Docker does not start in rootless mode [newuidmap: write to uid_map failed: Invalid argument]
Hello,
I'm running Docker in user-ns remap mode, and I'm trying to change it to rootless mode following this procedure link. But I can't start Docker as the dockremap user.
I have the following error:
dockerd-rootless.sh[980518]: [rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 980528 [0 500000 1 1 500000 65536] failed: newuidmap: write to uid_map failed: Invalid argument
I have uninstalled and reinstalled Docker, just in case, with:
apt remove docker-ce docker-ce-cli docker-ce-rootless-extras docker-compose python3-docker --purge
I'm on Ubuntu 20.04.3 (ARM)
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
With Docker 20.10.12
$ docker --version
Docker version 20.10.12, build e91ed57
# docker info
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.7.1-docker)
Server:
Containers: 3
Running: 2
Paused: 0
Stopped: 1
Images: 19
Server Version: 20.10.12
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc version: v1.0.2-0-g52b36a2
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: default
userns
Kernel Version: 5.11.0-1022-oracle
Operating System: Ubuntu 20.04.3 LTS
OSType: linux
Architecture: aarch64
CPUs: 1
Total Memory: 5.665GiB
Name: hyrule
ID: Z2FE:U77V:FU4T:JOHN:LAOL:XRJR:UJTW:NJZI:RPDR:MZRK:T3WM:5VF7
Docker Root Dir: /var/lib/docker/500000.500000
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
I have set /etc/subuid and /etc/subgid like this:
$ grep ^$(whoami): /etc/subuid
dockremap:500000:65536
$ grep ^$(whoami): /etc/subgid
dockremap:500000:65536
When I run dockerd-rootless-setuptool.sh, I have the following error:
$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/dockremap/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
Loaded: loaded (/home/dockremap/.config/systemd/user/docker.service; disabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Thu 2022-01-27 14:46:32 UTC; 821ms ago
Docs: https://docs.docker.com/go/rootless/
Process: 980498 ExecStart=/usr/bin/dockerd-rootless.sh (code=exited, status=1/FAILURE)
Main PID: 980498 (code=exited, status=1/FAILURE)
+ set +x
[ERROR] Failed to start docker.service. Run `journalctl -n 20 --no-pager --user --unit docker.service` to show the error log.
[ERROR] Before retrying installation, you might need to uninstall the current setup: `/usr/bin/dockerd-rootless-setuptool.sh uninstall -f ; /usr/bin/rootlesskit rm -rf /home/dockremap/.local/share/docker`
And journalctl gives me the reason:
$ journalctl -n 20 --no-pager --user --unit docker.service
-- Logs begin at Thu 2022-01-27 14:04:04 UTC, end at Thu 2022-01-27 14:46:37 UTC. --
Jan 27 14:46:34 hyrule dockerd-rootless.sh[980518]: + [ -z 65520 ]
Jan 27 14:46:34 hyrule dockerd-rootless.sh[980518]: + [ -z ]
Jan 27 14:46:34 hyrule dockerd-rootless.sh[980518]: + _DOCKERD_ROOTLESS_CHILD=1
Jan 27 14:46:34 hyrule dockerd-rootless.sh[980518]: + export _DOCKERD_ROOTLESS_CHILD
Jan 27 14:46:34 hyrule dockerd-rootless.sh[980521]: + id -u
Jan 27 14:46:34 hyrule dockerd-rootless.sh[980518]: + [ 500000 = 0 ]
Jan 27 14:46:34 hyrule dockerd-rootless.sh[980518]: + command -v selinuxenabled
Jan 27 14:46:34 hyrule dockerd-rootless.sh[980518]: + exec rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
**Jan 27 14:46:34 hyrule dockerd-rootless.sh[980518]: [rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 980528 [0 500000 1 1 500000 65536] failed: newuidmap: write to uid_map failed: Invalid argument**
Jan 27 14:46:34 hyrule dockerd-rootless.sh[980518]: : exit status 1
Jan 27 14:46:34 hyrule systemd[980205]: docker.service: Main process exited, code=exited, status=1/FAILURE
Jan 27 14:46:34 hyrule systemd[980205]: docker.service: Killing process 980528 (exe) with signal SIGKILL.
Jan 27 14:46:34 hyrule systemd[980205]: docker.service: Killing process 980530 (exe) with signal SIGKILL.
Jan 27 14:46:34 hyrule systemd[980205]: docker.service: Killing process 980531 (exe) with signal SIGKILL.
Jan 27 14:46:34 hyrule systemd[980205]: docker.service: Failed with result 'exit-code'.
Jan 27 14:46:37 hyrule systemd[980205]: docker.service: Scheduled restart job, restart counter is at 3.
Jan 27 14:46:37 hyrule systemd[980205]: Stopped Docker Application Container Engine (Rootless).
Jan 27 14:46:37 hyrule systemd[980205]: docker.service: Start request repeated too quickly.
Jan 27 14:46:37 hyrule systemd[980205]: docker.service: Failed with result 'exit-code'.
Jan 27 14:46:37 hyrule systemd[980205]: Failed to start Docker Application Container Engine (Rootless).
Am I doing something wrong?
Thanks for your replies!
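The map in the error above, [0 500000 1 1 500000 65536], asks the kernel to use host uid 500000 twice (once for container root, once as the start of the subuid range), and the kernel rejects overlapping extents when uid_map is written, which surfaces as EINVAL / "Invalid argument". The following checker is an added example, not code from the thread, Docker or rootlesskit; it reproduces the kernel's write-time rules so a map can be validated before installing, and the `rootless_map` layout is an assumption read off the logged newuidmap arguments.

```python
# Added example, not code from the thread: reproduce the kernel's sanity
# checks on a uid_map/gid_map so an overlapping layout can be spotted before
# newuidmap fails with "write to uid_map failed: Invalid argument" (EINVAL).
from dataclasses import dataclass
from typing import List, Tuple

MAX_EXTENTS = 340     # UID_GID_MAP_MAX_EXTENTS on kernels >= 4.15 (5 before)
ID_MAX = 2**32 - 1    # ids are u32; (u32)-1 is reserved as "invalid"

@dataclass(frozen=True)
class Extent:
    inner: int   # first id inside the new user namespace
    outer: int   # first id in the parent (host) namespace
    count: int

def parse_map(triplets: List[int]) -> List[Extent]:
    """newuidmap takes 'inner outer count' triplets, as seen in the log."""
    if not triplets or len(triplets) % 3:
        raise ValueError("map must be non-empty triplets: inner outer count")
    return [Extent(*triplets[i:i + 3]) for i in range(0, len(triplets), 3)]

def _overlap(a: int, acount: int, b: int, bcount: int) -> bool:
    return a < b + bcount and b < a + acount

def validate_map(extents: List[Extent]) -> Tuple[bool, str]:
    """Return (ok, reason) using the same rules the kernel applies on write."""
    if len(extents) > MAX_EXTENTS:
        return False, f"more than {MAX_EXTENTS} extents"
    for e in extents:
        if e.count <= 0 or e.inner == ID_MAX or e.outer == ID_MAX:
            return False, f"bad extent {e}"
        if e.inner + e.count - 1 > ID_MAX or e.outer + e.count - 1 > ID_MAX:
            return False, f"extent {e} wraps past u32"
    for i, a in enumerate(extents):
        for b in extents[i + 1:]:
            if _overlap(a.inner, a.count, b.inner, b.count):
                return False, f"inner ranges overlap: {a} / {b}"
            if _overlap(a.outer, a.count, b.outer, b.count):
                return False, f"host ranges overlap: {a} / {b}"
    return True, "ok"

def rootless_map(uid: int, sub_start: int, sub_count: int) -> List[int]:
    """Layout assumed from the log: container 0 -> the caller's own uid,
    container 1..count -> the caller's /etc/subuid range."""
    return [0, uid, 1, 1, sub_start, sub_count]

# The exact map from the thread: uid 500000 with subuid 500000:65536.
FROM_LOG = [0, 500000, 1, 1, 500000, 65536]
```

A map passes only when the caller's own uid lies outside its /etc/subuid range, which is the condition rootless-setuptool's layout needs.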
~~Seems you are trying to run rootless Docker inside LXD?~~
~~Please try security.privileged then, or at least allocate huge numbers of subuid https://linuxcontainers.org/lxd/docs/master/userns-idmap/~~
(EDIT: unrelated)
No, I'm not under LXD (or I don't know that?). I was (previously) running Docker with subuids, and I had created /etc/docker/daemon.json like this: "userns-remap": "dockremap"
And it was working: containers were launched by the dockremap user, but the Docker main process was root. This was the reason why I wanted to use rootless Docker mode as described in the official documentation.
But I have purged all of this (via apt remove --purge), and following the rootless documentation does not work for me.
As you can see in my original post, dockremap has 65536 uids; is that not enough? And I can't start Docker in rootless mode; I can't even start one container!
Hi,
after uninstalling, it states to run `/usr/bin/rootlesskit rm -rf /xx/.local/share/docker`. I am assuming you ran it once and it worked, then uninstalled it without running this, and then tried to install and run Docker rootless again? At least this was the case for me. After running the above command and installing again I was able to run rootless successfully.
I have a similar issue.
This is my diagnostic ID:
E9BC823D-55D2-4A08-9988-5CB4DB1A34A2/20240922020148
running engine: waiting for the VM setup to be ready: running filesharing: starting virtiofsd for /home: setting up UID map: exec: "newuidmap": executable file not found in $PATH
I used to be able to get around it by manually changing the permissions of newuidmap and newgidmap, but am recently unable to use the same means to use Docker Desktop. Even when adding it to my $PATH, the app does not work.