Description of problem:
In an attempt to harden my docker installation, I've set

OPTIONS='--icc=false --log-driver=journald --userns-remap=default'

appending the --userns-remap option (and removing --selinux-enabled to work around bug 1401537). After restarting the daemon, I can no longer start systemd in the container, presumably due to some oci-systemd-hook interaction.

Version-Release number of selected component (if applicable):
docker-1.12.3-10.git7b5044b.fc25.x86_64
oci-systemd-hook-0.1.4-3.git41491a3.fc25.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. Set /etc/sysconfig/docker option OPTIONS to OPTIONS='--icc=false --log-driver=journald --userns-remap=default'
2. systemctl restart docker
3. docker run --rm -ti -e container=docker fedora:rawhide /usr/sbin/init

Actual results:
# docker run --rm -ti -e container=docker fedora:rawhide /usr/sbin/init
/usr/bin/docker-current: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:334: running prestart hook 2 caused \\\"error running hook: exit status 1, stdout: , stderr: \\\"\"\n".

Journal contains

Dec 06 07:36:30 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:30.169832498-05:00" level=info msg="{Action=create, Username=root, LoginUID=0, PID=16709}"
Dec 06 07:36:30 machine.example.test audit[12706]: VIRT_CONTROL pid=12706 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='user=root auid=0 exe=? hostname=? reason=api op=create vm=? vm-pid=? exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Mounting V5 Filesystem
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Ending clean mount
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Unmounting Filesystem
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Mounting V5 Filesystem
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Ending clean mount
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Unmounting Filesystem
Dec 06 07:36:31 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:31.244283614-05:00" level=info msg="{Action=attach, Username=root, LoginUID=0, PID=16709}"
Dec 06 07:36:31 machine.example.test audit[12706]: VIRT_CONTROL pid=12706 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=attach vm=? vm-pid=? user=root auid=0 exe=? hostname=? reason=api exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Dec 06 07:36:31 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:31.245330515-05:00" level=info msg="{Action=start, Username=root, LoginUID=0, PID=16709}"
Dec 06 07:36:31 machine.example.test audit[12706]: VIRT_CONTROL pid=12706 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=start vm=? vm-pid=? user=root auid=0 exe=? hostname=? reason=api exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Dec 06 07:36:31 machine.example.test kernel: XFS (dm-3): Mounting V5 Filesystem
Dec 06 07:36:31 machine.example.test kernel: XFS (dm-3): Ending clean mount
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered blocking state
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered disabled state
Dec 06 07:36:31 machine.example.test kernel: device veth27a7289 entered promiscuous mode
Dec 06 07:36:31 machine.example.test audit: ANOM_PROMISCUOUS dev=veth27a7289 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
Dec 06 07:36:31 machine.example.test kernel: IPv6: ADDRCONF(NETDEV_UP): veth27a7289: link is not ready
Dec 06 07:36:31 machine.example.test systemd-udevd[16775]: Could not generate persistent MAC address for veth27a7289: No such file or directory
Dec 06 07:36:31 machine.example.test systemd-udevd[16774]: Could not generate persistent MAC address for vethff5ae4d: No such file or directory
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info> [1481027791.3205] manager: (vethff5ae4d): new Veth device (/org/freedesktop/NetworkManager/Devices/163)
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info> [1481027791.3219] manager: (veth27a7289): new Veth device (/org/freedesktop/NetworkManager/Devices/164)
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16787-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16787-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test systemd[1]: Started docker container f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.
Dec 06 07:36:31 machine.example.test kernel: eth0: renamed from vethff5ae4d
Dec 06 07:36:31 machine.example.test kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth27a7289: link becomes ready
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered blocking state
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered forwarding state
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info> [1481027791.5905] device (vethff5ae4d): driver 'veth' does not support carrier detection.
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info> [1481027791.5909] device (veth27a7289): link connected
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info> [1481027791.5910] device (docker0): link connected
Dec 06 07:36:31 machine.example.test oci-register-machine[16820]: 2016/12/06 07:36:31 Register machine: prestart f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865 16796 /var/lib/docker/886432.886432/devicemapper/mnt/03c0f793add27876e6d88ef098dd47c03cbe93dd65281bbbab1e081f6cf2b388/rootfs
Dec 06 07:36:31 machine.example.test systemd-machined[3810]: New machine f6025e740db57b0219f509c24f973867.
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: Mount Label parsed as:
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 11:cpuset:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :cpuset:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 10:hugetlb:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :hugetlb:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 9:freezer:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :freezer:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 8:blkio:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :blkio:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 7:pids:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :pids:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 6:memory:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :memory:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: Found
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: PATH: /system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/memory/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: memory path: /sys/fs/cgroup/memory/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope/memory.limit_in_bytes
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: LIMIT: 9223372036854771712
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: Limit in bytes: 9223372036854771712
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <error>: Failed to mount /sys/fs/cgroup on /var/lib/docker/886432.886432/devicemapper/mnt/03c0f793add27876e6d88ef098dd47c03cbe93dd65281bbbab1e081f6cf2b388/rootfs/sys/fs/cgroup: Invalid argument
Dec 06 07:36:31 machine.example.test systemd[1]: Stopped docker container f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.
Dec 06 07:36:31 machine.example.test oci-register-machine[16827]: 2016/12/06 07:36:31 Register machine: poststop f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865 0 /var/lib/docker/886432.886432/devicemapper/mnt/03c0f793add27876e6d88ef098dd47c03cbe93dd65281bbbab1e081f6cf2b388/rootfs
Dec 06 07:36:31 machine.example.test systemd-machined[3810]: Machine f6025e740db57b0219f509c24f973867 terminated.
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16832]: systemdhook <debug>: Mount Label parsed as:
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16833-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test docker-containerd-current[2142]: time="2016-12-06T07:36:31.693478361-05:00" level=error msg="containerd: start container" error="oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:334: running prestart hook 2 caused \\\"error running hook: exit status 1, stdout: , stderr: \\\"\"\n" id=f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865
Dec 06 07:36:31 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:31.710223766-05:00" level=error msg="Create container failed with error: invalid header field value \"oci runtime error: container_linux.go:247: starting container process caused \\\"process_linux.go:334: running prestart hook 2 caused \\\\\\\"error running hook: exit status 1, stdout: , stderr: \\\\\\\"\\\"\\n\""
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16833-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16839-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16839-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered disabled state
Dec 06 07:36:31 machine.example.test kernel: vethff5ae4d: renamed from eth0
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info> [1481027791.8120] manager: (vethff5ae4d): new Veth device (/org/freedesktop/NetworkManager/Devices/165)
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered disabled state
Dec 06 07:36:31 machine.example.test kernel: device veth27a7289 left promiscuous mode
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered disabled state
Dec 06 07:36:31 machine.example.test audit: ANOM_PROMISCUOUS dev=veth27a7289 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info> [1481027791.8759] device (vethff5ae4d): driver 'veth' does not support carrier detection.
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info> [1481027791.8762] device (veth27a7289): driver 'veth' does not support carrier detection.
Dec 06 07:36:32 machine.example.test kernel: XFS (dm-3): Unmounting Filesystem
Dec 06 07:36:32 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:32.267923608-05:00" level=error msg="Handler for POST /v1.24/containers/f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865/start returned error: invalid header field value \"oci runtime error: container_linux.go:247: starting container process caused \\\"process_linux.go:334: running prestart hook 2 caused \\\\\\\"error running hook: exit status 1, stdout: , stderr: \\\\\\\"\\\"\\n\""
Dec 06 07:36:32 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:32.269196761-05:00" level=info msg="{Action=remove, Username=root, LoginUID=0, PID=16709}"
Dec 06 07:36:32 machine.example.test audit[12706]: VIRT_CONTROL pid=12706 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='hostname=? reason=api op=remove vm=? vm-pid=? user=root auid=0 exe=? exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'

Expected results:
No error.

Additional info:
For the oci-systemd-hook logic to kick in, any command with basename equal to init will work as reproducer:

docker run --rm -ti -e container=docker fedora:rawhide /anything/init

Filing against docker first because it might not be something oci-systemd-hook is able to fix per se.
If you remove the oci-systemd-hook, can you get it to work mounting the devices on the command line?

--tmpfs /run --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup ...

I think the mount command inside of oci-systemd-hook for the cgroups is failing.
Right, manually mounting is what I tried to do but I hit bug 1401537 comment 13.
While

$ docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -ti fedora:24 bash

fails,

$ docker run -v /sys/fs/cgroup:/sys/fs/cgroup --rm -ti fedora:24 bash

without the :ro passes. So I tried removing /usr/libexec/oci/hooks.d/oci-systemd-hook and I ran

$ docker run --rm -ti -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup --tmpfs /run --tmpfs /tmp fedora:24 /usr/sbin/init

and I get

systemd 229 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.
Running with unpopulated /etc.
Welcome to Fedora 24 (Twenty Four)!
Set hostname to <650c8735a344>.
Initializing machine ID from random generator.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to populate /etc with preset unit settings, ignoring: No such file or directory
Failed to create /system.slice/docker-650c8735a34469088aa207dab473783f53d7eeb879485c548119bd8091851d52.scope/init.scope control group: Permission denied
Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object, freezing.
Freezing execution.
Error response from daemon: No such container: 650c8735a34469088aa207dab473783f53d7eeb879485c548119bd8091851d52
Error response from daemon: devmapper: Unknown device e861345cb11388039769492dde3218b1a709c87ec503974c5fba1634116c42e6
I think we need to keep these bugzillas separate. Let's handle mounting of /sys/fs/cgroup:/sys/fs/cgroup:ro inside of a user namespace here. The systemd one needs to be handled separately.
Alright. So the steps to reproduce would be: with --userns-remap set for the docker daemon,

$ docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -ti fedora:24 bash

fails, while

$ docker run -v /sys/fs/cgroup:/sys/fs/cgroup --rm -ti fedora:24 bash

without the :ro passes.
I now spun off the systemd issue with /sys/fs/cgroup mounted without that :ro to bug 1402264.
https://github.com/opencontainers/runc/issues/1229
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This issue, as clarified in comment 6, still fails on Fedora 26 with

docker-1.13.1-40.git877b6df.fc26.x86_64
selinux-policy-3.13.1-260.14.fc26.noarch
container-selinux-2.28-1.fc26.noarch
oci-systemd-hook-0.1.13-1.gitafe4b4a.fc26.x86_64

with the -v /sys/fs/cgroup:/sys/fs/cgroup:ro and with OPTIONS='--selinux-enabled --log-driver=journald --userns-remap=default' and setsebool -P container_manage_cgroup 1
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
With

docker-1.13.1-44.git584d391.fc26.x86_64
selinux-policy-3.13.1-260.20.fc26.noarch
container-selinux-2.40-1.fc26.noarch
oci-systemd-hook-0.1.15-1.git2d0b8a3.fc26.x86_64

running just

docker run --rm fedora:26 /usr/sbin/init

passes, with docker configured as OPTIONS='--selinux-enabled --log-driver=journald --userns-remap=default' and with setsebool -P container_manage_cgroup 1

On the other hand,

docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -ti fedora:26 bash

with the :ro still fails with

/usr/bin/docker-current: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:364: container init caused \"rootfs_linux.go:54: mounting \\\"/sys/fs/cgroup\\\" to rootfs \\\"/var/lib/docker/165536.165536/devicemapper/mnt/7d24eeecce023fd6c7c7c53e28a2e77431c37a814e10ca8d0725eec01dc995cf/rootfs\\\" at \\\"/var/lib/docker/165536.165536/devicemapper/mnt/7d24eeecce023fd6c7c7c53e28a2e77431c37a814e10ca8d0725eec01dc995cf/rootfs/sys/fs/cgroup\\\" caused \\\"operation not permitted\\\"\"".

while

docker run -v /sys/fs/cgroup:/sys/fs/cgroup --rm -ti fedora:26 bash

passes.

On Fedora 27 with

docker-1.13.1-51.git4032bd5.fc27.x86_64
selinux-policy-3.13.1-283.34.fc27.noarch
container-selinux-2.55-1.fc27.noarch
oci-systemd-hook-0.1.15-1.git2d0b8a3.fc27.x86_64

the results are the same, so moving the version to 27.
Since https://github.com/opencontainers/runc/issues/1229 mentions the docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -ti fedora:26 bash failure might be a kernel issue, also noting that on Fedora 27 the kernel is kernel-4.16.6-202.fc27.x86_64 and on Fedora 28 where it fails as well, the version is kernel-4.16.7-300.fc28.x86_64.
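The runc issue above points at the kernel but the thread never pins the mechanism down, so the following C program, added here as an illustration and not code from this bug, docker, runc or podman, probes the behaviour directly without any container runtime: it bind-mounts /sys/fs/cgroup inside a fresh user namespace and remounts it read-only twice, once passing only MS_RDONLY and once also passing the flags the mount already carries (read from /proc/self/mountinfo). The explanation it rests on is my assumption rather than a statement from the thread: a less-privileged user namespace sees the nosuid/nodev/noexec/atime flags of inherited mounts as locked, and a remount that drops any of them fails with EPERM, which would match the "operation not permitted" seen only with :ro.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result { PROBE_UNAVAILABLE = -1, PROBE_EPERM = 0, PROBE_OK = 1 };

/* Translate the per-mount option column of /proc/self/mountinfo
 * (e.g. "rw,nosuid,nodev,noexec,relatime") into MS_* mount flags. */
unsigned long flags_from_mount_opts(const char *opts)
{
    static const struct { const char *name; unsigned long flag; } tbl[] = {
        {"ro", MS_RDONLY}, {"nosuid", MS_NOSUID}, {"nodev", MS_NODEV},
        {"noexec", MS_NOEXEC}, {"noatime", MS_NOATIME},
        {"nodiratime", MS_NODIRATIME}, {"relatime", MS_RELATIME}};
    unsigned long flags = 0;
    char buf[256];
    snprintf(buf, sizeof buf, "%s", opts);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
            if (strcmp(tok, tbl[i].name) == 0) flags |= tbl[i].flag;
    /* mountinfo prints no word for strictatime: absence of noatime/relatime means strict */
    if (!(flags & (MS_NOATIME | MS_RELATIME))) flags |= MS_STRICTATIME;
    return flags;
}

/* Flags currently set on the mount at `mountpoint` (0 if not found): the set a
 * runtime has to carry over when it remounts that mount read-only in a user namespace. */
unsigned long current_mount_flags(const char *mountpoint)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    char line[1024], mp[256], opts[256];
    unsigned long flags = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f))   /* fields: id parent maj:min root mountpoint opts ... */
        if (sscanf(line, "%*s %*s %*s %*s %255s %255s", mp, opts) == 2 && !strcmp(mp, mountpoint)) {
            flags = flags_from_mount_opts(opts); break;
        }
    fclose(f);
    return flags;
}

/* Child side: enter a fresh user+mount namespace (full capabilities there, so no uid map is
 * needed for mount()), bind /sys/fs/cgroup onto `dir`, then remount it read-only plus `extra`. */
static int probe_in_child(const char *dir, unsigned long extra)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) return PROBE_UNAVAILABLE;
    mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);          /* keep mounts local to the child */
    if (mount("/sys/fs/cgroup", dir, NULL, MS_BIND, NULL) != 0) return PROBE_UNAVAILABLE;
    if (mount(NULL, dir, NULL, MS_REMOUNT | MS_BIND | MS_RDONLY | extra, NULL) == 0)
        return PROBE_OK;
    return errno == EPERM ? PROBE_EPERM : PROBE_UNAVAILABLE;
}

/* Run the probe in a forked child so the caller's own namespaces stay intact. */
int probe_ro_remount(unsigned long extra)
{
    char dir[] = "/tmp/cgroup-probe-XXXXXX";
    int status;
    if (!mkdtemp(dir)) return PROBE_UNAVAILABLE;
    pid_t pid = fork();
    if (pid == 0) _exit(probe_in_child(dir, extra) + 1);       /* -1..1 -> exit status 0..2 */
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) status = 0; /* -> UNAVAILABLE */
    rmdir(dir);
    return WEXITSTATUS(status) - 1;
}

int main(void)
{
    unsigned long keep = current_mount_flags("/sys/fs/cgroup");   /* typically nosuid,nodev,noexec */
    printf("dropped=%d preserved=%d (kept 0x%lx)\n", probe_ro_remount(0), probe_ro_remount(keep), keep);
    return 0;   /* -1 = could not probe in this environment, 0 = EPERM, 1 = remount succeeded */
}
```

A result of 0 for the dropped case next to 1 for the preserved case reproduces the :ro failure without docker; -1 for both means the probe could not run here (unprivileged user namespaces disabled, or no /sys/fs/cgroup mount).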
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Jan, is this still an issue in F29?
Yes:

docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -i fedora:29 id
container_linux.go:247: starting container process caused "process_linux.go:364: container init caused \"rootfs_linux.go:54: mounting \\\"/sys/fs/cgroup\\\" to rootfs \\\"/var/lib/docker/808080.808080/overlay2/7f4c1245c4b69fc347bbee00f6a99975c8d58e808c0fe4dc3d9510d485064d65/merged\\\" at \\\"/var/lib/docker/808080.808080/overlay2/7f4c1245c4b69fc347bbee00f6a99975c8d58e808c0fe4dc3d9510d485064d65/merged/sys/fs/cgroup\\\" caused \\\"operation not permitted\\\"\""
/usr/bin/docker-current: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:364: container init caused \"rootfs_linux.go:54: mounting \\\"/sys/fs/cgroup\\\" to rootfs \\\"/var/lib/docker/808080.808080/overlay2/7f4c1245c4b69fc347bbee00f6a99975c8d58e808c0fe4dc3d9510d485064d65/merged\\\" at \\\"/var/lib/docker/808080.808080/overlay2/7f4c1245c4b69fc347bbee00f6a99975c8d58e808c0fe4dc3d9510d485064d65/merged/sys/fs/cgroup\\\" caused \\\"operation not
This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
The issue still seems present on Fedora 30.
I think we should be concentrating on cgroup V2 here perhaps on Fedora 31.
We are never going to fix this on Docker, so switched to Podman.
Feel free to close this bugzilla as WONTFIX for docker.

For podman, I'm not sure what the equivalent of adding --userns-remap=default to OPTIONS in /etc/sysconfig/docker would be. With podman-1.6.2-2.fc30.x86_64 I've tried

podman run -v /sys/fs/cgroup:/sys/fs/cgroup --rm -i --subuidname=dockremap --subgidname=dockremap registry.fedoraproject.org/fedora:30 id

but I get

Error: container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/sys/fs/cgroup\\\" to rootfs \\\"/var/lib/containers/storage/overlay/0864d3e223ad7849fd38a076e2c7960db0fdaf3d365cf305cd3c65f524d79cfc/merged\\\" at \\\"/var/lib/containers/storage/overlay/0864d3e223ad7849fd38a076e2c7960db0fdaf3d365cf305cd3c65f524d79cfc/merged/sys/fs/cgroup\\\" caused \\\"operation not permitted\\\"\"": OCI runtime permission denied error
OTOH,

podman run --systemd=always --rm -i --subuidname=dockremap --subgidname=dockremap registry.fedoraproject.org/fedora:30 sleep 60

runs fine.
Volume mounting in /sys/fs/cgroup would not be writable from a user namespace. Perhaps, since we are mounting the cgroup from inside of podman, it gets different permissions.
Is this still an issue? We are not working on it.
Things look good with podman-2.0.6-1.fc32.x86_64.