moby: docker --userns-remap @ubuntu 16.04 fails


Output of docker version:

root@ubuntu-xenial:~# docker version 
Client:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Tue Apr 26 23:43:49 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Tue Apr 26 23:43:49 2016
 OS/Arch:      linux/amd64

Output of docker info:

root@ubuntu-xenial:~# docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 1.11.1
Storage Driver: overlay
 Backing Filesystem: extfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: host bridge null
Kernel Version: 4.4.0-21-generic
Operating System: Ubuntu 16.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 992.4 MiB
Name: ubuntu-xenial
ID: FDFO:55GV:K7E3:V4BO:REON:BZ2E:FRK7:XJEJ:XCC6:4CG3:PYSY:3LKW
Docker Root Dir: /var/lib/docker/231072.231072
Debug mode (client): false
Debug mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):

Vagrant config.vm.box = "ubuntu/trusty64"

Steps to reproduce the issue:

  1. Start: docker --userns-remap=default [-s overlay]
  2. docker pull alpine
  3. docker run --rm alpine date

Describe the results you received:

root@ubuntu-xenial:~# docker run --rm alpine date
docker: Error response from daemon: rpc error: code = 2 desc = "oci runtime error: could not synchronise with container process: device or resource busy".

Log:

ERRO[0201] containerd: start container                   error=oci runtime error: could not synchronise with container process: device or resource busy id=9bb642f9cf1e240f7291ce2235ce29324ad2d937a66ed83a945be0205ecf5524
ERRO[0202] Handler for POST /v1.23/containers/9bb642f9cf1e240f7291ce2235ce29324ad2d937a66ed83a945be0205ecf5524/start returned error: rpc error: code = 2 desc = "oci runtime error: could not synchronise with container process: device or resource busy" 

Describe the results you expected:

The output from date

Additional information you deem important (e.g. issue happens only occasionally):

It works on docker-machine/fedora22? Ubuntu 16.04 has cgroup namespace enabled. Looks like there is a problem.

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 1
  • Comments: 51 (36 by maintainers)

Most upvoted comments

linux-image-4.4.0-28-generic is now available on the xenial-updates/main repo.

Running a container with userns-remap without a volume works now, but it doesn’t when using a host directory volume.

Here is the daemon log error

juin 28 09:24:36 steve-Latitude-E7440 docker[9433]: time="2016-06-28T09:24:36+02:00" level=error msg="containerd: start container" error="oci runtime error: could not synchronise with container process: stat /home/steve/tmp/test: permission denied" id=03782bfb053f7a222248dd7969b1eb3c72d8c4076de2af274c705c59beaf8f30

Command executed

$ docker run --rm -t -i -v $(pwd)/test:/test debian:8
docker: Error response from daemon: Container command '/bin/bash' could not be invoked..

Host directory info

$ ls -la test
total 24
drwxrwxr-x  2 steve steve  4096 juin  28 08:49 .
drwxrwxr-x 14 steve steve 20480 juin  28 08:49 ..

Also not working if I chown 100000:100000 the directory.

Docker daemon options

   CGroup: /system.slice/docker.service
           ├─9433 /usr/bin/docker daemon -H fd:// -s overlay --userns-remap=steve -D
           └─9439 docker-containerd -l /var/run/docker/libcontainerd/docker-containerd.sock --runtime docker-runc --start-timeout 2m --debug --metrics-interval=0

Docker info

$ docker info
Containers: 2
 Running: 0
 Paused: 0
 Stopped: 2
Images: 4
Server Version: 1.11.2
Storage Driver: overlay
 Backing Filesystem: extfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge null host
Kernel Version: 4.4.0-28-generic
Operating System: Ubuntu 16.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.58 GiB
Name: steve-Latitude-E7440
ID: T4DL:DOAM:BRRC:EU4U:JYMW:B554:HGY6:7QJQ:UECD:DDZP:NXSH:M6SB
Docker Root Dir: /var/lib/docker/100000.100000
Debug mode (client): false
Debug mode (server): true
 File Descriptors: 12
 Goroutines: 32
 System Time: 2016-06-28T09:42:29.678950614+02:00
 EventsListeners: 0
Username: sdurrheimer
Registry: https://index.docker.io/v1/

subuid

$ cat /etc/subuid
steve:100000:65536

subgid

$ cat /etc/subgid
steve:100000:65536

Getting the same error under Arch Linux. A container with userns-remap without a volume works, but it doesn’t when using a host directory volume.

Here is the daemon log error

Jul 06 13:47:58 sballert docker[542]: time="2016-07-06T13:47:58+02:00" level=error msg="containerd: start container" error="oci runtime error: could not synchronise with container process: stat /home/sballert/container-test/test: permission denied" id=05bb47c7bb60c61a20b7c2d3f1db69072cccfc04c48b2a45b19648bc522a9e46
Jul 06 13:47:58 sballert docker[542]: time="2016-07-06T13:47:58.895691078+02:00" level=error msg="Handler for POST /v1.23/containers/05bb47c7bb60c61a20b7c2d3f1db69072cccfc04c48b2a45b19648bc522a9e46/start returned error: Container command '/bin/sh' could not be invoked."

Command executed

docker run --rm -ti -v $(pwd)/test:/test alpine /bin/sh
docker: Error response from daemon: Container command '/bin/sh' could not be invoked..

Output of docker version

Client:
 Version:      1.11.2
 API version:  1.23
 Go version:   go1.6.2
 Git commit:   b9f10c9
 Built:        Tue Jun 21 00:43:14 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.2
 API version:  1.23
 Go version:   go1.6.2
 Git commit:   b9f10c9
 Built:        Tue Jun 21 00:43:14 2016
 OS/Arch:      linux/amd64

Output of docker info

Containers: 1
 Running: 0
 Paused: 0
 Stopped: 1
Images: 2
Server Version: 1.11.2
Storage Driver: devicemapper
 Pool Name: docker-254:2-657266-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 693.2 MB
 Data Space Total: 107.4 GB
 Data Space Available: 9.557 GB
 Metadata Space Used: 1.04 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.146 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/100000.100000/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
 Metadata loop file: /var/lib/docker/100000.100000/devicemapper/devicemapper/metadata
 Library Version: 1.02.128 (2016-06-25)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host
Kernel Version: 4.6.3-1-userns
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 4.468 GiB
Name: sballert
ID: LRT5:WT7M:WGEZ:WWOP:G5CY:NPXT:LIZN:5MOU:OJL3:7GTW:GW7Q:S5QY
Docker Root Dir: /var/lib/docker/100000.100000
Debug mode (client): false
Debug mode (server): false
Registry: https://index.docker.io/v1/

subuid

sballert:100000:65536

subgid

sballert:100000:65536

docker.service status

● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/docker.service.d
           └─noiptables.conf
   Active: active (running) since Wed 2016-07-06 11:56:15 CEST; 5min ago
     Docs: https://docs.docker.com
 Main PID: 542 (docker)
    Tasks: 16 (limit: 512)
   Memory: 52.8M
      CPU: 420ms
   CGroup: /system.slice/docker.service
           ├─542 /usr/bin/docker daemon -H fd:// --iptables=false --userns-remap sballert
           └─576 docker-containerd -l /var/run/docker/libcontainerd/docker-containerd.sock --runtime docker-runc --start-timeout 2m

Host directory info

drwxrwxrwx  2 sballert sballert 4096 Jul  6 13:45 test
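
A diagnostic for the "stat ...: permission denied" errors reported above, as an added example that is not part of the original thread or of Docker's code. stat(2) returns EACCES when search (x) permission is missing on a directory in the path prefix, so the sketch finds the first parent directory that the remapped root ID cannot traverse. The function names are hypothetical, the subuid line is the one posted above, and the 0750 mode on /home/steve is a constructed assumption (the thread only shows the modes of tmp and test).

```python
import os
import stat
from pathlib import Path

def remapped_root(subid_text, name):
    """First host ID of `name`'s range in /etc/subuid or /etc/subgid text.
    With --userns-remap, container ID 0 maps to this host ID."""
    for line in subid_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == name:
            return int(fields[1])
    raise KeyError(name)

def allowed(mode, owner, group, uid, gid, want):
    """Classic mode-bit check (ignores ACLs and capabilities); want: r=4, w=2, x=1."""
    if uid == owner:
        bits = mode >> 6
    elif gid == group:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & want) == want

def first_denied(entries, uid, gid):
    """entries: [(path, mode, owner, group)] ordered from / down to the target.
    stat(target) needs x on every directory above it; return the first that lacks it."""
    for path, mode, owner, group in entries[:-1]:
        if not allowed(mode, owner, group, uid, gid, 1):
            return path
    return None

def walk(target):
    """Collect (path, mode, owner, group) for a real path on this host."""
    p = Path(target).resolve()
    chain = list(reversed(p.parents)) + [p]
    stats = [(str(c), os.stat(c)) for c in chain]
    return [(c, stat.S_IMODE(s.st_mode), s.st_uid, s.st_gid) for c, s in stats]

# Constructed sample: /home/steve at 0750 is an assumption, tmp and test as posted.
SUBUID = "steve:100000:65536\n"
SAMPLE = [("/", 0o755, 0, 0), ("/home", 0o755, 0, 0),
          ("/home/steve", 0o750, 1000, 1000),
          ("/home/steve/tmp", 0o775, 1000, 1000),
          ("/home/steve/tmp/test", 0o775, 1000, 1000)]

if __name__ == "__main__":
    root_id = remapped_root(SUBUID, "steve")
    print("container root is host ID", root_id)
    print("first directory denying traversal:", first_denied(SAMPLE, root_id, root_id))
```

On a real host, pass `walk("/path/to/volume")` instead of `SAMPLE`, and read the group ID from /etc/subgid rather than reusing the UID.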