Docker rootless / cgroups2: Read-only filesystem

[PentaPaetzold]

I would like to run freeipa in docker rootless mode, but am stuck at cgroups v2.

freeipa-1  | Configuration file /etc/systemd/system.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
freeipa-1  | Configuration file /usr/lib/systemd/system.conf.d/ipaplatform-override.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
freeipa-1  | systemd 252-18.el9 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
freeipa-1  | Detected virtualization container-other.
freeipa-1  | Detected architecture x86-64.
freeipa-1  | Failed to create /init.scope control group: Read-only file system
freeipa-1  | Failed to allocate manager object: Read-only file system
freeipa-1  | [!!!!!!] Failed to allocate manager object.
freeipa-1  | Exiting PID 1...
freeipa-1 exited with code 0

I read #429 (comment) and the thread #429 .

My system is cgroups v2 - so it seems, that { "userns-remap": "default" } should be the answer. But adding this to daemon.json, gives:

dockerd-rootless.sh[822]: time="2024-01-19T12:35:01.594279045+01:00" level=warning msg="Running experimental build"
dockerd-rootless.sh[822]: time="2024-01-19T12:35:01.594290437+01:00" level=warning msg="Running in rootless mode. This mode has feature limitations."
dockerd-rootless.sh[822]: could not create or set daemon root permissions: /srv/docker: chown /srv/docker: invalid argument
dockerd-rootless.sh[797]: [rootlesskit:child ] error: command [/usr/bin/dockerd-rootless.sh] exited: exit status 1

does userns-remap needs root permissions? i don't have them for docker runnig as user docker as its rootless.
/srv/docker is owned docker:docker

Shouldn't userns-remap be always be enabled on rootless dockers without that option in daemon.json? Doe it makes sense to have that option given when runnig docker rootless?

Without nsremap-option docker starts and info says:

Client:
 Version:    24.0.7-ce
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.12.0
    Path:     /usr/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  2.23.3
    Path:     /usr/lib/docker/cli-plugins/docker-compose

Server:
 Containers: 3
  Running: 2
  Paused: 0
  Stopped: 1
 Images: 4
 Server Version: 24.0.7-ce
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 4e1fe7492b9df85914c389d1f15a3ceedbb280ac
 runc version: v1.1.11-0-g4bccb38cc9cf
 init version: 
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 5.14.21-150500.55.39-default
 Operating System: openSUSE Leap 15.5
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 26.89GiB
 Name: servpenta23
 ID: 907bb307-3299-4195-97ee-325a81160bdc
 Docker Root Dir: /srv/docker
 Debug Mode: false
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

But freeipa is not starting (see top).

There seems to be a solution here: #429 (comment)
with "1. Use the --cgroupns host Docker option and a cgroupv2 sub-hierarchy volume binding for the container. Here is an example command:
[ ...] --cgroupns host -v /sys/fs/cgroup/freeipa.scope:/sys/fs/cgroup:rw [ ... ]"

But i don't have /sys/fs/cgroup/freeipa.scope - i do have (with docker user is of id 1001):

~ # ls -ld /sys/fs/cgroup/*/
drwxr-xr-x  2 root root 0 Jan 13 15:16 /sys/fs/cgroup/dev-hugepages.mount/
drwxr-xr-x  2 root root 0 Jan 13 15:16 /sys/fs/cgroup/dev-mqueue.mount/
drwxr-xr-x  2 root root 0 Jan 13 15:16 /sys/fs/cgroup/init.scope/
drwxr-xr-x  2 root root 0 Jan 13 15:16 /sys/fs/cgroup/sys-fs-fuse-connections.mount/
drwxr-xr-x  2 root root 0 Jan 13 15:16 /sys/fs/cgroup/sys-kernel-config.mount/
drwxr-xr-x  2 root root 0 Jan 13 15:16 /sys/fs/cgroup/sys-kernel-debug.mount/
drwxr-xr-x  2 root root 0 Jan 13 15:16 /sys/fs/cgroup/sys-kernel-tracing.mount/
drwxr-xr-x 45 root root 0 Jan 19 12:01 /sys/fs/cgroup/system.slice/
drwxr-xr-x  4 root root 0 Jan 13 16:19 /sys/fs/cgroup/user.slice/

tried some of the directories, but don't get it working... e.g.
- /sys/fs/cgroup/user.slice/user-1001.slice:/sys/fs/cgroup:rw
- /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service:/sys/fs/cgroup:rw
- /sys/fs/cgroup:/sys/fs/cgroup:rw
...

