Ubuntu 22.04 fails to boot with read-only filesystem (Docker Desktop for macOS)

[quinncomendant]

Hi Jeff,

I'm getting started with ansible and molecule, and am happy to find your pre-built images (thanks!). I'm having some trouble with the new Ubuntu 22.04 image. I'm using Docker Desktop 4.7.1 with default settings (no experimental features) on macOS 12.3.1 on a 2021 MBP w/M1 Pro.

When running docker as per the steps in README.md (except with -it instead of --detach so I can see the output), it fails to boot:

❯ docker run -it --privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro geerlingguy/docker-ubuntu2204-ansible
Failed to look up module alias 'autofs4': Function not implemented
systemd 249.11-0ubuntu3 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS -OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP -LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization docker.
Detected architecture arm64.

Welcome to Ubuntu 22.04 LTS!

Failed to create /init.scope control group: Read-only file system
Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object.
Exiting PID 1...

If I change the volume to read-write mode (by changing --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro to --volume=/sys/fs/cgroup:/sys/fs/cgroup:rw) it boots successfully:

❯ docker run -it --privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:rw geerlingguy/docker-ubuntu2204-ansible
Failed to look up module alias 'autofs4': Function not implemented
systemd 249.11-0ubuntu3 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS -OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP -LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization docker.
Detected architecture arm64.

Welcome to Ubuntu 22.04 LTS!

Couldn't move remaining userspace processes, ignoring: Input/output error
Queued start job for default target Graphical Interface.
Unnecessary job was removed for /dev/vda1.
[  OK  ] Created slice Slice /system/modprobe.
[  OK  ] Created slice User and Session Slice.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
etc…

Is there a reason this image should be run in read-only mode, or is it safe to use in read-write mode?

---

Just for comparison, I also tried to boot your Ubuntu 18.04 and 20.04 images. They boot successfully in read-only mode – except for the Failed to allocate manager object, freezing error, do you know what is causing that?

Here's geerlingguy/docker-ubuntu1804-ansible:

❯ docker run -it --privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro geerlingguy/docker-ubuntu1804-ansible

Welcome to Ubuntu 18.04.6 LTS!

[!!!!!!] Failed to allocate manager object, freezing.

Here's geerlingguy/docker-ubuntu2004-ansible:

❯ docker run -it --privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro geerlingguy/docker-ubuntu2004-ansible

Welcome to Ubuntu 20.04.4 LTS!

[!!!!!!] Failed to allocate manager object.

[quinncomendant]

This seems like it's related, but I don't really understand it: https://serverfault.com/questions/1053187/systemd-fails-to-run-in-a-docker-container-when-using-cgroupv2-cgroupns-priva

[quinncomendant]

The release notes for Docker Desktop 4.3.0 include this note about using cgroup v2 (emphasis mine):

Docker Desktop now uses cgroupv2. If you need to run systemd in a container then:

• Ensure your version of systemd supports cgroupv2. It must be at least systemd 247. Consider upgrading any centos:7 images to centos:8.
• Containers running systemd need the following options: --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw.

This github issue for docker desktop confirms this requirement by many users, and has lots of backlinks from other projects that use systemd that broke when Docker Desktop 4.3.0 was released. There's this comment that specifically mentions Ubuntu 22.04 requiring these options, and how the --cgroupns=host option may not be required, which my tests confirm.

So, with regards to your docker-ubuntu2204-ansible image, I think the fix is to update README.md to include these options that are required to run it on Docker Desktop.

[quinncomendant]

This github issue for the Moby Project also confirms that it appears necessary to expose /sys/fs/cgroup as read-write as of systemd version 248.

Its author offers workarounds:

• boot host with systemd.unified_cgroup_hierarchy=0
• remove ro flag from docker run arg -v /sys/fs/cgroup:/sys/fs/cgroup:ro but this contaminates the host cgroup, causing e.g. docker top to get confused:

Another user suggests it can also be solved using namespace isolation (--userns-remap) or by just using podman instead of docker.

[tofi86]

• Containers running systemd need the following options: --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw.

I had the same issue and I can confirm that it works with these changes...

[mikch06]

Did by kernel parameter:
Not nice, but it works:

kargs --append='systemd.unified_cgroup_hierarchy=0'

https://docs.fedoraproject.org/en-US/fedora-coreos/kernel-args/