#Dagger Engine permission issue on startup


primal patio
#

I'm getting a crashback loop when Dagger tries to start

#
$ ./dagger-0.9.10 run 'echo hello'
┻ 

⧗ 1m27.1s ✔ 1
run canceled
#
$ docker version
Client: Docker Engine - Community
 Version:           24.0.7
 API version:       1.43
 Go version:        go1.20.10
 Git commit:        afdd53b
 Built:             Thu Oct 26 09:09:18 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.7
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.10
  Git commit:       311b9ff
  Built:            Thu Oct 26 09:08:20 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.26
  GitCommit:        3dd1e886e55dd695541fdcd67420c2888645a495
 runc:
  Version:          1.1.10
  GitCommit:        v1.1.10-0-g18a0cb0
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
#
$ uname -a
Linux dev-tony-r8stg 4.18.0-513.9.1.el8_9.x86_64 #1 SMP Wed Nov 29 18:55:19 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
primal patio
#

ok, the root user can run the Dagger hello world on this system.

#

So this seems more like a permission issue with Docker / Dagger Engine

Seems like I should be able to start the dagger-engine container manually, with custom flags like --privileged

#

The user is set up to use sudoless docker

#

huh, if I start the engine as root, then all is good.

#

by that I mean, I switch back from root and then the same pipeline that failed as the user now passes


vivid talon
#

This is a system with docker, correct?

#

What distro are you using @primal patio ?

#

what happens if you try to run the engine manually with both the "regular" and "root" user?

docker run -v /var/lib/dagger --rm --privileged --name test-engine registry.dagger.io/engine:v0.9.10

does the engine start "normally" in both cases?

primal patio
#
  • FAIL: rocky-8 from gcloud with docker 24.0.7
  • PASS: centos-7 from gcloud with docker 18.0.6
vivid talon
#

does it work with the root user in rocky-8?

primal patio
#

yes, and after that, no problem for user to run pipelines

#

I was even just able to restart the engine as the user no problem, so something happened in my debugging / root adventures

#

I'll start from a fresh point where I can reliably fail again tomorrow

vivid talon
#

๐Ÿ‘ let us know how it goes

#

I'll try spawning a rocky-8 vm myself and giving it a try 🙏

primal patio
#

thanks!

vivid talon
#

@primal patio found the issue, you need to add iptable_nat as a kernel module for it to work

#

basically sudo modprobe iptable_nat

#

the reason why it works with sudo is because dagger will try to load the module automatically for you and because rocky linux is using selinux, the non-root user won't be able to do it even when using privileged containers

primal patio
#

cool, we also have containerd installed and are trying to migrate to that runtime