Can anybody help me with that?

[adelton]

The userns-remap guidance applies to a rootfull docker installation, to force it to act the user-namespaced way.

If you run the rootless docker as an unprivileged user (uid 1001), you should not need that.

If you don't have the freeipa.scope, just create it. Except as unprivileged user you cannot write to host's top level /sys/fs/cgroup. But you should be able to create it somewhere where your user can write. You can use systemd-cgls and check what cgroups look like and which have user.delegate: 1, or ls -l and check which cgroups are owned and writable by your unprivileged user. On my system where I have

$ ls -la /sys/fs/cgroup/user.slice/user-1001.slice/user\@1001.service
total 0
drwxr-xr-x. 8 test test 0 Jan 19 14:21 .
drwxr-xr-x. 4 root root 0 Jan 19 14:07 ..
drwxr-xr-x. 5 test test 0 Jan 19 14:10 app.slice
drwxr-xr-x. 2 test test 0 Jan 19 14:09 background.slice
-r--r--r--. 1 root root 0 Jan 19 14:04 cgroup.controllers
-r--r--r--. 1 root root 0 Jan 19 14:04 cgroup.events
-rw-r--r--. 1 root root 0 Jan 19 14:04 cgroup.freeze
--w-------. 1 root root 0 Jan 19 14:04 cgroup.kill
[...]

something like

$ mkdir /sys/fs/cgroup/user.slice/user-1001.slice/user\@1001.service/freeipa.scope

works.

I can then do

$ id -u
1001
$ docker run --rm -ti --cgroupns=host -v /sys/fs/cgroup/user.slice/user-$(id -u).slice/user\@$(id -u).service/freeipa.scope:/sys/fs/cgroup:rw --name freeipa-server-container -h ipa.example.test -e PASSWORD=Secret123  --sysctl net.ipv6.conf.all.disable_ipv6=0 quay.io/freeipa/freeipa-server:centos-9-stream -U -r EXAMPLE.TEST --no-ntp
systemd 252-18.el9 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization container-other.
Detected architecture x86-64.
Initializing machine ID from random generator.
Queued start job for default target Minimal target for containerized FreeIPA server.

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.11.0
[...]
FreeIPA server configured.

You mention you already tried

- /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service:/sys/fs/cgroup:rw

and it did not work for you ... which is weird because on my system, using

--cgroupns=host -v /sys/fs/cgroup/user.slice/user-$(id -u).slice/user\@$(id -u).service:/sys/fs/cgroup:rw

(without that freeipa.scope) works as well.

[PentaPaetzold]

Yes, that did it, dont know why it has not beend working before, thank you very much!

$ mkdir /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/freeipa.scope
(somehow whithout \ on my system)

    volumes:
       - /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/freeipa.scope:/sys/fs/cgroup:rw
    cgroup: host

My proposal to catch those docker/ cgroup v2 / rootless newbies like me ;) : Add some Words in the Docs, that

1. userns-remap is not needed on rootless docker
2. those two steps

Again, Thank you

[PentaPaetzold]

No, sorry i did not get it working.

