[qubes-users] Re: Unable to installes mirage-firewall: this version of runc doesn't work on cgroups v2

2020-08-24 Thread c1e0
A similar issue was reported here. Maybe the *podman* workaround will solve your problem.

On Sunday, August 23, 2020 at 12:51:11 AM UTC+1 one7...@gmail.com wrote:

> Hello,
>
> I'm trying to install mirage-fw with a Fedora-32 Build-AppVM and run into 
> the following error:
>
> OCI runtime create failed: this version of runc doesn't work on cgroups 
> v2: unknown
>
>
> Steps to reproduce:
> MirageFWBuildVM=my-mirage-buildvm
> TemplateVM=fedora-32
> MirageFWAppVM=sys-mirage-fw
>
> See also https://github.com/mirage/qubes-mirage-firewall
>
> # create a new VM
> qvm-create $MirageFWBuildVM --class=AppVM --label=red --template=$TemplateVM
>
>
> # Resize private disk to 10 GB
> qvm-volume resize $MirageFWBuildVM:private 10GB
>
> # Create a symbolic link to save docker into the home directory
> qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
>   'mkdir /home/user/docker && \
>    ln -s /home/user/docker /var/lib/docker'
>
> # Install docker and git ~2min
> qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
>   'qvm-sync-clock && \
>    dnf -y install docker git'
>
> # Launch docker
> qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
>   'systemctl start docker'
>
> # Download and build mirage for qubes ~11min
> qvm-run --pass-io --no-gui $MirageFWBuildVM \
>   'git clone https://github.com/mirage/qubes-mirage-firewall.git'
>
>
> # build mirage for qubes
> qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
>   'cd /home/user/qubes-mirage-firewall && \
>    sudo ./build-with-docker.sh'
>
> Then I am seeing the following error:
>
> >sudo ./build-with-docker.sh'
> Building Docker image with dependencies..
> Sending build context to Docker daemon  169.5kB
> Step 1/8 : FROM 
> ocurrent/opam@sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
> sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde: 
> Pulling from ocurrent/opam
> 21c83c524219: Pulling fs layer
> 400d4928ba6e: Pulling fs layer
> 0e00d6ca042c: Pulling fs layer
> 21c83c524219: Download complete
> 21c83c524219: Pull complete
> 400d4928ba6e: Verifying Checksum
> 400d4928ba6e: Download complete
> 0e00d6ca042c: Verifying Checksum
> 0e00d6ca042c: Download complete
> 400d4928ba6e: Pull complete
> 0e00d6ca042c: Pull complete
> Digest: 
> sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
> Status: Downloaded newer image for 
> ocurrent/opam@sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
>  ---> 6ff4f6014607
> Step 2/8 : RUN cd ~/opam-repository && git fetch origin master && git 
> reset --hard e81ab2996896b21cba74c43a903b305a5a6341ef && opam update
>  ---> Running in 32587cf55364
> OCI runtime create failed: this version of runc doesn't work on cgroups 
> v2: unknown
>
> Any ideas how to work around this problem or if I need to use another 
> AppVM fedora-30 to build mirage
>
> 799
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9f2729b1-96f9-43b2-b785-ce4da1479502n%40googlegroups.com.


Re: [qubes-users] Re: Unable to installes mirage-firewall: this version of runc doesn't work on cgroups v2

2020-08-23 Thread 799
Hello,

On Sun, 23 Aug 2020 at 04:32, 54th Parallel wrote:

> On Sunday, 23 August 2020 at 07:51:11 UTC+8 one7...@gmail.com wrote:
>
>> [...]
>> I'm trying to install mirage-fw with a Fedora-32 Build-AppVM and run into
>> the following error:
>> OCI runtime create failed: this version of runc doesn't work on cgroups
>> v2: unknown
>>
>> [...]
>>
>> Any ideas how to work around this problem or if I need to use another
>> AppVM fedora-30 to build mirage
>
> Long story short: Docker doesn't install properly on Fedora versions >30
> because they have cgroups v2.
>
> While it's possible to downgrade cgroups in Fedora >30, I think it's
> simpler to just use fedora-30 or its minimal version.

I ran into a problem installing packages in fedora-30-minimal but was
successful using the fedora 30 template.
As others requested, I would love seeing it in the qubes repositories,
anyhow happy to have it working again.
In order to simplify the build process, these are the steps to set up
everything from dom0.
See also https://github.com/mirage/qubes-mirage-firewall

# Setup names & templates to be used.
MirageFWBuildVM=my-mirage-buildvm
TemplateVM=fedora-30
MirageFWAppVM=sys-mirage-fw

# create a new VM to build the Mirage kernel in that VM
qvm-create $MirageFWBuildVM --class=AppVM --label=red --template=$TemplateVM

# Resize private disk to 10 GB
qvm-volume resize $MirageFWBuildVM:private 10GB

# Create a symbolic link to save docker into the home directory
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'mkdir /home/user/docker && \
   ln -s /home/user/docker /var/lib/docker'

# Install docker and git ~2min
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'qvm-sync-clock && \
   dnf -y install docker git'

# Launch docker
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'systemctl start docker'

# Download and build mirage for qubes ~11min
qvm-run --pass-io --no-gui $MirageFWBuildVM \
  'git clone https://github.com/mirage/qubes-mirage-firewall.git'

# build mirage for qubes
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
   'cd /home/user/qubes-mirage-firewall && \
   sudo ./build-with-docker.sh'

# Copy the new kernel to dom0
cd /var/lib/qubes/vm-kernels
qvm-run --pass-io $MirageFWBuildVM \
  'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' | tar xjf -

# create a new mirage fw appvm
qvm-create \
  --property kernel=mirage-firewall \
  --property kernelopts=None \
  --property memory=32 \
  --property maxmem=32 \
  --property netvm=sys-net \
  --property provides_network=True \
  --property vcpus=1 \
  --property virt_mode=pv \
  --label=green \
  --class StandaloneVM \
  $MirageFWAppVM

# Change default NetVM to Mirage FW
qvm-start $MirageFWAppVM
qubes-prefs --set default_netvm $MirageFWAppVM

regards.

799



[qubes-users] Re: Unable to installes mirage-firewall: this version of runc doesn't work on cgroups v2

2020-08-22 Thread 54th Parallel

On Sunday, 23 August 2020 at 07:51:11 UTC+8 one7...@gmail.com wrote:

> Hello,
>
> I'm trying to install mirage-fw with a Fedora-32 Build-AppVM and run into 
> the following error:
>
> OCI runtime create failed: this version of runc doesn't work on cgroups 
> v2: unknown
>
> [...]
>
> Any ideas how to work around this problem or if I need to use another AppVM 
> fedora-30 to build mirage
>
> 799
>

Long story short: Docker doesn't install properly on Fedora versions >30 
because they have cgroups v2. While it's possible to downgrade cgroups in 
Fedora >30, I think it's simpler to just use fedora-30 or its minimal 
version. I wasn't able to get past the Docker installation step in Fedora 
32 without knowing about the cgroup v2 issue, so I don't know how the first 
you read of it was during the building process.
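
A pre-flight check for the cgroup layout discussed in this thread, as an added example that is not part of any poster's message: it classifies the cgroup hierarchy before Docker is installed in the build VM. The function names and the directory parameter are assumptions made for illustration, and treating hybrid mode as usable assumes Docker keeps using the v1 controllers there.

```shell
#!/bin/sh
# Added example (not from the thread). The cgroup mount point is a parameter so
# the check can be exercised on constructed directories; with no argument it
# inspects /sys/fs/cgroup of the VM it runs in.

cgroup_layout() {
    root="${1:-/sys/fs/cgroup}"
    if [ -f "$root/cgroup.controllers" ]; then
        # The unified (v2) hierarchy exposes cgroup.controllers at its root.
        echo v2
    elif [ -f "$root/unified/cgroup.controllers" ]; then
        # systemd hybrid mode: v1 controllers plus a v2 tree under unified/.
        echo hybrid
    elif [ -d "$root/memory" ] || [ -d "$root/cpu" ]; then
        # Legacy (v1): one directory per controller.
        echo v1
    else
        echo unknown
    fi
}

# Returns 0 when the layout is expected to work with the Docker build,
# 1 for cgroups v2 (the Fedora 32 case in this thread), 2 if undetermined.
docker_build_preflight() {
    layout="$(cgroup_layout "$1")"
    case "$layout" in
        v1|hybrid)
            echo "cgroup layout: $layout; Docker build can proceed"
            return 0 ;;
        v2)
            echo "cgroup layout: v2; expect 'this version of runc doesn't work on cgroups v2'" >&2
            return 1 ;;
        *)
            echo "cgroup layout could not be determined" >&2
            return 2 ;;
    esac
}
```

From dom0, a quick equivalent is `qvm-run --pass-io --no-gui $MirageFWBuildVM 'stat -fc %T /sys/fs/cgroup'`, which prints `cgroup2fs` when the VM uses the unified v2 hierarchy.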
