Rootless Docker fails at detecting root-requiring overlay support #836
Description
- This is a bug report
- This is a feature request
- I searched existing issues before opening this one
Expected behavior
Rootless Docker detection of filesystem support should exclude CentOS's implementation of overlay as it requires root to work
Actual behavior
Rootless Docker detects the overlay kernel module is loaded and assumes it will work causing runtime failures
Steps to reproduce the behavior
I worked with the docker:dind-rootless image team on docker-library/docker#193 to work this out.
Steps:
- sudo modprobe overlay
- ./dockerd-rootless.sh --experimental
- docker -H unix:///run/user/1000/docker.sock run -ti alpine
docker: Error response from daemon: error creating overlay mount to /home/brian/.local/share/docker/overlay/918283926d7ce7e89ed73b6b17034793980a11b4f07534ba411bd54ee177dece-init/merged: operation not permitted.
I believe the problem lies with https://github.com/docker/docker-ce/blob/6d1e64f40569cf42e2f684690d1e2f5cff9546d1/components/engine/daemon/graphdriver/overlay2/overlay.go#L286 which doesn't check the return of the mount attempt to see if there was an error.
Output of docker version:
Client: Docker Engine - Community
Version: 19.03.4
API version: 1.40
Go version: go1.12.10
Git commit: 9013bf583a
Built: Fri Oct 18 15:52:22 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.4
API version: 1.40 (minimum version 1.12)
Go version: go1.12.10
Git commit: 9013bf583a
Built: Fri Oct 18 15:50:54 2019
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: 1.2.10
GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339
runc:
Version: 1.0.0-rc8+dev
GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
docker-init:
Version: 0.18.0
GitCommit: fec3683
Output of docker info:
Client:
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 19.03.4
Storage Driver: overlay
Backing Filesystem: xfs
Supports d_type: true
Logging Driver: json-file
Cgroup Driver: none
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
init version: fec3683
Security Options:
seccomp
Profile: default
rootless
Kernel Version: 3.10.0-1062.4.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.701GiB
Name: localhost.localdomain
ID: V2R5:7CUM:WUBK:CMPZ:5CXD:NMNA:DDKF:W4GJ:YZBF:JJWW:DUHW:Z6LK
Docker Root Dir: /home/brian/.local/share/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
WARNING: the overlay storage-driver is deprecated, and will be removed in a future release.
Additional environment details (AWS, VirtualBox, physical, etc.)
This testing has been done entirely on CentOS 7 VMs using various hypervisors