1. Did as said:
   docker run -e DEBUG_NO_EXIT=1 --rm -ti --cgroupns=host -v /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/freeipa.scope:/sys/fs/cgroup:rw --name freeipa-server-container -h ipa.domain.tld -e PASSWORD=Secret123 --sysctl net.ipv6.conf.all.disable_ipv6=0 quay.io/freeipa/freeipa-server:centos-9-stream -U -r EXAMPLE.TEST --no-ntp
   -> Starts, but:

Jan 20 14:45:29 ipa.domain.tld systemd[1]: Created slice Slice /system/dirsrv.
Jan 20 14:45:29 ipa.domain.tld systemd[1]: Starting 389 Directory Server EXAMPLE-TEST....
Jan 20 14:45:29 ipa.domain.tld systemd[302]: dirsrv@EXAMPLE-TEST.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.
Jan 20 14:45:29 ipa.domain.tld systemd[307]: dirsrv@EXAMPLE-TEST.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.
Jan 20 14:45:29 ipa.domain.tld systemd[312]: dirsrv@EXAMPLE-TEST.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.
Jan 20 14:45:29 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:45:29.495027794 +0000] - ERR - set_workingdir - detach: failed to chdir to /var/log/dirsrv/slapd-EXAMPLE-TEST
Jan 20 14:45:29 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:45:29.575896560 +0000] - ERR - set_workingdir - detach: set workingdir failed with "Working directory "/" is not writeable."
Jan 20 14:45:29 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:45:29.598857835 +0000] - INFO - main - 389-Directory/2.4.4 B2023.325.0000 starting up
Jan 20 14:45:29 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:45:29.620392018 +0000] - INFO - main - Setting the maximum file descriptor limit to: 1024
Jan 20 14:45:29 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:45:29.748368940 +0000] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 4000 rounds
Jan 20 14:45:29 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:45:29.787756841 +0000] - ERR - _spal_get_uint64_t_file - Unable to open file "/sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/freeipa.scope/user.slice/user-1001.slice/user@1001.service/user.slice/docker-25ff2f96057f24ca49a3afac747dd3be9f85987cd4074b19e19b52ce52d6ed3c.scope/system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-TEST.service/memory.current". errno=13
Jan 20 14:45:29 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:45:29.820529813 +0000] - WARN - spal_meminfo_get - Unable to retrieve /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/freeipa.scope/user.slice/user-1001.slice/user@1001.service/user.slice/docker-25ff2f96057f24ca49a3afac747dd3be9f85987cd4074b19e19b52ce52d6ed3c.scope/system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-TEST.service/memory.current. There may be no cgroup support on this platform
Jan 20 14:45:29 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:45:29.842845491 +0000] - ERR - _spal_get_uint64_t_file - Unable to open file "/sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/freeipa.scope/user.slice/user-1001.slice/user@1001.service/user.slice/docker-25ff2f96057f24ca49a3afac747dd3be9f85987cd4074b19e19b52ce52d6ed3c.scope/system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-TEST.service/memory.high". errno=13

...in the container in
/sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/
there now is no freeipa.scope

====
2. Test without freeipa.scope in Volume:
docker run -e DEBUG_NO_EXIT=1 --rm -ti --cgroupns=host -v /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service:/sys/fs/cgroup:rw --name freeipa-server-container -h ipa.domain.tld -e PASSWORD=Secret123 --sysctl net.ipv6.conf.all.disable_ipv6=0 quay.io/freeipa/freeipa-server:centos-9-stream -U -r EXAMPLE.TEST --no-ntp
is looking better, but has a path- problem:

