Error in Docker Desktop on linux which does not happen on native docker #219

@kahennig

Description

I am trying to migrate to Docker Desktop on Ubuntu 24.04.

Most images I have tried run just fine, except for a couple of older ones from Keycloak (which run on JBoss; the newer ones running via Quarkus run fine).

These are the two I tried and which fail to start via docker-desktop:
'quay.io/keycloak/keycloak:15.0.2' and
'quay.io/keycloak/keycloak:15.1.1'

Reproduce

  1. Install docker-desktop on Ubuntu 24.04 as per the install guide: https://docs.docker.com/desktop/install/linux-install/

  2. On Ubuntu 24.04 make sure you have run the following workaround:
    sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0; systemctl --user restart docker-desktop

  3. Make sure the docker context is set to docker-desktop and not default (on default it works just fine)

  4. create a docker-compose.yml file with this content:

    version: "3"
    services:
      postgres:
        image: postgres
        environment:
          POSTGRES_DB: keycloak
          POSTGRES_USER: keycloak
          POSTGRES_PASSWORD: password
        hostname: postgres
        restart: 'no'
      keycloak:
        image: 'quay.io/keycloak/keycloak:15.1.1'
        #image: 'quay.io/keycloak/keycloak:21.1.1
        platform: linux/amd64
        environment:
          DB_VENDOR: POSTGRES
          DB_ADDR: postgres
          DB_DATABASE: keycloak
          DB_USER: keycloak
          DB_SCHEMA: public
          DB_PASSWORD: password
          KEYCLOAK_USER: admin
          KEYCLOAK_PASSWORD: Password
          KEYCLOAK_LOGLEVEL: INFO
        hostname: keycloak
        ports:
          - '8080:8080'
          - '8643:8443'
        depends_on:
          - postgres
        volumes:
          - '/etc/timezone:/etc/timezone:ro'
          - '/etc/localtime:/etc/localtime:ro'
        restart: 'no'

  5. Start from the directory where the docker-compose.yml file was created:
    docker compose up -d

  6. Looking at the logs of the keycloak container that tried to start will show:
    2024-05-25 18:39:14 exec /opt/jboss/tools/docker-entrypoint.sh: exec format error

Expected behavior

When running with native docker the container starts just fine, which is what I also would expect should happen when running via docker-desktop.

This is part of the log of the keycloak container running on native docker rather than docker-desktop:

❯ docker context use default
default
Current context is now "default"
❯ docker compose up -d keycloak
WARN[0000] /home/********/Documents/inswitch/docker/docker-compose.yml: `version` is obsolete
[+] Running 2/0
 ✔ Container docker-postgres-1 Running 0.0s
 ✔ Container docker-keycloak-1 Running 0.0s
❯ docker compose logs keycloak
WARN[0000] /home/*******/Documents/inswitch/docker/docker-compose.yml: `version` is obsolete
keycloak-1 | Added 'admin' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
keycloak-1 | -b 0.0.0.0
keycloak-1 | =========================================================================
keycloak-1 |
keycloak-1 | Using PostgreSQL database
keycloak-1 |
keycloak-1 | =========================================================================
keycloak-1 |
keycloak-1 | 18:52:08,610 INFO [org.jboss.modules] (CLI command executor) JBoss Modules version 1.11.0.Final
keycloak-1 | 18:52:08,728 INFO [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.12.Final
keycloak-1 | 18:52:08,742 INFO [org.jboss.threads] (CLI command executor) JBoss Threads version 2.4.0.Final
keycloak-1 | 18:52:08,902 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) starting
keycloak-1 | 18:52:09,030 INFO [org.jboss.vfs] (MSC service thread 1-6) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
keycloak-1 | 18:52:09,794 INFO [org.wildfly.security] (ServerService Thread Pool -- 20) ELY00001: WildFly Elytron version 1.15.3.Final
keycloak-1 | 18:52:10,135 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 22) WFLYCTL0033: Extension 'security' is deprecated and may not be supported in future versions
keycloak-1 | 18:52:10,263 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:10,335 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:10,397 WARN [org.wildfly.extension.elytron] (MSC service thread 1-1) WFLYELY00023: KeyStore file '/opt/jboss/keycloak/standalone/configuration/application.keystore' does not exist. Used blank.
keycloak-1 | 18:52:10,403 WARN [org.wildfly.extension.elytron] (MSC service thread 1-7) WFLYELY01084: KeyStore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self-signed certificate for host localhost
keycloak-1 | WARNING: An illegal reflective access operation has occurred
keycloak-1 | WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-15.0.1.Final.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
keycloak-1 | WARNING: Please consider reporting this to the maintainers of org.wildfly.extension.elytron.SSLDefinitions
keycloak-1 | WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
keycloak-1 | WARNING: All illegal access operations will be denied in a future release
keycloak-1 | 18:52:10,412 INFO [org.jboss.as.patching] (MSC service thread 1-6) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
keycloak-1 | 18:52:10,420 WARN [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
keycloak-1 | 18:52:10,490 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
keycloak-1 | 18:52:10,491 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) started in 1864ms - Started 59 of 82 services (32 services are lazy, passive or on-demand)
keycloak-1 | The batch executed successfully
keycloak-1 | 18:52:10,605 INFO [org.jboss.as] (MSC service thread 1-5) WFLYSRV0050: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) stopped in 7ms
keycloak-1 | 18:52:11,404 INFO [org.jboss.modules] (CLI command executor) JBoss Modules version 1.11.0.Final
keycloak-1 | 18:52:11,443 INFO [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.12.Final
keycloak-1 | 18:52:11,448 INFO [org.jboss.threads] (CLI command executor) JBoss Threads version 2.4.0.Final
keycloak-1 | 18:52:11,513 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0049: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) starting
keycloak-1 | 18:52:11,561 INFO [org.jboss.vfs] (MSC service thread 1-8) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
keycloak-1 | 18:52:11,901 INFO [org.wildfly.security] (ServerService Thread Pool -- 20) ELY00001: WildFly Elytron version 1.15.3.Final
keycloak-1 | 18:52:12,115 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 13) WFLYCTL0033: Extension 'security' is deprecated and may not be supported in future versions
keycloak-1 | 18:52:12,250 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:12,330 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:12,400 WARN [org.wildfly.extension.elytron] (MSC service thread 1-4) WFLYELY00023: KeyStore file '/opt/jboss/keycloak/standalone/configuration/application.keystore' does not exist. Used blank.
keycloak-1 | 18:52:12,404 WARN [org.wildfly.extension.elytron] (MSC service thread 1-3) WFLYELY01084: KeyStore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self-signed certificate for host localhost
keycloak-1 | WARNING: An illegal reflective access operation has occurred
keycloak-1 | WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-15.0.1.Final.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
keycloak-1 | WARNING: Please consider reporting this to the maintainers of org.wildfly.extension.elytron.SSLDefinitions
keycloak-1 | WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
keycloak-1 | WARNING: All illegal access operations will be denied in a future release
keycloak-1 | 18:52:12,416 INFO [org.jboss.as.patching] (MSC service thread 1-1) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
keycloak-1 | 18:52:12,424 WARN [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
keycloak-1 | 18:52:12,492 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
keycloak-1 | 18:52:12,493 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) started in 1085ms - Started 59 of 89 services (39 services are lazy, passive or on-demand)
keycloak-1 | The batch executed successfully
keycloak-1 | 18:52:12,599 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0050: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) stopped in 7ms
keycloak-1 | =========================================================================
keycloak-1 |
keycloak-1 | JBoss Bootstrap Environment
keycloak-1 |
keycloak-1 | JBOSS_HOME: /opt/jboss/keycloak
keycloak-1 |
keycloak-1 | JAVA: java
keycloak-1 |
keycloak-1 | JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
keycloak-1 |
keycloak-1 | =========================================================================
keycloak-1 |
keycloak-1 | 18:52:13,058 INFO [org.jboss.modules] (main) JBoss Modules version 1.11.0.Final
keycloak-1 | 18:52:13,316 INFO [org.jboss.msc] (main) JBoss MSC version 1.4.12.Final
keycloak-1 | 18:52:13,321 INFO [org.jboss.threads] (main) JBoss Threads version 2.4.0.Final
keycloak-1 | 18:52:13,391 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 15.1.1 (WildFly Core 15.0.1.Final) starting
keycloak-1 | 18:52:13,450 INFO [org.jboss.vfs] (MSC service thread 1-6) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
keycloak-1 | 18:52:13,789 INFO [org.wildfly.security] (ServerService Thread Pool -- 22) ELY00001: WildFly Elytron version 1.15.3.Final
keycloak-1 | 18:52:14,046 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 6) WFLYCTL0033: Extension 'security' is deprecated and may not be supported in future versions
keycloak-1 | 18:52:14,193 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:14,210 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 23) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
keycloak-1 | 18:52:14,311 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
keycloak-1 | 18:52:14,322 INFO [org.xnio] (MSC service thread 1-6) XNIO version 3.8.4.Final
keycloak-1 | 18:52:14,328 INFO [org.xnio.nio] (MSC service thread 1-6) XNIO NIO Implementation Version 3.8.4.Final
keycloak-1 | 18:52:14,343 INFO [org.wildfly.extension.health] (ServerService Thread Pool -- 38) WFLYHEALTH0001: Activating Base Health Subsystem
keycloak-1 | 18:52:14,343 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. JGroups version 4.2.11
keycloak-1 | 18:52:14,344 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
keycloak-1 | 18:52:14,348 INFO [org.wildfly.extension.metrics] (ServerService Thread Pool -- 48) WFLYMETRICS0001: Activating Base Metrics Subsystem
keycloak-1 | 18:52:14,349 INFO [org.jboss.as.security] (ServerService Thread Pool -- 53) WFLYSEC0002: Activating Security Subsystem
keycloak-1 | 18:52:14,351 INFO [org.jboss.as.security] (MSC service thread 1-4) WFLYSEC0001: Current PicketBox version=5.0.3.Final-redhat-00007
keycloak-1 | 18:52:14,350 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 55) WFLYTX0013: The node-identifier attribute on the /subsystem=transactions is set to the default value. This is a danger for environments running multiple servers. Please make sure the attribute value is unique.

docker version

❯ docker version
Client: Docker Engine - Community
 Cloud integration: v1.0.35+desktop.13
 Version:           26.1.3
 API version:       1.45
 Go version:        go1.21.10
 Git commit:        b72abbb
 Built:             Thu May 16 08:33:35 2024
 OS/Arch:           linux/amd64
 Context:           desktop-linux

Server: Docker Desktop 4.30.0 (149282)
 Engine:
  Version:          26.1.1
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.9
  Git commit:       ac2de55
  Built:            Tue Apr 30 11:48:28 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.31
  GitCommit:        e377cd56a71523140ca6ae87e30244719194a521
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

❯ docker info
Client: Docker Engine - Community
 Version:    26.1.3
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.0-desktop.1
    Path:     /usr/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.27.0-desktop.2
    Path:     /usr/lib/docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.29
    Path:     /usr/lib/docker/cli-plugins/docker-debug
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /usr/lib/docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.23
    Path:     /usr/lib/docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.4
    Path:     /usr/lib/docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.1.0
    Path:     /usr/lib/docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /usr/lib/docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.8.0
    Path:     /usr/lib/docker/cli-plugins/docker-scout

Server:
 Containers: 2
  Running: 1
  Paused: 0
  Stopped: 1
 Images: 9
 Server Version: 26.1.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e377cd56a71523140ca6ae87e30244719194a521
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.6.26-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 19.29GiB
 Name: docker-desktop
 ID: 952be8cf-7653-4360-b982-4f831dadb57c
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Username: ************
 Labels:
  com.docker.desktop.address=unix:///home/********/.docker/desktop/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

893D8F52-1E84-4A01-BA70-C70A1EC7E78C/20240525220130

Additional Info

Here's some extra info:

My OS info:
image

Any help with this would be appreciated.
Thanks in advance,
Andi
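
The workaround in step 2 and the `docker info` output above both concern isolation settings (the AppArmor user-namespace restriction, the seccomp profile, the insecure-registry list). As an added example, not part of the original report or of Docker's tooling, the script below reads those settings back so the host state is known while reproducing; the function names are made up here and the sample input is an excerpt of the `docker info` output quoted in the report.

```sh
#!/bin/sh
# Added example: read back the isolation settings that show up in this report.

# Constructed sample: excerpt of the `docker info` output quoted in the report.
SAMPLE_INFO=' Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.6.26-linuxkit
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false'

# Print the seccomp profile listed under "Security Options:" (docker info on stdin).
seccomp_profile() {
  awk '
    /^ Security Options:/    { sec = 1; next }
    sec && /^ [^ ]/          { exit }          # next top-level key ends the section
    sec && /^ +seccomp$/     { sc = 1; next }
    sec && sc && /Profile:/  { print $2; exit }
    sec                      { sc = 0 }        # a different option, e.g. cgroupns
  '
}

# Print each entry listed under "Insecure Registries:" (docker info on stdin).
insecure_registries() {
  awk '
    /^ Insecure Registries:/ { reg = 1; next }
    reg && /^ [^ ]/          { exit }
    reg && NF                { print $1 }
  '
}

# Report the AppArmor restriction on unprivileged user namespaces; $1 is an
# optional file to read instead of the live sysctl (used for offline checks).
userns_restriction_state() {
  f=${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}
  [ -r "$f" ] || { echo "absent"; return 0; }
  case "$(cat "$f")" in
    0) echo "disabled" ;;
    *) echo "enabled" ;;
  esac
}

# Print one finding per deviation from the engine defaults (docker info on stdin).
audit_docker_info() {
  info=$(cat)
  profile=$(printf '%s\n' "$info" | seccomp_profile)
  case "$profile" in
    builtin|default) ;;
    "") echo "seccomp: no profile reported" ;;
    *)  echo "seccomp: profile is '$profile', not the built-in default" ;;
  esac
  printf '%s\n' "$info" | insecure_registries | while read -r reg; do
    [ "$reg" = "127.0.0.0/8" ] || echo "registry: '$reg' is listed as insecure"
  done
}

printf '%s\n' "$SAMPLE_INFO" | audit_docker_info
echo "userns restriction: $(userns_restriction_state)"
```

To check a live engine, pipe `docker info` into `audit_docker_info` once per context (`default` and `desktop-linux`) and compare the findings.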
