Rock-5b Kernel Config CONFIG_BPF_SYSCALL=y

[StuartIanNaylor]

Struggling to get docker running on the debian image and from a google we seem to be missing the following.

iptables needs to be installed but also after install run

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

I can do that but stuck as it would seem I need the kernel conf with CONFIG_BPF_SYSCALL=y
but we have

# CONFIG_BPF_SYSCALL is not set
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y

Is it possible for the debian image to have kernel with CONFIG_BPF_SYSCALL=y ?

[milnepe]

This is how I got it running on ROCK 4C+ Radxa Debian Bullseye kernel 4.4 Order is significant! 1. Download image and update as usual https://github.com/radxa/debos-radxa/releases/download/20221109-1007/rock-4c-plus-debian-bullseye-xfce4-arm64-20221109-1514-gpt.img.xz sudo apt update && sudo apt upgrade Apply the following fixes before installing docker: 2. Enable packet forwarding in IPv4 by uncommenting this line in /etc/sysctl.conf net.ipv4.ip_forward = 1 3. sudo reboot 4. Update iptables sudo update-alternatives --set iptables /usr/sbin/iptables-legacy 5. Fix systemd cgroups by setting boot parameter in /boot/extlinux/extlinux.conf systemd.unified_cgroup_hierarchy=0 cat /boot/extlinux/extlinux.conf #timeout 10 #menu title select kernel label kernel-4.4.194-11-rk3399-rockchip-g1bb08d49cc40 kernel /vmlinuz-4.4.194-11-rk3399-rockchip-g1bb08d49cc40 initrd /initrd.img-4.4.194-11-rk3399-rockchip-g1bb08d49cc40 devicetreedir /dtbs/4.4.194-11-rk3399-rockchip-g1bb08d49cc40 append earlyprintk console=ttyFIQ0,1500000n8 rw init=/sbin/init rootfstype=ext4 rootwait root=UUID=63e973d2-653e-4174-9ac7-63bb03114e2b console=ttyS3,1500000n8 systemd.unified_cgroup_hierarchy=0 6. sudo reboot 7. Install docker according to Docker.com https://docs.docker.com/engine/install/debian/#prerequisites Remove any previous docker installation sudo apt remove docker docker.io containerd runc sudo apt install \ ca-certificates \ curl \ gnupg \ lsb-release sudo mkdir -p /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list

/dev/null

sudo apt update sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin 8. Check docker.service is running systemctl status docker.service ● docker.service - Docker Application Container Engine Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset> Active: active (running) since Thu 2022-11-10 18:05:26 GMT; 10min ago TriggeredBy: ● docker.socket Docs: https://docs.docker.com Main PID: 516 (dockerd) Tasks: 11 Memory: 77.5M CGroup: /system.slice/docker.service └─516 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/conta> 9. Add user to docker group sudo usermod -aG docker $USER 10. sudo reboot

…

On Fri, 18 Nov 2022 at 19:06, StuartIanNaylor ***@***.***> wrote: Struggling to get docker running on the debian image and from a google we seem to be missing the following. iptables needs to be installed but also after install run update-alternatives --set iptables /usr/sbin/iptables-legacy update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy I can do that but stuck as it would seem I need the kernel conf with CONFIG_BPF_SYSCALL=y but we have # CONFIG_BPF_SYSCALL is not set CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y Is it possible for the debian image to have kernel with CONFIG_BPF_SYSCALL=y ? — Reply to this email directly, view it on GitHub <#40>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAVWCUA62XHHT7T727KBLY3WI7HT7ANCNFSM6AAAAAASEZJLYQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[StuartIanNaylor]

I will give that a go as only thing I have not done is add systemd.unified_cgroup_hierarchy=0
to the /boot/extlinux/extlinux.conf append line

Install iptables
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

/etc/sysctl.conf
net.ipv4.ip_forward = 1

reboot
install docker

rock@rock-5b:~$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
7050e35b49f5: Pull complete
Digest: sha256:faa03e786c97f07ef34423fccceeec2398ec8a5759259f94d99078f264e9d7af
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (arm64v8)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

[danielpuka]

I applied the changes as proposed, but still getting the:

rock@rock-5b:~$ sudo docker run hello-world
[sudo] password for rock: 
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error setting cgroup config for procHooks process: bpf_prog_query(BPF_CGROUP_DEVICE) failed: function not implemented: unknown.
ERRO[0000] error waiting for container: context canceled 
rock@rock-5b:~$ 

[StuartIanNaylor]

You need to do the changes reboot and reinstall Docker maybe.
Purger docker 1st
Reboot and reinstall as works no probs for me on several installs

[danielpuka]

Tried the purge, the iptables, adding the extlinux.conf

rock@rock-5b:/boot/extlinux$ more extlinux.conf 
#timeout 10
#menu title select kernel

label kernel-5.10.66-27-rockchip-gea60d388902d
    kernel /vmlinuz-5.10.66-27-rockchip-gea60d388902d
    initrd /initrd.img-5.10.66-27-rockchip-gea60d388902d
    devicetreedir /dtbs/5.10.66-27-rockchip-gea60d388902d
    fdtoverlays  /dtbs/5.10.66-27-rockchip-gea60d388902d/rockchip/overlay/rk3588-uart7-m2.dtbo 
    append   root=UUID=29a94882-5add-4f09-8cc5-3f43918624fa earlycon=uart8250,mmio32,0xfeb50000 console=ttyFIQ0 console=tty1 consoleblank=0 loglevel=0 panic=10 rootwait rw init=/sbin/init rootfstype=ext4 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory swapaccount=1 irqchip.gicv3_pseudo_nmi=0 switolb=1 coherent_pool=2M systemd.unified_cgroup_hiearchy=0

Still getting the BPF_CGROUP_DEVICE fail.

[StuartIanNaylor]

Thats the only kernel label as dunno as apols but works for me guessing it something your side as standard Radxa image is no problem.