cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation

Mario Marietto marietto2008 at gmail.com
Mon May 1 15:12:28 UTC 2023


Hello.

I’ve just installed Ubuntu 22.04 on my Jetson Nano. Docker does not work on
22.04, but it works on Ubuntu 18.04 and 20.04. I used the same kernel
version for Ubuntu 18, 20 and 22 (because the 5.x kernel is very
incompatible with the NVIDIA tools):


Linux marietto-nano 4.9.299+ #0 SMP PREEMPT Wed Mar 29 14:22:17 CEST
2023 aarch64 aarch64 aarch64 GNU/Linux


So, I suppose there is some incompatibility between some components present
only on Ubuntu 22.04 and not on Ubuntu 18 and 20. The error is the
following:


# docker images

REPOSITORY    TAG       IMAGE ID       CREATED         SIZE
hello-world   latest    46331d942d63   13 months ago   9.14kB

# docker run hello-world

docker: Error response from daemon: failed to create shim task: OCI
runtime create failed: runc create failed: unable to start container
process: error during container init: error setting cgroup config for
procHooks process: bpf_prog_query(BPF_CGROUP_DEVICE) failed: function
not implemented: unknown.
ERRO[0004] error waiting for container: context canceled

I don’t know what to do. I even tried to upgrade the Docker container files
following this guide:

https://www.server-world.info/en/note?os=Ubuntu_22.04&p=nvidia&f=2

So, this is what I did:


# curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | apt-key add -
OK

# curl -s -L https://nvidia.github.io/nvidia-docker/ubuntu22.04/nvidia-docker.list
> /etc/apt/sources.list.d/nvidia-docker.list

# apt upgrade

Before the upgrade I had these versions:

nvidia-docker2/stable,now 2.8.0-1 all
nvidia-container-toolkit/stable,now 1.7.0-1 arm64

After:

nvidia-docker2/bionic 2.13.0-1 all
nvidia-container-toolkit/bionic 1.13.1-1 arm64
nvidia-container-toolkit-base/bionic 1.13.1-1 arm64

They have been upgraded, but I still see that those packages come from
bionic, even though I’ve used the jammy repos:


# curl -s -L https://nvidia.github.io/nvidia-docker/ubuntu22.04/nvidia-docker.list
> /etc/apt/sources.list.d/nvidia-docker.list

This is the content of the file /etc/docker/daemon.json:

{
    "runtimes": {
        "nvidia": {
            "path": "nvidia-container-runtime",
            "runtimeArgs": []
        }
    }
}

I’m using JetPack 4.6.3 / L4T 32.7.3. The runc version is:


# runc --version

runc version 1.1.4-0ubuntu1~22.04.1
spec: 1.0.2-dev
go: go1.18.1
libseccomp: 2.5.3

The Docker version is:


# docker --version
Docker version 20.10.21, build 20.10.21-0ubuntu1~22.04.3

Anyway, even with the packages upgraded, the error hasn’t been fixed.

As a further experiment, I purged all the packages installed for Ubuntu
22.04 and installed the versions of the same packages which work
for Ubuntu 20.04. They are called like this:


cgroup-tools_0.41-10_arm64.deb
docker.io_20.10.21-0ubuntu1~20.04.1_arm64.deb
containerd_1.6.12-0ubuntu1~20.04.1_arm64.deb
runc_1.1.4-0ubuntu1~20.04.1_arm64.deb

But I got the exact same error as before:


root at marietto-nano:/home/marietto# docker run hello-world

docker: Error response from daemon: failed to create shim task: OCI
runtime create failed: runc create failed: unable to start container
process: error during container init: error setting cgroup config for
procHooks process: bpf_prog_query(BPF_CGROUP_DEVICE) failed: function
not implemented: unknown.
ERRO[0000] error waiting for container: context canceled

This is the output of the “check-config.sh” script:


root at marietto-nano:/home/marietto/Scaricati# ./check-config.sh

info: reading kernel config from /proc/config.gz ...

Generally Necessary:

- cgroup hierarchy: cgroupv2
  Controllers:
  **- cpu: missing
  - cpuset: missing**
  - io: available
  - memory: available
  - pids: available
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled


In the logs I see these errors:


cgroup: cgroup2: unknown option "nsdelegate,memory_recursiveprot"
cgroup: cgroup2: unknown option "nsdelegate"
cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or
net_cls activation


Furthermore, according to this post:


https://unix.stackexchange.com/questions/467362/how-to-fix-file-service-configures-an-ip-firewall-ipaddressdeny-any-but

I tried to enable some kernel items related to cgroup and bpf as follows:

root at marietto-nano:/linux-tegra-4.9# make -j2
scripts/kconfig/conf --silentoldconfig Kconfig
*
* Restart config...
*
*
* Control Group support
*
Control Group support (CGROUPS) [Y/n/?] y
Example debug cgroup subsystem (CGROUP_DEBUG) [Y/n/?] y
Freezer cgroup subsystem (CGROUP_FREEZER) [Y/n/?] y
PIDs cgroup subsystem (CGROUP_PIDS) [Y/n/?] y
Device controller for cgroups (CGROUP_DEVICE) [Y/n/?] y
Cpuset support (CPUSETS) [Y/n/?] y
Include legacy /proc/<pid>/cpuset file (PROC_PID_CPUSET) [Y/n] y
Simple CPU accounting cgroup subsystem (CGROUP_CPUACCT) [Y/n/?] y
Memory controller (MEMCG) [Y/n/?] y
Swap controller (MEMCG_SWAP) [Y/n/?] y
Swap controller enabled by default (MEMCG_SWAP_ENABLED) [Y/n/?] y
IO controller (BLK_CGROUP) [Y/n/?] y
IO controller debugging (DEBUG_BLK_CGROUP) [Y/n/?] y
PIDs controller (CGROUP_PIDS) [Y/n/?] y
Freezer controller (CGROUP_FREEZER) [Y/n/?] y
HugeTLB controller (CGROUP_HUGETLB) [Y/n/?] y
Cpuset controller (CPUSETS) [Y/n/?] y
Include legacy /proc/<pid>/cpuset file (PROC_PID_CPUSET) [Y/n] y
Device controller (CGROUP_DEVICE) [Y/n/?] y
Simple CPU accounting controller (CGROUP_CPUACCT) [Y/n/?] y
Perf controller (CGROUP_PERF) [Y/n/?] y
Support for eBPF programs attached to cgroups (CGROUP_BPF) [N/y/?] (NEW) y
Example controller (CGROUP_DEBUG) [Y/n/?] y
*
* General setup
*
Cross-compiler tool prefix (CROSS_COMPILE) []
Compile also drivers which will not load (COMPILE_TEST) [N/y/?] n
Local version - append to kernel release (LOCALVERSION) []
Automatically append version information to the version string
(LOCALVERSION_AUTO) [N/y/?] n
Default hostname (DEFAULT_HOSTNAME) [(none)] (none)
Support for paging of anonymous memory (swap) (SWAP) [Y/n/?] y
System V IPC (SYSVIPC) [Y/n/?] y
POSIX Message Queues (POSIX_MQUEUE) [Y/n/?] y
Enable process_vm_readv/writev syscalls (CROSS_MEMORY_ATTACH) [Y/n/?] y
open by fhandle syscalls (FHANDLE) [Y/n/?] y
uselib syscall (USELIB) [N/y/?] n
Auditing support (AUDIT) [Y/n/?] y
Kernel .config support (IKCONFIG) [Y/n/m/?] y
Enable access to .config through /proc/config.gz (IKCONFIG_PROC) [Y/n/?] y
Kernel log buffer size (16 => 64KB, 17 => 128KB) (LOG_BUF_SHIFT) [15] 15
CPU kernel log buffer size contribution (13 => 8 KB, 17 => 128KB)
(LOG_CPU_MAX_BUF_SHIFT) [15] 15
Temporary per-CPU printk log buffer size (12 => 4KB, 13 => 8KB)
(PRINTK_SAFE_LOG_BUF_SHIFT) [13] 13
Checkpoint/restore support (CHECKPOINT_RESTORE) [N/y/?] n
Automatic process group scheduling (SCHED_AUTOGROUP) [N/y/?] n
Boosting for CFS tasks (EXPERIMENTAL) (SCHED_TUNE) [N/y/?] n
Default to enabling the Energy Aware Scheduler feature
(DEFAULT_USE_ENERGY_AWARE) [N/y/?] n
Enable deprecated sysfs features to support old userspace tools
(SYSFS_DEPRECATED) [N/y/?] n
Kernel->user space relay support (formerly relayfs) (RELAY) [Y/?] y
Initial RAM filesystem and RAM disk (initramfs/initrd) support
(BLK_DEV_INITRD) [Y/n/?] y
Initramfs source file(s) (INITRAMFS_SOURCE) []
Support initial ramdisks compressed using gzip (RD_GZIP) [Y/n/?] y
Support initial ramdisks compressed using bzip2 (RD_BZIP2) [Y/n/?] y
Support initial ramdisks compressed using LZMA (RD_LZMA) [Y/n/?] y
Support initial ramdisks compressed using XZ (RD_XZ) [Y/n/?] y
Support initial ramdisks compressed using LZO (RD_LZO) [Y/n/?] y
Support initial ramdisks compressed using LZ4 (RD_LZ4) [Y/n/?] y
Compiler optimization level
> 1. Optimize for performance (CC_OPTIMIZE_FOR_PERFORMANCE)
2. Optimize for size (CC_OPTIMIZE_FOR_SIZE)
choice[1-2]: 1
Enable bpf() system call (BPF_SYSCALL) [Y/n/?] y
Permanently enable BPF JIT and remove BPF interpreter (BPF_JIT_ALWAYS_ON)
[N/y/?] (NEW) y
Use full shmem filesystem (SHMEM) [Y/n/?] y
Allow shmem to use all RAM (SHMEM_ALL_RAM) [N/y/?] n
Enable AIO support (AIO) [Y/n/?] y
Enable madvise/fadvise syscalls (ADVISE_SYSCALLS) [Y/n/?] y
Enable userfaultfd() system call (USERFAULTFD) [N/y/?] n
Enable PCI quirk workarounds (PCI_QUIRKS) [Y/n/?] y
Enable membarrier() system call (MEMBARRIER) [Y/n/?] y
Embedded system (EMBEDDED) [Y/n/?] y
Enable VM event counters for /proc/vmstat (VM_EVENT_COUNTERS) [Y/n/?] y
Enable SLUB debugging support (SLUB_DEBUG) [Y/n/?] y
Disable heap randomization (COMPAT_BRK) [N/y/?] n
Choose SLAB allocator
1. SLAB (SLAB)
> 2. SLUB (Unqueued Allocator) (SLUB)
3. SLOB (Simple Allocator) (SLOB)
choice[1-3?]: 2
SLAB freelist randomization (SLAB_FREELIST_RANDOM) [N/y/?] n
SLUB per cpu partial cache (SLUB_CPU_PARTIAL) [Y/n/?] y
Profiling support (PROFILING) [Y/n/?] y
Kprobes (KPROBES) [N/y/?] n
Optimize very unlikely/likely branches (JUMP_LABEL) [Y/n/?] y
Static key selftest (STATIC_KEYS_SELFTEST) [N/y/?] n
Stack Protector buffer overflow detection
> 1. None (CC_STACKPROTECTOR_NONE)
2. Regular (CC_STACKPROTECTOR_REGULAR)
3. Strong (CC_STACKPROTECTOR_STRONG)
choice[1-3?]: 1
Link-Time Optimization (LTO) (EXPERIMENTAL)
> 1. None (LTO_NONE)
2. Use clang Link Time Optimization (LTO) (EXPERIMENTAL) (LTO_CLANG)
choice[1-2?]: 1
Number of bits to use for ASLR of mmap base address (ARCH_MMAP_RND_BITS)
[18] 18
Number of bits to use for ASLR of mmap base address for compatible
applications (ARCH_MMAP_RND_COMPAT_BITS) [16] 16

Docker still does not work. What's missing? Thanks.


-- 
Mario.
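For anyone debugging the same failure, here is an added diagnostic script; it is not part of Mario's post and not code from Docker, runc or NVIDIA. It ties together the three facts the post's output exposes: check-config.sh reports a cgroup v2 hierarchy (Ubuntu 22.04 boots with the unified hierarchy by default, 18.04 and 20.04 did not), the kernel build prompt shows CGROUP_BPF as a new, previously unset option, and the kernel log rejects the cgroup2 mount options systemd passes. On a cgroup v2 host runc enforces the container's device list with an eBPF program attached to the cgroup, which is the bpf_prog_query(BPF_CGROUP_DEVICE) call failing above; on cgroup v1 it writes the devices controller files and uses no eBPF. The script reads /proc/mounts, /proc/config.gz (available here because IKCONFIG_PROC is enabled) and kernel log lines; the sample inputs are constructed from the values in the post, and the `systemd.unified_cgroup_hierarchy=0` boot parameter it suggests is the documented systemd switch back to the legacy hierarchy.

```python
"""Diagnose a runc bpf_prog_query(BPF_CGROUP_DEVICE) failure from host facts.

Added example, not code from the post, Docker, runc or NVIDIA. It checks
the mounted cgroup hierarchy (/proc/mounts), the kernel options runc needs
on cgroup v2 (/proc/config.gz) and the cgroup2 mount options the kernel
rejected (kernel log). Sample inputs are constructed from the post.
"""
import gzip
import re
from dataclasses import dataclass, field

# On cgroup v2 runc enforces the device list with an eBPF program attached
# to the container's cgroup, which needs these options; on cgroup v1 it
# writes the devices controller files and needs no eBPF at all.
REQUIRED_FOR_CGROUP2_RUNC = ("CONFIG_CGROUP_BPF", "CONFIG_BPF_SYSCALL")


@dataclass
class Diagnosis:
    hierarchy: str                          # "cgroupv2", "cgroupv1" or "none"
    missing_options: list = field(default_factory=list)
    rejected_mount_options: list = field(default_factory=list)

    @property
    def can_run_containers(self) -> bool:
        # Only the v2 path depends on the eBPF-related kernel options.
        return self.hierarchy != "cgroupv2" or not self.missing_options

    def advice(self) -> str:
        if self.can_run_containers:
            return "cgroup setup looks usable for runc"
        return ("host mounts cgroup v2 but the kernel lacks %s: rebuild the "
                "kernel with them enabled, or boot with "
                "systemd.unified_cgroup_hierarchy=0 so systemd mounts the "
                "cgroup v1 hierarchy instead" % ", ".join(self.missing_options))


def detect_hierarchy(mounts_text: str) -> str:
    """Classify the cgroup layout from /proc/mounts content."""
    mountpoints_by_fstype = {}
    for line in mounts_text.splitlines():
        fields = line.split()            # device mountpoint fstype options ...
        if len(fields) >= 3:
            mountpoints_by_fstype.setdefault(fields[2], set()).add(fields[1])
    if "/sys/fs/cgroup" in mountpoints_by_fstype.get("cgroup2", set()):
        return "cgroupv2"                # unified hierarchy at the root
    if mountpoints_by_fstype.get("cgroup"):
        return "cgroupv1"                # legacy or hybrid layout
    return "none"


def parse_kernel_config(text: str) -> dict:
    """Turn a .config / /proc/config.gz dump into {option: value}."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def rejected_cgroup2_options(log_lines) -> list:
    """Collect the cgroup2 mount options the kernel logged as unknown."""
    found = set()
    for line in log_lines:
        m = re.search(r'cgroup2: unknown option "([^"]+)"', line)
        if m:
            found.update(m.group(1).split(","))
    return sorted(found)


def diagnose(mounts_text: str, config_text: str, log_lines) -> Diagnosis:
    cfg = parse_kernel_config(config_text)
    d = Diagnosis(hierarchy=detect_hierarchy(mounts_text))
    if d.hierarchy == "cgroupv2":
        d.missing_options = [o for o in REQUIRED_FOR_CGROUP2_RUNC
                             if cfg.get(o) != "y"]
    d.rejected_mount_options = rejected_cgroup2_options(log_lines)
    return d


# Constructed sample input modelled on the post: cgroup v2 mounted by
# systemd, a kernel config without CGROUP_BPF, and the logged errors.
SAMPLE_MOUNTS = "cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec 0 0\n"
SAMPLE_CONFIG = """\
CONFIG_CGROUPS=y
CONFIG_CGROUP_DEVICE=y
CONFIG_BPF_SYSCALL=y
# CONFIG_CGROUP_BPF is not set
"""
SAMPLE_LOG = [
    'cgroup: cgroup2: unknown option "nsdelegate,memory_recursiveprot"',
    'cgroup: cgroup2: unknown option "nsdelegate"',
    "cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or "
    "net_cls activation",
]

if __name__ == "__main__":
    # Live run on this host; /proc/config.gz needs CONFIG_IKCONFIG_PROC.
    with open("/proc/mounts") as f, gzip.open("/proc/config.gz", "rt") as g:
        live = diagnose(f.read(), g.read(), [])
    print(live.hierarchy, live.missing_options, live.advice())
    sample = diagnose(SAMPLE_MOUNTS, SAMPLE_CONFIG, SAMPLE_LOG)
    print(sample.rejected_mount_options, sample.advice())
```

Run it as root on the affected board and pass `journalctl -k` output to the third argument to also list the rejected mount options; the rejected `nsdelegate` and `memory_recursiveprot` options are a second sign that the running cgroup2 implementation is older than the systemd in 22.04 expects.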