Description
Hi,
I was following along with the docker-in-gVisor quickstart guide. But when I try to build the whalesay container, the build fails at the first `RUN` step with a `permission denied` error from the runc prestart hook (full output below).
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
link/loopback 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 127.0.0.1/8 scope global dynamic
inet6 ::1/128 scope global dynamic
2: eth0: <UP,LOWER_UP> mtu 8980
link/ether 1a:fe:a1:37:66:a4 brd ff:ff:ff:ff:ff:ff
inet 172.29.88.163/32 scope global dynamic
inet6 fe80::18fe:a1ff:fe37:66a4/64 scope global dynamic
3: docker0: <UP,LOWER_UP> mtu 1486
link/ether 72:d4:1c:2e:9d:b9 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global dynamic
/ # mkdir whalesay && cd whalesay
/whalesay # cat > Dockerfile <<EOF
> FROM ubuntu
>
> RUN apt-get update && apt-get install -y cowsay curl
> RUN mkdir -p /usr/share/cowsay/cows/
> RUN curl -o /usr/share/cowsay/cows/docker.cow https://raw.githubusercontent.com/docker/whalesay/master/docker.cow
> ENTRYPOINT ["/usr/games/cowsay", "-f", "docker.cow"]
> EOF
/whalesay #
/whalesay # docker build -t whalesay .
[+] Building 8.2s (5/7) docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 309B 0.0s
=> [internal] load metadata for docker.io/library/ubuntu:latest 1.6s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [1/4] FROM docker.io/library/ubuntu:latest@sha256:440dcf6a5640b2ae5c77724e68787a906afb8ddee98bf86db94eea8528c2c076 3.4s
=> => resolve docker.io/library/ubuntu:latest@sha256:440dcf6a5640b2ae5c77724e68787a906afb8ddee98bf86db94eea8528c2c076 0.0s
=> => sha256:440dcf6a5640b2ae5c77724e68787a906afb8ddee98bf86db94eea8528c2c076 6.69kB / 6.69kB 0.0s
=> => sha256:dbdff34bb41cecdb07c79af373b44bb4c9ccba2520f014221fb95845f14bc6c1 424B / 424B 0.0s
=> => sha256:f9248aac10f2f82e0970222e36cc7b71215b88e974e001282e5cd89797a82218 2.30kB / 2.30kB 0.0s
=> => sha256:b08e2ff4391ef70ca747960a731d1f21a75febbd86edc403cd1514a099615808 29.72MB / 29.72MB 0.7s
=> => extracting sha256:b08e2ff4391ef70ca747960a731d1f21a75febbd86edc403cd1514a099615808 2.4s
=> ERROR [2/4] RUN apt-get update && apt-get install -y cowsay curl 3.1s
------
> [2/4] RUN apt-get update && apt-get install -y cowsay curl:
3.108 runc run failed: unable to start container process: error during container init: error running prestart hook #0: exit status 1, stdout: , stderr: failed to add interface vethe67ea93 to sandbox: failed to subscribe to link updates: permission denied
3.108
------
Dockerfile:3
--------------------
1 | FROM ubuntu
2 |
3 | >>> RUN apt-get update && apt-get install -y cowsay curl
4 | RUN mkdir -p /usr/share/cowsay/cows/
5 | RUN curl -o /usr/share/cowsay/cows/docker.cow https://raw.githubusercontent.com/docker/whalesay/master/docker.cow
--------------------
ERROR: failed to build: failed to solve: process "/bin/sh -c apt-get update && apt-get install -y cowsay curl" did not complete successfully: exit code: 1
/whalesay #
`--net-raw` is enabled. I am using the following pod definition:
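# Pod that runs Docker-in-Docker (dockerd) inside a gVisor sandbox, pinned to
# node011. The container is given full privileges so that dockerd can create
# its bridge, veth pairs and NAT rules inside the sandbox.
apiVersion: v1
kind: Pod
metadata:
  name: docker-node011
spec:
  runtimeClassName: gvisor
  nodeName: node011
  containers:
  - name: docker
    image: docker:dind
    securityContext:
      # NOTE(review): `privileged: true` already implies every capability, so
      # the explicit `add: ["ALL"]` is redundant; both are kept as in the
      # original report. With runtimeClassName gvisor these privileges are
      # granted inside the sandbox rather than on the host kernel, but a
      # cluster-level PodSecurity policy may still reject this pod — confirm.
      privileged: true
      capabilities:
        add: ["ALL"]
    command:
    - /bin/sh
    - -c
    - |
      # Fail fast: -e on any error, -u on unset variables, -x to trace each
      # command, and pipefail so a failing stage in a pipeline is not masked
      # by a later one.
      set -xeu -o pipefail
      # Interface carrying the default route: the name following "dev" on
      # the first "default" route line. Scanning for the "dev" keyword works
      # whether or not the route has a "via" gateway (a fixed $5 does not).
      dev=$(ip route show default | awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
      [ -n "$dev" ] || { echo "no default route interface found" >&2; exit 1; }
      echo "Default interface: $dev"
      # First IPv4 address on that interface, with the CIDR suffix stripped.
      # `exit` after the first match keeps $addr to exactly one address even
      # when the interface has several; a multi-line value would otherwise
      # produce a malformed SNAT rule below.
      addr=$(ip -4 addr show dev "$dev" | awk '/inet / { print $2; exit }' | cut -d/ -f1)
      [ -n "$addr" ] || { echo "no IPv4 address on $dev" >&2; exit 1; }
      echo "Interface address: $addr"
      # Allow traffic from the docker0 bridge to be forwarded out via $dev.
      echo 1 > /proc/sys/net/ipv4/ip_forward
      # dockerd is started with --iptables=false, so container egress has to
      # be source-NATed here. Only TCP and UDP are rewritten, as in the
      # original report; ICMP from containers is deliberately left un-NATed.
      iptables-legacy -t nat -A POSTROUTING -o "$dev" -p tcp -j SNAT --to-source "$addr"
      iptables-legacy -t nat -A POSTROUTING -o "$dev" -p udp -j SNAT --to-source "$addr"
      # Replace the shell with dockerd so it runs as PID 1 and receives the
      # container's signals directly.
      exec dockerd --iptables=false --ip6tables=false -D
    volumeMounts:
    - name: docker
      mountPath: /var/lib/docker
  volumes:
  - name: docker
    emptyDir: {}
  restartPolicy: Never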
EOF
Steps to reproduce
Create a pod with gvisor using the following pod definition:
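# Pod that runs Docker-in-Docker (dockerd) inside a gVisor sandbox, pinned to
# node011. The container is given full privileges so that dockerd can create
# its bridge, veth pairs and NAT rules inside the sandbox.
apiVersion: v1
kind: Pod
metadata:
  name: docker-node011
spec:
  runtimeClassName: gvisor
  nodeName: node011
  containers:
  - name: docker
    image: docker:dind
    securityContext:
      # NOTE(review): `privileged: true` already implies every capability, so
      # the explicit `add: ["ALL"]` is redundant; both are kept as in the
      # original report. With runtimeClassName gvisor these privileges are
      # granted inside the sandbox rather than on the host kernel, but a
      # cluster-level PodSecurity policy may still reject this pod — confirm.
      privileged: true
      capabilities:
        add: ["ALL"]
    command:
    - /bin/sh
    - -c
    - |
      # Fail fast: -e on any error, -u on unset variables, -x to trace each
      # command, and pipefail so a failing stage in a pipeline is not masked
      # by a later one.
      set -xeu -o pipefail
      # Interface carrying the default route: the name following "dev" on
      # the first "default" route line. Scanning for the "dev" keyword works
      # whether or not the route has a "via" gateway (a fixed $5 does not).
      dev=$(ip route show default | awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
      [ -n "$dev" ] || { echo "no default route interface found" >&2; exit 1; }
      echo "Default interface: $dev"
      # First IPv4 address on that interface, with the CIDR suffix stripped.
      # `exit` after the first match keeps $addr to exactly one address even
      # when the interface has several; a multi-line value would otherwise
      # produce a malformed SNAT rule below.
      addr=$(ip -4 addr show dev "$dev" | awk '/inet / { print $2; exit }' | cut -d/ -f1)
      [ -n "$addr" ] || { echo "no IPv4 address on $dev" >&2; exit 1; }
      echo "Interface address: $addr"
      # Allow traffic from the docker0 bridge to be forwarded out via $dev.
      echo 1 > /proc/sys/net/ipv4/ip_forward
      # dockerd is started with --iptables=false, so container egress has to
      # be source-NATed here. Only TCP and UDP are rewritten, as in the
      # original report; ICMP from containers is deliberately left un-NATed.
      iptables-legacy -t nat -A POSTROUTING -o "$dev" -p tcp -j SNAT --to-source "$addr"
      iptables-legacy -t nat -A POSTROUTING -o "$dev" -p udp -j SNAT --to-source "$addr"
      # Replace the shell with dockerd so it runs as PID 1 and receives the
      # container's signals directly.
      exec dockerd --iptables=false --ip6tables=false -D
    volumeMounts:
    - name: docker
      mountPath: /var/lib/docker
  volumes:
  - name: docker
    emptyDir: {}
  restartPolicy: Never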
EOF
Then, from a shell inside that pod, try to build the whalesay container:
/ # mkdir whalesay && cd whalesay
/whalesay # cat > Dockerfile <<EOF
> FROM ubuntu
>
> RUN apt-get update && apt-get install -y cowsay curl
> RUN mkdir -p /usr/share/cowsay/cows/
> RUN curl -o /usr/share/cowsay/cows/docker.cow https://raw.githubusercontent.com/docker/whalesay/master/docker.cow
> ENTRYPOINT ["/usr/games/cowsay", "-f", "docker.cow"]
> EOF
/whalesay #
/whalesay # docker build -t whalesay .
[+] Building 8.2s (5/7) docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 309B 0.0s
=> [internal] load metadata for docker.io/library/ubuntu:latest 1.6s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [1/4] FROM docker.io/library/ubuntu:latest@sha256:440dcf6a5640b2ae5c77724e68787a906afb8ddee98bf86db94eea8528c2c076 3.4s
=> => resolve docker.io/library/ubuntu:latest@sha256:440dcf6a5640b2ae5c77724e68787a906afb8ddee98bf86db94eea8528c2c076 0.0s
=> => sha256:440dcf6a5640b2ae5c77724e68787a906afb8ddee98bf86db94eea8528c2c076 6.69kB / 6.69kB 0.0s
=> => sha256:dbdff34bb41cecdb07c79af373b44bb4c9ccba2520f014221fb95845f14bc6c1 424B / 424B 0.0s
=> => sha256:f9248aac10f2f82e0970222e36cc7b71215b88e974e001282e5cd89797a82218 2.30kB / 2.30kB 0.0s
=> => sha256:b08e2ff4391ef70ca747960a731d1f21a75febbd86edc403cd1514a099615808 29.72MB / 29.72MB 0.7s
=> => extracting sha256:b08e2ff4391ef70ca747960a731d1f21a75febbd86edc403cd1514a099615808 2.4s
=> ERROR [2/4] RUN apt-get update && apt-get install -y cowsay curl 3.1s
------
> [2/4] RUN apt-get update && apt-get install -y cowsay curl:
3.108 runc run failed: unable to start container process: error during container init: error running prestart hook #0: exit status 1, stdout: , stderr: failed to add interface vethe67ea93 to sandbox: failed to subscribe to link updates: permission denied
3.108
------
Dockerfile:3
--------------------
1 | FROM ubuntu
2 |
3 | >>> RUN apt-get update && apt-get install -y cowsay curl
4 | RUN mkdir -p /usr/share/cowsay/cows/
5 | RUN curl -o /usr/share/cowsay/cows/docker.cow https://raw.githubusercontent.com/docker/whalesay/master/docker.cow
--------------------
ERROR: failed to build: failed to solve: process "/bin/sh -c apt-get update && apt-get install -y cowsay curl" did not complete successfully: exit code: 1
/whalesay #
runsc version
root@node011:/var/log/runsc/203d7ede0ecb087ae67e46421b4824a873a0419890acdef92a80223a25a0c0a2# runsc --version
runsc version release-20250625.0
spec: 1.2.0
docker version (if using docker)
uname
Linux node011 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
kubectl (if using Kubernetes)
root@node011:/var/log/runsc/203d7ede0ecb087ae67e46421b4824a873a0419890acdef92a80223a25a0c0a2# kubectl version
Client Version: v1.31.5
Kustomize Version: v5.4.2
Server Version: v1.31.5
repo state (if built from source)
No response
runsc debug logs (if available)
I have enabled debug logging, but the resulting logs are very large. I am happy to attach them if someone can indicate which parts would be useful for diagnosing this.