Docker doesn't work after upgrade to Debian Bullseye - cgroup problem

[nak]

I upgraded Proxmox to version 7 and on this server I have a container running Debian which hosts docker containers.

Before the upgrade, the container was working fine. The server was running Proxmox 6 and the container was running Debian Buster and was set to be "Unprivileged" and had keyctl=1 and nesting=1. Docker functioned fine within it.

Now, I upgraded the server to Proxmox 7 and the container to Debian Bullseye. No other options were changed. When I try to start a Docker container I get:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: process_linux.go:458: setting cgroup config for procHooks process caused: can't load program: operation not permitted: unknown.

I see there were changes to how cgroup2 works with Proxmox 7 but I thought that if I had a modern Linux (Debian Bullseye) this wouldn't be a problem. Does anyone know what is happening? Thanks.

 

[Stoiko Ivanov]

I upgraded Proxmox to version 7 and on this server I have a container running Debian which hosts docker containers.

I would suggest to run docker in a qemu-VM - qemu has a much higher isolation from the host - and thus far less potential for interaction with a changed kernel/systemd/cgroup/lxc implementation

else - you could try to switch back to the legacy hybrid cgroup layout :
https://pve.proxmox.com/wiki/Upgrade_from_6.x_to_7.0#Old_Container_and_CGroupv2
https://pve.proxmox.com/pve-docs/chapter-pct.html#pct_cgroup_compat

I hope this helps!

 

[nak]

I would suggest to run docker in a qemu-VM - qemu has a much higher isolation from the host - and thus far less potential for interaction with a changed kernel/systemd/cgroup/lxc implementation

else - you could try to switch back to the legacy hybrid cgroup layout :
https://pve.proxmox.com/wiki/Upgrade_from_6.x_to_7.0#Old_Container_and_CGroupv2
https://pve.proxmox.com/pve-docs/chapter-pct.html#pct_cgroup_compat

I hope this helps!

I didn't want to switch to the old CGroup method because of Proxmox's documentation "

Switch back to the legacy cgroup controller. Note that while it can be a valid solution, it’s not a permanent one. There’s a high likelihood that a future Proxmox VE major release, for example 8.0, cannot support the legacy controller anymore.

and other notes of trouble with this on the forum.

Likewise, I prefer to run in a container rather than a VM because of all the advantages containers have over VMs.

I did get this to work without doing these steps, though, by switching my Docker container to use Docker's apt repository instead of Debian's, by following https://docs.docker.com/engine/install/debian/ . Then I installed Docker 20.10.8 and it started working fine. It appears as though Docker made some changes to cgroup2 in version 20.10.7 and that is necessary for working with how Proxmox is currently using cgroups.

 

[AlexLup]

Have the same problem, swithing apt-repos didnt work

 

[d0x7]

Have the same problem, swithing apt-repos didnt work

Did you so anything exactly as described on the page (i.e. removing any old versions, etc.)? I found this thread after I found the solution myself (unfortunately ) and it's fixed in 20.10.7.
docker.io in the debian repository is still 20.10.5 and docker's debian repository is 20.10.11. You can also switch to Ubuntu >20, which also has docker.io=20.10.7

 

[LnxBil]

ikewise, I prefer to run in a container rather than a VM because of all the advantages containers have over VMs.

With respect to Docker, you will have less advantages compared to running Docker inside in a VM, e.g. ZFS cannot be used in LX(C) containers, so you will not be able to have proper ZFS volumes and less space consuming layers in Docker, that is a very big downside in my book.