s6-svscan: warning: unable to iopause: Operation not permitted

[jptrsn]

Describe the bug

After pulling the latest version of the docker image, I am unable to get the smb-armv7l container to start on a Raspberry Pi 3 B+ with an external drive attached. When launching the container, logs indicate s6-svscan: warning: unable to iopause: Operation not permitted and it begins a loop.

To Reproduce
Steps to reproduce the behavior:

1. Install docker and docker-compose on a Pi 3B+
2. Format and mount an external drive. I have mine formatted as ext4 and mounted to my home directory. Running the command df -Th | grep "^/dev" shows /dev/sda1 ext4 293G 126G 153G 46% /home/pi/external
3. Use the docker-compose.yml file as listed below
4. Launch the container using docker-compose up -d and view logs.

Expected behavior

The logs should show that it has launched successfully, but it loops over and over, as shown in the logs.

How you're launching your container

Run the container using docker-compose up -d

version: "3.3"
services:
  timemachine:
    image: mbentley/timemachine:smb-armv7l
    hostname: pimachine
    container_name: timemachine
    network_mode: host
    environment:
      - TM_USERNAME=pimachine
      - PASSWORD=pimeup
      - SMB_PORT=445
      - SET_PERMISSIONS=true
#      - VOLUME_SIZE_LIMIT=250G
    volumes:
      - /home/pi/external/timemachine:/opt/pimachine
      - /home/pi/external/samba-lib:/var/lib/samba
      - /home/pi/external/samba-cache:/var/cache/samba
      - /home/pi/external/samba-run:/run/samba
      - /etc/localtime:/etc/localtime:ro
    restart: always

Container Logs

INFO: CUSTOM_SMB_CONF=false; generating [global] section of /etc/samba/smb.conf...

INFO: Creating /var/log/samba/cores

INFO: Avahi - generating base configuration in /etc/avahi/services/smbd.service...

INFO: Avahi - adding the 'dk0', 'TimeMachine' share txt-record to /etc/avahi/services/smbd.service...

INFO: Group timemachine doesn't exist; creating...

INFO: User pimachine doesn't exist; creating...

INFO: Setting password from environment variable

chpasswd: clock_gettime(MONOTONIC) failed

INFO: INFO: CUSTOM_SMB_CONF=false; generating [TimeMachine] section of /etc/samba/smb.conf...

INFO: Samba - Created User pimachine password set to none.

INFO: Samba - Enabled user pimachine.

INFO: Samba - setting password

INFO: changed ownership of '/opt/pimachine' to 1000:1000

INFO: mode of '/opt/pimachine' changed to 0770 (rwxrwx---)

INFO: Avahi - completing the configuration in /etc/avahi/services/smbd.service...

INFO: running test for xattr support on your time machine persistent storage location...

INFO: xattr test successful - your persistent data store supports xattrs

INFO: entrypoint complete; executing 's6-svscan /etc/s6'

s6-svscan: warning: unable to iopause: Operation not permitted

s6-svscan: warning: executing into .s6-svscan/crash

Executing .s6-svscan/crash with arguments 

INFO: CUSTOM_SMB_CONF=false; generating [global] section of /etc/samba/smb.conf...

INFO: Avahi - generating base configuration in /etc/avahi/services/smbd.service...

INFO: Avahi - adding the 'dk0', 'TimeMachine' share txt-record to /etc/avahi/services/smbd.service...

INFO: Group timemachine exists; skipping creation

INFO: User pimachine exists; skipping creation

INFO: CUSTOM_SMB_CONF=false; generating [TimeMachine] section of /etc/samba/smb.conf...

INFO: Samba - Created User pimachine password set to none.

INFO: Samba - Enabled user pimachine.

INFO: Samba - setting password

INFO: changed ownership of '/opt/pimachine' to 1000:1000

INFO: mode of '/opt/pimachine' changed to 0770 (rwxrwx---)

INFO: Avahi - completing the configuration in /etc/avahi/services/smbd.service...

INFO: running test for xattr support on your time machine persistent storage location...

INFO: xattr test successful - your persistent data store supports xattrs

INFO: entrypoint complete; executing 's6-svscan /etc/s6'

s6-svscan: warning: unable to iopause: Operation not permitted

s6-svscan: warning: executing into .s6-svscan/crash

Executing .s6-svscan/crash with arguments 

INFO: CUSTOM_SMB_CONF=false; generating [global] section of /etc/samba/smb.conf...

