After an apt upgrade on my Debian 11 I can no longer run any docker containers. They work well with containerd, but not docker. I tried following official documentation to reinstall it from scratch but it’s not enough.
I keep getting this error:
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:faa03e786c97f07ef34423fccceeec2398ec8a5759259f94d99078f264e9d7af
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: container_linux.go:349: starting container process caused "error adding seccomp filter rule for syscall clone3: permission denied": unknown.
ERRO[0002] error waiting for container: context canceled
No matter the container I try running. Nothing helpful in logs:
ERRO[2022-12-04T13:12:15.224643702+01:00] stream copy error: reading from a closed fifo
ERRO[2022-12-04T13:12:15.224644272+01:00] stream copy error: reading from a closed fifo
ERRO[2022-12-04T13:12:15.365268905+01:00] 03dc92f28a918a7d38ac931528a2fcc9456a69f8897e33f46f3b035ad5e0b9cd cleanup: failed to delete container from containerd: no such container
No nvidia-docker and anything I can find on google is about an nvidia-docker setup.
Docker version:
Client: Docker Engine - Community
Version: 20.10.21
API version: 1.41
Go version: go1.18.7
Git commit: baeda1f
Built: Tue Oct 25 18:02:28 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.21
API version: 1.41 (minimum version 1.12)
Go version: go1.18.7
Git commit: 3056208
Built: Tue Oct 25 18:00:19 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.10
GitCommit: 770bd0108c32f3fb5c73ae1264f7e503fe7b2661
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.19.0
GitCommit: de40ad0
I think this is the same syscall that caused problems with oolder Docker versions before and the solution was to update Docker, but you are using the latest version.
Did that apt upgrade change the kernel? Can you switch back to a previous kernel?
It doesn’t have to be. I asked about the kernel so we can find out whether the change of the kernel caused the problem or something else. Without knowing what happend it would be hard to find a solution
Okay, that shouldn’t be a big difference for Docker, but I would still try to boot with the previous kernel for debugging if you still have that on your machine.
yes docker was probably upgraded as well but I don’t remember the version I had previously.
To be honest, never thought docker would break like that for an upgrade. I’d be happy to choose the version that is “tested” for my kernel. Since I want to remain on this specific kernel version.
I tried booting with my old kernel and the problem persists.
It is a good practice to disable upgrading Docker so it os upgraded only when you manually do it and you can test it on an other machine before upgrading in production. Years ago I upgradded Docker acidentally on Centos when I ran yum update and the update changed the storage driver so all of my containers seemd to be disappeared. I managed to restore everything, but Docker is not recommended to be upgraded with all the system packages. As far as I know, Docker intercepts syscalls so if Docker deson’t support a syscall, commands inside the container can fail. In this case I don’t know what happened, because it is about adding a seccomp filter rule but it could be related to the Docker version. If it is, it is still a bug which has to be fixed, but at least we would know what to report to the developers.
Maybe you could try the dpkg.log to find out what the previous version was. But I am not sure. I can’t test it right now.
Alright, I’m less careful with docker since I only use it for building images… For now I think I’ll use buildah instead, don’t have too much time to debug meticulously.
