Unable to install mirage-firewall: this version of runc doesn't work on cgroups v2


799

Aug 22, 2020, 7:51:11 PM
to qubes-users
Hello,

I'm trying to install mirage-fw with a Fedora-32 Build-AppVM and run into the following error:

OCI runtime create failed: this version of runc doesn't work on cgroups v2: unknown


Steps to reproduce:
MirageFWBuildVM=my-mirage-buildvm
TemplateVM=fedora-32
MirageFWAppVM=sys-mirage-fw

See also https://github.com/mirage/qubes-mirage-firewall

# create a new VM
qvm-create $MirageFWBuildVM --class=AppVM --label=red --template=$TemplateVM


# Resize private disk to 10 GB
qvm-volume resize $MirageFWBuildVM:private 10GB

# Create a symbolic link to save docker into the home directory
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'mkdir /home/user/docker && \
   ln -s /home/user/docker /var/lib/docker'

# Install docker and git ~2min
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'qvm-sync-clock && \
   dnf -y install docker git'

# Launch docker
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'systemctl start docker'

# Download and build mirage for qubes ~11min
qvm-run --pass-io --no-gui $MirageFWBuildVM \
  'git clone https://github.com/mirage/qubes-mirage-firewall.git'


# build mirage for qubes
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
   'cd /home/user/qubes-mirage-firewall && \
   sudo ./build-with-docker.sh'

Then I am seeing the following error:

>    sudo ./build-with-docker.sh'
Building Docker image with dependencies..
Sending build context to Docker daemon  169.5kB
Step 1/8 : FROM ocurrent/opam@sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde: Pulling from ocurrent/opam
21c83c524219: Pulling fs layer
400d4928ba6e: Pulling fs layer
0e00d6ca042c: Pulling fs layer
21c83c524219: Download complete
21c83c524219: Pull complete
400d4928ba6e: Verifying Checksum
400d4928ba6e: Download complete
0e00d6ca042c: Verifying Checksum
0e00d6ca042c: Download complete
400d4928ba6e: Pull complete
0e00d6ca042c: Pull complete
Digest: sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
Status: Downloaded newer image for ocurrent/opam@sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
 ---> 6ff4f6014607
Step 2/8 : RUN cd ~/opam-repository && git fetch origin master && git reset --hard e81ab2996896b21cba74c43a903b305a5a6341ef && opam update
 ---> Running in 32587cf55364
OCI runtime create failed: this version of runc doesn't work on cgroups v2: unknown

Any ideas how to work around this problem, or do I need to use another AppVM (fedora-30) to build mirage?

799

54th Parallel

Aug 22, 2020, 10:32:01 PM
to qubes-users
On Sunday, 23 August 2020 at 07:51:11 UTC+8 one7...@gmail.com wrote:
Hello,

I'm trying to install mirage-fw with a Fedora-32 Build-AppVM and run into the following error:

OCI runtime create failed: this version of runc doesn't work on cgroups v2: unknown
[...]
Any ideas how to work around this problem, or do I need to use another AppVM (fedora-30) to build mirage?

799

Long story short: Docker doesn't install properly on Fedora versions >30 because they have cgroups v2. While it's possible to downgrade cgroups in Fedora >30, I think it's simpler to just use fedora-30 or its minimal version. I wasn't able to get past the Docker installation step in Fedora 32 without knowing about the cgroup v2 issue, so I don't know how the first you saw of it was during the build process.
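A check worth running from dom0 before the "build mirage for qubes" step, as an added example that is not part of this thread or of the qubes-mirage-firewall project: ask the build qube what is mounted on /sys/fs/cgroup, and if it is the unified (v2) hierarchy, either go with the fedora-30 template as suggested above or revert just that qube to the legacy hierarchy through its kernelopts. The qube name is the hypothetical one used in the thread; the boot parameter systemd.unified_cgroup_hierarchy=0 is the systemd switch Fedora documents for going back to cgroups v1, and passing it through qvm-prefs kernelopts assumes the qube boots a dom0-provided kernel that honours kernelopts.

```shell
#!/bin/sh
# Added example, not from the thread or the qubes-mirage-firewall project.
# dom0 pre-flight check: find out whether the build qube runs on the
# unified cgroup (v2) hierarchy before running build-with-docker.sh there.
# Assumptions: the qube name is the hypothetical one from the thread, and
# reverting a qube to cgroups v1 means adding the systemd boot parameter
# systemd.unified_cgroup_hierarchy=0 to the kernel command line, which
# Qubes passes to the qube through its kernelopts property.

MirageFWBuildVM=my-mirage-buildvm   # hypothetical name from the thread

# Map the filesystem type mounted on /sys/fs/cgroup to a cgroup version.
# systemd mounts one cgroup2 filesystem there on the unified hierarchy
# (Fedora 31 and later); on the legacy/hybrid hierarchy (Fedora 30 and
# earlier) /sys/fs/cgroup is a tmpfs holding the per-controller mounts.
cgroup_version_from_fstype() {
    case "$1" in
        cgroup2fs) echo 2 ;;
        tmpfs)     echo 1 ;;
        *)         echo unknown ;;
    esac
}

# Ask the build qube what is mounted on /sys/fs/cgroup (starting it if
# needed); --pass-io returns the qube's stdout to dom0.
vm_cgroup_fstype() {
    qvm-run --autostart --pass-io --no-gui "$1" 'stat -fc %T /sys/fs/cgroup'
}

# Append one kernel command-line option to an existing kernelopts string,
# keeping whatever is already there (for example the default "nopat") and
# not duplicating the option if it is already present. Pure string
# function, so it can be exercised without a dom0.
add_kernelopt() {
    opts=$1
    opt=$2
    case " $opts " in
        *" $opt "*) echo "$opts" ;;
        "  ")       echo "$opt" ;;
        *)          echo "$opts $opt" ;;
    esac
}

# Report the situation and, on cgroups v2, print the two dom0 commands
# that switch this one qube back to cgroups v1 (the qube has to be
# restarted for new kernelopts to take effect). Returns 1 on v2 so the
# check can gate a build script.
preflight() {
    vm=$1
    fstype=$(vm_cgroup_fstype "$vm")
    ver=$(cgroup_version_from_fstype "$fstype")
    case "$ver" in
        1)  echo "$vm: legacy cgroup hierarchy, the docker/runc from dnf should run" ;;
        2)  newopts=$(add_kernelopt "$(qvm-prefs "$vm" kernelopts)" systemd.unified_cgroup_hierarchy=0)
            echo "$vm: unified cgroup v2 hierarchy; runc will fail with"
            echo "    'this version of runc doesn't work on cgroups v2'"
            echo "Either build on a fedora-30 template, or revert this qube to cgroups v1:"
            echo "    qvm-prefs $vm kernelopts '$newopts'"
            echo "    qvm-shutdown --wait $vm"
            return 1 ;;
        *)  echo "$vm: cannot tell (stat returned '$fstype')"; return 2 ;;
    esac
}

# Usage from dom0: sh cgroup-preflight.sh my-mirage-buildvm
# Without an argument the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

The two string functions are the part you can rely on anywhere; the qvm-run and qvm-prefs calls need a real dom0. Appending to the existing kernelopts rather than overwriting them matters because Qubes ships a non-empty default for Fedora qubes.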

799

Aug 23, 2020, 2:43:50 PM
to 54th Parallel, qubes-users
Hello,

On Sun, 23 Aug 2020 at 04:32, 54th Parallel <fiftyfour...@gmail.com> wrote:
On Sunday, 23 August 2020 at 07:51:11 UTC+8 one7...@gmail.com wrote:
[...]

I'm trying to install mirage-fw with a Fedora-32 Build-AppVM and run into the following error:
OCI runtime create failed: this version of runc doesn't work on cgroups v2: unknown
[...]
Any ideas how to work around this problem, or do I need to use another AppVM (fedora-30) to build mirage?

Long story short: Docker doesn't install properly on Fedora versions >30 because they have cgroups v2.
While it's possible to downgrade cgroups in Fedora >30, I think it's simpler to just use fedora-30 or its minimal version.

I ran into a problem installing packages in fedora-30-minimal but was successful using the fedora-30 template.
As others have requested, I would love to see it in the Qubes repositories; anyhow, happy to have it working again.
To simplify the build process, these are the steps to set up everything from dom0.

# Setup names & templates to be used.
MirageFWBuildVM=my-mirage-buildvm
TemplateVM=fedora-30
MirageFWAppVM=sys-mirage-fw

# create a new VM to build the Mirage kernel in that VM

qvm-create $MirageFWBuildVM --class=AppVM --label=red --template=$TemplateVM

# Resize private disk to 10 GB
qvm-volume resize $MirageFWBuildVM:private 10GB

# Create a symbolic link to save docker into the home directory
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'mkdir /home/user/docker && \
   ln -s /home/user/docker /var/lib/docker'

# Install docker and git ~2min
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'qvm-sync-clock && \
   dnf -y install docker git'
# Launch docker
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'systemctl start docker'

# Download and build mirage for qubes ~11min
qvm-run --pass-io --no-gui $MirageFWBuildVM \
  'git clone https://github.com/mirage/qubes-mirage-firewall.git'

# build mirage for qubes
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
   'cd /home/user/qubes-mirage-firewall && \
   sudo ./build-with-docker.sh'

# Copy the new kernel to dom0
cd /var/lib/qubes/vm-kernels
qvm-run --pass-io $MirageFWBuildVM 'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' | tar xjf -

# create a new mirage fw appvm
qvm-create \
  --property kernel=mirage-firewall \
  --property kernelopts=None \
  --property memory=32 \
  --property maxmem=32 \
  --property netvm=sys-net \
  --property provides_network=True \
  --property vcpus=1 \
  --property virt_mode=pv \
  --label=green \
  --class StandaloneVM \
  $MirageFWAppVM

# Change default NetVM to Mirage FW
qvm-start $MirageFWAppVM
qubes-prefs --set default_netvm $MirageFWAppVM

Regards.

799
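The "Copy the new kernel to dom0" step above pipes whatever the build qube emits straight into tar inside dom0's /var/lib/qubes/vm-kernels. As an added example that is not from the thread or from the qubes-mirage-firewall project, here is a dom0 script that fetches the archive to a temporary file first, lists it, and refuses to unpack it unless every member is a regular file or directory under the single top-level directory mirage-firewall, with no absolute path, no ".." component and no symlinks. The qube name is hypothetical; the expected layout (one top-level directory named after the value later given to --property kernel=) is inferred from the steps above, not verified against the project's build output, so adjust KERNEL_NAME if the tarball differs.

```shell
#!/bin/sh
# Added example, not from the thread or the qubes-mirage-firewall project.
# Check the kernel tarball coming out of the build qube before unpacking
# it into dom0's /var/lib/qubes/vm-kernels. From dom0's point of view the
# build qube is untrusted, and extracting an unchecked archive there can
# write outside the target directory (absolute or ".." members) or plant
# symlinks. Assumptions: the qube name is hypothetical; the archive is
# expected to hold a single top-level directory named like the value later
# given to --property kernel= (mirage-firewall in the thread). Adjust
# KERNEL_NAME if the real tarball is laid out differently.

KERNEL_NAME=mirage-firewall
MirageFWBuildVM=my-mirage-buildvm   # hypothetical name from the thread

# Accept one line of `tar -tv` output if it describes a regular file or a
# directory whose name sits under "$2/", is not absolute and contains no
# ".." component. Returns 0 to accept, 1 to reject. Member names with
# spaces are rejected too, which is fine for a kernel directory.
listing_line_ok() {
    line=$1
    top=$2
    case "$line" in
        -*|d*) ;;          # regular file or directory
        *) return 1 ;;     # symlink, hard link, device, fifo, ...
    esac
    name=${line##* }       # the member name is the last field
    case "$name" in
        /*|..|../*|*/..|*/../*) return 1 ;;        # absolute or traversal
        "$top"|"$top/"|"$top/"*) return 0 ;;       # under the expected dir
        *) return 1 ;;                             # anything else
    esac
}

# Validate a whole listing read from stdin; report and stop at the first
# bad member. Returns 0 only when every member passes.
listing_ok() {
    top=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! listing_line_ok "$line" "$top"; then
            echo "rejected member: $line" >&2
            return 1
        fi
    done
    return 0
}

# Pull the archive out of the qube once, into a dom0 temp file, list it,
# and extract only if the listing passes. The thread pipes qvm-run
# straight into `tar x`; fetching first means the bytes that were checked
# are the bytes that get unpacked.
install_kernel_tarball() {
    vm=$1
    tmp=$(mktemp) || return 1
    qvm-run --pass-io --no-gui "$vm" \
        'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' > "$tmp"
    if tar -tvjf "$tmp" | listing_ok "$KERNEL_NAME"; then
        (cd /var/lib/qubes/vm-kernels && tar -xjf "$tmp") || return 1
        rm -f "$tmp"
        echo "installed $KERNEL_NAME into /var/lib/qubes/vm-kernels"
    else
        echo "refusing to extract; archive kept for inspection at $tmp" >&2
        return 1
    fi
}

# Usage from dom0: sh install-kernel.sh my-mirage-buildvm
# Without an argument the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    install_kernel_tarball "$1"
fi
```

The listing check is deliberately strict: it rejects anything that is not a plain file or directory, so if a future build output legitimately contains links you will see the rejected member on stderr and can decide whether to extend the check rather than have tar silently create it in dom0.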

 

c1e0

Aug 24, 2020, 10:45:42 AM
to qubes-users
A similar issue was reported here. Maybe the podman workaround will solve your problem.