singularity in docker <23.0.0: Requesting capability set 0x000001ffffffffff while permitted capability set is 0x0000003fffffffff #1466
Comments
Please could you try to provide a reproducer that doesn't depend on using GitHub actions. i.e. what local A complex GitHub actions flow as a reproducer is a bit of a stretch for us to work with. Thanks.
Ahhh... what version of Docker is being used in GitHub actions? I think this may be caused by Docker < v23.0.0 on hosts with a new enough kernel to provide some new caps. Singularity 3.11 introduced handling of the new CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE capabilities. For a while, Docker didn't set these even with Singularity can tell, from the host information visible in the Docker container... that the host provides all those new capabilities... so it is trying to set the full range. However, Docker has denied the 3 new caps due to this runc workaround. I'm betting that if you use Docker v23.0.0 or later, which has this patch... moby/moby@c1c973e ... then it will work.
This? Docker Compose v1 1.29.2
Yes... arguably we could handle this better in Singularity, so that we gracefully accept the permitted set. We are hitting the same issue containerd had when running inside Docker: I can't promise that would be implemented quickly, though.
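Added example (not part of the thread and not Singularity's code): it decodes the two masks from the issue title to show which capabilities Docker withheld, and shows the "accept the permitted set" idea from the comment above as a simple intersection. It assumes the "full range" is derived from `/proc/sys/kernel/cap_last_cap`, which the thread does not state; the function names and the sample `/proc` text are constructed for illustration.

```python
import re

# Capability numbers from linux/capability.h for the three caps named in the thread.
NEW_CAPS = {38: "CAP_PERFMON", 39: "CAP_BPF", 40: "CAP_CHECKPOINT_RESTORE"}

# Constructed sample: what a process in the affected container would see.
SAMPLE_STATUS = "Name:\tsingularity\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
SAMPLE_LAST_CAP = "40\n"  # assumed source of the "full range": the host kernel's last cap


def permitted_from_status(status_text):
    """Parse the CapPrm line of /proc/<pid>/status into an integer mask."""
    m = re.search(r"^CapPrm:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapPrm line found")
    return int(m.group(1), 16)


def full_set(last_cap):
    """Mask with every capability bit from 0 through last_cap set."""
    return (1 << (last_cap + 1)) - 1


def denied(requested, permitted):
    """Names of capabilities that are requested but not permitted."""
    gap = requested & ~permitted
    return [NEW_CAPS.get(n, f"cap#{n}") for n in range(gap.bit_length()) if gap >> n & 1]


def clamp(requested, permitted):
    """Graceful alternative: only ask for what is actually permitted."""
    return requested & permitted


if __name__ == "__main__":
    # On Linux use the live values; otherwise fall back to the constructed sample.
    try:
        status = open("/proc/self/status").read()
        last_cap = open("/proc/sys/kernel/cap_last_cap").read()
    except OSError:
        status, last_cap = SAMPLE_STATUS, SAMPLE_LAST_CAP
    want, have = full_set(int(last_cap)), permitted_from_status(status)
    print(f"requested {want:#018x}, permitted {have:#018x}")
    print("denied:", denied(want, have) or "none")
    print(f"clamped request {clamp(want, have):#018x}")
```

Run inside the container, a non-empty "denied" list means the runtime granted fewer capabilities than the kernel advertises, which is the condition in the issue title.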
Ok I think we can wait until the runners are updated. Any other workarounds, e.g. by listing all necessary permissions instead of using privileged? Not sure if this would make sense, I am not very familiar with Linux privileges.
I don't think so. That version of docker isn't aware of the existence of the newer capabilities... so you won't be able to ask it to provide them.
Version of Singularity
What version of Singularity are you using?
3.11.0 on GitHub Actions using the following Dockerfile: https://github.com/singularityhub/singularity-docker/blob/v3.11.0/Dockerfile
Describe the bug
see title.
To Reproduce
Steps to reproduce the behavior:
clone https://github.com/OpenMS/dockerfiles/blob/master/library/Dockerfile
then
see https://github.com/OpenMS/OpenMS/actions/runs/4495601964/jobs/7909390460
Expected behavior
Build the container, as with 3.10
OS / Linux Distribution
Host (GitHub runner):
Docker:
Installation Method
wget https://github.com/sylabs/singularity/releases/download/v${SINGULARITY_VERSION}/singularity-ce-${SINGULARITY_VERSION}.tar.gz
Additional context
Anything else which might be relevant. E.g. if the bug only occurs on a specific filesystem, or kernel version etc.