apt upgrade on my Debian 11 I can no longer run any docker containers. They work well with containerd, but not docker. I tried following official documentation to reinstall it from scratch but it’s not enough.
I keep getting this error:
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: container_linux.go:349: starting container process caused "error adding seccomp filter rule for syscall clone3: permission denied": unknown.
ERRO error waiting for container: context canceled
No matter the container I try running. Nothing helpful in logs:
ERRO[2022-12-04T13:12:15.224643702+01:00] stream copy error: reading from a closed fifo
ERRO[2022-12-04T13:12:15.224644272+01:00] stream copy error: reading from a closed fifo
ERRO[2022-12-04T13:12:15.365268905+01:00] 03dc92f28a918a7d38ac931528a2fcc9456a69f8897e33f46f3b035ad5e0b9cd cleanup: failed to delete container from containerd: no such container
No nvidia-docker and anything I can find on google is about an nvidia-docker setup.
Client: Docker Engine - Community
API version: 1.41
Go version: go1.18.7
Git commit: baeda1f
Built: Tue Oct 25 18:02:28 2022
Server: Docker Engine - Community
API version: 1.41 (minimum version 1.12)
Go version: go1.18.7
Git commit: 3056208
Built: Tue Oct 25 18:00:19 2022
I think this is the same syscall that caused problems with oolder Docker versions before and the solution was to update Docker, but you are using the latest version.
apt upgrade change the kernel? Can you switch back to a previous kernel?
I’m using kernel version 5.10.0-19-amd64 it’s not the most recent…
It doesn’t have to be. I asked about the kernel so we can find out whether the change of the kernel caused the problem or something else. Without knowing what happend it would be hard to find a solution
Moved from kernel 5.10.0-8-amd64 to 5.10.0-19-amd64
Okay, that shouldn’t be a big difference for Docker, but I would still try to boot with the previous kernel for debugging if you still have that on your machine.
Was Docker upgraded as well?
yes docker was probably upgraded as well but I don’t remember the version I had previously.
To be honest, never thought docker would break like that for an upgrade. I’d be happy to choose the version that is “tested” for my kernel. Since I want to remain on this specific kernel version.
I tried booting with my old kernel and the problem persists.
For reference podman also works flawlessly.
It is a good practice to disable upgrading Docker so it os upgraded only when you manually do it and you can test it on an other machine before upgrading in production. Years ago I upgradded Docker acidentally on Centos when I ran
yum update and the update changed the storage driver so all of my containers seemd to be disappeared. I managed to restore everything, but Docker is not recommended to be upgraded with all the system packages. As far as I know, Docker intercepts syscalls so if Docker deson’t support a syscall, commands inside the container can fail. In this case I don’t know what happened, because it is about adding a seccomp filter rule but it could be related to the Docker version. If it is, it is still a bug which has to be fixed, but at least we would know what to report to the developers.
Maybe you could try the dpkg.log to find out what the previous version was. But I am not sure. I can’t test it right now.
Alright, I’m less careful with docker since I only use it for building images… For now I think I’ll use buildah instead, don’t have too much time to debug meticulously.