Jan 20 14:54:50 ipa.domain.tld systemd[1]: Created slice Slice /system/dirsrv.
Jan 20 14:54:50 ipa.domain.tld systemd[1]: Starting 389 Directory Server EXAMPLE-TEST....
Jan 20 14:54:50 ipa.domain.tld systemd[302]: dirsrv@EXAMPLE-TEST.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.
Jan 20 14:54:50 ipa.domain.tld systemd[307]: dirsrv@EXAMPLE-TEST.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.
Jan 20 14:54:50 ipa.domain.tld systemd[312]: dirsrv@EXAMPLE-TEST.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.
Jan 20 14:54:50 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:54:50.368491614 +0000] - ERR - set_workingdir - detach: failed to chdir to /var/log/dirsrv/slapd-EXAMPLE-TEST
Jan 20 14:54:50 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:54:50.472959420 +0000] - ERR - set_workingdir - detach: set workingdir failed with "Working directory "/" is not writeable."
Jan 20 14:54:50 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:54:50.495808111 +0000] - INFO - main - 389-Directory/2.4.4 B2023.325.0000 starting up
Jan 20 14:54:50 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:54:50.517297441 +0000] - INFO - main - Setting the maximum file descriptor limit to: 1024
Jan 20 14:54:50 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:54:50.647663489 +0000] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 4000 rounds
Jan 20 14:54:50 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:54:50.688969562 +0000] - ERR - _spal_get_uint64_t_file - Unable to open file "/sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/user-1001.slice/user@1001.service/user.slice/docker-9d097c2e12929715ccdf30f858efb46ab460186b75e47fd221f9ae5edbcb2b78.scope/system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-TEST.service/memory.current". errno=2
Jan 20 14:54:50 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:54:50.713065630 +0000] - WARN - spal_meminfo_get - Unable to retrieve /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/user-1001.slice/user@1001.service/user.slice/docker-9d097c2e12929715ccdf30f858efb46ab460186b75e47fd221f9ae5edbcb2b78.scope/system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-TEST.service/memory.current. There may be no cgroup support on this platform
Jan 20 14:54:50 ipa.domain.tld ns-slapd[312]: [20/Jan/2024:14:54:50.735459985 +0000] - ERR - _spal_get_uint64_t_file - Unable to open file "/sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/user-1001.slice/user@1001.service/user.slice/docker-9d097c2e12929715ccdf30f858efb46ab460186b75e47fd221f9ae5edbcb2b78.scope/system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-TEST.service/memory.high". errno=2

in container:

root@ipa user.slice]# pwd
/sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice
[root@ipa user.slice]# ls -ld */
drwxr-xr-x 4 root root 0 Jan 20 14:54 docker-9d097c2e12929715ccdf30f858efb46ab460186b75e47fd221f9ae5edbcb2b78.scope/

-> so there is
docker-9d097c2e12929715ccdf30f858efb46ab460186b75e47fd221f9ae5edbcb2b78.scope
but no
user-1001.slice/user@1001.service/user.slice/docker-9d097c2e12929715ccdf30f858efb46ab460186b75e47fd221f9ae5edbcb2b78.scope

...the part "user-1001.slice/user@1001.service/user.slice" is somehow twice in
/sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/user-1001.slice/user@1001.service/user.slice/docker-9d097c2e12929715ccdf30f858efb46ab460186b75e47fd221f9ae5edbcb2b78.scope/system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-TEST.service/memory.high

========
3. Test without that part in Volume:

docker run -e DEBUG_NO_EXIT=1 --rm -ti --cgroupns=host -v /sys/fs/cgroup/user.slice:/sys/fs/cgroup:rw --name freeipa-server-container -h ipa.domain.tld -e PASSWORD=Secret123 --sysctl net.ipv6.conf.all.disable_ipv6=0 quay.io/freeipa/freeipa-server:centos-9-stream -U -r EXAMPLE.TEST --no-ntp
-> Failed to create /user.slice/user-1001.slice/user@1001.service/user.slice/docker-2090d950a7369f532532a26b6554be387034abf274d83fae584e98aadd942ec8.scope/init.scope control group: No such file or directory

======
And without cgroupns=host

docker run -e DEBUG_NO_EXIT=1 --rm -ti -v /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service:/sys/fs/cgroup:rw --name freeipa-server-container -h ipa.domain.tld -e PASSWORD=Secret123 --sysctl net.ipv6.conf.all.disable_ipv6=0 quay.io/freeipa/freeipa-server:centos-9-stream -U -r EXAMPLE.TEST --no-ntp
-> Failed to create /init.scope control group: No such file or directory

i am somehow stuck with that.

