docker pull inside rootless LXC: failed to register layer: ApplyLayer exit status 1 stdout: stderr: unlinkat #45884
Comments
Could you please provide output from dmesg? I suspect that what is happening here is you've updated your kernel or Docker, and that the newer iteration of overlay2 that attempts to detect if a filesystem is suitable is hitting issues. Additionally, can you share the subuid/subgid maps and the image? It's possible, though unlikely (I don't the kernel will return
More evidence it's not the subuid/subgid maps directly: that would make this a duplicate of #43576, and the version you're running has an improved error message for that specific case.
dmesg is:
But this log also happens with a rootful container. I use zfs as the backend fs, and with RENAME_WHITEOUT I haven't seen any negative consequences, even for more complex Docker images such as Gitlab.
Image from docker hub: On the host I allow these ids:
and in lxc config:
That should be enough to use high ids inside lxc and allow them on the host.
I read that topic; there was a pure uid issue.
This is going to be the issue -- you're on an old enough version of ZFS that some of the system calls we use don't work in every scenario. Things might appear to work with root, but that should be an illusion; I need to find some time to download the Proxmox kernel sources and confirm the ZFS version, but it's almost guaranteed to be < 2.2 (see openzfs/zfs#8648 for more). We should consider adding a more functional test than "can it mount overlay with multiple lowerdirs?" to prevent incorrectly picking overlay2; I suspect that previously in this situation we would have fallen all the way back to vfs unless you made fuse-overlayfs available. I would suggest manually selecting one of those two storage drivers as overlay2 will not work here with a busted underlying filesystem.
Yes, you're on an incompatible version of ZFS that's in the uncanny valley. Your kernel was built from This version of OpenZFS/ZoL self-reports as 2.1.9, which is missing We need a more functional test to detect these edge-case filesystems, as the current detection logic when combined with your kernel results in this uncanny valley situation.
@neersighted Thank you very much for the detailed explanation and your time.
Running lxc in privileged mode can solve this problem, but this will cause a security problem unless you TRUST YOUR DOCKER LXC MACHINE (not the docker container; it is still in unprivileged mode).
I helped myself with fuse-overlayfs.
Obviously, this is not as performant as overlay2 and needs the fuse cap inside the container, but (I think) it is still better than the vfs storage driver, a privileged container, or some loopback-ext4 workarounds. (I read somewhere that the lxc host also needs fuse-overlayfs installed...)
@qupfer be very cautious with posting things like
Still the same issue on proxmox 8.0.9 and zfs 2.2.0-pve3, with the same subuid/subgid and lxc.idmap as OP.
For me, the problem is now resolved with Proxmox 8.1 and ZFS 2.2.0. I could not reproduce it anymore. |
I also confirm this is resolved in Proxmox 8.1 with zfs 2.2.0-pve3. |
@weboide I'm also testing this with an unprivileged LXC container in PVE 8.1; it seems to be working just fine, but I see this in the PVE node log
I haven't had any issues so far, but I'm wondering if you also get the same warnings?
Has this regressed?
Description
Proxmox lxc rootless container. I get:
failed to register layer: ApplyLayer exit status 1 stdout: stderr: unlinkat /tmp/v8-compile-cache-0/8.4.371.23-node.88: invalid argument
Other issues say that this is a uid/gid problem. I checked the image and there seem to be no problems with uid/gid, but when
rm -rf
executes, that causes the problem, I guess. Here is a screenshot. I also changed the uid/gid range of lxc for the sake of the experiment; the problem is still there. So again I think uid is not the reason here.
The user inside the image is root (0/0). Permissions look ok.
The rootful container works well. No idea what is wrong in this case.
What is happening here? What should I look for?
Reproduce
Expected behavior
Pull the image successfully.
docker version
Client: Docker Engine - Community
 Version:           23.0.1
 API version:       1.42
 Go version:        go1.19.5
 Git commit:        a5ee5b1
 Built:             Thu Feb 9 19:46:54 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.1
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       bc3805a
  Built:            Thu Feb 9 19:46:54 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.18
  GitCommit:        2456e983eb9e37e47538f59ea18f2043c9a73640
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
docker info
Additional Info
pve-manager/7.4-3/9002ab8a (running kernel: 5.15.104-1-pve)