
Docker in Docker: 'unshare: operation not permitted' when running GitHub Actions Runner on Azure Container Apps #513

Open
Shaannks opened this issue Sep 26, 2024 · 5 comments


@Shaannks

I'm encountering an issue when running a self-hosted GitHub Actions runner inside Azure Container Apps, which utilizes Docker in Docker installation. The Docker daemon starts up successfully with the fuse-overlayfs storage driver, but when attempting to pull an image, I receive the following error:

failed to register layer: unshare: operation not permitted
Warning: Docker pull failed with exit code 1, back off 5.716 seconds before retry.


Docker Version: 27.3.1

Seccomp Configuration: I tried setting the seccomp profile to unconfined.
Custom Seccomp Policy: Created a seccomp policy that allows the unshare syscall, but the issue persists.
User Namespace: Attempted to set up user namespace remapping for a non-root user, but this also did not resolve the issue.
(I have not configured any storage at Azure; I guess that won't make any difference.)

I would appreciate any guidance or solutions to resolve this issue. If there are specific configurations or permissions that need to be adjusted in the Docker setup for Azure Container Apps, please let me know.

@tianon
Member

tianon commented Sep 26, 2024

fuse-overlayfs sounds like you're trying to use the -rootless variants, which are quite a bit fiddlier to get working properly in my experience -- is that accurate? Is there a reason you might be doing so? (and/or why you wouldn't simply be using the overlay2 driver if not?)

@Shaannks
Author

@tianon - I tried both rootless and root but ended up facing the same error. While trying different storage drivers, I saw only fuse-overlayfs working; the daemon won't start with any other storage driver.

@Shaannks
Author

Shaannks commented Sep 27, 2024

daemon: dockerd --iptables=False --ip6tables=False
(screenshot of daemon output omitted)

seccomp: (screenshot of seccomp profile omitted)
no luck with this

@Shaannks
Author

failed to start daemon: error initializing graphdriver: driver not supported: overlay2

@tianon
Member

tianon commented Sep 27, 2024

Your container is definitely running with privileged? (even for the rootless variant, that's required)

You'll also want to verify/validate that you've got actual local storage mounted at /var/lib/docker inside the container (something like NFS is going to be a bad time -- you need something that the overlay2 driver supports as an underlay like actual ext4).
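As an added diagnostic for the conditions raised in this thread (is the container actually privileged, is /var/lib/docker on a filesystem overlay2 can use as an underlay, and what seccomp mode is in effect), here is a small shell script. It is example code written for this page, not from the issue or from the docker-library project. It works on text in /proc/mounts and /proc/self/status format so it can run offline; the sample mount tables, the capability masks and the 10.0.0.5 NFS export are constructed for illustration. The CAP_SYS_ADMIN bit number (21) is from capabilities(7), and the ext4/xfs list is the set of overlay2 backing filesystems documented by Docker.

```shell
#!/bin/sh
# Added diagnostic (not from this issue thread or the docker-library project).
# Checks three things a Docker-in-Docker host needs for overlay2 and unshare:
#   1. which filesystem backs /var/lib/docker (overlay2 needs ext4 or xfs below it),
#   2. whether the effective capability set contains CAP_SYS_ADMIN
#      (set in a --privileged container; unshare(CLONE_NEWNS) requires it),
#   3. the seccomp mode the kernel reports (0 disabled, 1 strict, 2 filter).
# Inputs are passed as text so the checks run offline; on a real host call
#   diagnose "$(cat /proc/mounts)" "$(cat /proc/self/status)"

# Longest-prefix lookup of the mount that contains path $2 in /proc/mounts text $1.
# Prints the filesystem type; returns 1 if no mount contains the path.
fs_type_for_path() {
    mounts=$1
    path=$2
    best_len=-1
    best_fs=''
    while read -r _dev mp m_fs _rest; do
        if [ -z "$mp" ]; then continue; fi
        mp_slash="${mp%/}/"            # "/" stays "/", "/a/b" becomes "/a/b/"
        case "$path/" in
            "$mp_slash"*)
                if [ "${#mp}" -gt "$best_len" ]; then
                    best_len=${#mp}
                    best_fs=$m_fs
                fi
                ;;
        esac
    done <<EOF
$mounts
EOF
    if [ -z "$best_fs" ]; then return 1; fi
    printf '%s\n' "$best_fs"
}

# Backing filesystems Docker documents for overlay2: ext4, and xfs only when it
# was formatted with ftype=1. /proc/mounts cannot show ftype, so on xfs hosts
# confirm that with xfs_info separately. Network (nfs, cifs) and FUSE-backed
# mounts are not supported underlays.
overlay2_underlay_ok() {
    case "$1" in
        ext4|xfs) return 0 ;;
        *) return 1 ;;
    esac
}

# CapEff in /proc/<pid>/status is a hex bitmask; CAP_SYS_ADMIN is capability 21
# (capabilities(7)). Returns 0 when that bit is set.
has_cap_sys_admin() {
    hex=$(printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p')
    if [ -z "$hex" ]; then return 1; fi
    if [ $(( (0x$hex >> 21) & 1 )) -eq 1 ]; then return 0; else return 1; fi
}

# Prints the Seccomp: value from /proc/<pid>/status text.
seccomp_mode() {
    printf '%s\n' "$1" | sed -n 's/^Seccomp:[[:space:]]*//p'
}

# Runs all checks, prints one line each, and returns the number of blocking
# problems (storage type and missing CAP_SYS_ADMIN count; seccomp mode is
# reported for information only, since --privileged already disables the
# default seccomp profile).
diagnose() {
    d_mounts=$1
    d_status=$2
    problems=0
    fs=$(fs_type_for_path "$d_mounts" /var/lib/docker) || fs='(no mount found)'
    if overlay2_underlay_ok "$fs"; then
        echo "ok:      /var/lib/docker is on $fs (usable overlay2 underlay)"
    else
        echo "problem: /var/lib/docker is on $fs (overlay2 needs ext4 or xfs with ftype=1)"
        problems=$((problems + 1))
    fi
    if has_cap_sys_admin "$d_status"; then
        echo "ok:      CAP_SYS_ADMIN present (container looks privileged)"
    else
        echo "problem: CAP_SYS_ADMIN missing; unshare(CLONE_NEWNS) will be refused"
        problems=$((problems + 1))
    fi
    echo "info:    seccomp mode $(seccomp_mode "$d_status") (0 disabled, 1 strict, 2 filter)"
    return "$problems"
}

# Constructed sample inputs (not captured from a real host).
MOUNTS_NFS='overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
10.0.0.5:/runner-share /var/lib/docker nfs4 rw,relatime,vers=4.1 0 0
/dev/sdb1 /mnt/scratch ext4 rw,relatime 0 0'
MOUNTS_EXT4='overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /var/lib/docker ext4 rw,relatime 0 0'
STATUS_DEFAULT='Name: dockerd
Seccomp: 2
CapEff: 00000000a80425fb'          # Docker default capability set: no CAP_SYS_ADMIN
STATUS_PRIV='Name: dockerd
Seccomp: 0
CapEff: 000001ffffffffff'          # constructed mask with every capability set

echo "== sample: NFS-backed /var/lib/docker, default capabilities =="
diagnose "$MOUNTS_NFS" "$STATUS_DEFAULT" || true
echo "== sample: ext4-backed /var/lib/docker, privileged =="
diagnose "$MOUNTS_EXT4" "$STATUS_PRIV" || true
```

Run it inside the runner container, replacing the sample strings with the real /proc files; two "problem" lines is the combination this thread describes (network or FUSE storage plus a non-privileged container), and either one on its own is enough to keep overlay2 from starting or layer registration from unsharing.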
