Description of problem:
When enabling userns-remap=default in docker 1.10 you are unable to start containers in Kubernetes because you may not share the net namespace of the pause container. You will receive an error from the daemon of 'Cannot share the host or a container's network namespace when user namespaces are enabled.' This is fixed in 1.11 with https://github.com/docker/docker/pull/21383, so this bug is for consideration for backport if we intend to support userns-remap with 1.10.
Will need to be backported if we cannot go to docker-1.12 in the next release. But for now I will close this as fixed in the next release. Fixed in docker-1.12.
Could this be shifted to ON_QA for proper QE validation?
Tried with

# openshift version
openshift v3.7.9
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

# uname -a
Linux host-172-16-120-75 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)

# docker info
Containers: 253
 Running: 0
 Paused: 0
 Stopped: 253
Images: 3
Server Version: 1.12.6
Storage Driver: overlay2
 Backing Filesystem: xfs
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
 Volume: local
 Network: bridge overlay null host
 Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: runc docker-runc
Default Runtime: docker-runc
Security Options: seccomp selinux
Kernel Version: 3.10.0-693.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.4 (Maipo)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 3
CPUs: 2
Total Memory: 3.702 GiB
Name: host-172-16-120-75
ID: WTPP:DTVB:6Z4C:5AAZ:AVHJ:NVNC:ZVQG:R3JH:6PTJ:VPZP:KU6V:U3Z3
Docker Root Dir: /var/lib/docker/165536.165536
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 29
Goroutines: 48
System Time: 2017-11-22T02:53:35.946693152-05:00
EventsListeners: 0
Registry: https://registry.reg-aws.openshift.com:443/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 virt-openshift-05.lab.eng.nay.redhat.com:5000
 virt-openshift-05.lab.eng.nay.redhat.com:5001
 asb-registry.usersys.redhat.com:5000
 brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888
 registry.reg-aws.openshift.com:443
 127.0.0.0/8
Registries: registry.reg-aws.openshift.com:443 (insecure), registry.access.redhat.com (secure), registry.access.redhat.com (secure), docker.io (secure)

And still cannot make docker work well.
1. After appending --userns-remap=default to the OPTION of /etc/sysconfig/docker, restarting docker hit issue https://github.com/moby/moby/issues/29659
2. After working around that with https://github.com/coreos/bugs/issues/1728, restarting docker gave the error "Error starting daemon: error initializing graphdriver: Unable to take ownership of thin-pool (dockerVG-docker--pool) that already has used data blocks"
3. Then I switched to overlay2 to bypass devicemapper, restarted docker and got https://github.com/opencontainers/runc/issues/1130
4. Then I enabled debug mode for docker, and found the error message "nsenter: unable to unshare namespaces: Invalid argument" in the log
Can QA test with latest docker/setup?
Checked with

# openshift version
openshift v3.9.11
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.16

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 1.13.1
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: systemd
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: docker-runc runc
Default Runtime: docker-runc
Init Binary: docker-init
containerd version: (expected: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1)
runc version: N/A (expected: 9df8b306d01f59d3a8029be411de015b7304dd8f)
init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 seccomp
  WARNING: You're not using the default seccomp profile
  Profile: /etc/docker/seccomp.json
 selinux
 userns
Kernel Version: 3.10.0-860.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.5 (Maipo)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 3
CPUs: 1
Total Memory: 3.455 GiB
Name: qe-wjiang-master-container-etcd-1
ID: KXZX:DPVC:AKLU:W5QL:ADFZ:BUXQ:S5YI:O4C6:URFC:2ZCV:4R72:AJFF
Docker Root Dir: /var/lib/docker/165536.165536
Debug Mode (client): false
Debug Mode (server): false
Registry: https://registry.reg-aws.openshift.com:443/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Experimental: false
Insecure Registries:
 virt-openshift-05.lab.eng.nay.redhat.com:5001
 asb-registry.usersys.redhat.com:5000
 brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888
 registry.reg-aws.openshift.com:443
 virt-openshift-05.lab.eng.nay.redhat.com:5000
 127.0.0.0/8
Live Restore Enabled: false
Registries: registry.reg-aws.openshift.com:443 (insecure), registry.access.redhat.com (secure), registry.access.redhat.com (secure), docker.io (secure)

And still cannot make docker work well.
1. After appending --userns-remap=default to the OPTION of /etc/sysconfig/docker, restarting docker still hit issue https://github.com/moby/moby/issues/29659
2. After working around that with https://github.com/coreos/bugs/issues/1728, restarting docker gave these errors:

Mar 19 05:10:53 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:53.032553151-04:00" level=error msg="Handler for POST /v1.26/containers/create returned error: Cannot share the host's network namespace when user namespaces are enabled"
Mar 19 05:10:53 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:53.069662260-04:00" level=error msg="Handler for POST /v1.26/containers/create?name=atomic-openshift-master-api returned error: Privileged mode is incompatible with user namespaces. You must run the container in the host namespace (--userns=host) when running privileged mode."
Mar 19 05:10:53 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:53.071260210-04:00" level=error msg="Handler for POST /v1.26/containers/create returned error: Privileged mode is incompatible with user namespaces. You must run the container in the host namespace (--userns=host) when running privileged mode."
Mar 19 05:10:53 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:53.090651136-04:00" level=error msg="Handler for POST /v1.26/containers/etcd_container/stop returned error: No such container: etcd_container"
Mar 19 05:10:53 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:53.092206092-04:00" level=error msg="Handler for POST /v1.26/containers/etcd_container/stop returned error: No such container: etcd_container"
Mar 19 05:10:55 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:55.446941109-04:00" level=error msg="Handler for DELETE /v1.26/containers/openvswitch?force=1 returned error: No such container: openvswitch"
Mar 19 05:10:55 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:55.448586694-04:00" level=error msg="Handler for DELETE /v1.26/containers/openvswitch returned error: No such container: openvswitch"
Mar 19 05:10:55 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:55.484491405-04:00" level=error msg="Handler for POST /v1.26/containers/create?name=openvswitch returned error: Privileged mode is incompatible with user namespaces. You must run the container in the host namespace (--userns=host) when running privileged mode."
Mar 19 05:10:55 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:55.485662507-04:00" level=error msg="Handler for POST /v1.26/containers/create returned error: Privileged mode is incompatible with user namespaces. You must run the container in the host namespace (--userns=host) when running privileged mode."
Mar 19 05:10:57 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:57.379231820-04:00" level=error msg="Handler for POST /v1.26/containers/atomic-openshift-master-controllers/stop returned error: No such container: atomic-openshift-master-controllers"
Mar 19 05:10:57 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:57.379900582-04:00" level=error msg="Handler for POST /v1.26/containers/atomic-openshift-master-controllers/stop returned error: No such container: atomic-openshift-master-controllers"
Mar 19 05:10:58 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:58.188045787-04:00" level=error msg="Handler for DELETE /v1.26/containers/etcd_container?force=1 returned error: No such container: etcd_container"
Mar 19 05:10:58 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:58.189624718-04:00" level=error msg="Handler for DELETE /v1.26/containers/etcd_container returned error: No such container: etcd_container"
Mar 19 05:10:58 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:58.222641645-04:00" level=error msg="Handler for POST /v1.26/containers/create?name=etcd_container returned error: Cannot share the host's network namespace when user namespaces are enabled"
Mar 19 05:10:58 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:58.224475742-04:00" level=error msg="Handler for POST /v1.26/containers/create returned error: Cannot share the host's network namespace when user namespaces are enabled"
Mar 19 05:10:58 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:58.255013328-04:00" level=error msg="Handler for POST /v1.26/containers/etcd_container/stop returned error: No such container: etcd_container"
Mar 19 05:10:58 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:58.256605431-04:00" level=error msg="Handler for POST /v1.26/containers/etcd_container/stop returned error: No such container: etcd_container"
Mar 19 05:11:00 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:00.332883901-04:00" level=error msg="Handler for POST /v1.26/containers/atomic-openshift-node/stop returned error: No such container: atomic-openshift-node"
Mar 19 05:11:00 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:00.333655624-04:00" level=error msg="Handler for POST /v1.26/containers/atomic-openshift-node/stop returned error: No such container: atomic-openshift-node"
Mar 19 05:11:00 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:00.497236484-04:00" level=error msg="Handler for POST /v1.26/containers/openvswitch/stop returned error: No such container: openvswitch"
Mar 19 05:11:00 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:00.498941551-04:00" level=error msg="Handler for POST /v1.26/containers/openvswitch/stop returned error: No such container: openvswitch"
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.049015478-04:00" level=error msg="Handler for POST /v1.26/containers/atomic-openshift-master-api/stop returned error: No such container: atomic-openshift-master-api"
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.050696905-04:00" level=error msg="Handler for POST /v1.26/containers/atomic-openshift-master-api/stop returned error: No such container: atomic-openshift-master-api"
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.084982113-04:00" level=error msg="Handler for DELETE /v1.26/containers/atomic-openshift-master-controllers?force=1 returned error: No such container: atomic-openshift-master-controllers"
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.086647545-04:00" level=error msg="Handler for DELETE /v1.26/containers/atomic-openshift-master-controllers returned error: No such container: atomic-openshift-master-controllers"
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.122513591-04:00" level=error msg="Handler for POST /v1.26/containers/create?name=atomic-openshift-master-controllers returned error: Privileged mode is incompatible with user namespaces. You must run the container in the host namespace (--userns=host) when running privileged mode."
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.123856113-04:00" level=error msg="Handler for POST /v1.26/containers/create returned error: Privileged mode is incompatible with user namespaces. You must run the container in the host namespace (--userns=host) when running privileged mode."
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.438954374-04:00" level=error msg="Handler for DELETE /v1.26/containers/etcd_container?force=1 returned error: No such container: etcd_container"
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.439487121-04:00" level=error msg="Handler for DELETE /v1.26/containers/etcd_container returned error: No such container: etcd_container"
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.477596662-04:00" level=error msg="Handler for POST /v1.26/containers/create?name=etcd_container returned error: Cannot share the host's network namespace when user namespaces are enabled"
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.479711673-04:00" level=error msg="Handler for POST /v1.26/containers/create returned error: Cannot share the host's network namespace when user namespaces are enabled"
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.512951489-04:00" level=error msg="Handler for POST /v1.26/containers/etcd_container/stop returned error: No such container: etcd_container"
Mar 19 05:11:03 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:11:03.514549544-04:00" level=error msg="Handler for POST /v1.26/containers/etcd_container/stop returned error: No such container: etcd_container"
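As an added example (not from the bug thread or from docker), a small Python check that scans dockerd-current journal lines like those quoted above and reports, per container create request, which user-namespace incompatibility the daemon rejected it for; the sample lines are constructed in the shape of the entries in this comment, and the three error texts it matches are the ones the thread quotes (the docker 1.10 wording from the description and the 1.13 wordings from the log). It helps answer the question QE is asking here: which node components (privileged or hostNetwork) block enabling --userns-remap.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the dockerd-current journald entries
# quoted in the QE comment above (same host, PID and container names).
SAMPLE_LOG = """\
Mar 19 05:10:53 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:53.069662260-04:00" level=error msg="Handler for POST /v1.26/containers/create?name=atomic-openshift-master-api returned error: Privileged mode is incompatible with user namespaces. You must run the container in the host namespace (--userns=host) when running privileged mode."
Mar 19 05:10:58 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:58.222641645-04:00" level=error msg="Handler for POST /v1.26/containers/create?name=etcd_container returned error: Cannot share the host's network namespace when user namespaces are enabled"
Mar 19 05:10:58 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:58.224475742-04:00" level=error msg="Handler for POST /v1.26/containers/create returned error: Cannot share the host's network namespace when user namespaces are enabled"
Mar 19 05:10:58 qe-wjiang-master-container-etcd-1 dockerd-current[65611]: time="2018-03-19T05:10:58.255013328-04:00" level=error msg="Handler for POST /v1.26/containers/etcd_container/stop returned error: No such container: etcd_container"
"""

# Daemon error texts that mean the container spec cannot run under
# --userns-remap. "shared_netns" is the docker 1.10 wording from the bug
# description, which also rejected container:<id> network sharing.
USERNS_ERRORS = {
    "privileged": "Privileged mode is incompatible with user namespaces",
    "host_netns": "Cannot share the host's network namespace when user namespaces are enabled",
    "shared_netns": "Cannot share the host or a container's network namespace when user namespaces are enabled",
}

# Matches the API-handler error the daemon logs for a rejected request.
HANDLER_RE = re.compile(
    r'level=error msg="Handler for (?P<verb>[A-Z]+) (?P<path>\S+) returned error: (?P<err>.*)"\s*$'
)


def userns_conflicts(log_text):
    """Map container name -> set of reasons for every create request the
    daemon rejected because of a user-namespace incompatibility.
    A create request sent without ?name= is reported under "(unnamed)"."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = HANDLER_RE.search(line)
        if not m or m.group("verb") != "POST" or "/containers/create" not in m.group("path"):
            continue  # stop/delete errors and non-handler lines are not userns issues
        name_m = re.search(r"[?&]name=([^&\s]+)", m.group("path"))
        name = name_m.group(1) if name_m else "(unnamed)"
        for reason, text in USERNS_ERRORS.items():
            if text in m.group("err"):
                found[name].add(reason)
    return dict(found)


if __name__ == "__main__":
    for name, reasons in sorted(userns_conflicts(SAMPLE_LOG).items()):
        print(f"{name}: {', '.join(sorted(reasons))}")
```

Feed it `journalctl -u docker --no-pager` output from a node where userns-remap was just enabled to get the list of components that need --userns=host or a non-host network mode before the remap can stay on.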