Newbie question : ulimit: error setting limit (Operation not permitted)


Sowlène

Aug 9, 2017, 5:18:42 AM8/9/17
to rkt-dev
Hi!

I'm learning how to use Docker images (from Docker Hub) on RKT and now I've got this:

$ sudo ./rkt --insecure-options=image run docker://(myimage) --set-env=DATABASE_TYPE=mysql --set-env=DATABASE_USER=user --set-env=DATABASE_PASSWORD=password --set-env=DATABASE_HOST=(host) --set-env=DATABASE_NAME=db
[...]Starting redis-server: /etc/init.d/redis-server: 58: ulimit: error setting limit (Operation not permitted)

I also tried

$ sudo ./rkt --insecure-options=image run docker://(myimage) --set-env=DATABASE_TYPE=mysql --set-env=DATABASE_USER=user --set-env=DATABASE_PASSWORD=password --set-env=DATABASE_HOST=(host) --set-env=DATABASE_NAME=db --debug
[...][88405.702392] installtv2[5]: Starting redis-server: /etc/init.d/redis-server: 58: ulimit: error setting limit (Operation not permitted)
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
Container rkt-f195b59a-2c84-48d0-8d09-2747265a4dcf failed with error code 2.

I don't really understand what it means, and I don't know how I can fix this kind of error on RKT :/
I built my own Docker image (Dockerfile ...), so I just started to learn how RKT works :)

More about my configuration:
OS: Debian 9 Stretch STABLE.
Docker version 17.06.0-ce, build 02c1d87

Thanks for helping me!

ia...@kinvolk.io

Aug 9, 2017, 6:08:32 AM8/9/17
to rkt-dev
Hi!

It seems the redis service inside the container is trying to use ulimit to increase resource limits. This is not allowed by rkt because we don't give the capability CAP_SYS_RESOURCE[1] to containers as a security measure.

Docker doesn't give that capability either[2] so I guess that image should be run with either "--cap-add SYS_RESOURCE" or "--privileged".

You can disable capability restriction in rkt with "--insecure-options=capabilities". However, a better solution is to add "CAP_SYS_RESOURCE" to the default capabilities given by rkt. To do that, you can use the flag "--caps-retain" after the image.

In your case:

$ sudo ./rkt --insecure-options=image run docker://(myimage) --set-env=DATABASE_TYPE=mysql --set-env=DATABASE_USER=user --set-env=DATABASE_PASSWORD=password --set-env=DATABASE_HOST=(host) --set-env=DATABASE_NAME=db --caps-retain=CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FSETID,CAP_FOWNER,CAP_MKNOD,CAP_NET_RAW,CAP_SETGID,CAP_SETUID,CAP_SETFCAP,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_SYS_CHROOT,CAP_KILL,CAP_AUDIT_WRITE,CAP_SYS_RESOURCE

Note that you need to list the capabilities given by default too because "--caps-retain" overrides the default ones.

For more documentation about capabilities in rkt check this page on the docs[3].
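To make the reply above concrete, here is a small added helper (not part of the thread, rkt or Docker) that turns a capability list such as the one passed to "--caps-retain" into the bitmask the kernel reports in /proc/<pid>/status as CapEff, decodes it back, and checks whether CAP_SYS_RESOURCE (the capability needed to raise a hard resource limit with setrlimit, which is what "ulimit" calls) is present. The capability numbers come from linux/capability.h; the default list is the one quoted in the reply; the CapEff line used as input is constructed for the example.

```python
"""Encode/decode Linux capability bitmasks and check for CAP_SYS_RESOURCE.

Added example: not code from rkt, Docker or the thread's authors.
Capability bit numbers are those of linux/capability.h.
"""
import re

# Bit number -> capability name (linux/capability.h, up to CAP_AUDIT_READ).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]
CAP_BITS = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Default capability set as listed in the reply above (rkt's defaults at the time).
RKT_DEFAULT_CAPS = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
]


def caps_to_mask(names):
    """Return the bitmask for a list of capability names (unknown names raise)."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BITS[name]
    return mask


def mask_to_caps(mask):
    """Decode a bitmask into the sorted list of capability names it contains."""
    return [name for bit, name in enumerate(CAP_NAMES) if mask & (1 << bit)]


def parse_capeff(status_text):
    """Extract CapEff from the text of /proc/<pid>/status as an int."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line found")
    return int(match.group(1), 16)


def has_cap(mask, name):
    """True if the named capability is set in the mask."""
    return bool(mask & (1 << CAP_BITS[name]))


def build_caps_retain(extra):
    """Build the --caps-retain value: the defaults plus the extra names, deduplicated.

    --caps-retain replaces the default set, so the defaults must be repeated.
    """
    seen = []
    for name in list(RKT_DEFAULT_CAPS) + list(extra):
        if name not in CAP_BITS:
            raise ValueError("unknown capability: %s" % name)
        if name not in seen:
            seen.append(name)
    return ",".join(seen)


if __name__ == "__main__":
    # Constructed sample: a CapEff line for a process running with the default set.
    sample_status = "Name:\tredis-server\nCapEff:\t00000000a80425fb\n"
    eff = parse_capeff(sample_status)
    print("effective caps:", ", ".join(mask_to_caps(eff)))
    print("can raise hard rlimits:", has_cap(eff, "CAP_SYS_RESOURCE"))
    print("--caps-retain=" + build_caps_retain(["CAP_SYS_RESOURCE"]))
```

Inside a running container, `cat /proc/1/status` (or `/proc/self/status`) shows the real CapEff line; feeding that text to `parse_capeff` tells you whether the process could ever succeed at the ulimit call, which is a faster check than reading an init script's error output.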

Sowlène

Aug 9, 2017, 6:49:29 AM8/9/17
to rkt-dev
Hi,

Thanks a lot for your answer, and I will read all the docs you gave me!

It works now, and I can see how it works thanks to systemctl :D


Thanks again, you made my day!