docker in security.privileged=true containers cannot start containers: write /sys/fs/cgroup/devices/docker/.../devices.allow: operation not permitted
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxd (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Hi,
Running Ubuntu xenial with current 4.4.0-22-generic kernel and lxd 2.0.2-0ubuntu1~
root@docker-
docker: Error response from daemon: Cannot start container 07f5ddd392059c6
Upgrading to yakkety's docker.
docker: Error response from daemon: rpc error: code = 2 desc = "oci runtime error: failed to write c 10:200 rwm to devices.allow: write /sys/fs/
Where:
lrwxrwxrwx 1 root root 0 Jun 16 18:28 /sys/dev/
It looks like containerd/runc by default wants to allow access to /dev/net/tun for containers:
Adding the tuntap device to the docker profile (and restarting the container):
lxc profile device add docker tuntap unix-char path=/dev/net/tun
allows the device within the devices cgroup hierarchy:
root@docker-
c *:* m
b *:* m
c 5:0 rwm
c 5:1 rwm
c 1:5 rwm
c 1:7 rwm
c 1:3 rwm
c 1:8 rwm
c 1:9 rwm
c 5:2 rwm
c 136:* rwm
c 10:229 rwm
c 10:200 rwm
and fixes docker run:
root@docker-
root@7ecba0a17
---
On the lxd host:
$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04
$ apt-cache policy lxd
lxd:
Installed: 2.0.2-0ubuntu1~
Candidate: 2.0.2-0ubuntu1~
Version table:
*** 2.0.2-0ubuntu1~
500 http://
500 http://
100 /var/lib/
2.0.0-0ubuntu4 500
500 http://
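The error in this report comes from runc trying to whitelist `c 10:200 rwm` (the /dev/net/tun node) in a devices cgroup whose own devices.list does not permit it. The following is an added example, not part of the bug report or of LXD/Docker: a small POSIX sh checker that decides whether a given device node is permitted by a cgroup v1 devices.list, using the kernel's matching rules (`a` matches both types, `*` matches any major or minor, and every requested access letter must be present in the entry). The two sample lists are constructed from the reporter's listing, before and after the tuntap device is added to the profile; the function names `device_allowed` and `tun_allowed` are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): evaluate a cgroup v1 devices.list
# the way the kernel's devices cgroup does, to tell in advance whether
# runc's default "c 10:200 rwm" (/dev/net/tun) rule can be written.

# Constructed sample: devices.list of the LXD container BEFORE the fix.
DEVICES_LIST_BEFORE='c *:* m
b *:* m
c 5:0 rwm
c 5:1 rwm
c 1:5 rwm
c 1:7 rwm
c 1:3 rwm
c 1:8 rwm
c 1:9 rwm
c 5:2 rwm
c 136:* rwm
c 10:229 rwm'

# Constructed sample: the same list AFTER
#   lxc profile device add docker tuntap unix-char path=/dev/net/tun
DEVICES_LIST_AFTER="$DEVICES_LIST_BEFORE
c 10:200 rwm"

# device_allowed LIST TYPE MAJOR MINOR ACCESS
# Prints "allowed" if some entry in LIST covers the requested node and
# every requested access letter (r, w, m), otherwise "denied".
device_allowed() {
  list=$1; want_type=$2; want_major=$3; want_minor=$4; want_access=$5
  result=denied
  while read -r type majmin access; do
    [ -n "$type" ] || continue
    major=${majmin%%:*}
    minor=${majmin#*:}
    # Type: 'a' in the list matches any type; otherwise it must be equal.
    [ "$type" = a ] || [ "$type" = "$want_type" ] || continue
    # Major/minor: '*' is a wildcard, anything else must match exactly.
    [ "$major" = '*' ] || [ "$major" = "$want_major" ] || continue
    [ "$minor" = '*' ] || [ "$minor" = "$want_minor" ] || continue
    # Access: each requested bit must be present in this entry.
    ok=1
    for bit in r w m; do
      case $want_access in
        *"$bit"*) case $access in *"$bit"*) ;; *) ok=0 ;; esac ;;
      esac
    done
    if [ "$ok" = 1 ]; then result=allowed; break; fi
  done <<EOF
$list
EOF
  printf '%s\n' "$result"
}

# tun_allowed LIST -> "allowed"/"denied" for the rule runc writes by default.
tun_allowed() {
  device_allowed "$1" c 10 200 rwm
}

# Stand-alone run: report both samples and the remediation from the report.
for name in BEFORE AFTER; do
  eval "list=\$DEVICES_LIST_$name"
  verdict=$(tun_allowed "$list")
  printf '%s: /dev/net/tun (c 10:200 rwm) %s\n' "$name" "$verdict"
  if [ "$verdict" = denied ]; then
    echo "  -> add the node to the LXD profile:" \
         "lxc profile device add docker tuntap unix-char path=/dev/net/tun"
  fi
done
```

Run it on the host against the container's real list (`lxc exec <container> -- cat /sys/fs/cgroup/devices/devices.list`, fed in as `$1`) to confirm the tuntap device is permitted before starting the Docker daemon inside the privileged container; note that `c *:* m` only grants mknod, which is why the pre-fix list denies `rwm` on 10:200 even though it contains a wildcard entry.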
Changed in lxd (Ubuntu):
status: Confirmed → Invalid
Status changed to 'Confirmed' because the bug affects multiple users.