wazano318
(Tsukasa Nozawa)
May 18, 2025, 7:46am
1
I recently switched to rootless Docker. Then I found that if `--ulimit memlock=-1` is specified, the following error occurs and it does not work.
```
$ docker run --rm -it --ulimit memlock=-1 ubuntu bash
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error setting rlimits for ready process: error setting rlimit type 8: operation not permitted: unknown

Run 'docker run --help' for more information
```
If I give a specific number instead of -1, it can work.
Does anyone know how to fix this?
wazano318
(Tsukasa Nozawa)
May 18, 2025, 7:50am
2
Here is the output of `docker info`.
```
$ docker info
Client: Docker Engine - Community
 Version:    28.1.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.23.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.35.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 2
 Server Version: 28.1.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
 runc version: v1.2.5-0-g59923ef
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 6.8.0-59-generic
 Operating System: Ubuntu 22.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 20
 Total Memory: 93.98GiB
 Name: hamstring
 ID: 24b69f0d-1a60-48bd-b55c-3e6c4f8f54d1
 Docker Root Dir: /home/tsukasa/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
```
rimelek
(Ákos Takács)
May 19, 2025, 10:06pm
3
Rootless Docker means you run the daemon as a non-root user through rootlesskit. The user has limited privileges, so it might not be possible. You could find similar reports in the podman repository as well:

(podman issue, opened 23 Jul 2023 08:04 UTC, closed 29 Aug 2023 10:36 UTC; labels: kind/bug, stale-issue, locked - please file new issue/PR)
### Issue Description
As requested by @rhatdan in #6389, I open this issue about the following problem I encountered:
I used a docker compose file from gravitee.io to create a set of brand new containers (never created before)
When starting elasticsearch in rootless mode on RHEL 9.2, I got
```
Error: crun: setrlimit `RLIMIT_MEMLOCK`: Operation not permitted: OCI permission denied
```
although I have a quite big limit on memlock
```
$ podman unshare ulimit -l
8192
```
Looking at the docker-compose file, it contains
```
ulimits:
memlock:
soft: -1
hard: -1
nofile: 65536
```
In that context (rootless), shouldn't it take the highest possible value (8192 in my case) for -1, i.e. unlimited (maybe with a warning)?
### Steps to reproduce the issue
1. Not being root, start a container with option '--ulimit memlock=-1:-1'
e.g. in my case
```
$ podman run --name=gio_apim_elasticsearch -d --label io.podman.compose.config-hash=123 --label io.podman.compose.project=gravitee --label io.podman.compose.version=0.0.1 --label com.docker.compose.project=gravitee --label com.docker.compose.project.working_dir=/ad_users/olivier_levillain/gravitee --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=elasticsearch -e http.host=0.0.0.0 -e transport.host=0.0.0.0 -e xpack.security.enabled=false -e xpack.monitoring.enabled=false -e cluster.name=elasticsearch -e bootstrap.memory_lock=true -e discovery.type=single-node -e ES_JAVA_OPTS=-Xms512m -Xmx512m -v gravitee_data-elasticsearch:/usr/share/elasticsearch/data --net storage --network-alias elasticsearch --restart always --ulimit memlock=-1:-1 --ulimit nofile=65536 docker.elastic.co/elasticsearch/elasticsearch:8.8.1
```
### Describe the results you received
```
Error: crun: setrlimit `RLIMIT_MEMLOCK`: Operation not permitted: OCI permission denied
```
### Describe the results you expected
No error, maybe a warning saying unlimited is actually limited to $(podman unshare ulimit -l)
### podman info output
```yaml
Running latest podman on RHEL 9.2
No access to the server now to provide the podman version.
```
### Podman in a container
No
### Privileged Or Rootless
Rootless
### Upstream Latest Release
No
### Additional environment details
Installed with `yum install` on RHEL 9
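The reason both reports fail the same way is the setrlimit(2) rule that an unprivileged process may lower its hard limit but may only raise it with CAP_SYS_RESOURCE, which a rootless daemon (and therefore the runc/crun it spawns) does not have. Asking for `memlock=-1` means "raise the hard limit to unlimited", so it is refused unless the daemon's inherited hard limit is already unlimited, whereas a finite value at or below that limit works, exactly as the first post observes. The podman issue suggests substituting the attainable maximum for -1; the shell snippet below is an added example of that pre-flight check, not code from the thread, Docker or Podman. It assumes the hard limit is read from a `/proc/<pid>/limits`-style text (bytes, or the word `unlimited`), and note the unit trap: `ulimit -l` prints KiB (the 8192 in the podman report is 8 MiB), while `/proc/<pid>/limits` and Docker's `--ulimit memlock=` use bytes.

```shell
#!/bin/sh
# Added example, not code from the thread or from Docker/Podman.
# A rootless daemon runs without CAP_SYS_RESOURCE, so setrlimit() may only
# keep or lower the hard limit it inherited; requesting -1 (unlimited) fails
# with EPERM unless the daemon's hard RLIMIT_MEMLOCK is already unlimited.
# This pre-flight check rewrites a "--ulimit memlock=" request to the largest
# value the daemon can actually grant, which is what the podman issue asks for.

# Read the hard "Max locked memory" value (bytes, or "unlimited") from
# /proc/<pid>/limits-style text on stdin. Field 4 is the soft limit, 5 the hard.
memlock_hard_from_limits() {
  awk '/^Max locked memory/ { print $5 }'
}

# clamp_memlock REQUEST AVAILABLE
#   REQUEST   docker-style "soft[:hard]" in bytes, -1 meaning unlimited
#   AVAILABLE the daemon's hard limit in bytes, or "unlimited"
# Prints the "soft:hard" spec to pass to --ulimit memlock=, or returns 1 when
# a finite request exceeds what the daemon can grant.
clamp_memlock() {
  req=$1
  avail=$2
  soft=${req%%:*}
  case $req in
    *:*) hard=${req#*:} ;;
    *)   hard=$soft ;;
  esac

  # Hard limit already unlimited (e.g. LimitMEMLOCK=infinity on the daemon):
  # -1 is permitted, so pass the request through unchanged.
  if [ "$avail" = unlimited ]; then
    printf '%s:%s\n' "$soft" "$hard"
    return 0
  fi

  # Substitute the attainable maximum for -1.
  if [ "$soft" = -1 ]; then soft=$avail; fi
  if [ "$hard" = -1 ]; then hard=$avail; fi

  # An explicit value above the inherited hard limit cannot be satisfied
  # without CAP_SYS_RESOURCE; refuse here instead of letting runc fail later.
  if [ "$hard" -gt "$avail" ] || [ "$soft" -gt "$avail" ]; then
    printf 'memlock request %s exceeds the daemon hard limit of %s bytes\n' \
      "$req" "$avail" >&2
    return 1
  fi

  # setrlimit() rejects soft > hard with EINVAL, so keep soft within hard.
  if [ "$soft" -gt "$hard" ]; then soft=$hard; fi
  printf '%s:%s\n' "$soft" "$hard"
}

# Demo against a constructed limits line: what a rootless daemon with an
# 8 MiB hard limit ("ulimit -l" = 8192 KiB) would show in /proc/<pid>/limits.
sample='Max locked memory         8388608              8388608              bytes'
avail=$(printf '%s\n' "$sample" | memlock_hard_from_limits)
clamp_memlock -1:-1 "$avail"   # prints 8388608:8388608
```

In real use the AVAILABLE value has to come from the daemon's own process, not from the interactive shell, because runc inherits its limits from dockerd; for rootless Docker that is something like `memlock_hard_from_limits < /proc/$(pidof dockerd)/limits` (an assumption about how the daemon is started; adjust to your setup). When that inherited hard limit is itself the bottleneck, it must be raised where the daemon is launched (for instance a `LimitMEMLOCK=` override on the user-level docker.service unit), since a child can never raise its hard limit above its parent's without CAP_SYS_RESOURCE.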