centos7 with docker 1.12.6

[yubinhong]

I replace the docker-runc , and then restart the docker daemon.It throw a exception when start a container.There is the error:
Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:245: running exec setns process for init caused \"exit status 19\""\n"

[ghost]

centos7 with docker-ce-17.09.1 get the same error when start a container:

Error response from daemon: oci runtime error: container_linux.go:265: starting container process caused "process_linux.go:270: running exec setns process for init caused "exit status 17""

[ibuildthecloud]

@yubinhong @aeiougo Can you share you specific kernel version which binary you downloaded build1, build2, or build3 and whether you used the no-memfd_create binary or not? Linux 3.x that don't have the memfd_create syscall must use the no-memfd_create binaries from build3.

[yubinhong]

@yubinhong @aeiougo Can you share you specific kernel version which binary you downloaded build1, build2, or build3 and whether you used the no-memfd_create binary or not? Linux 3.x that don't have the memfd_create syscall must use the no-memfd_create binaries from build3.

The kernel version is 3.10.0-862.3.2.el7.x86_64 and i use the runc-v1.12.6-amd64-no-memfd_create binary.

[ghost]

@yubinhong @aeiougo Can you share you specific kernel version which binary you downloaded build1, build2, or build3 and whether you used the no-memfd_create binary or not? Linux 3.x that don't have the memfd_create syscall must use the no-memfd_create binaries from build3.

kernel: 3.10.0-327.el7.x86_64
runc: runc-v17.09.1-arm64-no-memfd_create (build3)

when i used conmand docker logs containers, get this error:
nsenter: could not ensure we are a cloned binary: Is a directory
container_linux.go:265: starting container process caused "process_linux.go:270: running exec setns process for init caused "exit status 17""

[niusmallnan]

@yubinhong @aeiougo
Looks like you are using RHEL/CentOS kernel.
They have backported memfd to the 3.x kernel, so I think you should use the memfd_create binaries.

[ghost]

@yubinhong @aeiougo
Looks like you are using RHEL/CentOS kernel.
They have backported memfd to the 3.x kernel, so I think you should use the memfd_create binaries.

I tried, but it didn't work.

[niusmallnan]

I try it on GCP, it can work:

[root@centos-run-cve niusmallnan]# docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 1.12.6
Storage Driver: devicemapper
...
Kernel Version: 3.10.0-957.5.1.el7.x86_64
...


[root@centos-run-cve niusmallnan]# curl -sL -o runc-v1.12.6-amd64  https://github.com/rancher/runc-cve/releases/download/CVE-2019-5736-build3/runc-v1.12.6-amd64
[root@centos-run-cve niusmallnan]# chmod +x runc-v1.12.6-amd64
[root@centos-run-cve niusmallnan]# mv /bin/docker-runc /bin/docker-runc.orig
[root@centos-run-cve niusmallnan]# cp runc-v1.12.6-amd64 /bin/docker-runc

[root@centos-run-cve niusmallnan]# docker-runc --version
runc version 1.0.0-rc2
commit: 20c0351ba557183e6b54075e862f20a07f50aad3
spec: 1.0.0-rc2-dev

[root@centos-run-cve niusmallnan]# docker run -it --rm alpine
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
6c40cc604d8e: Pull complete
Digest: sha256:b3dbf31b77fd99d9c08f780ce6f5282aba076d70a513a8be859d8d3a4d0c92b8
Status: Downloaded newer image for alpine:latest
/ #
/ # exit

[ghost]

I tested on centos7.1/7.2/7.4/7.5, only centos7.5 worked.
It seems that the kernel does not support, But for some reason, the kernel cannot be upgraded.

[chadswen]

Had the same issue on RHEL 7.4 but not on RHEL 7.5. Seems like it might be related to O_TMPFILE issues on RHEL 7.4. If so, this upstream PR should address it opencontainers/runc#1984