[Question] How to make runc work on Lineage OS on Oneplus 6 #20650

kebien6020 · 2024-06-23T22:05:57Z

kebien6020
Jun 23, 2024

Hi, I'm trying to run docker on termux by roughly following the steps on this gist.

My environment is a Oneplus 6 (enchilada) phone, running Lineage OS 21 (Android 14), with a custom Lineage OS-based kernel to enable the features required by docker, it's of course rooted, the kernel version is this:

Linux localhost 4.9.337-ga3385771235c-dirty #3 SMP PREEMPT Tue Jun 18 18:56:44 -05 2024 aarch64 Android

I can't run a hello-world container, and narrowed it down to runc not being able to create the container. Here is my runc version:

# runc --version
runc version 1.1.13
spec: 1.0.2-dev
go: go1.22.3
libseccomp: 2.5.5

One of the things that seems weird is that the cgroup mounts do not align to what runc expects, these are my actual cgroup mounts, right after a clean reboot:

# findmnt -t cgroup,cgroup2
TARGET                                              SOURCE
                                                         FSTYPE  OPTIONS
/dev/blkio                                          none cgroup  rw,nosuid,nodev,noexec,relatime,blkio
/dev/cpuctl                                         none cgroup  rw,nosuid,nodev,noexec,relatime,cpu
/dev/cpuset                                         none cgroup  rw,nosuid,nodev,noexec,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent
/dev/memcg                                          none cgroup  rw,nosuid,nodev,noexec,relatime,memory
/dev/stune                                          none cgroup  rw,nosuid,nodev,noexec,relatime,schedtune
/dev/op_cgroup/freezer                              none cgroup  rw,relatime,freezer
/sys/fs/cgroup                                      none cgroup2 rw,nosuid,nodev,noexec,relatime

(Skipping over the copies of the same mounts inside /debug_ramdisk/.magisk/mirror/)

runc seems to expect either:

A pure v2 mount setup with only a cgroupv2 mount on /sys/fs/cgroup
A hybrid setup with no cgroupv2 mount on /sys/fs/cgroup, a cgroupv2 mount on /sys/fs/cgroup/unified and various cgroupv1 mounts anywhere (autodetected)
A pure v1 setup with no cgroupv2 mount on /sys/fs/cgroup and autodetected cgroupv1 mounts anywhere

My system seems to be setup as a hybrid, but it doesn't match the hybrid expectations because is does have a cgroupv2 mount point at /sys/fs/cgroup.

So when I try to run a container with runc, it fails because it's assuming a pure v2 system, but the v2 cgroups only has the pid controller available, all other controllers are mounted to the v1 hierarchy and are unavailable under v2.

On my PC:

$ docker create --name busybox --platform linux/arm64 busybox
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
213a27df5921: Pull complete
Digest: sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7
Status: Downloaded newer image for busybox:latest
e0f1c45454a71e9e62b0189a656a85cba2a6f41482963e505709782598fe64bb
$ docker export busybox > busybox-rootfs.tar
$ scp busybox-rootfs.tar oneplus:busybox-rootfs.tar
busybox-rootfs.tar
$

On my phone:

$ tsu
~ # cat /sys/fs/cgroup/cgroup.controllers
pids
~ # mkdir ~/tmp
~ # cd ~/tmp
~/tmp # cp $PREFIX/../home/busybox-rootfs.tar ./
~/tmp # mkdir rootfs
~/tmp # tar -xf busybox-rootfs.tar -C rootfs
~/tmp # runc spec
~/tmp # runc run test1
^C^C^C^CWARN[0117] unable to get oom kill count                  error="open /sys/fs/cgroup/test1/memory.events: no such file or directory"
ERRO[0117] runc run failed: unable to start container process: error during container init: read init-p: connection reset by peer
~/tmp #

At first the command runc run test1 just hanged there doing nothing. Since I couldn't kill it with Ctrl+C, I had to open a separate terminal and kill the child process of runc with this: pkill -9 -f "runc init". Note: If you kill the parent process instead (runc run), the container state isn't cleaned up properly and gets stuck in a state where you can't create a new one with the same id (test1 in this case), and runc delete can't delete it either.

