Failed to create /init.scope control group: Read-only file system

Open roberth opened this issue 3 years ago • 5 comments

To reproduce

  1. start a systemd-based container on NixOS 21.05
  2. observe the error message in the log
Failed to create /init.scope control group: Read-only file system
Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object.
Exiting PID 1...

Cause

Systemd and docker have become incompatible since 21.05 and cgroupsv2.

Previously, the systemd and docker teams have disagreed about how the two should work together, so I don't expect the root cause to be resolved soon. Luckily, not the whole container ecosystem thinks about containers like docker does.

Solution

Arion >=0.1.3.0 creates containers in such a way that they do work in Podman. Podman is maintained by Red Hat, so its systemd support isn't going away anytime soon.

Start by installing podman in your NixOS configuration:

{
  virtualisation.podman.enable = true;
  virtualisation.podman.defaultNetwork.dnsname.enable = true;
  # Use your username instead of `myuser`
  users.extraUsers.myuser.extraGroups = ["podman"];
}

If you want to replace Docker by Podman entirely, use:

{
  virtualisation.podman.dockerSocket.enable = true;
  environment.systemPackages = [
     pkgs.docker-client
  ];
}

Or if you want to use them side by side, switch to Podman with:

export DOCKER_HOST=unix:///run/podman/podman.sock

and switch to local docker with:

unset DOCKER_HOST

Or add it to shell.nix for projects that need Podman.

{ pkgs ? import <nixpkgs> {} }:

pkgs.mkShell {  # using mkShell for example; most derivation-producing functions work the same
  # ...
  DOCKER_HOST = "unix:///run/podman/podman.sock";
}

roberth avatar Jun 07 '21 10:06 roberth

If you just want things to work again before finding a permanent solution, setting systemd.enableUnifiedCgroupHierarchy = false; and rebooting should also work around the issue.

zimbatm avatar Aug 30 '21 14:08 zimbatm

I want to add that if you are installing podman on NixOS for the first time, you have to reboot, because otherwise the docker compat socket is not accessible and you get permission errors. Perhaps this should be added to the docs as well.

gbtb avatar Dec 20 '22 04:12 gbtb

> I want to add that if you are installing podman on NixOS for the first time, you have to reboot, because otherwise the docker compat socket is not accessible and you get permission errors. Perhaps this should be added to the docs as well.

Thank you thank you thank you, you saved me.
I have been debugging for ages why this wasn't working well and rebooting was the solution.

Silver-Golden avatar May 18 '23 22:05 Silver-Golden

It's possible to do this rootless by setting DOCKER_HOST to /run/user/$(id -u)/podman/podman.sock.

deliciouslytyped avatar Oct 18 '23 13:10 deliciouslytyped
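The thread above boils down to two facts about a host: which cgroup hierarchy it runs (the unified hierarchy is the one that breaks systemd-in-Docker, and `systemd.enableUnifiedCgroupHierarchy = false` reverts it), and which daemon socket `DOCKER_HOST` actually selects (Docker, the root Podman socket, or the per-user rootless socket from the last comment). The following preflight script is an added example, not part of arion or of any comment in this thread. It classifies the hierarchy from `/proc/mounts` lines and the socket from the `DOCKER_HOST` value, and flags the failing combination (unified hierarchy plus Docker) before a systemd-based container is started. The sample `/proc/mounts` lines are constructed for the demo; the socket paths are the ones given in the thread, and the `remote`/`unknown` categories are my own additions for values the thread does not mention.

```shell
#!/usr/bin/env sh
# Added preflight check (not arion's code, not from the issue thread).
# Classifies the host cgroup hierarchy and the socket DOCKER_HOST selects,
# then reports whether the systemd + Docker + cgroups v2 failure applies.

# cgroup_mode MOUNTS_TEXT -> prints "unified", "hybrid" or "legacy".
# MOUNTS_TEXT is /proc/mounts content: "<src> <mountpoint> <fstype> <opts> 0 0".
cgroup_mode() {
  mounts="$1"
  if printf '%s\n' "$mounts" | grep -q '^[^ ]* /sys/fs/cgroup cgroup2 '; then
    echo unified            # cgroup2 mounted directly on /sys/fs/cgroup
  elif printf '%s\n' "$mounts" | grep -q '^[^ ]* /sys/fs/cgroup/unified cgroup2 '; then
    echo hybrid             # v1 controllers plus a v2 mount under /unified
  else
    echo legacy             # cgroups v1 only
  fi
}

# socket_kind DOCKER_HOST_VALUE -> prints which backend that value selects.
# Patterns for podman come from the thread; "remote"/"unknown" are assumptions.
socket_kind() {
  case "$1" in
    "")                                     echo docker-default ;;  # client falls back to /var/run/docker.sock
    unix:///run/podman/podman.sock)         echo podman-root ;;     # system socket, reachable via the podman group
    unix:///run/user/*/podman/podman.sock)  echo podman-rootless ;; # per-user socket, no root-equivalent access
    unix:///var/run/docker.sock|unix:///run/docker.sock) echo docker ;;
    tcp://*)                                echo remote ;;
    *)                                      echo unknown ;;
  esac
}

# needs_workaround MODE KIND -> exit 0 when the failing combination is present:
# unified hierarchy and a Docker backend (the case this issue reports).
needs_workaround() {
  [ "$1" = unified ] && { [ "$2" = docker ] || [ "$2" = docker-default ]; }
}

# Constructed /proc/mounts samples for the demo (not captured from a real host).
SAMPLE_UNIFIED='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_HYBRID='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0'

# describe MODE KIND -> one-line verdict for the combination.
describe() {
  if needs_workaround "$1" "$2"; then
    echo "$1 hierarchy + $2: systemd containers will fail (switch to Podman or set systemd.enableUnifiedCgroupHierarchy = false)"
  else
    echo "$1 hierarchy + $2: ok"
  fi
}

# Demo on the constructed samples, then on the live host when /proc/mounts exists.
report() {
  describe "$(cgroup_mode "$SAMPLE_UNIFIED")" "$(socket_kind "")"
  describe "$(cgroup_mode "$SAMPLE_UNIFIED")" "$(socket_kind unix:///run/podman/podman.sock)"
  describe "$(cgroup_mode "$SAMPLE_HYBRID")"  "$(socket_kind "")"
  if [ -r /proc/mounts ]; then
    echo "--- live host ---"
    describe "$(cgroup_mode "$(cat /proc/mounts)")" "$(socket_kind "${DOCKER_HOST:-}")"
  fi
}

report
```

Run it as a normal user before `arion up`; only the last line depends on the machine it runs on. The socket classification is also the place to check least privilege: membership in the `podman` group (or access to `/var/run/docker.sock`) is effectively root on the host, while the rootless socket under `/run/user/$(id -u)` confines what a compromised client can reach, so prefer it for development shells where the containers do not need host-level privileges.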