After Update Docker starts only with privileged: true #755

Closed
Powerbolt1989 opened this issue Feb 7, 2021 · 19 comments
Labels
platform/rpi Issue found when running on RaspberryPi

Comments

@Powerbolt1989

After a rebuild today, my server starts only with privileged: true.

Without it I get the error message:

```
sleep: cannot read realtime clock: Operation not permitted
curl: (28) Resolving timed out after 1225600658137 milliseconds
sleep: cannot read realtime clock: Operation not permitted
[init] Running as uid=1000 gid=1000 with /data as 'drwxrwsr-x+ 8 1000 1000 4096 Jan 29 2021 /data'
curl: (28) Timeout was reached
[init] Resolved version given LATEST into
[init] Autopause functionality enabled
[init] Resolving type given SPIGOT
sleep: cannot read realtime clock: Operation not permitted
```

System is the Raspberry Pi 4 with 8 GB

What could I do to fix this problem?

thx
Powerbolt

@Powerbolt1989
Author

Powerbolt1989 commented Feb 7, 2021

```yaml
version: "3"

services:
  minecraft:
    image: itzg/minecraft-server:multiarch-latest
    # image: itzg/minecraft-server:2021.1.0-multiarch-latest
    ports:
      - "25565:25565"
    volumes:
      - "/srv/dev-disk-by-label-WD10a/minecraft/mcgame:/data"
    environment:
      TZ: Europe/Berlin
      EULA: "TRUE"
      ENABLE_RCON: "false"
      TYPE: SPIGOT
      MEMORY: 2700m
      ENABLE_AUTOPAUSE: "TRUE"
      AUTOPAUSE_TIMEOUT_EST: "200"
      AUTOPAUSE_TIMEOUT_INIT: "200"
    restart: unless-stopped
    container_name: MinecraftServer
    tty: true
    stdin_open: true
    # privileged: true
```

My Compose File

@itzg
Owner

itzg commented Feb 7, 2021

That fix seems fairly logical. I think I only have a RPI 3B+ and will need to revive it. Can you try some of the slightly older tags to see if you can narrow where it might have changed? It's probably a change in the base image.

@Powerbolt1989
Author

Mhm,
I tried 4 older builds now. Same error. I updated Docker itself too. Maybe there are some changes there?

@itzg
Owner

itzg commented Feb 8, 2021

Oh, if you updated Docker recently then that's more likely the cause.

@itzg itzg added the status/waiting on feedback Waiting on feedback from author of issue label Feb 8, 2021
@Powerbolt1989
Author

6 Docker Compose setups are now running on the Pi. The only one that causes this problem is the Minecraft image. It runs perfectly in privileged mode, but I don't want it to run in this mode.

@no-response no-response bot removed the status/waiting on feedback Waiting on feedback from author of issue label Feb 8, 2021
@itzg
Owner

itzg commented Feb 8, 2021

I agree that I wouldn't want to enable privileged mode; however, I'm running out of ideas :( Since sleep is a very basic command and only used by the autopause code, you can stop using the autopause feature. Are any of your other containers calling sleep successfully?

@Powerbolt1989
Author

I don't have any other containers with sleep. But without autopause I get errors.

```
[init] Running as uid=1000 gid=1000 with /data as 'drwxrwsr-x+ 8 1000 1000 4096 Jan 29 2021 /data'
curl: (28) Timeout was reached
[init] Resolved version given LATEST into
[init] Resolving type given SPIGOT
[init] Downloading Spigot from https://cdn.getbukkit.org/spigot/spigot-1.16.5.jar ...
curl: (28) Timeout was reached
[init] Running as uid=1000 gid=1000 with /data as 'drwxrwsr-x+ 8 1000 1000 4096 Jan 29 2021 /data'
```

@itzg
Owner

itzg commented Feb 9, 2021

It's strange that disabling auto-pause caused a difference in behavior early in startup. In any case, I'm afraid you're now hitting this other issue

#756

...and I'm stuck wondering what the upstream image has done to break curl.

@BC6B

BC6B commented Feb 10, 2021

Just did a fresh install of Docker on a Raspberry Pi 4 and ran into this exact same issue. Any idea which version broke this? I might try to downgrade.

@Powerbolt1989
Author

Powerbolt1989 commented Feb 10, 2021

I installed the itzg Minecraft server on January 18th. I think I updated Docker 2-3 days before @BC6B. So the versions before 18th January must work.
But I don't want to downgrade my Docker, so I'll wait for a fix for this.

@BC6B

BC6B commented Feb 10, 2021

I ended up downgrading Docker to 19.03.15 last night but ran into the same timeout. I will try to go back further tonight.

@itzg itzg added the platform/rpi Issue found when running on RaspberryPi label Feb 10, 2021
@itzg
Owner

itzg commented Feb 10, 2021

Maybe there was a kernel update that influenced this. What distro is everyone here running on rpi? Raspbian?

@Powerbolt1989
Author

Yes, for me it is Raspbian 32-bit

@Powerbolt1989
Author

Yeah @itzg, I found the solution. We need to upgrade libseccomp on the RP4.

http://ftp.debian.org/debian/pool/main/libs/libseccomp/libseccomp2_2.5.1-1_armhf.deb
sudo dpkg -i libseccomp2_2.5.1-1_armhf.deb

Link this to the other tickets. It also fixed the autopause.

Have a great day, Powerbolt

@itzg
Owner

itzg commented Feb 20, 2021

Good to close the issue then?

@RobieOne

Upgrading libseccomp worked for me... Thanks Powerbolt1989!

@xcellardoor

Hi Everyone,

A friend recently helped me out with this, and I thought it may be helpful to post the (very simple) workaround here for anyone to find in the future.

It turns out Docker has a special flag for shared-volumes, the 'Z' flag. There is also the lower-case 'z' flag though they do different things. See: https://stackoverflow.com/a/35222815 and https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

I'm not 100% sure of the technical ins and outs as my RasPi4 doesn't run SELinux though it does appear to have an AppArmor module running. Either way, setting my persistent data volume to use this 'Z' flag solved all problems immediately, e.g:

```yaml
minecraft:
  container_name: minecraft-server
  image: itzg/minecraft-server:multiarch-latest
  volumes:
    - "/srv/volumes/minecraft_server:/data:Z"
```

Sorry for necro-bumping, but hope this helps someone out who may still be struggling when the solutions above didn't work, as was my case.

@itzg
Owner

itzg commented Mar 7, 2021

Great info @xcellardoor ! I could add a note about that in the README.

@itzg
Owner

itzg commented Mar 29, 2021

Just found that the official description of the seccomp solution is mentioned here: https://docs.docker.com/engine/security/seccomp/
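
A triage check for the symptom and fix reported in this thread, as an added example that is not part of the original issue or the project's code. The function names and verdict strings are hypothetical, `2.5.1` is taken from the libseccomp2 package named above, and a Debian-based host with GNU `sort -V` is assumed.

```shell
#!/usr/bin/env bash
# Added example: triage for the clock EPERM symptom reported in this thread.

# Upstream version of the libseccomp2 package the thread reports as the fix.
FIXED_VERSION="2.5.1"

# Log excerpt as quoted in the issue.
sample_log() {
    cat <<'EOF'
sleep: cannot read realtime clock: Operation not permitted
curl: (28) Timeout was reached
EOF
}

# Return 0 if version $1 is strictly older than version $2 (needs sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Upstream version of libseccomp2 on a Debian-based host; empty if unknown.
installed_libseccomp() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f='${Version}' libseccomp2 2>/dev/null | sed 's/-[^-]*$//'
}

# Read container logs on stdin, take the installed version as $1, print a verdict.
# Verdict strings are hypothetical labels chosen for this example.
triage() {
    local installed="$1"
    if ! grep -q 'cannot read realtime clock: Operation not permitted'; then
        echo "no-match"
    elif [ -z "$installed" ]; then
        echo "unknown-libseccomp"
    elif version_lt "$installed" "$FIXED_VERSION"; then
        echo "upgrade-libseccomp"   # fix the host library, keep privileged off
    else
        echo "look-elsewhere"       # library already at or past the thread's version
    fi
}

# Usage: docker logs MinecraftServer 2>&1 | ./triage.sh --host
if [ "${1:-}" = "--host" ]; then
    triage "$(installed_libseccomp)"
fi
```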


5 participants