[docker] docker run --privileged does not work

[csweichel]

Describe the bug

Running anything with docker run --privileged fails because

ERRO[2020-12-08T13:21:18.928108663Z] Handler for POST /v1.40/containers/c9b7752a0e1f3a23baa7739b591814eb368c109cb6d0fa480b89ac7f783613c7/start returned error: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"cgroup\\\" to rootfs \\\"/var/lib/docker/vfs/dir/6e5f280f3ba91c9e9478248f1e69c8136ba7b82186adb72e8eee14253c9790d8\\\" at \\\"/sys/fs/cgroup\\\" caused \\\"operation not permitted\\\"\"": unknown 

This is in part because /sys is just a bind mount the workspace container's /sys, but also because we're using cgroups v1 (i.e. they're not namespaced).

Steps to reproduce

sudo docker-up
docker run --privileged --rm -it alpine:latest

Expected behavior

The container should start and run as root

[rfay]

This is really important. I'd like to use docker buildx build, but when you try to install the plugin, you get the issue described here. So docker can't be used to do multiplatform builds as described in docker/buildx#138

[csweichel]

With cgroups v1 we won't be able to fix this, because they are not namespace aware. That's why cgroup v2 were added.

To fix this, we would probably:

• investigate how we can get cgroup v2 support within workspace pods, this includes reading up on the state of cgroup v2 support within Kubernetes
• investigate the state of cgroup v2 support in rootless Docker

[rfay]

Current docker is fine with cgroup v2, https://www.docker.com/blog/introducing-docker-engine-20-10/ - but I don't know the gitpod architecture well enough to know if that's relevant.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[shaal]

Can we add the label meta: never-stale to this issue?

[chuck-alt-delete]

I'm running a docker-compose to do some ansible testing over the docker connection. I have this as a volume mapping:

    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro

This isn't permitted in gitpod. I am thinking this might never be allowed in gitpod for security reasons. Is that right? Or will we be able to do something like this in the future?

[yevon]

I was encountering many issues because of this, the flutter template provided in gitpod it is not working and gets this kind of errors.

[omenking]

I'm starting to record my free KCNA course and I was hoping to use Gitpod to show how to use Kubernetes.

I cannot run KIND on Gitpod because of this CGroups error:

Someone else attempting to run KIND on Gitpod

https://community.gitpod.io/t/kind-with-rootless-docker/3862 from Jun 2021 same issue.

[yevon]

I'm starting to record my free KCNA course and I was hoping to use Gitpod to show how to use Kubernetes.

I cannot run KIND on Gitpod because of this CGroups error:

Someone else attempting to run KIND on Gitpod

https://community.gitpod.io/t/kind-with-rootless-docker/3862 from Jun 2021 same issue.

Using kind would be one of the most common uses of gitpod and is not compatible with it because of this.

[sagor999]

@kylos101 @atduarte I realized that we don't have an epic that would track all work required to add cgroup v2 support. So we should probably add that.

[kylos101]

@csweichel @Furisto for consideration for the cgroup v2 epic