2.24.2 docker image not working in rootless mode on Ubuntu 22.04 host #220

Closed
troed opened this issue Nov 18, 2023 · 16 comments

@troed

troed commented Nov 18, 2023

Downgrading to 2.24.0 works fine. I did not test 2.24.1.

The issue presents as the following in the log:

```
+ exec gosu deconz /usr/bin/deCONZ --auto-connect=1 --appdata=/opt/deCONZ --dbg-info=2 --dbg-aps=2 --dbg-zcl=2 --dbg-ddf=0 --dbg-dev=0 --dbg-zdp=2 --dbg-ota=0 --dbg-error=0 --dbg-http=0 --http-port=8380 --ws-port=8381 -platform minimal
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-deconz'
libpng warning: iCCP: known incorrect sRGB profile
QThread::start: Thread creation error (Operation not permitted)
QThread::start: Thread creation error (Operation not permitted)
```

@senilio
Collaborator

senilio commented Nov 18, 2023

Could you share your docker-compose file, and hopefully we'll be able to reproduce the error?

@troed
Author

troed commented Nov 18, 2023

Sorry, sure. I did try looking into the actual reason (which could be Qt libs or seccomp problems) but didn't manage to find anything. The host is fully updated, on kernel 5.15.0-88 and uses cgroup2.

```yaml
version: '3'

networks:
  external_network:
  internal_network:
    internal: true

services:
  deconz:
    image: deconzcommunity/deconz
    container_name: deconz
    restart: always
    volumes:
      - /home/hass/deconz/storage:/opt/deCONZ
    devices:
      - /dev/ttyACM0
    environment:
      - DECONZ_WEB_PORT=8380
      - DECONZ_WS_PORT=8381
      - DEBUG_INFO=1
      - DEBUG_APS=0
      - DEBUG_ZCL=0
      - DEBUG_ZDP=0
      - DEBUG_OTAU=0
      - DECONZ_VNC_MODE=1
      - DECONZ_VNC_DISPLAY=1
      - DECONZ_VNC_PORT=5901
      - DECONZ_VNC_PASSWORD=something
    networks:
      - internal_network
      - external_network
    ports:
      - "8180:80"
      - "8543:443"
      - "8380:8380"
      - "8381:8381"
      - "5901:5901"
```

(other containers removed)

@matthias-burgfried

2.24.1 unfortunately did not work for me. I have not tested 2.24. I went back to 2.23.2.

@phdelodder
Collaborator

@matthias-burgfried same issue as @troed? If it is a different one, please open a new issue.

@matthias-burgfried

@phdelodder: yes, same issue.

@phdelodder
Collaborator

When adding privilege:true does it work then?

@troed
Author

troed commented Nov 24, 2023

> When adding privilege:true does it work then?

Unfortunately it will be difficult for me to test that since it's not rootless anymore if adding that privilege. It risks messing up the installation, sorry.

@phdelodder
Collaborator

@troed it seems to be an issue with permissions: https://www.reddit.com/r/docker/comments/vc1rkn/problem_with_threads_in_container/
I'm open to suggestions

@phdelodder
Collaborator

You could check out https://docs.docker.com/engine/security/seccomp/ and docker-library/golang#467 (comment), as it seems to be related to your issue.

@troed
Author

troed commented Nov 24, 2023

Alright, I'll look into using a seccomp profile. Any hint as to what has changed from 2.24.0 to 2.24.2 that could trip one of the permissions listed on the seccomp page?

@phdelodder
Collaborator

Upgraded the Debian base image to the latest

@troed
Author

troed commented Nov 27, 2023

Confirmed - changing to unconfined seccomp makes 2.24.2 start here. I might try to figure out exactly which permission is needed instead of just running unconfined.

```yaml
services:
  deconz:
    security_opt:
      - seccomp:unconfined
```
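
Added example, not part of the thread or the project's code: one way to start narrowing `seccomp:unconfined` down to a specific profile is to check how a Docker-format seccomp profile treats thread-creation syscalls, since the log shows thread start failing with "Operation not permitted" (EPERM). The choice of `clone` and `clone3`, the function names and both sample profiles are assumptions made for this example; the thread does not identify the denied syscall.

```python
# Assumption: clone and clone3 are the calls to check first; the thread
# never names the syscall that was denied.
THREAD_SYSCALLS = ("clone", "clone3")
EPERM, ENOSYS = 1, 38  # Linux errno values; EPERM is "Operation not permitted"

def rule_applies(rule, caps):
    """Capability filters: every 'includes' cap held, no 'excludes' cap held."""
    inc = set(rule.get("includes", {}).get("caps", []))
    exc = set(rule.get("excludes", {}).get("caps", []))
    return inc <= set(caps) and not (exc & set(caps))

def verdict(profile, syscall, caps=()):
    """(action, errno, has_arg_filter) from the first applicable rule, else the default."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []) and rule_applies(rule, caps):
            act = rule["action"]
            err = rule.get("errnoRet", EPERM) if act == "SCMP_ACT_ERRNO" else None
            return act, err, bool(rule.get("args"))
    act = profile["defaultAction"]
    err = profile.get("defaultErrnoRet", EPERM) if act == "SCMP_ACT_ERRNO" else None
    return act, err, False

def audit(profile, caps=()):
    """Describe how the profile treats each thread-creation syscall."""
    out = {}
    for name in THREAD_SYSCALLS:
        act, err, filtered = verdict(profile, name, caps)
        if act == "SCMP_ACT_ALLOW":
            out[name] = "allowed with argument filter" if filtered else "allowed"
        elif err == ENOSYS:
            # ENOSYS reads as "syscall unavailable"; glibc then falls back to clone.
            out[name] = "ENOSYS"
        elif err is not None:
            out[name] = f"denied errno={err}"
        else:
            out[name] = act
    return out

# Constructed sample rules and profiles, not taken from the thread or a Docker release.
CLONE = {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "op": "SCMP_CMP_MASKED_EQ"}]}
CLONE3 = {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": ENOSYS}
WITHOUT_CLONE3 = {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [CLONE]}
WITH_CLONE3 = {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [CLONE, CLONE3]}

if __name__ == "__main__":
    print(audit(WITHOUT_CLONE3))
    print(audit(WITH_CLONE3))
```

To check a real profile, load its JSON with `json.load` and pass the capability names the container holds as `caps`.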

@bhsolberg

I found anything newer than image ID 38c2213ae52e (2.24.1) made the container startup "freezing"; i.e. perpetually listed in "health: starting"-status for docker, with the "QThread::start: Thread creation error (Operation not permitted)" error as the last entry in the log. Even the current 2.24.1 tag has the same problem. The 2.24.0 tag works fine. What changed after the 38c2213ae52e image ID to make this break? What is the recommended fix (or workaround), besides using the "unconfined" seccomp option as described above?

@bhsolberg

Bump... or, is the conclusion that only setting the seccomp option to "unconfined" will make this work?

@phdelodder
Collaborator

@bhsolberg introduced NON_ROOT env option, could you see if it's fixed?

@senilio
Collaborator

senilio commented Aug 29, 2024

Will close this issue in a couple of days due to it going stale

senilio closed this as not planned (won't fix, can't repro, duplicate, stale) on Sep 8, 2024