[adelton]

What does

$ cat /proc/self/cgroup
$ docker info --format "{{ .ClientInfo.Context }}"
$ docker run --rm --cgroupns=host -v /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service:/sys/fs/cgroup:rw --rm busybox cat /proc/self/cgroup

output?

[PentaPaetzold]

This is, what rootless docker looks here:

docker@servpenta23:~> systemd-cgls
Control group /:
-.slice
├─ 1633 bpfilter_umh
├─user.slice 
│ └─user-1001.slice 
│   ├─session-2.scope 
│   │ ├─ 2987 sshd: docker [priv]
│   │ ├─ 2990 sshd: docker@pts/0
│   │ ├─ 2991 -bash
│   │ ├─ 3037 systemd-cgls
│   │ └─ 3038 less
│   └─user@1001.service 
│     ├─user.slice 
│     │ ├─docker-9675e9be9d5e0d5dd0724c416301c94ae6715a82a0f0e51ac45eb137ffbd611c.scope 
│     │ │ └─ 2813 /portainer
│     │ └─docker-bdf772a40f0d3fcad25de55c507ad672a9dfe330407b98e09428d30b6c634369.scope 
│     │   └─ 2857 caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
│     ├─app.slice 
│     │ ├─docker.service 
│     │ │ ├─ 1742 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
│     │ │ ├─ 1753 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
│     │ │ ├─ 1852 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 1753 tap0
│     │ │ ├─ 1862 dockerd
│     │ │ ├─ 1917 containerd --config /run/user/1001/docker/containerd/containerd.toml --log-level warn
│     │ │ ├─ 2610 /usr/bin/rootlesskit-docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port xxx -container-ip a.b.c.d -container-port xxx
│     │ │ ├─ 2616 docker-proxy -container-ip a.b.c.d -container-port xxx -host-ip a.b.c.d -host-port xxx -proto tcp
[...]
│     │ │ ├─ 2789 /usr/sbin/containerd-shim-runc-v2 -namespace moby -id 9675e9be9d5e0d5dd0724c416301c94ae6715a82a0f0e51ac45eb137ffbd611c -address /run/user/1001/docker/containerd/containerd.sock
│     │ │ └─ 2828 /usr/sbin/containerd-shim-runc-v2 -namespace moby -id bdf772a40f0d3fcad25de55c507ad672a9dfe330407b98e09428d30b6c634369 -address /run/user/1001/docker/containerd/containerd.sock
│     │ └─dbus.service 
│     │   └─ 2806 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
│     └─init.scope 
│       ├─ 1666 /usr/lib/systemd/systemd --user
│       └─ 1669 (sd-pam)
├─init.scope 
│ └─ 1 /usr/lib/systemd/systemd --switched-root --system --deserialize 31
└─system.slice 
  ├─irqbalance.service 
  │ └─ 1447 /usr/sbin/irqbalance --foreground
[...]

So those are the values:

docker@servpenta23:~> cat /proc/self/cgroup
0::/user.slice/user-1001.slice/session-2.scope

docker@servpenta23:~> docker info --format "{{ .ClientInfo.Context }}"
default

docker@servpenta23:~> docker run --rm --cgroupns=host -v /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service:/sys/fs/cgroup:rw --rm busybox cat /proc/self/cgroup
0::/user.slice/user-1001.slice/user@1001.service/user.slice/docker-68a88a41e33b01b196bdd9419f6179af96efb3ef90f71c23115c0b67618203e8.scope

for me, this looks fine. So the 2nd approach would be ok if in the container dirsrv would use the path of the container (systemd seems to work fine at start). Where does the construction of
/sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/user-1001.slice/user@1001.service/user.slice/docker-9d097c2e12929715ccdf30f858efb46ab460186b75e47fd221f9ae5edbcb2b78.scope/system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-TEST.service/memory.current
happen?