INFO: Avahi - generating base configuration in /etc/avahi/services/smbd.service...

INFO: Avahi - adding the 'dk0', 'TimeMachine' share txt-record to /etc/avahi/services/smbd.service...

INFO: Group timemachine exists; skipping creation

INFO: User pimachine exists; skipping creation

INFO: CUSTOM_SMB_CONF=false; generating [TimeMachine] section of /etc/samba/smb.conf...

INFO: Samba - Created User pimachine password set to none.

INFO: Samba - Enabled user pimachine.

INFO: Samba - setting password

INFO: changed ownership of '/opt/pimachine' to 1000:1000

INFO: mode of '/opt/pimachine' changed to 0770 (rwxrwx---)

INFO: Avahi - completing the configuration in /etc/avahi/services/smbd.service...

INFO: running test for xattr support on your time machine persistent storage location...

INFO: xattr test successful - your persistent data store supports xattrs

INFO: entrypoint complete; executing 's6-svscan /etc/s6'

s6-svscan: warning: unable to iopause: Operation not permitted

s6-svscan: warning: executing into .s6-svscan/crash

Executing .s6-svscan/crash with arguments 

INFO: CUSTOM_SMB_CONF=false; generating [global] section of /etc/samba/smb.conf...

INFO: Avahi - generating base configuration in /etc/avahi/services/smbd.service...

INFO: Avahi - adding the 'dk0', 'TimeMachine' share txt-record to /etc/avahi/services/smbd.service...

INFO: Group timemachine exists; skipping creation

INFO: User pimachine exists; skipping creation

INFO: CUSTOM_SMB_CONF=false; generating [TimeMachine] section of /etc/samba/smb.conf...

INFO: Samba - Created User pimachine password set to none.

INFO: Samba - Enabled user pimachine.

INFO: Samba - setting password

INFO: changed ownership of '/opt/pimachine' to 1000:1000

INFO: mode of '/opt/pimachine' changed to 0770 (rwxrwx---)

INFO: Avahi - completing the configuration in /etc/avahi/services/smbd.service...

INFO: running test for xattr support on your time machine persistent storage location...

INFO: xattr test successful - your persistent data store supports xattrs

INFO: entrypoint complete; executing 's6-svscan /etc/s6'

s6-svscan: warning: unable to iopause: Operation not permitted

s6-svscan: warning: executing into .s6-svscan/crash

Executing .s6-svscan/crash with arguments 

INFO: CUSTOM_SMB_CONF=false; generating [global] section of /etc/samba/smb.conf...

INFO: Avahi - generating base configuration in /etc/avahi/services/smbd.service...

INFO: Avahi - adding the 'dk0', 'TimeMachine' share txt-record to /etc/avahi/services/smbd.service...

INFO: Group timemachine exists; skipping creation

INFO: User pimachine exists; skipping creation

INFO: CUSTOM_SMB_CONF=false; generating [TimeMachine] section of /etc/samba/smb.conf...

INFO: Samba - Created User pimachine password set to none.

INFO: Samba - Enabled user pimachine.

INFO: Samba - setting password

Additional context

[mbentley]

Could you get me the full image digest? For example:

$ docker images --digests --format '{{.Repository}}:{{.Tag}}@{{.Digest}}' --filter=reference="mbentley/timemachine"
mbentley/timemachine:smb-armv7l@sha256:14e81a418a401698c8d517049c157d599a260d3229657f18dc42c0d7bcf676c7

I tried to reproduce this just now using the multi-arch runtime support on Docker for Mac and I don't get the same error so I wanted to just make sure it wasn't an issue with a specific image. I currently do not have a raspberry pi with the right architecture available for directly test on.

Also, any mount arguments being used for your disk? This one might be a bit challenging as I am not seeing any references to unable to iopause: Operation not permitted anywhere online. I might have to try to build the same image but just with an older version of Alpine to see if it is something in the newest version.

[jptrsn]

The drive is being mounted via fstab, here's the line:
PARTUUID=d6069d1f-d4d4-458f-9547-414aacad1564 /home/pi/external ext4 defaults 0 0

Here's the full image digest:
mbentley/timemachine:smb-armv7l@sha256:14e81a418a401698c8d517049c157d599a260d3229657f18dc42c0d7bcf676c7

It's probably something I've done wrong with permissions and fstab - permissions are always a challenge for me.

