Can't start container after system upgrade due to permission error #1414
Comments
Running the container with |
Not always, but it might be necessary depending on your options. A quick search finds containers/podman#2123 with podman if you are using that. I'm very much against running privileged (unless needed, for example by fail2ban) so if this needs changes I'm all for them. I'm running on a modern system without privileged though. |
I'm running docker. |
These are my settings:
I use |
Not 100% sure but I think you need privileged for fail2ban. It makes sense as you need to modify the firewall rules and they apply to the host as well. Doing that is certainly a root operation. If you like you can try without fail2ban and without network_mode temporarily to see if you still need privileged without them. |
I've disabled fail2ban but it has no effect. If you check the single stacktrace log I get in the former report, it happens with FWIW, I've disabled fail2ban for the moment as I think it doesn't make sense running bundled in the container while it's serving through a VPN with port forwarding. |
See TelegramMessenger/MTProxy#7. They have two better solutions than using privileged:
Not sure why this hits you specifically, I haven't seen it. May be related to Arch Linux or to your configuration (kernel settings). Anyway, test the changes above and see if one of them helps! |
@erik-wramner thx for the support. Sadly I had already tried SYS_RESOURCE as reported initially and it didn't work, I just tried it again while setting |
Right. I don't know what |
I won't negate that running it on Arch Linux on 64bit ARMv8 is quite exotic :) I may be the only one running this setup as that thread talks mostly about ARMv7 on standard Raspbian (Debian for RPi). |
OK, this is the test bench:
This makes me have a strong suspicion (like 90%) that this is a bug in an old version of Python, on this environment, similar to this. The three main reasons to think this is the cause are:
I think the solution here is that docker-mailserver needs to eventually have these deps upgraded to solve the problem. |
Have you checked the Unfortunately I can't manage our Docker builds, so I'm stuck with |
I have not, but want to. I'm almost certain it will evade this issue (unless it's still using the same python version). The only thing that stops me from doing that is whether I'll be missing any of the features I rely on in the current version. Can you say whether there will be something missing given my configuration above? Some tool that isn't working? |
The only thing I know to be absent in the new version is filebeat. That should be handled by an external container (simply mount the same logs folder in both). The ripole program is unfortunately gone as well, which means amavis can't handle ancient OLE2 .doc files (unless there is another mechanism for that, not sure). |
Okay. I already build filebeat separately in current version. I will try the |
Is it worth having filebeat running in another docker instance instead of building it and running in the same instance? I was running it fine before in the same instance while building it from sources. |
Given the |
I'd rather focus on getting the next release stable and getting it out. Or getting it out and then getting it stable (the latest branch is assumed to be less stable than the stable branch after all). |
Note was not much about stability but more about concerning users in case you were open to rewrite. |
Anyway, I've picked buster changes customized in a single commit, they're ready, but I'm going to build it next week, b/c I'll get better broadband speed. Docker builds are not great on medium broadband. |
I have built my AArch64 buster image, and confirming, this indeed gets fixed there. |
Context
Today I upgraded my host system (it's an Arch Linux on ARM64 RPi3), it upgraded the kernel (to 5.5.6) and other stuff, this generally has not been an issue at all, but today after that I couldn't start the docker-mailserver anymore, it exits with this error:
I tried to add - ALL, - SYS_RESOURCE, etc. to cap_add in docker-compose.yml, to check whether it was due to any new capability I needed to list, but it didn't help.
Expected Behavior
The container to start.
Actual Behavior
Container doesn't start due to permission error with getrlimit for RLIMIT_NOFILE.
Steps to Reproduce
Your Environment