Description
Well. Sorta. I expect it's similar to #311, where there's some quirk in something that rootless docker expects that gvisor isn't doing.
This daemon.json configuration works for me -- but it includes the --TESTONLY-unsafe-nonroot flag, which seems undesirable?
{
  "runtimes": {
    "runsc": {
      "path": "/path/to/gvisor/runsc/runsc",
      "runtimeArgs": [
        "--ignore-cgroups",
        "--TESTONLY-unsafe-nonroot"
      ]
    }
  }
}
When that flag isn't included, I get errors like:
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF
I tried using --privileged and that didn't fix it.
I asked Claude to diagnose this, and it seems to think that /proc/self/exe isn't valid for some reason - there's an error message in the debug log, `FATAL ERROR: error executing umounter: fork/exec /proc/self/exe: no such file or directory error executing umounter: fork/exec /proc/self/exe: no such file or directory`, when it's setting up the chroot. Claude thinks that docker is copying the runsc runtime binary to a temporary location.
I'm mostly ok with using the test flag, since it's probably already in a namespace anyways. But maybe this flag does other things that make it a bad idea?
#4371 seems relevant too -- but it feels like the users at the end of that issue are basically just asking for the --TESTONLY-unsafe-nonroot flag?
Steps to reproduce
Install rootless docker. Modify daemon.json. Run container.
runsc version
Built with `0bd9aedd142c213b4c718156e1e1c6e68c91a17c`
docker version (if using docker)
29.1.3
uname
5.15.0-131-fips #141+fips1-Ubuntu SMP Wed Jan 15 17:31:27 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
kubectl (if using Kubernetes)
repo state (if built from source)
release-20260126.0-14150-g0bd9aedd1
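Because the workaround above relies on a flag whose name marks it as test-only, an operator rolling this out may want a quick way to spot such flags in a Docker daemon configuration before they reach production hosts. The following audit script is an added example, not code from this issue or from the gVisor or Docker projects; it assumes the daemon.json layout shown above (a `runtimes` map whose entries carry `path` and `runtimeArgs`) and treats any runsc flag beginning with `--TESTONLY-` as a finding, using the flag from this issue as its constructed sample input.

```python
"""Audit a Docker daemon.json for runsc runtimes configured with test-only flags.

Added example: reports every configured runtime whose runtimeArgs include a
flag in the --TESTONLY- namespace, so the workaround from this issue can be
detected in config review rather than discovered on a production host.
"""
import json
import sys
from typing import Dict, List

# Constructed sample input: the daemon.json from the issue, embedded as text.
SAMPLE_DAEMON_JSON = """
{
  "runtimes": {
    "runsc": {
      "path": "/path/to/gvisor/runsc/runsc",
      "runtimeArgs": ["--ignore-cgroups", "--TESTONLY-unsafe-nonroot"]
    },
    "runsc-clean": {
      "path": "/path/to/gvisor/runsc/runsc",
      "runtimeArgs": ["--ignore-cgroups"]
    }
  }
}
"""

# Assumed convention: runsc names its test-only flags with this prefix
# (the flag on this page, --TESTONLY-unsafe-nonroot, follows it).
TEST_ONLY_PREFIX = "--TESTONLY-"


def flag_name(arg: str) -> str:
    """Strip an optional '=value' suffix so '--flag=true' and '--flag' compare alike."""
    return arg.split("=", 1)[0]


def find_test_only_flags(daemon_json_text: str) -> Dict[str, List[str]]:
    """Return {runtime_name: [offending flags]} for every runtime in the config.

    Runtimes without runtimeArgs, and configs without a runtimes map, yield
    no findings rather than an error, so the check is safe on minimal files.
    """
    cfg = json.loads(daemon_json_text)
    findings: Dict[str, List[str]] = {}
    for name, runtime in cfg.get("runtimes", {}).items():
        args = runtime.get("runtimeArgs", []) if isinstance(runtime, dict) else []
        flagged = [a for a in args if flag_name(a).startswith(TEST_ONLY_PREFIX)]
        if flagged:
            findings[name] = flagged
    return findings


def format_report(findings: Dict[str, List[str]]) -> str:
    """Render findings as one line per runtime; empty string when clean."""
    return "\n".join(
        f"runtime {name!r} uses test-only flags: {', '.join(flags)}"
        for name, flags in sorted(findings.items())
    )


if __name__ == "__main__":
    # Usage: python audit_daemon_json.py [/etc/docker/daemon.json]
    # Without a path, the constructed sample above is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DAEMON_JSON
    report = format_report(find_test_only_flags(text))
    print(report or "no test-only runtime flags found")
    sys.exit(1 if report else 0)
```

The exit status makes the script usable as a gate in a config-deployment pipeline: a non-zero exit means at least one runtime still carries a test-only flag and should be reviewed before the file is shipped.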