[adelton]

docker@servpenta23:~> docker info --format "{{ .ClientInfo.Context }}"
default

This is not what I see on my Fedora 39 (VM) with a rootless docker installed using curl -fsSL https://get.docker.com/rootless | sh (per https://docs.docker.com/engine/security/rootless/):

$ docker info --format "{{ .ClientInfo.Context }}"
rootless

Are you sure your docker command talks to the rootless docker and not to the rootful one?

[PentaPaetzold]

Yes i am quite. That value seems to be the same:

docker@servpenta23:~> docker context ls
NAME        DESCRIPTION                               DOCKER ENDPOINT                     ERROR
default *   Current DOCKER_HOST based configuration   unix:///run/user/1001/docker.sock   
rootless    Rootless mode                             unix:///run/user/1001/docker.sock   
Warning: DOCKER_HOST environment variable overrides the active context. To use a context, either set the global --context flag, or unset DOCKER_HOST environment variable.

docker@servpenta23:~> env | grep DOCKER
DOCKER_HOST=unix:///run/user/1001/docker.sock

docker@servpenta23:~> docker context inspect default
[
    {
        "Name": "default",
        "Metadata": {},
        "Endpoints": {
            "docker": {
                "Host": "unix:///run/user/1001/docker.sock",
                "SkipTLSVerify": false
            }
        },
        "TLSMaterial": {},
        "Storage": {
            "MetadataPath": "\u003cIN MEMORY\u003e",
            "TLSPath": "\u003cIN MEMORY\u003e"
        }
    }
]

docker@servpenta23:~> docker context inspect rootless
[
    {
        "Name": "rootless",
        "Metadata": {
            "Description": "Rootless mode"
        },
        "Endpoints": {
            "docker": {
                "Host": "unix:///run/user/1001/docker.sock",
                "SkipTLSVerify": false
            }
        },
        "TLSMaterial": {},
        "Storage": {
            "MetadataPath": "/home/docker/.docker/contexts/meta/12b961af5feb3e9d39f93b2cefb9a1a944f18d02cca0cac2f04f5a982240605f",
            "TLSPath": "/home/docker/.docker/contexts/tls/12b961af5feb3e9d39f93b2cefb9a1a944f18d02cca0cac2f04f5a982240605f"
        }
    }
]

I had the environment DOCKER_HOST set to the location int /etc/environment as it was advised by setup, what changed default to point to that endpoint.

Removing DOCKER_HOST and adding DOCKER_CONTEXT=rootless results in

docker@servpenta23:~> docker context ls
NAME         DESCRIPTION                               DOCKER ENDPOINT                     ERROR
default      Current DOCKER_HOST based configuration   unix:///var/run/docker.sock         
rootless *   Rootless mode                             unix:///run/user/1001/docker.sock   

and the expected value

docker@servpenta23:~> docker info --format "{{ .ClientInfo.Context }}"
rootless

Still, no luck with dirsrv running Test 2, same error.

[adelton]

For the record, I made some attempts to test rootless docker on the GitHub Actions' Ubuntu 22.04 but the jobs have been failing, albeit not in the dirsrv step but much later:

  [7/8]: adding fallback group
  [8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.11.0

FreeIPA server configuration failed.
The container systemctl is-system-running [degraded].

[adelton]

Could you try --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw, and possibly use --skip-mem-check parameter to ipa-server-install if you get

DEBUG The ipa-server-install command failed, exception: ScriptError: Unable to determine the amount of available RAM

? These seem to work for me on the GitHub Actions' Ubuntu 22.04's with Docker 25.0.2 installed using

$ curl -fsSL https://get.docker.com/rootless | FORCE_ROOTLESS_INSTALL=1 sh

https://github.com/adelton/freeipa-container/actions/runs/8019125763/job/21907279041

[adelton]

This was now added to our GitHub Actions CI tests and to README.

[PentaPaetzold]

Only to make this complete: The mistake was on my hostside - the permissions of the container files on the host were changed after installation, which lead to the mounted filesystem beeing readonly on top-level instance. So if someone gets that error: check for permissions first and never change container/volume permissions on host- side.