The error message suggests that it failed trying to find the file memory.events that appears automatically whenever you create a new folder inside a cgroupsv2 mount, and the memory controller is available. Since the memory controller is not available, the file doesn't appear and this operation fails.

Just to validate that this approach makes sense, I do the same on my PC and this is the expected output:

# On my PC

$ mkdir -p ~/tmp/rootfs/
$ docker export $(docker create --platform linux/amd64 busybox) | tar -xf - -C ~/tmp/rootfs/
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
Digest: sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7
Status: Downloaded newer image for busybox:latest
$ cd ~/tmp
$ runc spec
$ sudo runc run test1
/ # uname -a
Linux runc 6.9.5-arch1-1 #1 SMP PREEMPT_DYNAMIC Sun, 16 Jun 2024 19:06:37 +0000 x86_64 GNU/Linux

Additionally, here's runc run on both systems with --debug.

Click to expand

# On termux
~/tmp # runc --debug run test1
DEBU[0000]libcontainer/cgroups/file.go:96 libcontainer/cgroups.prepareOpenat2.func1() openat2 not available, falling back to securejoin
DEBU[0000] nsexec[21308]: => nsexec container setup
DEBU[0000] nsexec-0[21308]: ~> nsexec stage-0
DEBU[0000] nsexec-0[21308]: spawn stage-1
DEBU[0000] nsexec-0[21308]: -> stage-1 synchronisation loop
DEBU[0000] nsexec-1[21310]: ~> nsexec stage-1
DEBU[0000] nsexec-1[21310]: unshare remaining namespaces (except cgroupns)
DEBU[0000] nsexec-1[21310]: spawn stage-2
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-1[21310]: request stage-0 to forward stage-2 pid (21311)
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21308]: stage-1 requested pid to be forwarded
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-2[1]: ~> nsexec stage-2
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21308]: forward stage-1 (21310) and stage-2 (21311) pids to runc
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-1[21310]: signal completion to stage-0
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-1[21310]: <~ nsexec stage-1
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21308]: stage-1 complete
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21308]: <- stage-1 synchronisation loop
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21308]: -> stage-2 synchronisation loop
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21308]: signalling stage-2 to run
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-2[1]: unshare cgroup namespace
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-2[1]: signal completion to stage-0
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-2[1]: <= nsexec container setup
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-2[1]: booting up go runtime ...
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21308]: stage-2 complete
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21308]: <- stage-2 synchronisation loop
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21308]: <~ nsexec stage-0
<kill child process on a separate terminal since it's stuck>
WARN[0004] unable to get oom kill count                  error="open /sys/fs/cgroup/test1/memory.events: no such file or directory"
ERRO[0004] runc run failed: unable to start container process: error during container init: read init-p: connection reset by peer

# On my PC

$ sudo runc --debug run test1
DEBU[0000] nsexec[34628]: => nsexec container setup
DEBU[0000] nsexec-0[34628]: ~> nsexec stage-0
DEBU[0000] nsexec-0[34628]: spawn stage-1
DEBU[0000] nsexec-0[34628]: -> stage-1 synchronisation loop
DEBU[0000] nsexec-1[34630]: ~> nsexec stage-1
DEBU[0000] nsexec-1[34630]: unshare remaining namespaces (except cgroupns)
DEBU[0000] nsexec-1[34630]: spawn stage-2
DEBU[0000] nsexec-1[34630]: request stage-0 to forward stage-2 pid (34631)
DEBU[0000] nsexec-0[34628]: stage-1 requested pid to be forwarded
DEBU[0000] nsexec-0[34628]: forward stage-1 (34630) and stage-2 (34631) pids to runc
DEBU[0000] nsexec-1[34630]: signal completion to stage-0
DEBU[0000] nsexec-1[34630]: <~ nsexec stage-1
DEBU[0000] nsexec-0[34628]: stage-1 complete
DEBU[0000] nsexec-0[34628]: <- stage-1 synchronisation loop
DEBU[0000] nsexec-0[34628]: -> stage-2 synchronisation loop
DEBU[0000] nsexec-0[34628]: signalling stage-2 to run
DEBU[0000] nsexec-2[1]: ~> nsexec stage-2
DEBU[0000] nsexec-2[1]: unshare cgroup namespace
DEBU[0000] nsexec-2[1]: signal completion to stage-0
DEBU[0000] nsexec-2[1]: <= nsexec container setup
DEBU[0000] nsexec-2[1]: booting up go runtime ...
DEBU[0000] nsexec-0[34628]: stage-2 complete
DEBU[0000] nsexec-0[34628]: <- stage-2 synchronisation loop
DEBU[0000] nsexec-0[34628]: <~ nsexec stage-0
DEBU[0000] child process in init()
DEBU[0000] init: closing the pipe to signal completion
DEBU[0000]signals.go:102 main.(*signalHandler).forward() sending signal to process urgent I/O condition
/ # uname -a
DEBU[0012]signals.go:102 main.(*signalHandler).forward() sending signal to process urgent I/O condition