[mbentley]

Well, that's looking about as standard as it gets in terms of a fstab entry - no special mount options and we are running the same image digest so it's the same version.

Could you try this image: mbentley/timemachine:smb-armv7l-test-3.13
If that doesn't work, could you also try: mbentley/timemachine:smb-armv7l-test-3.12

There is nothing different in those two besides the base image being Alpine 3.13 and 3.12 (instead of latest which is currently 3.14).

[jptrsn]

With image mbentley/timemachine:smb-armv7l-test-3.13 I'm seeing these logs:

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

s6-supervise dbus: warning: can't happen: timeout while the service is up!

s6-supervise nmbd: warning: can't happen: timeout while the service is up!

s6-supervise avahi: warning: can't happen: timeout while the service is up!

s6-supervise smbd: warning: can't happen: timeout while the service is up!

With revision 3.12 it appears to be working.

[mbentley]

Ah shoot, I forgot about the s6 bug in Alpine 3.13. There might be yet another issue with s6 for armv7l in Alpine 3.14 then. I'll have to see if I can get a Raspberry Pi up and running with armv7l.

[jptrsn]

I'm more than happy to be your test platform. This is actually a secondary backup, so it's not mission critical, it's mostly because I had a pi running an a spare drive kicking around, so thought "why not?"

[mbentley]

Well right now, I am not sure what the problem is exactly. I do have a few older raspberry pis sitting around here somewhere and I probably need to keep one around to test anyway.

[mbentley]

Well the only good news is that I can reproduce this fairly easily with a basic run command so you're not doing something wrong:

$ docker run -it --rm mbentley/timemachine:smb-armv7l@sha256:14e81a418a401698c8d517049c157d599a260d3229657f18dc42c0d7bcf676c7
Unable to find image 'mbentley/timemachine:smb-armv7l@sha256:14e81a418a401698c8d517049c157d599a260d3229657f18dc42c0d7bcf676c7' locally
docker.io/mbentley/timemachine@sha256:14e81a418a401698c8d517049c157d599a260d3229657f18dc42c0d7bcf676c7: Pulling from mbentley/timemachine
136482bf81d1: Pull complete
89576036ec7a: Pull complete
4f80124188c2: Pull complete
15b6873f5ec8: Pull complete
Digest: sha256:14e81a418a401698c8d517049c157d599a260d3229657f18dc42c0d7bcf676c7
Status: Downloaded newer image for mbentley/timemachine@sha256:14e81a418a401698c8d517049c157d599a260d3229657f18dc42c0d7bcf676c7
INFO: CUSTOM_SMB_CONF=false; generating [global] section of /etc/samba/smb.conf...
INFO: Creating /var/log/samba/cores
INFO: Avahi - generating base configuration in /etc/avahi/services/smbd.service...
INFO: Avahi - adding the 'dk0', 'TimeMachine' share txt-record to /etc/avahi/services/smbd.service...
INFO: Group timemachine doesn't exist; creating...
INFO: User timemachine doesn't exist; creating...
INFO: Using default password: timemachine
INFO: chpasswd: clock_gettime(MONOTONIC) failed
INFO: CUSTOM_SMB_CONF=false; generating [TimeMachine] section of /etc/samba/smb.conf...
INFO: Samba - Created Added user timemachine.
INFO: Samba - Enabled user timemachine.
INFO: Samba - setting password
INFO: SET_PERMISSIONS=false; not setting ownership and permissions for /opt/timemachine
INFO: Avahi - completing the configuration in /etc/avahi/services/smbd.service...
INFO: running test for xattr support on your time machine persistent storage location...
INFO: xattr test successful - your persistent data store supports xattrs
INFO: entrypoint complete; executing 's6-svscan /etc/s6'
s6-svscan: warning: unable to iopause: Operation not permitted
s6-svscan: warning: executing into .s6-svscan/crash
Executing .s6-svscan/crash with arguments

I'm probably going to have to file an upstream bug with Alpine I would guess or it is something specific with something in raspbian as I can't reproduce it when running on Docker for Mac using qemu.

