docker-formula
Privileged container Issue with python3-docker package on Ubuntu 22.04
I have the following system:
```
Salt Version:
          Salt: 3005.1

Dependency Versions:
          cffi: Not Installed
      cherrypy: Not Installed
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.0.3
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.3
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: Not Installed
      pycrypto: Not Installed
  pycryptodome: 3.11.0
        pygit2: Not Installed
        Python: 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0]
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 22.3.0
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: ubuntu 22.04 Jammy Jellyfish
        locale: utf-8
       machine: x86_64
       release: 5.15.0-1028-aws
        system: Linux
       version: Ubuntu 22.04 Jammy Jellyfish
```
I have come across an issue where using:
```yaml
docker:
  pkg:
    docker:
      # choice is 'archive' (default) or 'repo' (yum/apt)
      use_upstream: repo
  containers:
    running:
      mycontainer:
        privileged: true
        cap_add:
          - ALL
```
Results in not being able to run privileged containers. I have done the following things:
- Installed docker-ce manually from the apt repository: container works
- Installed docker.io manually from the apt repository: container works
- Used the docker formula with the above configuration, and I am getting:

```
Created container 'mycontainer'. Failed to start container 'mycontainer': 'Error 500: failed to create shim task: OCI runtime create failed: container_linux.go:349: starting container process caused "unknown capability \"CAP_PERFMON\"": unknown'.
```
I compared all the packages and discovered that the python3-docker package is responsible for this issue, as shown below.

Manual install with `apt install docker.io`, mycontainer works:

```
ii containerd 1.5.9-0ubuntu3.1 amd64 daemon to control runC
ii docker.io 20.10.12-0ubuntu4 amd64 Linux container runtime
```

Manual install with `apt install docker-ce`, mycontainer works:

```
ii containerd.io 1.6.18-1 amd64 An open and reliable container runtime
ii docker-ce 5:23.0.1-1~ubuntu.22.04~jammy amd64 Docker: the open-source application container engine
```

Install with the docker salt formula, mycontainer does not work:

```
ii containerd.io 1.6.18-1 amd64 An open and reliable container runtime
ii docker-ce 5:23.0.1-1~ubuntu.22.04~jammy amd64 Docker: the open-source application container engine
ii python3-docker 5.0.3-1 all Python 3 wrapper to access docker.io's control socket
```
If I remove the python3-docker package after the salt state has run for the docker formula, I am presented with this error:

```
----------
          ID: docker-containers-crowdstrike-running
    Function: docker_container.running
        Name: crowdstrike
      Result: False
     Comment: State 'docker_container.running' was not found in SLS 'docker.containers.running'
              Reason: 'docker_container' __virtual__ returned False: 'docker.version' is not available.
     Changes:
```
I wanted to know if anybody else has experienced this issue and if they have, what they've done to resolve it.
I have changed from `repo` to `archive` and came across a similar error:

```
Comment: Container 'mycontainer' is already configured as specified. Failed to start container 'mycontainer': 'Error 500: cgroups: cgroup mountpoint does not exist: unknown'.
```

Which has led me to perform the following:

```
sudo mkdir /sys/fs/cgroup/systemd
sudo mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd
```
Which now allows the container to run.
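Two checks that follow from this report, written as an added example (not part of the issue and not docker-formula's own code): the first walks a rendered docker-formula pillar, assumed to be the Python dict Salt passes to the state after YAML rendering, and reports the settings that remove container isolation (`privileged: true`, `cap_add: ALL`, or any capability outside Docker's default set); the second parses `dpkg -l` rows and flags the package combination the reporter isolated, docker-ce installed alongside the distro python3-docker wrapper. The sample pillar and dpkg rows are constructed from the values quoted above; the baseline capability list is Docker's documented default set.

```python
"""Added example: least-privilege audit of a docker-formula pillar and a
dpkg-level check for the docker-ce + python3-docker combination described
in the issue. Not part of docker-formula; sample data is constructed."""

# Capabilities Docker grants to an unprivileged container by default.
# Anything requested beyond this set is worth a finding.
DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
}


def _normalize_cap(cap):
    """Accept 'CAP_NET_ADMIN', 'net_admin' or 'NET_ADMIN' and return 'NET_ADMIN'."""
    cap = str(cap).strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_containers(pillar):
    """Return (container, finding) tuples for isolation-weakening settings.

    `pillar` is the rendered pillar dict in the shape the issue uses:
    {"docker": {"containers": {"running": {"<name>": {...}}}}}.
    """
    findings = []
    running = pillar.get("docker", {}).get("containers", {}).get("running", {})
    for name, cfg in running.items():
        if not isinstance(cfg, dict):
            continue
        if cfg.get("privileged"):
            findings.append((name, "privileged: true disables most isolation"))
        caps = cfg.get("cap_add") or []
        if isinstance(caps, str):  # tolerate a single scalar instead of a list
            caps = [caps]
        for cap in map(_normalize_cap, caps):
            if cap == "ALL":
                findings.append((name, "cap_add: ALL grants every kernel capability"))
            elif cap not in DEFAULT_CAPS:
                findings.append((name, f"cap_add adds non-default capability {cap}"))
    return findings


def parse_dpkg_l(lines):
    """Map package name -> version for `dpkg -l` rows in state 'ii' (installed)."""
    pkgs = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            pkgs[parts[1]] = parts[2]
    return pkgs


def find_mixed_docker_packages(lines):
    """Return the installed package names that reproduce the reporter's
    failing combination (docker-ce together with python3-docker), or []."""
    pkgs = parse_dpkg_l(lines)
    if "docker-ce" in pkgs and "python3-docker" in pkgs:
        return ["docker-ce", "python3-docker"]
    return []


# Constructed sample input mirroring the issue: rendered pillar and dpkg rows.
SAMPLE_PILLAR = {
    "docker": {
        "pkg": {"docker": {"use_upstream": "repo"}},
        "containers": {
            "running": {
                "mycontainer": {"privileged": True, "cap_add": ["ALL"]},
            }
        },
    }
}

SAMPLE_DPKG = [
    "ii containerd.io 1.6.18-1 amd64 An open and reliable container runtime",
    "ii docker-ce 5:23.0.1-1~ubuntu.22.04~jammy amd64 Docker: the open-source application container engine",
    "ii python3-docker 5.0.3-1 all Python 3 wrapper to access docker.io's control socket",
]

if __name__ == "__main__":
    for container, finding in audit_containers(SAMPLE_PILLAR):
        print(f"{container}: {finding}")
    print("mixed packages:", find_mixed_docker_packages(SAMPLE_DPKG))
```

Running the audit before the formula applies the pillar surfaces both the `privileged` flag and `cap_add: ALL`; replacing `ALL` with the one or two capabilities the workload actually needs keeps the request within what the runtime's capability table knows, which is also the cheapest way to avoid runtime errors about capability names the installed runc does not recognise.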