Linux runc 6.9.5-arch1-1 #1 SMP PREEMPT_DYNAMIC Sun, 16 Jun 2024 19:06:37 +0000 x86_64 GNU/Linux
/ # exit
DEBU[0018]signals.go:92 main.(*signalHandler).forward() process exited                                pid=34631 status=0

Forcing cgroupv1

Since I'm root, I tried to forcefully unmount the cgroupsv2 mount so that runc detects the system as a cgroupsv1 system. This eventually destabilizes my system and causes a reboot, but before it reboots I try to run a container.

# On termux

~/tmp # umount -fl /sys/fs/cgroup
~/tmp # runc run test1
ERRO[0000] runc run failed: mountpoint for devices not found
~/tmp # mkdir /dev/devices
~/tmp # mount -t cgroup -o rw,nosuid,nodev,noexec,relatime,devices none /dev/devices
~/tmp # runc run test1
<stuck here, kill on a separate terminal>
ERRO[0005] runc run failed: unable to start container process: error during container init: read init-p: connection reset by peer

Output with --debug flag

~/tmp # runc --debug run test1
DEBU[0000]libcontainer/cgroups/file.go:96 libcontainer/cgroups.prepareOpenat2.func1() openat2 not available, falling back to securejoin
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec[21784]: => nsexec container setup
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21784]: ~> nsexec stage-0
DEBU[0000]libcontainer/logs/logs.go:55 libcontainer/logs.processEntry() nsexec-0[21784]: spawn stage-1
DEBU[0000] nsexec-0[21784]: -> stage-1 synchronisation loop
DEBU[0000] nsexec-1[21786]: ~> nsexec stage-1
DEBU[0000] nsexec-1[21786]: unshare remaining namespaces (except cgroupns)
DEBU[0000] nsexec-1[21786]: spawn stage-2
DEBU[0000] nsexec-1[21786]: request stage-0 to forward stage-2 pid (21787)
DEBU[0000] nsexec-0[21784]: stage-1 requested pid to be forwarded
DEBU[0000] nsexec-0[21784]: forward stage-1 (21786) and stage-2 (21787) pids to runc
DEBU[0000] nsexec-1[21786]: signal completion to stage-0
DEBU[0000] nsexec-1[21786]: <~ nsexec stage-1
DEBU[0000] nsexec-2[1]: ~> nsexec stage-2
DEBU[0000] nsexec-0[21784]: stage-1 complete
DEBU[0000] nsexec-0[21784]: <- stage-1 synchronisation loop
DEBU[0000] nsexec-0[21784]: -> stage-2 synchronisation loop
DEBU[0000] nsexec-0[21784]: signalling stage-2 to run
DEBU[0000] nsexec-2[1]: unshare cgroup namespace
DEBU[0000] nsexec-2[1]: signal completion to stage-0
DEBU[0000] nsexec-2[1]: <= nsexec container setup
DEBU[0000] nsexec-2[1]: booting up go runtime ...
DEBU[0000] nsexec-0[21784]: stage-2 complete
DEBU[0000] nsexec-0[21784]: <- stage-2 synchronisation loop
DEBU[0000] nsexec-0[21784]: <~ nsexec stage-0
<stuck here, kill on a separate terminal>
ERRO[0009] runc run failed: unable to start container process: error during container init: read init-p: connection reset by peer

So the issue isn't just the cgroup setup, even when it's fully working with cgroupv1 (I went into /dev/memory/ and /dev/cpuctl/ and verified that while the prcess is stuck, the PID for the runc init process is properly placed in the expected cgroups), the container creation process still gets stuck.

