt/jboss/tools/docker-entrypoint.sh: exec format error
Expected behavior
When running with native docker the container starts just fine, which is what I also would expect should happen when running via docker-desktop.
This is part of the log of the keycloak container running on native docker rather than docker-desktop:
❯ docker context use default
default
Current context is now "default"
❯ docker compose up -d keycloak
WARN[0000] /home/********/Documents/inswitch/docker/docker-compose.yml: `version` is obsolete
[+] Running 2/0
 ✔ Container docker-postgres-1 Running 0.0s
 ✔ Container docker-keycloak-1 Running 0.0s
❯ docker compose logs keycloak
WARN[0000] /home/*******/Documents/inswitch/docker/docker-compose.yml: `version` is obsolete
keycloak-1 | Added 'admin' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
keycloak-1 | -b 0.0.0.0
keycloak-1 | =========================================================================
keycloak-1 |
keycloak-1 | Using PostgreSQL database
keycloak-1 |
keycloak-1 | =========================================================================
keycloak-1 |
keycloak-1 | 18:52:08,610 INFO [org.jboss.modules] (CLI command executor) JBoss Modules version 1.11.0.Final
keycloak-1 | 18:52:08,728 INFO [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.12.Final
keycloak-1 | 18:52:08,742 INFO [org.jboss.threads] (CLI command executor) JBoss Threads version 2.4.0.Final
keycloak-1 | 18:52:08,902 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) starting
keycloak-1 | 18:52:09,030 INFO [org.jboss.vfs] (MSC service thread 1-6) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
keycloak-1 | 18:52:09,794 INFO [org.wildfly.security] (ServerService Thread Pool -- 20) ELY00001: WildFly Elytron version 1.15.3.Final
keycloak-1 | 18:52:10,135 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 22) WFLYCTL0033: Extension 'security' is deprecated and may not be supported in future versions
keycloak-1 | 18:52:10,263 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:10,335 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:10,397 WARN [org.wildfly.extension.elytron] (MSC service thread 1-1) WFLYELY00023: KeyStore file '/opt/jboss/keycloak/standalone/configuration/application.keystore' does not exist. Used blank.
keycloak-1 | 18:52:10,403 WARN [org.wildfly.extension.elytron] (MSC service thread 1-7) WFLYELY01084: KeyStore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self-signed certificate for host localhost
keycloak-1 | WARNING: An illegal reflective access operation has occurred
keycloak-1 | WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-15.0.1.Final.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
keycloak-1 | WARNING: Please consider reporting this to the maintainers of org.wildfly.extension.elytron.SSLDefinitions
keycloak-1 | WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
keycloak-1 | WARNING: All illegal access operations will be denied in a future release
keycloak-1 | 18:52:10,412 INFO [org.jboss.as.patching] (MSC service thread 1-6) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
keycloak-1 | 18:52:10,420 WARN [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
keycloak-1 | 18:52:10,490 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
keycloak-1 | 18:52:10,491 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) started in 1864ms - Started 59 of 82 services (32 services are lazy, passive or on-demand)
keycloak-1 | The batch executed successfully
keycloak-1 | 18:52:10,605 INFO [org.jboss.as] (MSC service thread 1-5) WFLYSRV0050: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) stopped in 7ms
keycloak-1 | 18:52:11,404 INFO [org.jboss.modules] (CLI command executor) JBoss Modules version 1.11.0.Final
keycloak-1 | 18:52:11,443 INFO [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.12.Final
keycloak-1 | 18:52:11,448 INFO [org.jboss.threads] (CLI command executor) JBoss Threads version 2.4.0.Final
keycloak-1 | 18:52:11,513 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0049: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) starting
keycloak-1 | 18:52:11,561 INFO [org.jboss.vfs] (MSC service thread 1-8) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
keycloak-1 | 18:52:11,901 INFO [org.wildfly.security] (ServerService Thread Pool -- 20) ELY00001: WildFly Elytron version 1.15.3.Final
keycloak-1 | 18:52:12,115 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 13) WFLYCTL0033: Extension 'security' is deprecated and may not be supported in future versions
keycloak-1 | 18:52:12,250 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:12,330 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:12,400 WARN [org.wildfly.extension.elytron] (MSC service thread 1-4) WFLYELY00023: KeyStore file '/opt/jboss/keycloak/standalone/configuration/application.keystore' does not exist. Used blank.
keycloak-1 | 18:52:12,404 WARN [org.wildfly.extension.elytron] (MSC service thread 1-3) WFLYELY01084: KeyStore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self-signed certificate for host localhost
keycloak-1 | WARNING: An illegal reflective access operation has occurred
keycloak-1 | WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-15.0.1.Final.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
keycloak-1 | WARNING: Please consider reporting this to the maintainers of org.wildfly.extension.elytron.SSLDefinitions
keycloak-1 | WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
keycloak-1 | WARNING: All illegal access operations will be denied in a future release
keycloak-1 | 18:52:12,416 INFO [org.jboss.as.patching] (MSC service thread 1-1) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
keycloak-1 | 18:52:12,424 WARN [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
keycloak-1 | 18:52:12,492 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
keycloak-1 | 18:52:12,493 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) started in 1085ms - Started 59 of 89 services (39 services are lazy, passive or on-demand)
keycloak-1 | The batch executed successfully
keycloak-1 | 18:52:12,599 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0050: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) stopped in 7ms
keycloak-1 | =========================================================================
keycloak-1 |
keycloak-1 | JBoss Bootstrap Environment
keycloak-1 |
keycloak-1 | JBOSS_HOME: /opt/jboss/keycloak
keycloak-1 |
keycloak-1 | JAVA: java
keycloak-1 |
keycloak-1 | JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
keycloak-1 |
keycloak-1 | =========================================================================
keycloak-1 |
keycloak-1 | 18:52:13,058 INFO [org.jboss.modules] (main) JBoss Modules version 1.11.0.Final
keycloak-1 | 18:52:13,316 INFO [org.jboss.msc] (main) JBoss MSC version 1.4.12.Final
keycloak-1 | 18:52:13,321 INFO [org.jboss.threads] (main) JBoss Threads version 2.4.0.Final
keycloak-1 | 18:52:13,391 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) starting
keycloak-1 | 18:52:13,450 INFO [org.jboss.vfs] (MSC service thread 1-6) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
keycloak-1 | 18:52:13,789 INFO [org.wildfly.security] (ServerService Thread Pool -- 22) ELY00001: WildFly Elytron version 1.15.3.Final
keycloak-1 | 18:52:14,046 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 6) WFLYCTL0033: Extension 'security' is deprecated and may not be supported in future versions
keycloak-1 | 18:52:14,193 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:14,210 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 23) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:14,311 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
keycloak-1 | 18:52:14,322 INFO [org.xnio] (MSC service thread 1-6) XNIO version 3.8.4.Final
keycloak-1 | 18:52:14,328 INFO [org.xnio.nio] (MSC service thread 1-6) XNIO NIO Implementation Version 3.8.4.Final
keycloak-1 | 18:52:14,343 INFO [org.wildfly.extension.health] (ServerService Thread Pool -- 38) WFLYHEALTH0001: Activating Base Health Subsystem
keycloak-1 | 18:52:14,343 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. JGroups version 4.2.11
keycloak-1 | 18:52:14,344 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
keycloak-1 | 18:52:14,348 INFO [org.wildfly.extension.metrics] (ServerService Thread Pool -- 48) WFLYMETRICS0001: Activating Base Metrics Subsystem
keycloak-1 | 18:52:14,349 INFO [org.jboss.as.security] (ServerService Thread Pool -- 53) WFLYSEC0002: Activating Security Subsystem
keycloak-1 | 18:52:14,351 INFO [org.jboss.as.security] (MSC service thread 1-4) WFLYSEC0001: Current PicketBox version=5.0.3.Final-redhat-00007
keycloak-1 | 18:52:14,350 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 55) WFLYTX0013: The node-identifier attribute on the /subsystem=transactions is set to the default value. This is a danger for environments running multiple servers. Please make sure the attribute value is unique.
docker version
❯ docker version
Client: Docker Engine - Community
Cloud integration: v1.0.35+desktop.13
Version: 26.1.3
API version: 1.45
Go version: go1.21.10
Git commit: b72abbb
Built: Thu May 16 08:33:35 2024
OS/Arch: linux/amd64
Context: desktop-linux
Server: Docker Desktop 4.30.0 (149282)
Engine:
Version: 26.1.1
API version: 1.45 (minimum version 1.24)
Go version: go1.21.9
Git commit: ac2de55
Built: Tue Apr 30 11:48:28 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.31
GitCommit: e377cd56a71523140ca6ae87e30244719194a521
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
❯ docker info
Client: Docker Engine - Community
Version: 26.1.3
Context: desktop-linux
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.14.0-desktop.1
Path: /usr/lib/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.27.0-desktop.2
Path: /usr/lib/docker/cli-plugins/docker-compose
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.29
Path: /usr/lib/docker/cli-plugins/docker-debug
dev: Docker Dev Environments (Docker Inc.)
Version: v0.1.2
Path: /usr/lib/docker/cli-plugins/docker-dev
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.23
Path: /usr/lib/docker/cli-plugins/docker-extension
feedback: Provide feedback, right in your terminal! (Docker Inc.)
Version: v1.0.4
Path: /usr/lib/docker/cli-plugins/docker-feedback
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.1.0
Path: /usr/lib/docker/cli-plugins/docker-init
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /usr/lib/docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.8.0
Path: /usr/lib/docker/cli-plugins/docker-scout
Server:
Containers: 2
Running: 1
Paused: 0
Stopped: 1
Images: 9
Server Version: 26.1.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: e377cd56a71523140ca6ae87e30244719194a521
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
seccomp
Profile: unconfined
cgroupns
Kernel Version: 6.6.26-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 19.29GiB
Name: docker-desktop
ID: 952be8cf-7653-4360-b982-4f831dadb57c
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Username: ************
Labels:
com.docker.desktop.address=unix:///home/********/.docker/desktop/docker-cli.sock
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
Live Restore Enabled: false
WARNING: daemon is not using the default seccomp profile
Diagnostics ID
893D8F52-1E84-4A01-BA70-C70A1EC7E78C/20240525220130
Additional Info
Here's some extra info:
My OS info:
Any help with this would be appreciated. Thanks in advance, Andi
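
The "exec format error" in the failing container log is the kernel returning ENOEXEC for the entrypoint file. As an added example (not part of the original report, and not a statement about the cause here), this sketch classifies the first bytes of an entrypoint file the way execve() would; the function names and sample bytes are constructed for illustration.

```python
import struct

# e_machine values from the ELF specification, mapped to Docker arch names.
ELF_MACHINES = {0x03: "386", 0x28: "arm", 0x3E: "amd64", 0xB7: "arm64", 0xF3: "riscv64"}
# 32-bit binaries that a 64-bit kernel can run when compat support is built in.
COMPAT = {("386", "amd64"), ("arm", "arm64")}


def classify_entrypoint(head: bytes, host_arch: str = "amd64") -> str:
    """Predict what execve() does with a file, given its first bytes."""
    if not head:
        return "enoexec: empty file"
    if head.startswith(b"\xef\xbb\xbf"):
        return "enoexec: UTF-8 BOM hides the magic bytes from the kernel"
    if head.startswith(b"\x7fELF"):
        if len(head) < 20:
            return "enoexec: truncated ELF header"
        # e_ident[5] gives byte order; e_machine is the 16-bit field at offset 18.
        order = "<" if head[5] == 1 else ">"
        (machine,) = struct.unpack_from(order + "H", head, 18)
        arch = ELF_MACHINES.get(machine, f"unknown(0x{machine:x})")
        if arch == host_arch:
            return f"ok: ELF for {arch}"
        if (arch, host_arch) in COMPAT:
            return f"maybe: {arch} ELF needs 32-bit compat support on {host_arch}"
        return f"enoexec: ELF for {arch} on {host_arch} host (no binfmt handler assumed)"
    if head.startswith(b"#!"):
        line = head[2:].split(b"\n", 1)[0].lstrip(b" \t")
        interp = line.split(b" ", 1)[0].split(b"\t", 1)[0]
        if not interp.rstrip(b"\r"):
            return "enoexec: shebang names no interpreter"
        if interp.endswith(b"\r"):
            return "enoent: CRLF line ending is part of the interpreter path"
        return f"ok: script, interpreter {interp.decode('ascii', 'replace')}"
    return "enoexec: neither ELF magic nor shebang"


def elf_head(machine: int) -> bytes:
    """Constructed 20-byte little-endian ELF64 header prefix (sample input)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    return e_ident + struct.pack("<HH", 2, machine)  # e_type=ET_EXEC, e_machine


if __name__ == "__main__":
    # Constructed samples; a real check would read the file copied out of the image.
    for name, head in [("script", b"#!/bin/bash\nset -e\n"),
                       ("crlf script", b"#!/bin/bash\r\n"),
                       ("arm64 elf", elf_head(0xB7)),
                       ("empty", b"")]:
        print(f"{name}: {classify_entrypoint(head)}")
```

An "ok: script" result only covers the script itself; the interpreter it names is an ELF binary that has to pass the same check.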