Score:1

Rootless docker fails with `systemd error: Interactive authentication required`

I followed the guide on https://docs.docker.com/engine/security/rootless/ for running Docker on a Debian (testing) machine. After stumbling across some paths that are apparently not configured correctly in Debian (solved by `sudo ln -s /usr/share/docker.io/contrib/dockerd-rootless* /usr/bin/`), it seemed to work:

$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/tobias/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/tobias/.config/systemd/user/docker.service; disabled; preset: enabled)
     Active: active (running) since Sun 2023-02-05 22:32:06 CET; 3s ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 15248 (rootlesskit)
      Tasks: 47
     Memory: 55.4M
        CPU: 1.581s
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
             ├─15248 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
             ├─15259 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
             ├─15281 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 15259 tap0
             ├─15288 dockerd
             └─15311 containerd --config /run/user/1000/docker/containerd/containerd.toml --log-level info

Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.253518391+01:00" level=warning msg="Unable to find io controller"
Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.253631034+01:00" level=warning msg="Unable to find cpuset controller"
Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.254279197+01:00" level=info msg="Loading containers: start."
Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.285126244+01:00" level=warning msg="Running modprobe bridge br_netfilter failed with message: modprobe: ERROR: could not insert 'br_netfilter': Operation not permitted\ninsmod /lib/modules/6.1.0-3-amd64/kernel/net/bridge/br_netfilter.ko \n, error: exit status 1"
Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.285237875+01:00" level=info msg="skipping firewalld management for rootless mode"
Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.882271593+01:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Feb 05 22:32:08 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:08.100180638+01:00" level=info msg="Loading containers: done."
Feb 05 22:32:08 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:08.168790703+01:00" level=info msg="Docker daemon" commit=6051f14 graphdriver(s)=fuse-overlayfs version=20.10.23+dfsg1
Feb 05 22:32:08 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:08.169051618+01:00" level=info msg="Daemon has completed initialization"
Feb 05 22:32:08 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:08.200846716+01:00" level=info msg="API listen on /run/user/1000/docker.sock"
+ DOCKER_HOST=unix:///run/user/1000/docker.sock /usr/bin/docker version
Client:
 Version:           20.10.23+dfsg1
 API version:       1.41
 Go version:        go1.19.5
 Git commit:        7155243
 Built:             Fri Jan 20 08:04:03 2023
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.23+dfsg1
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       6051f14
  Built:            Fri Jan 20 08:04:03 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.16~ds1
  GitCommit:        1.6.16~ds1-1
 runsc:
  Version:          0.0~20221219.0
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:        
+ systemctl --user enable docker.service
Created symlink /home/tobias/.config/systemd/user/default.target.wants/docker.service → /home/tobias/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger tobias`

[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Use CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/usr/bin:$PATH
Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1000/docker.sock

But I still cannot run containers:

$ docker run --rm hello-world
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: creating container: systemd error: Interactive authentication required.: unknown.

This is the corresponding syslog:

docker0: port 1(veth2258e10) entered blocking state
docker0: port 1(veth2258e10) entered disabled state
device veth2258e10 entered promiscuous mode
time="2023-02-05T22:36:35.627254114+01:00" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runtime=io.containerd.runc.v2 type=io.containerd.event.v1
time="2023-02-05T22:36:35.627392433+01:00" level=info msg="loading plugin \"io.containerd.internal.v1.shutdown\"..." runtime=io.containerd.runc.v2 type=io.containerd.internal.v1
time="2023-02-05T22:36:35.627412786+01:00" level=info msg="loading plugin \"io.containerd.ttrpc.v1.task\"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1
time="2023-02-05T22:36:35.627737169+01:00" level=info msg="starting signal loop" namespace=moby path=/run/.ro724997694/user/1000/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42 pid=20080 runtime=io.containerd.runc.v2
time="2023-02-05T22:36:35.826413593+01:00" level=info msg="shim disconnected" id=4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42
time="2023-02-05T22:36:35.826596345+01:00" level=warning msg="cleaning up after shim disconnected" id=4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42 namespace=moby
time="2023-02-05T22:36:35.826645688+01:00" level=info msg="cleaning up dead shim"
time="2023-02-05T22:36:35.891971447+01:00" level=warning msg="cleanup warnings time=\"2023-02-05T22:36:35+01:00\" level=info msg=\"starting signal loop\" namespace=moby pid=20107 runtime=io.containerd.runc.v2\ntime=\"2023-02-05T22:36:35+01:00\" level=warning msg=\"failed to read init pid file\" error=\"open /run/.ro724997694/user/1000/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42/init.pid: no such file or directory\" runtime=io.containerd.runc.v2\n"
time="2023-02-05T22:36:35.893274705+01:00" level=error msg="copy shim log" error="read /proc/self/fd/13: file already closed"
time="2023-02-05T22:36:35.894254094+01:00" level=error msg="stream copy error: reading from a closed fifo"
time="2023-02-05T22:36:35.894632438+01:00" level=error msg="stream copy error: reading from a closed fifo"
docker0: port 1(veth2258e10) entered disabled state
device veth2258e10 left promiscuous mode
docker0: port 1(veth2258e10) entered disabled state
time="2023-02-05T22:36:36.076971530+01:00" level=error msg="4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42 cleanup: failed to delete container from containerd: no such container"
time="2023-02-05T22:36:36.093375114+01:00" level=error msg="Handler for POST /v1.41/containers/4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42/start returned error: failed to create shim task: OCI runtime create failed: creating container: systemd error: Interactive authentication required.: unknown"

I've tried both runc and runsc runtimes, but it doesn't make a difference.

$ docker info
Client:
 Context:    rootless
 Debug Mode: false

Server:
 Containers: 7
  Running: 0
  Paused: 0
  Stopped: 7
 Images: 2
 Server Version: 20.10.23+dfsg1
 Storage Driver: fuse-overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc runsc
 Default Runtime: runsc
 Init Binary: docker-init
 containerd version: 1.6.16~ds1-1
 runc version: 
 init version: 
 Security Options:
  seccomp
   Profile: default
  rootless
  cgroupns
 Kernel Version: 6.1.0-3-amd64
 Operating System: Debian GNU/Linux bookworm/sid
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.52GiB
 Docker Root Dir: /home/tobias/.local/share/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No cpuset support
WARNING: No io.weight support
WARNING: No io.weight (per device) support
WARNING: No io.max (rbps) support
WARNING: No io.max (wbps) support
WARNING: No io.max (riops) support
WARNING: No io.max (wiops) support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

ystark: Same problem with Ubuntu 22.04. Were you able to fix this?

user1531083: Sadly, I was not.

ystark: I posted an issue here: https://github.com/moby/moby/issues/45014
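
An added diagnostic for the thread above; it is not from the original post and not part of Docker's own tooling. "Interactive authentication required" is the reply systemd gives (through polkit) to an unprivileged caller that asks the system manager to start a transient unit. With `Cgroup Driver: systemd`, the OCI runtime creates one such transient scope per container, and in rootless mode it has to do that through the user manager on the user's session bus, not the system bus. The rootless docs also require cgroup v2 with `cpu cpuset io memory pids` delegated to `user@.service`; the `docker info` warnings above (no cpuset, no io.*) are what appears when only the default `memory pids` are delegated. The script checks those preconditions on the host and reports what is missing. The helper names (`missing_controllers`, `bus_kind`, `cgroup_version`, `run_checks`) and the transient unit name are mine, not Docker's or systemd's.

```shell
#!/bin/sh
# Added diagnostic for rootless Docker with the systemd cgroup driver.
# Not Docker's tooling; only inspects host state and prints a report.

# Pure helper: given the contents of a cgroup.controllers file, print which of
# the controllers the rootless docs ask to delegate are NOT present.
# Example: missing_controllers "memory pids" -> "cpu cpuset io"
missing_controllers() {
    have=" $1 "
    missing=""
    for c in cpu cpuset io memory pids; do
        case "$have" in
            *" $c "*) ;;
            *) missing="${missing}${missing:+ }$c" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Pure helper: classify a D-Bus address. A rootless runtime must reach the
# user manager; the system bus refuses unprivileged transient units with
# "Interactive authentication required".
# Example: bus_kind "unix:path=/run/user/1000/bus" -> "user"
bus_kind() {
    case "$1" in
        "") echo "unset" ;;
        *"/run/user/"*) echo "user" ;;
        *"/run/dbus/system_bus_socket"*) echo "system" ;;
        *) echo "other" ;;
    esac
}

# Which hierarchy is mounted at /sys/fs/cgroup: cgroup2fs means v2, tmpfs
# means legacy/hybrid v1 (rootless Docker cannot manage cgroups on v1).
cgroup_version() {
    fstype=$(stat -fc %T /sys/fs/cgroup 2>/dev/null) || fstype=""
    case "$fstype" in
        cgroup2fs) echo "v2" ;;
        tmpfs) echo "v1" ;;
        *) echo "none" ;;
    esac
}

run_checks() {
    uid=$(id -u)
    echo "cgroup hierarchy: $(cgroup_version)"

    # 1. Controllers delegated to this user's systemd manager (cgroup v2 only).
    ctl_file="/sys/fs/cgroup/user.slice/user-${uid}.slice/user@${uid}.service/cgroup.controllers"
    if [ -r "$ctl_file" ]; then
        have=$(cat "$ctl_file")
        echo "delegated controllers: ${have:-<none>}"
        miss=$(missing_controllers "$have")
        [ -z "$miss" ] || echo "NOT delegated: $miss (put 'Delegate=cpu cpuset io memory pids' under [Service] in /etc/systemd/system/user@.service.d/delegate.conf, then systemctl daemon-reload)"
    else
        echo "no cgroup.controllers at $ctl_file (cgroup v1, or no user manager running)"
    fi

    # 2. Is the user's session bus reachable from this shell?
    echo "DBUS_SESSION_BUS_ADDRESS: $(bus_kind "${DBUS_SESSION_BUS_ADDRESS:-}")"
    if command -v busctl >/dev/null 2>&1; then
        if busctl --user status >/dev/null 2>&1; then
            echo "user bus: reachable"
        else
            echo "user bus: NOT reachable (check: systemctl --user status)"
        fi
    fi

    # 3. Can this user start a transient scope through the user manager? This
    # is the same operation the systemd cgroup driver performs per container.
    if command -v systemd-run >/dev/null 2>&1; then
        if systemd-run --user --quiet --scope --unit "rootless-diag-$$" true 2>/dev/null; then
            echo "transient user scope: OK"
        else
            echo "transient user scope: FAILED"
        fi
    fi

    # 4. Does the user manager (which runs docker.service) know the bus address?
    if command -v systemctl >/dev/null 2>&1; then
        env_line=$(systemctl --user show-environment 2>/dev/null | grep '^DBUS_SESSION_BUS_ADDRESS=') || env_line=""
        echo "user manager environment: ${env_line:-DBUS_SESSION_BUS_ADDRESS not set in systemctl --user show-environment}"
    fi
}

run_checks
```

Run it as the same user that owns the rootless daemon, with no sudo; a "FAILED" on the transient scope check or a "system"/"unset" bus address is the condition under which the runtime's request lands on the wrong manager, and a non-empty "NOT delegated" list explains the cpuset/io warnings printed by `docker info`.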
Score:0

I'm not sure about the correct setup for cgroups v2, so as a hotfix I switched to cgroup v1.

  1. Add GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0" into /etc/default/grub.
  2. update-grub
  3. systemctl reboot -i

After this, "cgroupns" no longer appeared under "Security Options" in the output of "docker info", and it became possible to run the containers.

user1531083: If I do that, `docker info` now says `Cgroup Driver: none` (before it said `systemd`), and running a container fails with `docker: Error response from daemon: failed to create shim task: OCI runtime create failed: creating container: cannot set up cgroup for root: configuring cgroup: mkdir /sys/fs/cgroup/hugetlb/47d7c4d833a6126d3e8eca170ce719d5c061bc9a186ba9aa988c41974452509b: permission denied: unknown.`