rootless docker, mount volume /var/log:ro or /proc:ro -> operation not permitted: unknown

[schklom]

Description

Mounting /var/log or /proc in read-only results in error with rootless docker (might be the same issue as there ?).
Quick but dirty fix: remove read-only.
Question: is there a better way to solve this ?

Steps to reproduce the issue:

1. docker-compose.yml:

version: "3.8"
services:

  test_proc:
    image: hello-world
    volumes:
      - /proc:/procfolder:ro

  test_log:
    image: hello-world
    volumes:
      - /var/log:/logfolder:ro

3. $ docker-compose up -d test_proc test_log

Describe the results you received:

Building with native build. Learn about native build in Compose here: https://docs.docker.com/go/compose-native-build/
Creating docker_test_proc_1 ...
Creating docker_test_log_1  ... error

Creating docker_test_proc_1 ... error
 rootfs at "/home/schklom/.local/share/docker/fuse-overlayfs/848c0ffdb5c67c07929f3a7675bf38fc7e231db2207b0865a426956d48782d55/merged/logfolder" caused: operation not permitted: unknown

ERROR: for docker_test_proc_1  Cannot start service test_proc: OCI runtime create failed: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:59: mounting "/proc" to rootfs at "/home/schklom/.local/share/docker/fuse-overlayfs/b7e9bd9a5af27fd9327b3079251c1835afd4a39b2bd0df6628963b5af10a7cdd/merged/procfolder" caused: operation not permitted: unknown

ERROR: for test_log  Cannot start service test_log: OCI runtime create failed: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:59: mounting "/var/log" to rootfs at "/home/schklom/.local/share/docker/fuse-overlayfs/848c0ffdb5c67c07929f3a7675bf38fc7e231db2207b0865a426956d48782d55/merged/logfolder" caused: operation not permitted: unknown

ERROR: for test_proc  Cannot start service test_proc: OCI runtime create failed: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:59: mounting "/proc" to rootfs at "/home/schklom/.local/share/docker/fuse-overlayfs/b7e9bd9a5af27fd9327b3079251c1835afd4a39b2bd0df6628963b5af10a7cdd/merged/procfolder" caused: operation not permitted: unknown
ERROR: Encountered errors while bringing up the project.

Describe the results you expected:

Building with native build. Learn about native build in Compose here: https://docs.docker.com/go/compose-native-build/
Starting docker_test_proc_1 ... done
Starting docker_test_log_1 ... done

Additional information you deem important (e.g. issue happens only occasionally):
Can be solved by removing :ro, but this doesn't feel like a good practice.

Output of docker version:

Client: Docker Engine - Community
 Version:           20.10.3
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        48d30b5
 Built:             Fri Jan 29 14:29:43 2021
 OS/Arch:           linux/arm64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.3
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       46229ca
  Built:            Fri Jan 29 14:33:02 2021
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          v1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info:

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 16
 Server Version: 20.10.3
 Storage Driver: fuse-overlayfs
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 5.9.0-0.bpo.5-arm64
 Operating System: Debian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 7.631GiB
 Name: <hostname>
 ID: JEXP:SIXA:6AG6:CMB3:C6XY:MCMO:YITL:WT7V:NYBP:3PIB:3LPR:IDF6
 Docker Root Dir: /home/schklom/.local/share/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional environment details (AWS, VirtualBox, physical, etc.):
Raspberry Pi 4 with Debian Buster for raspberry pi

$ uname -a
Linux <hostname> 5.9.0-0.bpo.5-arm64 #1 SMP Debian 5.9.15-1~bpo10+1 (2020-12-31) aarch64 GNU/Linux

[AkihiroSuda]

Should be fixed in #42230