On Thu, Jun 30, 2016 at 11:39 PM, Jean-Francois Dagenais < [email protected]> wrote:
> Hi all,
>
> I've managed to build docker into my image using meta-virtualization.
>
> I've used the master branch (c4a1711dd31659b027c70c07e4ef6da98591ac95) on top of
> which I had to make tiny hacks to get it to compile with fido.
>
> So I'm using linux-yocto_3.19.bbappend which I dug out of branch fido.
>
> When I run docker daemon log-level=debug, I get:
>
> DEBU[0000] /usr/sbin/iptables, [--wait --version]
> DEBU[0000] /usr/sbin/iptables, [--wait -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t nat -D PREROUTING]
> DEBU[0000] /usr/sbin/iptables, [--wait -t nat -D OUTPUT]
> DEBU[0000] /usr/sbin/iptables, [--wait -t nat -F DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t nat -X DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t filter -F DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t filter -X DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t filter -F DOCKER-ISOLATION]
> DEBU[0000] /usr/sbin/iptables, [--wait -t filter -X DOCKER-ISOLATION]
> DEBU[0000] /usr/sbin/iptables, [--wait -t nat -n -L DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t nat -N DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t filter -n -L DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t filter -N DOCKER]
> DEBU[0000] /usr/sbin/iptables, [--wait -t filter -n -L DOCKER-ISOLATION]
> DEBU[0000] /usr/sbin/iptables, [--wait -t filter -N DOCKER-ISOLATION]
> DEBU[0000] /usr/sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION -j RETURN]
> DEBU[0000] /usr/sbin/iptables, [--wait -I DOCKER-ISOLATION -j RETURN]
> DEBU[0000] Registering ipam driver: "default"
> DEBU[0000] Registering ipam driver: "null"
> INFO[0000] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
> DEBU[0000] Allocating IPv4 pools for network bridge (6eeb9cc6567681c6e7f78a2e529db97eaf129ec2acfc4c5568ef74df1d2c1cab)
> DEBU[0000] RequestPool(LocalDefault, 172.17.0.0/16, , map[], false)
> DEBU[0000] RequestAddress(LocalDefault/172.17.0.0/16, <nil>, map[RequestAddressType:com.docker.network.gateway])
> DEBU[0000] Failed to create bridge docker0 via netlink. Trying ioctl
> DEBU[0000] releasing IPv4 pools from network bridge (6eeb9cc6567681c6e7f78a2e529db97eaf129ec2acfc4c5568ef74df1d2c1cab)
> DEBU[0000] ReleaseAddress(LocalDefault/172.17.0.0/16, 172.17.0.1)
> DEBU[0000] ReleasePool(LocalDefault/172.17.0.0/16)
> DEBU[0000] Cleaning up old mountid : start.
> FATA[0000] Error starting daemon: Error initializing network controller: Error creating default "bridge" network: package not installed
>
> I am just guessing my kernel is missing something, so I ran [docker source]/contribs/check-config.sh against my kernel config and got MANY missing config items:
>
> # ./check-config.sh
> warning: /proc/config.gz does not exist, searching other paths for kernel config ...
> info: reading kernel config from /boot/config-3.19.8-yocto-standard ...
>
> Generally Necessary:
> - cgroup hierarchy: properly mounted [/sys/fs/cgroup]
> - CONFIG_NAMESPACES: enabled
> - CONFIG_NET_NS: enabled
> - CONFIG_PID_NS: enabled
> - CONFIG_IPC_NS: enabled
> - CONFIG_UTS_NS: enabled
> - CONFIG_DEVPTS_MULTIPLE_INSTANCES: enabled
> - CONFIG_CGROUPS: missing
> - CONFIG_CGROUP_CPUACCT: missing
> - CONFIG_CGROUP_DEVICE: missing
> - CONFIG_CGROUP_FREEZER: missing
> - CONFIG_CGROUP_SCHED: missing
> - CONFIG_CPUSETS: missing
> - CONFIG_MEMCG: missing
> - CONFIG_KEYS: enabled
> - CONFIG_MACVLAN: missing
> - CONFIG_VETH: missing
> - CONFIG_BRIDGE: missing
> - CONFIG_BRIDGE_NETFILTER: missing
> - CONFIG_NF_NAT_IPV4: enabled (as module)
> - CONFIG_IP_NF_FILTER: enabled (as module)
> - CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
> - CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: missing
> - CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
> - CONFIG_NF_NAT: enabled (as module)
> - CONFIG_NF_NAT_NEEDED: enabled
> - CONFIG_POSIX_MQUEUE: enabled
>
> Optional Features:
> - CONFIG_USER_NS: enabled
> - CONFIG_SECCOMP: enabled
> - CONFIG_CGROUP_PIDS: missing
> - CONFIG_MEMCG_KMEM: missing
> - CONFIG_MEMCG_SWAP: missing
> - CONFIG_MEMCG_SWAP_ENABLED: missing
> - CONFIG_RESOURCE_COUNTERS: missing
> - CONFIG_BLK_CGROUP: missing
> - CONFIG_IOSCHED_CFQ: enabled
> - CONFIG_BLK_DEV_THROTTLING: missing
> - CONFIG_CGROUP_PERF: missing
> - CONFIG_CGROUP_HUGETLB: missing
> - CONFIG_NET_CLS_CGROUP: missing
> - CONFIG_CGROUP_NET_PRIO: missing
> - CONFIG_CFS_BANDWIDTH: missing
> - CONFIG_FAIR_GROUP_SCHED: missing
> - CONFIG_RT_GROUP_SCHED: missing
>
> My question is: why aren't all the "generally necessary" items being added by the
> kernel config files (scc) mentioned in meta-virtualization's linux-yocto bbappend?

Most of those settings are covered in the core kernel type configurations, and aren't repeated in any docker-specific configuration. If values are sprayed all across the metadata, it makes changing them and enforcing policy more difficult.

I run the docker check scripts across linux-yocto* periodically, and my reports are clean. So there could be something up with the mixing of the new docker and the older fido bbappend, or simply that 3.19 didn't get much love.

Bruce

> Thanks for the help!
>
> --
> _______________________________________________
> meta-virtualization mailing list
> [email protected]
> https://lists.yoctoproject.org/listinfo/meta-virtualization

--
"Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end"
-- _______________________________________________ meta-virtualization mailing list [email protected] https://lists.yoctoproject.org/listinfo/meta-virtualization
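As an added example (not code from this thread, and not Docker's own contrib/check-config.sh), the POSIX sh below reproduces the enabled / enabled (as module) / missing classification that script reports for each CONFIG_ option, plus the /proc/config.gz then /boot/config-<release> lookup its warning line above describes. The sample kernel config is constructed for the demonstration; find_kconfig depends on the host it runs on.

```shell
#!/bin/sh
# Minimal re-implementation of the per-option check that check-config.sh
# performs on a kernel .config (added example, not the upstream script).

# Constructed sample config: a mix of built-in (=y), module (=m) and
# unset options, chosen from the "Generally Necessary" list in the thread.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_NET_NS=y
# CONFIG_CGROUPS is not set
CONFIG_NF_NAT_IPV4=m
# CONFIG_BRIDGE is not set
EOF

# Locate a kernel config the way check-config.sh does: the running kernel's
# /proc/config.gz first, then /boot/config-<release>. Prints a plain-text path.
find_kconfig() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp); zcat /proc/config.gz > "$tmp"; echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        echo "no kernel config found" >&2; return 1
    fi
}

# Classify one option: enabled, "enabled (as module)" or missing.
# Anchored to whole lines so CONFIG_NET_NS does not match CONFIG_NET_NSH etc.
kconfig_state() {
    cfg="$1"; opt="$2"
    if grep -q "^${opt}=y$" "$cfg"; then
        echo enabled
    elif grep -q "^${opt}=m$" "$cfg"; then
        echo "enabled (as module)"
    else
        echo missing
    fi
}

# Report each option and return non-zero if any required one is missing,
# so an image build or CI job can fail before the daemon does at runtime.
check_required() {
    cfg="$1"; shift
    rc=0
    for opt in "$@"; do
        state=$(kconfig_state "$cfg" "$opt")
        echo "- $opt: $state"
        [ "$state" = missing ] && rc=1
    done
    return $rc
}

check_required "$SAMPLE_CONFIG" CONFIG_NAMESPACES CONFIG_NET_NS CONFIG_CGROUPS CONFIG_BRIDGE \
    || echo "kernel config lacks options the docker daemon needs"
```

Pointing check_required at "$(find_kconfig)" with the full "Generally Necessary" list gives the same verdict the thread's check-config.sh run produced, without the daemon having to fail first.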
