Description
I am hitting an issue attempting to use runsc on an idiosyncratic linux system where
- the usual temp dir with its associated tmpfs mount is located at /realtmp
- and advertised to users and system services by setting TMPDIR=/realtmp in the environment;
- /tmp is a symbolic link to something else entirely, which should not be touched (the latter detail is only partially relevant: the bug reproduces even when /tmp links to /realtmp – see steps to reproduce).
Even though docker run --rm hello-world works perfectly well, docker run --rm --runtime=runsc hello-world fails with the following message:
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF
Inspecting the debug log (I pasted only create/boot logs in the field below because including other subcommands would exceed github's limit) shows that a subprocess of runsc invoked as runsc-sandbox is failing with the following message:
I0111 13:12:41.828446 1 cli.go:203] **************** gVisor ****************
I0111 13:12:41.828446 1 cli.go:204] Version release-20260105.0, go1.24.1, amd64, 12 CPUs, linux, PID 1, PPID 0, UID 0, GID 0
D0111 13:12:41.828446 1 cli.go:205] Page size: 0x1000 (4096 bytes)
I0111 13:12:41.828446 1 cli.go:206] Args: [runsc-sandbox --debug-log=/tmp/runsc-logs/ --systemd-cgroup=true --root=/var/run/docker/runtime-runc/moby --debug=true --log=/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/log.json --log-format=json --log-fd=3 --debug-log-fd=4 boot --bundle=/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744 --gofer-mount-confs=lisafs:self,lisafs:none,lisafs:none,lisafs:none --apply-caps=true --setup-root --total-host-memory 16827731968 --cpu-num 12 --total-memory 16827731968 --io-fds=5 --io-fds=6 --io-fds=7 --io-fds=8 --dev-io-fd=-1 --gofer-filestore-fds=9 --mounts-fd=10 --start-sync-fd=11 --controller-fd=12 --spec-fd=13 --stdio-fds=14 --stdio-fds=15 --stdio-fds=16 cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744]
...
I0111 13:12:41.833462 1 chroot.go:162] Setting up sandbox chroot in "/tmp"
W0111 13:12:41.833462 1 util.go:64] FATAL ERROR: error setting up chroot: error mounting tmpfs in chroot: failed to safely mount: expected to open /tmp, but found /realtmp
The "/tmp" path string is obtained at runsc/cmd/chroot.go:160 by calling os.TempDir() which on linux systems does return the TMPDIR env variable when set.
I verified using a wrapper script (see steps to reproduce) that the TMPDIR variable has the expected value for every invocation of runsc by docker. However, the environment is completely cleared at runsc/sandbox/sandbox.go:913 before starting the sandbox, which causes os.TempDir() to return the default value /tmp within the sandbox process.
I was able to work around the issue by patching runsc/sandbox/sandbox.go to forward the TMPDIR variable to the sandbox command (see diff below), but I am by no means experienced enough to assess the risks that might arise from this approach. Another solution might be to add a global (or private) config flag for the chroot location, have it default to os.TempDir() and propagate it to all relevant subprocesses (or any other safe propagation mechanism).
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -913,7 +913,8 @@ func (s *Sandbox) createSandboxProcess(conf *config.Config, args *Args, startSyn
// Clear environment variables, unless --TESTONLY-unsafe-nonroot is set.
if !conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
// Setting cmd.Env = nil causes cmd to inherit the current process's env.
- cmd.Env = []string{}
+ // Forward os.TempDir() as TMPDIR env variable to ensure it resolves to the same value for cmd.
+ cmd.Env = []string{"TMPDIR=" + os.TempDir()}
}
if config.CgoEnabled {
// Platforms that use stub processes are not compatible with
NOTE: logs and tooling info below are from the ubuntu vm used to implement reproduction steps, not from the original system where I encountered the bug.
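Review bot: The added `cmd.Env = []string{"TMPDIR=" + os.TempDir()}` line forwards a path taken from the caller's environment into a sandbox process that previously started with an empty environment, and nothing in the hunk validates it. Since os.TempDir() returns TMPDIR as given, a relative or symlinked value would now decide where the chroot is set up, and the boot log above shows the mount step rejecting a path that resolves elsewhere ("expected to open /tmp, but found /realtmp"). Consider checking in the parent that the path is absolute and an existing directory that is not a symlink before forwarding it, or passing it through an explicit boot flag so the environment stays empty. The context comment "Clear environment variables, unless --TESTONLY-unsafe-nonroot is set." should also be updated, because after this change the environment is no longer cleared.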
Steps to reproduce
- Set up a fresh disposable ubuntu VM (any distro will do as long as you know how to translate the steps below)
- Log in as root
- Move /tmp to /realtmp and make it a symbolic link:
shopt -s dotglob
mkdir /realtmp
sed -e 's#/tmp#/realtmp#g' /usr/lib/systemd/system/tmp.mount > /etc/systemd/system/realtmp.mount
mkdir -p /etc/systemd/system/{local-fs,basic}.target.wants
ln -s /etc/systemd/system/realtmp.mount /etc/systemd/system/local-fs.target.wants/
ln -s /etc/systemd/system/realtmp.mount /etc/systemd/system/basic.target.wants/
systemctl start realtmp.mount
cp -a /tmp/* /realtmp
umount /tmp # Brutal approach, it's racy and might fail but worked for me
rmdir /tmp
ln -s /realtmp /tmp
- Install docker and wget
apt update
apt install docker.io wget
- Configure the environment:
cat >> /etc/environment <<EOF
TMPDIR=/realtmp
TEMP=/realtmp
TMP=/realtmp
EOF
systemctl edit --stdin docker.service <<EOF
[Service]
EnvironmentFile=/etc/environment
EOF
systemctl edit --stdin containerd.service <<EOF
[Service]
EnvironmentFile=/etc/environment
EOF
- Reboot
- Log in as root
- Check that everything works as intended:
echo $TMPDIR # should print /realtmp
readlink /tmp # should print /realtmp
mountpoint --nofollow /tmp # should print /tmp is not a mountpoint
mountpoint --nofollow /realtmp # should print /realtmp is a mountpoint
docker run --rm hello-world # should pull the image and print the hello world message
- Install runsc (remember to reload docker afterwards: systemctl reload docker)
- docker run --rm --runtime=runsc hello-world should fail as discussed above
- Create a wrapper script to check the environment:
cat > /usr/local/bin/runsc-wrapper <<'EOF'
#!/bin/bash
set -e
cat <(echo "---- Invoked! ----") <(echo "Args:" "$@") <(echo "Environment:") <(env) >> /tmp/runsc-env.log
exec /usr/local/bin/runsc "$@"
EOF
chmod a+rx /usr/local/bin/runsc-wrapper
- Edit /etc/docker/daemon.json to invoke the wrapper and add debug flags:
{
"runtimes": {
"runsc": {
"path": "/usr/local/bin/runsc-wrapper",
"runtimeArgs": [
"--debug-log=/tmp/runsc-logs/",
"--debug"
]
}
}
}
- Reload docker: systemctl reload docker
- docker run --rm --runtime=runsc hello-world should fail again
- Inspect /tmp/runsc-env.log and verify that TMPDIR is actually set to /realtmp. Output example:
---- Invoked! ----
Args: --debug-log=/tmp/runsc-logs/ --debug --root /var/run/docker/runtime-runc/moby --log /run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744 --pid-file /run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/init.pid cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744
Environment:
TTRPC_ADDRESS=/run/containerd/containerd.sock.ttrpc
MAX_SHIM_VERSION=2
PWD=/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744
NAMESPACE=moby
SYSTEMD_EXEC_PID=265
LANG=en_US.UTF-8
TMPDIR=/realtmp
INVOCATION_ID=f09d9ab8909e42f196a6633b6c2dd6df
USER=root
TEMP=/realtmp
GOMAXPROCS=4
SHLVL=0
LD_LIBRARY_PATH=/opt/containerd/lib:
GRPC_ADDRESS=/run/containerd/containerd.sock
JOURNAL_STREAM=9:111421
OTEL_SERVICE_NAME=containerd-shim-cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744
TMP=/realtmp
PATH=/opt/containerd/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
_=/usr/bin/env
- Inspect debug logs at /tmp/runsc-logs/
runsc version
runsc version release-20260105.0
spec: 1.1.0-rc.1
docker version (if using docker)
Client:
Version: 28.2.2
Context: default
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 28.2.2
Storage Driver: overlay2
Backing Filesystem: btrfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: runsc io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version:
runc version:
init version:
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.17.8-orbstack-00308-g8f9c941121b1
Operating System: Ubuntu 25.10
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 15.67GiB
Name: ubuntu
ID: a4b819aa-4fa0-489d-b382-d470abf3ae86
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
uname
Linux ubuntu 6.17.8-orbstack-00308-g8f9c941121b1 #1 SMP PREEMPT Thu Nov 20 09:34:02 UTC 2025 x86_64 GNU/Linux
kubectl (if using Kubernetes)
repo state (if built from source)
No response
runsc debug logs (if available)
---- runsc.log.20260111-131241.804372.create.txt ----
I0111 13:12:41.804372 1744 cli.go:203] **************** gVisor ****************
I0111 13:12:41.804372 1744 cli.go:204] Version release-20260105.0, go1.24.1, amd64, 12 CPUs, linux, PID 1744, PPID 1743, UID 0, GID 0
D0111 13:12:41.804372 1744 cli.go:205] Page size: 0x1000 (4096 bytes)
I0111 13:12:41.804372 1744 cli.go:206] Args: [/usr/local/bin/runsc --debug-log=/tmp/runsc-logs/ --debug --root /var/run/docker/runtime-runc/moby --log /run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744 --pid-file /run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/init.pid cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744]
I0111 13:12:41.804372 1744 config.go:464] Platform: systrap
I0111 13:12:41.804372 1744 config.go:465] RootDir: /var/run/docker/runtime-runc/moby
I0111 13:12:41.804372 1744 config.go:466] FileAccess: exclusive / Directfs: true / Overlay: root:self
I0111 13:12:41.804372 1744 config.go:467] Network: sandbox
I0111 13:12:41.804372 1744 config.go:468] UseCPUNums: false
I0111 13:12:41.804372 1744 config.go:470] Debug: true. Strace: false, max size: 1024, syscalls:
W0111 13:12:41.804372 1744 config.go:473] --allow-suid is disabled, SUID/SGID bits on executables will be ignored.
D0111 13:12:41.804372 1744 config.go:491] Config.RootDir (--root): /var/run/docker/runtime-runc/moby
D0111 13:12:41.804372 1744 config.go:491] Config.Traceback (--traceback): system
D0111 13:12:41.804372 1744 config.go:491] Config.Debug (--debug): true
D0111 13:12:41.804372 1744 config.go:491] Config.LogFilename (--log): /run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/log.json
D0111 13:12:41.804372 1744 config.go:491] Config.LogFormat (--log-format): json
D0111 13:12:41.804372 1744 config.go:491] Config.DebugLog (--debug-log): /tmp/runsc-logs/
D0111 13:12:41.804372 1744 config.go:491] Config.DebugToUserLog (--debug-to-user-log): false
D0111 13:12:41.804372 1744 config.go:491] Config.DebugCommand (--debug-command): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.PanicLog (--panic-log): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.CoverageReport (--coverage-report): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.DebugLogFormat (--debug-log-format): text
D0111 13:12:41.804372 1744 config.go:491] Config.FileAccess (--file-access): exclusive
D0111 13:12:41.804372 1744 config.go:491] Config.FileAccessMounts (--file-access-mounts): shared
D0111 13:12:41.804372 1744 config.go:491] Config.Overlay (--overlay): false
D0111 13:12:41.804372 1744 config.go:491] Config.Overlay2 (--overlay2): root:self
D0111 13:12:41.804372 1744 config.go:491] Config.FSGoferHostUDS (--fsgofer-host-uds): false
D0111 13:12:41.804372 1744 config.go:491] Config.HostUDS (--host-uds): none
D0111 13:12:41.804372 1744 config.go:491] Config.HostFifo (--host-fifo): none
D0111 13:12:41.804372 1744 config.go:491] Config.HostSettings (--host-settings): check
D0111 13:12:41.804372 1744 config.go:491] Config.Network (--network): sandbox
D0111 13:12:41.804372 1744 config.go:491] Config.EnableRaw (--net-raw): false
D0111 13:12:41.804372 1744 config.go:491] Config.AllowPacketEndpointWrite (--allow-packet-socket-write): false
D0111 13:12:41.804372 1744 config.go:491] Config.HostGSO (--gso): true
D0111 13:12:41.804372 1744 config.go:491] Config.GVisorGSO (--software-gso): true
D0111 13:12:41.804372 1744 config.go:491] Config.GVisorGRO (--gvisor-gro): false
D0111 13:12:41.804372 1744 config.go:491] Config.TXChecksumOffload (--tx-checksum-offload): false
D0111 13:12:41.804372 1744 config.go:491] Config.RXChecksumOffload (--rx-checksum-offload): true
D0111 13:12:41.804372 1744 config.go:491] Config.QDisc (--qdisc): fifo
D0111 13:12:41.804372 1744 config.go:491] Config.LogPackets (--log-packets): false
D0111 13:12:41.804372 1744 config.go:491] Config.PCAP (--pcap-log): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.Platform (--platform): systrap
D0111 13:12:41.804372 1744 config.go:491] Config.PlatformDevicePath (--platform_device_path): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.MetricServer (--metric-server): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.FinalMetricsLog (--final-metrics-log): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.ProfilingMetrics (--profiling-metrics): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.ProfilingMetricsLog (--profiling-metrics-log): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.ProfilingMetricsRate (--profiling-metrics-rate-us): 1000
D0111 13:12:41.804372 1744 config.go:491] Config.Strace (--strace): false
D0111 13:12:41.804372 1744 config.go:491] Config.StraceSyscalls (--strace-syscalls): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.StraceLogSize (--strace-log-size): 1024
D0111 13:12:41.804372 1744 config.go:491] Config.StraceEvent (--strace-event): false
D0111 13:12:41.804372 1744 config.go:493] Config.DisableSeccomp: false
D0111 13:12:41.804372 1744 config.go:491] Config.EnableCoreTags (--enable-core-tags): false
D0111 13:12:41.804372 1744 config.go:491] Config.WatchdogAction (--watchdog-action): log
D0111 13:12:41.804372 1744 config.go:491] Config.PanicSignal (--panic-signal): -1
D0111 13:12:41.804372 1744 config.go:491] Config.ProfileEnable (--profile): false
D0111 13:12:41.804372 1744 config.go:491] Config.ProfileBlock (--profile-block): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.ProfileCPU (--profile-cpu): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.ProfileGCInterval (--profile-gc-interval): 0s
D0111 13:12:41.804372 1744 config.go:491] Config.ProfileHeap (--profile-heap): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.ProfileMutex (--profile-mutex): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.TraceFile (--trace): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.NumNetworkChannels (--num-network-channels): 1
D0111 13:12:41.804372 1744 config.go:491] Config.NetworkProcessorsPerChannel (--network-processors-per-channel): 0
D0111 13:12:41.804372 1744 config.go:491] Config.Rootless (--rootless): false
D0111 13:12:41.804372 1744 config.go:491] Config.AlsoLogToStderr (--alsologtostderr): false
D0111 13:12:41.804372 1744 config.go:491] Config.ReferenceLeak (--ref-leak-mode): disabled
D0111 13:12:41.804372 1744 config.go:491] Config.CPUNumFromQuota (--cpu-num-from-quota): true
D0111 13:12:41.804372 1744 config.go:491] Config.AllowFlagOverride (--allow-flag-override): false
D0111 13:12:41.804372 1744 config.go:491] Config.OCISeccomp (--oci-seccomp): false
D0111 13:12:41.804372 1744 config.go:491] Config.IgnoreCgroups (--ignore-cgroups): false
D0111 13:12:41.804372 1744 config.go:491] Config.SystemdCgroup (--systemd-cgroup): true
D0111 13:12:41.804372 1744 config.go:491] Config.PodInitConfig (--pod-init-config): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.BufferPooling (--buffer-pooling): true
D0111 13:12:41.804372 1744 config.go:491] Config.XDP (--EXPERIMENTAL-xdp): {0 }
D0111 13:12:41.804372 1744 config.go:491] Config.AFXDPUseNeedWakeup (--EXPERIMENTAL-xdp-need-wakeup): true
D0111 13:12:41.804372 1744 config.go:491] Config.FDLimit (--fdlimit): -1
D0111 13:12:41.804372 1744 config.go:491] Config.DCache (--dcache): -1
D0111 13:12:41.804372 1744 config.go:491] Config.IOUring (--iouring): false
D0111 13:12:41.804372 1744 config.go:491] Config.DirectFS (--directfs): true
D0111 13:12:41.804372 1744 config.go:491] Config.AppHugePages (--app-huge-pages): true
D0111 13:12:41.804372 1744 config.go:491] Config.NVProxy (--nvproxy): false
D0111 13:12:41.804372 1744 config.go:491] Config.NVProxyDocker (--nvproxy-docker): false
D0111 13:12:41.804372 1744 config.go:491] Config.NVProxyDriverVersion (--nvproxy-driver-version): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.NVProxyAllowedDriverCapabilities (--nvproxy-allowed-driver-capabilities): utility,compute
D0111 13:12:41.804372 1744 config.go:491] Config.TPUProxy (--tpuproxy): false
D0111 13:12:41.804372 1744 config.go:491] Config.TestOnlyAllowRunAsCurrentUserWithoutChroot (--TESTONLY-unsafe-nonroot): false
D0111 13:12:41.804372 1744 config.go:491] Config.TestOnlyTestNameEnv (--TESTONLY-test-name-env): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.TestOnlyAFSSyscallPanic (--TESTONLY-afs-syscall-panic): false
D0111 13:12:41.804372 1744 config.go:493] Config.explicitlySet: <map[string]struct {} Value> (unexported)
D0111 13:12:41.804372 1744 config.go:491] Config.ReproduceNAT (--reproduce-nat): false
D0111 13:12:41.804372 1744 config.go:491] Config.ReproduceNftables (--reproduce-nftables): false
D0111 13:12:41.804372 1744 config.go:491] Config.NetDisconnectOk (--net-disconnect-ok): true
D0111 13:12:41.804372 1744 config.go:491] Config.TestOnlyAutosaveImagePath (--TESTONLY-autosave-image-path): (empty)
D0111 13:12:41.804372 1744 config.go:491] Config.TestOnlyAutosaveResume (--TESTONLY-autosave-resume): false
D0111 13:12:41.804372 1744 config.go:491] Config.RestoreSpecValidation (--restore-spec-validation): enforce
D0111 13:12:41.804372 1744 config.go:491] Config.GVisorMarkerFile (--gvisor-marker-file): false
D0111 13:12:41.804372 1744 config.go:491] Config.SystrapDisableSyscallPatching (--systrap-disable-syscall-patching): false
D0111 13:12:41.804372 1744 config.go:491] Config.SaveRestoreNetstack (--save-restore-netstack): true
D0111 13:12:41.804372 1744 config.go:491] Config.Nftables (--TESTONLY-nftables): false
D0111 13:12:41.804372 1744 config.go:491] Config.AllowSUID (--allow-suid): false
D0111 13:12:41.804372 1744 config.go:491] Config.UseCPUNums (--kvm-use-cpu-nums): false
D0111 13:12:41.804372 1744 cli.go:210] Go started execution at 13:12:41.804372. Could not measure process spawn time (no /proc/self/status?)
I0111 13:12:41.804372 1744 cli.go:215] **************** gVisor ****************
D0111 13:12:41.805375 1744 specutils.go:114] Spec:
{
"ociVersion": "1.2.1",
"process": {
"user": {
"uid": 0,
"gid": 0,
"additionalGids": [
0
]
},
"args": [
"/hello"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=cdb3c5ae68ca"
],
"cwd": "/",
"capabilities": {
"bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
},
"oomScoreAdj": 0
},
"root": {
"path": "/var/lib/docker/overlay2/614e24e4a2bd2d58ff0654d692d6d57f718f19026005dd85e3e5a72a85bb0722/merged"
},
"hostname": "cdb3c5ae68ca",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/proc",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/cgroup",
"options": [
"ro",
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/shm",
"options": [
"nosuid",
"noexec",
"nodev",
"mode=1777",
"size=67108864"
]
},
{
"destination": "/etc/resolv.conf",
"type": "bind",
"source": "/var/lib/docker/containers/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/resolv.conf",
"options": [
"rbind",
"rprivate"
]
},
{
"destination": "/etc/hostname",
"type": "bind",
"source": "/var/lib/docker/containers/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/hostname",
"options": [
"rbind",
"rprivate"
]
},
{
"destination": "/etc/hosts",
"type": "bind",
"source": "/var/lib/docker/containers/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/hosts",
"options": [
"rbind",
"rprivate"
]
}
],
"linux": {
"sysctl": {
"net.ipv4.ip_unprivileged_port_start": "0",
"net.ipv4.ping_group_range": "0 2147483647"
},
"resources": {
"blockIO": {}
},
"cgroupsPath": "system.slice:docker:cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744",
"namespaces": [
{
"type": "mount"
},
{
"type": "network"
},
{
"type": "uts"
},
{
"type": "pid"
},
{
"type": "ipc"
},
{
"type": "cgroup"
}
]
}
}
D0111 13:12:41.805375 1744 container.go:201] Create container, cid: cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744, rootDir: "/var/run/docker/runtime-runc/moby"
D0111 13:12:41.805375 1744 container.go:1914] Configuring container with a new userns with identity user mappings into current userns
D0111 13:12:41.805375 1744 container.go:1970] UID Mappings:
D0111 13:12:41.805375 1744 container.go:1972] Container ID: 0, Host ID: 0, Range Length: 4294967295
D0111 13:12:41.805375 1744 container.go:1970] GID Mappings:
D0111 13:12:41.805375 1744 container.go:1972] Container ID: 0, Host ID: 0, Range Length: 4294967295
D0111 13:12:41.805375 1744 container.go:266] Creating new sandbox for container, cid: cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744
D0111 13:12:41.808384 1744 cgroup.go:427] New cgroup for pid: self, *cgroup.cgroupSystemd: &{cgroupV2:{Mountpoint:/sys/fs/cgroup Path:/system.slice/docker-cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744.scope Controllers:[cpuset cpu io memory pids] Own:[]} Name:cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744 Parent:system.slice ScopePrefix:docker properties:[] dbusConn:0xc0000c8680}
D0111 13:12:41.808384 1744 systemd.go:98] Installing systemd cgroup resource controller under system.slice
D0111 13:12:41.808384 1744 systemd.go:154] Joining systemd cgroup docker-cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744.scope
I0111 13:12:41.813246 1744 namespace.go:198] Mapping host uid 0 to container uid 0 (size=4294967295)
I0111 13:12:41.813259 1744 namespace.go:206] Mapping host gid 0 to container gid 0 (size=4294967295)
D0111 13:12:41.813267 1744 donation.go:32] Donating FD 3: "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/log.json"
D0111 13:12:41.813272 1744 donation.go:32] Donating FD 4: "/tmp/runsc-logs/runsc.log.20260111-131241.804372.gofer.txt"
D0111 13:12:41.813274 1744 donation.go:32] Donating FD 5: "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/config.json"
D0111 13:12:41.813277 1744 donation.go:32] Donating FD 6: "|1"
D0111 13:12:41.813279 1744 donation.go:32] Donating FD 7: "gofer-rpc"
D0111 13:12:41.813281 1744 donation.go:32] Donating FD 8: "gofer IO FD"
D0111 13:12:41.813283 1744 donation.go:32] Donating FD 9: "gofer IO FD"
D0111 13:12:41.813285 1744 donation.go:32] Donating FD 10: "gofer IO FD"
D0111 13:12:41.813287 1744 donation.go:32] Donating FD 11: "gofer IO FD"
D0111 13:12:41.813288 1744 donation.go:32] Donating FD 12: "chroot sync gofer FD"
D0111 13:12:41.813290 1744 container.go:1485] Starting gofer: /proc/self/exe [runsc-gofer --debug-log=/tmp/runsc-logs/ --systemd-cgroup=true --root=/var/run/docker/runtime-runc/moby --debug=true --log=/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/log.json --log-format=json --log-fd=3 --debug-log-fd=4 gofer --bundle /run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744 --gofer-mount-confs=lisafs:self,lisafs:none,lisafs:none,lisafs:none --spec-fd=5 --mounts-fd=6 --rpc-fd=7 --io-fds=8 --io-fds=9 --io-fds=10 --io-fds=11 --sync-chroot-fd=12]
I0111 13:12:41.815664 1744 container.go:1489] Gofer started, PID: 1756
D0111 13:12:41.815855 1744 container.go:1106] Created filestore file at "/proc/1756/root/var/lib/docker/overlay2/614e24e4a2bd2d58ff0654d692d6d57f718f19026005dd85e3e5a72a85bb0722/merged/.gvisor.filestore.cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744" for mount source "/var/lib/docker/overlay2/614e24e4a2bd2d58ff0654d692d6d57f718f19026005dd85e3e5a72a85bb0722/merged"
D0111 13:12:41.815944 1744 urpc.go:422] urpc: registering client with FD 20
D0111 13:12:41.816086 1744 sandbox.go:96] Attempting to create socket file "/var/run/docker/runtime-runc/moby/runsc-cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744.sock"
D0111 13:12:41.816113 1744 sandbox.go:99] Using socket file "/var/run/docker/runtime-runc/moby/runsc-cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744.sock"
I0111 13:12:41.816118 1744 sandbox.go:967] Control socket path: "/var/run/docker/runtime-runc/moby/runsc-cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744.sock"
I0111 13:12:41.816142 1744 sandbox.go:1018] Sandbox will be started in new mount, IPC and UTS namespaces
I0111 13:12:41.816152 1744 sandbox.go:1038] Sandbox will be started in the container's network namespace: {Type:network Path:}
I0111 13:12:41.816168 1744 sandbox.go:1060] Sandbox will be started in container's user namespace: {Type:user Path:}
I0111 13:12:41.816184 1744 namespace.go:198] Mapping host uid 0 to container uid 0 (size=4294967295)
I0111 13:12:41.816189 1744 namespace.go:206] Mapping host gid 0 to container gid 0 (size=4294967295)
I0111 13:12:41.816221 1744 sandbox.go:1097] Sandbox will be started in minimal chroot
D0111 13:12:41.816238 1744 sandbox.go:1824] Changing "/dev/stdin" ownership to 0/0
D0111 13:12:41.816244 1744 sandbox.go:1824] Changing "/dev/stdout" ownership to 0/0
D0111 13:12:41.816249 1744 sandbox.go:1824] Changing "/dev/stderr" ownership to 0/0
D0111 13:12:41.816333 1744 donation.go:32] Donating FD 3: "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/log.json"
D0111 13:12:41.816340 1744 donation.go:32] Donating FD 4: "/tmp/runsc-logs/runsc.log.20260111-131241.804372.boot.txt"
D0111 13:12:41.816343 1744 donation.go:32] Donating FD 5: "sandbox IO FD"
D0111 13:12:41.816345 1744 donation.go:32] Donating FD 6: "sandbox IO FD"
D0111 13:12:41.816347 1744 donation.go:32] Donating FD 7: "sandbox IO FD"
D0111 13:12:41.816349 1744 donation.go:32] Donating FD 8: "sandbox IO FD"
D0111 13:12:41.816351 1744 donation.go:32] Donating FD 9: "/proc/1756/root/var/lib/docker/overlay2/614e24e4a2bd2d58ff0654d692d6d57f718f19026005dd85e3e5a72a85bb0722/merged/.gvisor.filestore.cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744"
D0111 13:12:41.816359 1744 donation.go:32] Donating FD 10: "|0"
D0111 13:12:41.816361 1744 donation.go:32] Donating FD 11: "|1"
D0111 13:12:41.816363 1744 donation.go:32] Donating FD 12: "control_server_socket"
D0111 13:12:41.816365 1744 donation.go:32] Donating FD 13: "/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/config.json"
D0111 13:12:41.816368 1744 donation.go:32] Donating FD 14: "/dev/stdin"
D0111 13:12:41.816370 1744 donation.go:32] Donating FD 15: "/dev/stdout"
D0111 13:12:41.816372 1744 donation.go:32] Donating FD 16: "/dev/stderr"
D0111 13:12:41.816374 1744 sandbox.go:1294] Starting sandbox: /proc/self/exe [runsc-sandbox --debug-log=/tmp/runsc-logs/ --systemd-cgroup=true --root=/var/run/docker/runtime-runc/moby --debug=true --log=/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/log.json --log-format=json --log-fd=3 --debug-log-fd=4 boot --bundle=/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744 --gofer-mount-confs=lisafs:self,lisafs:none,lisafs:none,lisafs:none --apply-caps=true --setup-root --total-host-memory 16827731968 --cpu-num 12 --total-memory 16827731968 --io-fds=5 --io-fds=6 --io-fds=7 --io-fds=8 --dev-io-fd=-1 --gofer-filestore-fds=9 --mounts-fd=10 --start-sync-fd=11 --controller-fd=12 --spec-fd=13 --stdio-fds=14 --stdio-fds=15 --stdio-fds=16 cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744]
D0111 13:12:41.816394 1744 sandbox.go:1295] SysProcAttr: &{Chroot: Credential:0xc0002109c0 Ptrace:false Setsid:true Setpgid:false Setctty:false Noctty:false Ctty:0 Foreground:false Pgid:0 Pdeathsig:signal 0 Cloneflags:0 Unshareflags:0 UidMappings:[{ContainerID:0 HostID:0 Size:4294967295}] GidMappings:[{ContainerID:0 HostID:0 Size:4294967295}] GidMappingsEnableSetgroups:false AmbientCaps:[] UseCgroupFD:false CgroupFD:0 PidFD:<nil>}
I0111 13:12:41.818026 1744 sandbox.go:1323] Sandbox started, PID: 1762
D0111 13:12:41.831846 1744 urpc.go:433] urpc: unregistering client with FD 20
D0111 13:12:41.836396 1744 sandbox.go:1441] Destroying sandbox "cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744"
D0111 13:12:41.836487 1744 sandbox.go:1451] Killing sandbox "cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744"
D0111 13:12:41.836565 1744 cgroup_v2.go:176] Deleting cgroup "/sys/fs/cgroup/system.slice/docker-cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744.scope"
D0111 13:12:41.836603 1744 container.go:809] Destroy container, cid: cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744
D0111 13:12:41.836686 1744 container.go:1171] Killing gofer for container, cid: cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744, PID: 1756
W0111 13:12:41.837475 1744 util.go:64] FATAL ERROR: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF
W0111 13:12:41.837475 1744 cli.go:244] Failure to execute command, err: 1
---- runsc.log.20260111-131241.804372.boot.txt ----
I0111 13:12:41.828446 1 cli.go:203] **************** gVisor ****************
I0111 13:12:41.828446 1 cli.go:204] Version release-20260105.0, go1.24.1, amd64, 12 CPUs, linux, PID 1, PPID 0, UID 0, GID 0
D0111 13:12:41.828446 1 cli.go:205] Page size: 0x1000 (4096 bytes)
I0111 13:12:41.828446 1 cli.go:206] Args: [runsc-sandbox --debug-log=/tmp/runsc-logs/ --systemd-cgroup=true --root=/var/run/docker/runtime-runc/moby --debug=true --log=/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/log.json --log-format=json --log-fd=3 --debug-log-fd=4 boot --bundle=/run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744 --gofer-mount-confs=lisafs:self,lisafs:none,lisafs:none,lisafs:none --apply-caps=true --setup-root --total-host-memory 16827731968 --cpu-num 12 --total-memory 16827731968 --io-fds=5 --io-fds=6 --io-fds=7 --io-fds=8 --dev-io-fd=-1 --gofer-filestore-fds=9 --mounts-fd=10 --start-sync-fd=11 --controller-fd=12 --spec-fd=13 --stdio-fds=14 --stdio-fds=15 --stdio-fds=16 cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744]
I0111 13:12:41.828446 1 config.go:464] Platform: systrap
I0111 13:12:41.828446 1 config.go:465] RootDir: /var/run/docker/runtime-runc/moby
I0111 13:12:41.828446 1 config.go:466] FileAccess: exclusive / Directfs: true / Overlay: root:self
I0111 13:12:41.828446 1 config.go:467] Network: sandbox
I0111 13:12:41.828446 1 config.go:468] UseCPUNums: false
I0111 13:12:41.828446 1 config.go:470] Debug: true. Strace: false, max size: 1024, syscalls:
W0111 13:12:41.828446 1 config.go:473] --allow-suid is disabled, SUID/SGID bits on executables will be ignored.
D0111 13:12:41.828446 1 config.go:491] Config.RootDir (--root): /var/run/docker/runtime-runc/moby
D0111 13:12:41.828446 1 config.go:491] Config.Traceback (--traceback): system
D0111 13:12:41.828446 1 config.go:491] Config.Debug (--debug): true
D0111 13:12:41.828446 1 config.go:491] Config.LogFilename (--log): /run/containerd/io.containerd.runtime.v2.task/moby/cdb3c5ae68ca86e9fc983dafc3537d4ce553a13cfd2fea95a7b48b32185b0744/log.json
D0111 13:12:41.828446 1 config.go:491] Config.LogFormat (--log-format): json
D0111 13:12:41.828446 1 config.go:491] Config.DebugLog (--debug-log): /tmp/runsc-logs/
D0111 13:12:41.828446 1 config.go:491] Config.DebugToUserLog (--debug-to-user-log): false
D0111 13:12:41.828446 1 config.go:491] Config.DebugCommand (--debug-command): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.PanicLog (--panic-log): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.CoverageReport (--coverage-report): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.DebugLogFormat (--debug-log-format): text
D0111 13:12:41.828446 1 config.go:491] Config.FileAccess (--file-access): exclusive
D0111 13:12:41.828446 1 config.go:491] Config.FileAccessMounts (--file-access-mounts): shared
D0111 13:12:41.828446 1 config.go:491] Config.Overlay (--overlay): false
D0111 13:12:41.828446 1 config.go:491] Config.Overlay2 (--overlay2): root:self
D0111 13:12:41.828446 1 config.go:491] Config.FSGoferHostUDS (--fsgofer-host-uds): false
D0111 13:12:41.828446 1 config.go:491] Config.HostUDS (--host-uds): none
D0111 13:12:41.828446 1 config.go:491] Config.HostFifo (--host-fifo): none
D0111 13:12:41.828446 1 config.go:491] Config.HostSettings (--host-settings): check
D0111 13:12:41.828446 1 config.go:491] Config.Network (--network): sandbox
D0111 13:12:41.828446 1 config.go:491] Config.EnableRaw (--net-raw): false
D0111 13:12:41.828446 1 config.go:491] Config.AllowPacketEndpointWrite (--allow-packet-socket-write): false
D0111 13:12:41.828446 1 config.go:491] Config.HostGSO (--gso): true
D0111 13:12:41.828446 1 config.go:491] Config.GVisorGSO (--software-gso): true
D0111 13:12:41.828446 1 config.go:491] Config.GVisorGRO (--gvisor-gro): false
D0111 13:12:41.828446 1 config.go:491] Config.TXChecksumOffload (--tx-checksum-offload): false
D0111 13:12:41.828446 1 config.go:491] Config.RXChecksumOffload (--rx-checksum-offload): true
D0111 13:12:41.828446 1 config.go:491] Config.QDisc (--qdisc): fifo
D0111 13:12:41.828446 1 config.go:491] Config.LogPackets (--log-packets): false
D0111 13:12:41.828446 1 config.go:491] Config.PCAP (--pcap-log): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.Platform (--platform): systrap
D0111 13:12:41.828446 1 config.go:491] Config.PlatformDevicePath (--platform_device_path): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.MetricServer (--metric-server): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.FinalMetricsLog (--final-metrics-log): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.ProfilingMetrics (--profiling-metrics): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.ProfilingMetricsLog (--profiling-metrics-log): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.ProfilingMetricsRate (--profiling-metrics-rate-us): 1000
D0111 13:12:41.828446 1 config.go:491] Config.Strace (--strace): false
D0111 13:12:41.828446 1 config.go:491] Config.StraceSyscalls (--strace-syscalls): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.StraceLogSize (--strace-log-size): 1024
D0111 13:12:41.828446 1 config.go:491] Config.StraceEvent (--strace-event): false
D0111 13:12:41.828446 1 config.go:493] Config.DisableSeccomp: false
D0111 13:12:41.828446 1 config.go:491] Config.EnableCoreTags (--enable-core-tags): false
D0111 13:12:41.828446 1 config.go:491] Config.WatchdogAction (--watchdog-action): log
D0111 13:12:41.828446 1 config.go:491] Config.PanicSignal (--panic-signal): -1
D0111 13:12:41.828446 1 config.go:491] Config.ProfileEnable (--profile): false
D0111 13:12:41.828446 1 config.go:491] Config.ProfileBlock (--profile-block): (empty)
D0111 13:12:41.828446 1 config.go:491] Config.ProfileCPU (--profile-cpu): (empty)
D0111 13:12:41.829450 1 config.go:491] Config.ProfileGCInterval (--profile-gc-interval): 0s
D0111 13:12:41.829450 1 config.go:491] Config.ProfileHeap (--profile-heap): (empty)
D0111 13:12:41.829450 1 config.go:491] Config.ProfileMutex (--profile-mutex): (empty)
D0111 13:12:41.829450 1 config.go:491] Config.TraceFile (--trace): (empty)
D0111 13:12:41.829450 1 config.go:491] Config.NumNetworkChannels (--num-network-channels): 1
D0111 13:12:41.829450 1 config.go:491] Config.NetworkProcessorsPerChannel (--network-processors-per-channel): 0
D0111 13:12:41.829450 1 config.go:491] Config.Rootless (--rootless): false
D0111 13:12:41.829450 1 config.go:491] Config.AlsoLogToStderr (--alsologtostderr): false
D0111 13:12:41.829450 1 config.go:491] Config.ReferenceLeak (--ref-leak-mode): disabled
D0111 13:12:41.829450 1 config.go:491] Config.CPUNumFromQuota (--cpu-num-from-quota): true
D0111 13:12:41.829450 1 config.go:491] Config.AllowFlagOverride (--allow-flag-override): false
D0111 13:12:41.829450 1 config.go:491] Config.OCISeccomp (--oci-seccomp): false
D0111 13:12:41.829450 1 config.go:491] Config.IgnoreCgroups (--ignore-cgroups): false
D0111 13:12:41.829450 1 config.go:491] Config.SystemdCgroup (--systemd-cgroup): true
D0111 13:12:41.829450 1 config.go:491] Config.PodInitConfig (--pod-init-config): (empty)
D0111 13:12:41.829450 1 config.go:491] Config.BufferPooling (--buffer-pooling): true
D0111 13:12:41.829450 1 config.go:491] Config.XDP (--EXPERIMENTAL-xdp): {0 }
D0111 13:12:41.829450 1 config.go:491] Config.AFXDPUseNeedWakeup (--EXPERIMENTAL-xdp-need-wakeup): true
D0111 13:12:41.829450 1 config.go:491] Config.FDLimit (--fdlimit): -1
D0111 13:12:41.829450 1 config.go:491] Config.DCache (--dcache): -1
D0111 13:12:41.829450 1 config.go:491] Config.IOUring (--iouring): false
D0111 13:12:41.829450 1 config.go:491] Config.DirectFS (--directfs): true
D0111 13:12:41.829450 1 config.go:491] Config.AppHugePages (--app-huge-pages): true
D0111 13:12:41.829450 1 config.go:491] Config.NVProxy (--nvproxy): false
D0111 13:12:41.829450 1 config.go:491] Config.NVProxyDocker (--nvproxy-docker): false
D0111 13:12:41.829450 1 config.go:491] Config.NVProxyDriverVersion (--nvproxy-driver-version): (empty)
D0111 13:12:41.829450 1 config.go:491] Config.NVProxyAllowedDriverCapabilities (--nvproxy-allowed-driver-capabilities): utility,compute
D0111 13:12:41.829450 1 config.go:491] Config.TPUProxy (--tpuproxy): false
D0111 13:12:41.829450 1 config.go:491] Config.TestOnlyAllowRunAsCurrentUserWithoutChroot (--TESTONLY-unsafe-nonroot): false
D0111 13:12:41.829450 1 config.go:491] Config.TestOnlyTestNameEnv (--TESTONLY-test-name-env): (empty)
D0111 13:12:41.829450 1 config.go:491] Config.TestOnlyAFSSyscallPanic (--TESTONLY-afs-syscall-panic): false
D0111 13:12:41.829450 1 config.go:493] Config.explicitlySet: <map[string]struct {} Value> (unexported)
D0111 13:12:41.829450 1 config.go:491] Config.ReproduceNAT (--reproduce-nat): false
D0111 13:12:41.829450 1 config.go:491] Config.ReproduceNftables (--reproduce-nftables): false
D0111 13:12:41.829450 1 config.go:491] Config.NetDisconnectOk (--net-disconnect-ok): true
D0111 13:12:41.829450 1 config.go:491] Config.TestOnlyAutosaveImagePath (--TESTONLY-autosave-image-path): (empty)
D0111 13:12:41.829450 1 config.go:491] Config.TestOnlyAutosaveResume (--TESTONLY-autosave-resume): false
D0111 13:12:41.829450 1 config.go:491] Config.RestoreSpecValidation (--restore-spec-validation): enforce
D0111 13:12:41.829450 1 config.go:491] Config.GVisorMarkerFile (--gvisor-marker-file): false
D0111 13:12:41.829450 1 config.go:491] Config.SystrapDisableSyscallPatching (--systrap-disable-syscall-patching): false
D0111 13:12:41.829450 1 config.go:491] Config.SaveRestoreNetstack (--save-restore-netstack): true
D0111 13:12:41.829450 1 config.go:491] Config.Nftables (--TESTONLY-nftables): false
D0111 13:12:41.829450 1 config.go:491] Config.AllowSUID (--allow-suid): false
D0111 13:12:41.829450 1 config.go:491] Config.UseCPUNums (--kvm-use-cpu-nums): false
D0111 13:12:41.829450 1 cli.go:212] runsc process spawned at 13:12:41.828446, Go started execution at 13:12:41.827443. Startup overhead: -1.003117ms
I0111 13:12:41.829450 1 cli.go:215] **************** gVisor ****************
W0111 13:12:41.832459 1 boot.go:288] Not setting product_name: open /sys/devices/virtual/dmi/id/product_name: no such file or directory
I0111 13:12:41.832459 1 boot.go:302] Setting host-thp-shmem-enabled: "never"
I0111 13:12:41.832459 1 boot.go:312] Setting host-thp-defrag: "madvise"
I0111 13:12:41.833462 1 chroot.go:162] Setting up sandbox chroot in "/tmp"
W0111 13:12:41.833462 1 util.go:64] FATAL ERROR: error setting up chroot: error mounting tmpfs in chroot: failed to safely mount: expected to open /tmp, but found /realtmp
error setting up chroot: error mounting tmpfs in chroot: failed to safely mount: expected to open /tmp, but found /realtmp