Additional validations

For completeness' sake, here is the output of docker's check-config.sh script:

Click to expand

Note: I specifically disabled CONFIG_USER_NS, because it was one of the suggested workarounds on some comments in the original gist, but got the same results with and without this kernel option.

.../files/home # ./check-config.sh
info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: properly mounted [/dev]
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_MANGLE: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_NF_NAT_IPV4: enabled
- CONFIG_NF_NAT_NEEDED: enabled

Optional Features:
- CONFIG_USER_NS: missing
- CONFIG_SECCOMP: enabled
- CONFIG_SECCOMP_FILTER: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
- CONFIG_MEMCG_SWAP_ENABLED: enabled
- CONFIG_IOSCHED_CFQ: enabled
- CONFIG_CFQ_GROUP_IOSCHED: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: enabled
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: missing
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled
- CONFIG_IP_VS: enabled
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled
- CONFIG_SECURITY_SELINUX: enabled
- CONFIG_SECURITY_APPARMOR: enabled
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled
    - CONFIG_BRIDGE_VLAN_FILTERING: missing
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled
      - CONFIG_CRYPTO_GCM: enabled
      - CONFIG_CRYPTO_SEQIV: enabled
      - CONFIG_CRYPTO_GHASH: enabled
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled
      - CONFIG_XFRM_ALGO: enabled
      - CONFIG_INET_ESP: enabled
      - CONFIG_NETFILTER_XT_MATCH_BPF: enabled
      - CONFIG_INET_XFRM_MODE_TRANSPORT: enabled
  - "ipvlan":
    - CONFIG_IPVLAN: missing
  - "macvlan":
    - CONFIG_MACVLAN: missing
    - CONFIG_DUMMY: enabled
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled
    - CONFIG_NF_CONNTRACK_FTP: enabled
    - CONFIG_NF_NAT_TFTP: enabled
    - CONFIG_NF_CONNTRACK_TFTP: enabled
- Storage Drivers:
  - "btrfs":
    - CONFIG_BTRFS_FS: missing
    - CONFIG_BTRFS_FS_POSIX_ACL: missing
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled
  - "zfs":
    - /dev/zfs: missing
    - zfs command: missing
    - zpool command: missing

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

I also validated that the rootfs is ok by running a simple chroot off of it:

~/tmp # env -i chroot ./rootfs/ /bin/sh
/ # ls /
bin    dev    etc    home   lib    lib64  proc   root   sys    tmp    usr    var
/ # curl --version
/bin/sh: curl: not found
/ # exit

~/tmp # ls /
acct  bin             bugreports  config  data         debug_ramdisk  etc   init.environ.rc        linkerconfig  mnt  odm_dlkm  postinstall  product  second_stage_resources  sys     system_dlkm  vendor
apex  bootstrap-apex  cache       d       data_mirror  dev            init  init.recovery.qcom.rc  lost+found    odm  oem       proc         sdcard   storage                 system  system_ext   vendor_dlkm
~/tmp # curl --version
curl 8.8.0 (aarch64-unknown-linux-android) libcurl/8.8.0 OpenSSL/3.2.1 zlib/1.3.1 libssh2/1.11.0 nghttp2/1.62.1 nghttp3/1.4.0
Release-Date: 2024-05-22
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe UnixSockets

At this point I don't really know what else to test. Some help would be appreciated.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Question] How to make runc work on Lineage OS on Oneplus 6 #20650

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

[Question] How to make runc work on Lineage OS on Oneplus 6 #20650

kebien6020 Jun 23, 2024

Forcing cgroupv1

Additional validations

Replies: 0 comments

kebien6020
Jun 23, 2024