[mbentley]

OK, so just keeping some running notes here. There appears to be something related to privileges as running with --privileged works just fine:

$ docker run -it --rm --privileged mbentley/timemachine:smb-armv7l@sha256:14e81a418a401698c8d517049c157d599a260d3229657f18dc42c0d7bcf676c7
INFO: CUSTOM_SMB_CONF=false; generating [global] section of /etc/samba/smb.conf...
...
Found user 'avahi' (UID 86) and group 'avahi' (GID 86).
Successfully dropped root privileges.
avahi-daemon 0.8 starting up.
WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Loading service file /etc/avahi/services/smbd.service.
Joining mDNS multicast group on interface eth0.IPv4 with address 172.17.0.2.
New relevant interface eth0.IPv4 for mDNS.
Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
New relevant interface lo.IPv4 for mDNS.
Network interface enumeration completed.
Registering new address record for 172.17.0.2 on eth0.IPv4.
Registering new address record for 127.0.0.1 on lo.IPv4.
Server startup complete. Host name is a89394e51482.local. Local service cookie is 2807928856.
Service "a89394e51482" (/etc/avahi/services/smbd.service) successfully established.
*****

Samba name server A89394E51482 is now a local master browser for workgroup WORKGROUP on subnet 172.17.0.2

*****

[mbentley]

It's not privileges - it's libseccomp2 that is packaged in Raspbian. Specifically disabling the profile works fine:

$ docker run -it --rm --security-opt seccomp=unconfined mbentley/timemachine:smb-armv7l@sha256:14e81a418a401698c8d517049c157d599a260d3229657f18dc42c0d7bcf676c7
INFO: CUSTOM_SMB_CONF=false; generating [global] section of /etc/samba/smb.conf...
...
Found user 'avahi' (UID 86) and group 'avahi' (GID 86).
Successfully dropped root privileges.
avahi-daemon 0.8 starting up.
WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Loading service file /etc/avahi/services/smbd.service.
Joining mDNS multicast group on interface eth0.IPv4 with address 172.17.0.2.
New relevant interface eth0.IPv4 for mDNS.
Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
New relevant interface lo.IPv4 for mDNS.
Network interface enumeration completed.
Registering new address record for 172.17.0.2 on eth0.IPv4.
Registering new address record for 127.0.0.1 on lo.IPv4.
Server startup complete. Host name is 4f602f964817.local. Local service cookie is 1060153513.
Service "4f602f964817" (/etc/avahi/services/smbd.service) successfully established.
*****

Samba name server 4F602F964817 is now a local master browser for workgroup WORKGROUP on subnet 172.17.0.2

*****

And if I pull the backported version of libseccomp2 from the Debian repos and install it, it's fine:

wget http://ftp.us.debian.org/debian/pool/main/libs/libseccomp/libseccomp2_2.4.4-1~bpo10+1_armhf.deb
sudo dpkg -i libseccomp2_2.4.4-1~bpo10+1_armhf.deb

$ docker run -it --rm mbentley/timemachine:smb-armv7l@sha256:14e81a418a401698c8d517049c157d599a260d3229657f18dc42c0d7bcf676c7
INFO: CUSTOM_SMB_CONF=false; generating [global] section of /etc/samba/smb.conf...
...
Found user 'avahi' (UID 86) and group 'avahi' (GID 86).
Successfully dropped root privileges.
avahi-daemon 0.8 starting up.
WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Loading service file /etc/avahi/services/smbd.service.
Joining mDNS multicast group on interface eth0.IPv4 with address 172.17.0.2.
New relevant interface eth0.IPv4 for mDNS.
Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
New relevant interface lo.IPv4 for mDNS.
Network interface enumeration completed.
Registering new address record for 172.17.0.2 on eth0.IPv4.
Registering new address record for 127.0.0.1 on lo.IPv4.
daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Failed to fetch record!
Server startup complete. Host name is c940a54e24af.local. Local service cookie is 3072484032.
Service "c940a54e24af" (/etc/avahi/services/smbd.service) successfully established.
*****

Samba name server C940A54E24AF is now a local master browser for workgroup WORKGROUP on subnet 172.17.0.2

*****

I also tried libseccomp2_2.3.3-4_armhf.deb from the Debian repos, which I imagine is either the exact package or really close to the same as what was packaged in Raspbian and it fails.

[mbentley]

So I normally would not suggest installing a package from the Debian repos but the backports libseccomp2 package shouldn't cause any issues. Let me know if you have any problems after upgrading to the backported libseccomp2 package.