
`Invalid argument` error occurs no matter what argument is specified (Debian 11) (`fork/exec /proc/self/exe: invalid argument`)

Open tokiwa-t opened this issue 3 years ago • 5 comments

When I installed Rootless Docker on Debian 11 and tried to start it, the daemon did not start. I noticed from the journal log that the error occurs when RootlessKit tries to start a child process, so I tried to verify that RootlessKit can be started with an arbitrary argument, but I get an `Invalid argument` error as follows. Could you please tell me if you have any idea what might be causing the error?

```
$ rootlesskit --debug bash
[rootlesskit:parent] error: fork/exec /proc/self/exe: invalid argument
failed to start the child
github.com/rootless-containers/rootlesskit/pkg/parent.Parent
        /tmp/tmp.LvtemBn9na/src/github.com/rootless-containers/rootlesskit/pkg/parent/parent.go:176
main.main.func2
        /tmp/tmp.LvtemBn9na/src/github.com/rootless-containers/rootlesskit/cmd/rootlesskit/main.go:220
github.com/urfave/cli/v2.(*App).RunContext
        /tmp/tmp.LvtemBn9na/pkg/mod/github.com/urfave/cli/[email protected]/app.go:322
github.com/urfave/cli/v2.(*App).Run
        /tmp/tmp.LvtemBn9na/pkg/mod/github.com/urfave/cli/[email protected]/app.go:224
main.main
        /tmp/tmp.LvtemBn9na/src/github.com/rootless-containers/rootlesskit/cmd/rootlesskit/main.go:222
runtime.main
        /usr/local/go/src/runtime/proc.go:225
runtime.goexit
        /usr/local/go/src/runtime/asm_arm64.s:1130
```

Debian version:

```
$ cat /etc/debian_version
11.2
```

tokiwa-t, Feb 06 '22 14:02

If you are inside a container, you need to weaken seccomp and apparmor at least.

E.g., https://github.com/moby/buildkit/blob/a640b47cb19c4f0ff47f2444f3215ee851598a8e/examples/kubernetes/pod.rootless.yaml#L5-L7

AkihiroSuda, Feb 07 '22 13:02

@AkihiroSuda No, I ran rootlesskit outside the container (host).

tokiwa-t, Feb 08 '22 00:02

Maybe you need to set sysctl value `kernel.unprivileged_userns_clone=1`

https://rootlesscontaine.rs/getting-started/common/sysctl/

AkihiroSuda, Feb 10 '22 17:02

@AkihiroSuda Isn't the procedure you provide for Debian 10? I ran the procedure on Debian 11, but the error was not resolved.

tokiwa-t, Feb 17 '22 07:02

> Isn't the procedure you provide for Debian 10?

Yes, but if you are using a variant of Debian 11, you may still need that sysctl.

Are you using a variant of Debian, or the official Debian? Could you also provide the `uname -a` result?

AkihiroSuda, Feb 17 '22 07:02
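
The host-side conditions raised in the replies above can be checked in one pass. The script below is an added example, not part of the thread and not RootlessKit code: it reads the `kernel.unprivileged_userns_clone` sysctl mentioned above and the seccomp mode of the current process, and also checks two things the thread does not name (whether the kernel was built with `CONFIG_USER_NS`, and the `user.max_user_namespaces` limit). The `ROOT` prefix parameter and the status tokens are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Constructed diagnostic (not RootlessKit code). ROOT is a hypothetical
# parameter: a directory prefix, empty for the live host, so the same checks
# can run against a saved or constructed copy of /proc.

# Print one token saying whether unprivileged user namespaces look usable.
userns_status() {
    root=${1:-}
    # /proc/<pid>/ns/user exists only on kernels built with CONFIG_USER_NS;
    # without it, clone(CLONE_NEWUSER) fails with EINVAL.
    p="$root/proc/self/ns/user"
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then
        echo no-kernel-support; return 0
    fi
    # Debian-specific switch; the file is absent on kernels without the patch.
    f="$root/proc/sys/kernel/unprivileged_userns_clone"
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then
        echo disabled-by-sysctl; return 0
    fi
    # Upstream per-user limit; 0 disables user namespace creation.
    f="$root/proc/sys/user/max_user_namespaces"
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then
        echo limit-zero; return 0
    fi
    echo ok
}

# Print the seccomp mode inherited by this process tree:
# 0 = none, 1 = strict, 2 = filter (typical inside a container).
seccomp_mode() {
    f="${1:-}/proc/self/status"
    [ -r "$f" ] || { echo unknown; return 0; }
    awk '$1 == "Seccomp:" { print $2; found = 1 }
         END { if (!found) print "unknown" }' "$f"
}

# Report for the live host.
echo "userns:  $(userns_status)"
echo "seccomp: $(seccomp_mode)"
```

A result of `ok` only means these static settings do not block user namespace creation; an AppArmor profile or seccomp filter can still deny the call at run time.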