graylog-docker: Graylog fails to run after updating docker image from 4.3.3 to 4.3.4

We’ve updated our Graylog docker image to latest version pushed on graylog/graylog:4.3 (which is 4.3.4), and since then the graylog container fails to start.

Inspecting docker logs shows that this seems to be the issue:

graylog_1        | adding environment opts
graylog_1        | mkdir: cannot create directory ‘/data’: Permission denied

Our elastic and mongo are running fine, but graylog container fails to start with the error message above.

We have two separate instances of Graylog (not linked, used separately by separate teams), and both have encountered this issue after upgrading. They were both working fine on v4.3.3.

We use a folder-mounted journal folder in our docker-compose file:

 graylog:
    image: graylog/graylog:4.3
    restart: always
    volumes:
      - /root/docker-data/graylog/graylog_journal:/usr/share/graylog/data/journal

Update (by @mpfz0r):

This only happens on docker versions older than 20.10.10 https://docs.docker.com/engine/release-notes/#201010 Because their default seccomp policy does not support clone3 syscalls.

About this issue

  • Original URL
  • State: open
  • Created 2 years ago
  • Comments: 25 (12 by maintainers)

Most upvoted comments

Since you’re on Docker 20.10.5 (released 2021-03-02) and 20.10.8 (released 2021-08-03), I’d suggest trying to get that upgraded to at least 20.10.10 (released 2021-10-25; latest is 20.10.17 released 2022-06-06). Doing a bit of searching on the second issue, I found https://stackoverflow.com/a/72841934 (and therefore https://github.com/adoptium/containers/issues/215), which seems like it could be related (potentially to both issues) given 4.3.4 is now based upon the Jammy/22.0.4 variant of the eclipse-temurin images.

+2
coffee-squirrel on Aug 4, 2022

@MahdiGhiasi

Can you update your docker version? If not, you can try running it unconfined as workaround: https://stackoverflow.com/questions/46053672/set-secomp-to-unconfined-in-docker-compose

+1
mpfz0r on Aug 16, 2022

@mpfz0r I think the profile-script thing is a red herring. The root cause is the fact that the new eclipse-temurin base-image uses a new glibc version that uses the clone3 syscall, which is blocked by docker’s default seccomp policy, which was updated with 20.10.10. so all older docker versions will fail with the same issue.

If you are able to downgrade your docker version to 20.10.9 or older you should be able to reproduce this issue.

+1
pschichtel on Aug 16, 2022
Read more comments on GitHub
← Gravity-Bridge: panic when withdrawing rewards or commission from validator
graylog2-images: configured inputs do not persist →