windows icon indicating copy to clipboard operation
windows copied to clipboard
verified publisher icon dockur

failed to deploy when trying to pull an IP address from router DHCP server issue

Open alpha754293 opened this issue 1 year ago • 3 comments

I'm trying to either set a static IP address or have it pull an IP address from my router's DHCP server.

I am trying to deploy this with Portainer.

I've created the macvlan rule and deployed the macvlan configuration as the network named "vlan".

This is my docker compose file:

version: "3"
services:
  windows:
    image: dockurr/windows
    container_name: win11
    environment:
      VERSION: "win11"
      RAM_SIZE: "8G"
      CPU_CORES: "4"
      DHCP: "Y"
    volumes:
      - /var/win:/storage
    devices:
      - /dev/kvm
    cap_add:
      - NET_ADMIN
    security_opt:
      - seccomp:unconfined
      - apparmor:unconfined
    ports:
      - 8006:8006
      - 3389:3389/tcp
      - 3389:3389/udp
    stop_grace_period: 2m
    restart: on-failure
    networks:
      vlan:
    device_cgroup_rules:
      - 'c *:* rwm'

networks:
  vlan:
    external: true

This is the error message that I get:

failed to deploy a stack: Container win11 Creating Container win11 Created Container win11 Starting Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error setting cgroup config for procHooks process: failed to write "c *:* rw": write /sys/fs/cgroup/devices/docker/cd5d0024a1ec45697da89ff71b1a24fc6a15d0f864c4359a7cbb9e9cfdd0d3df/devices.allow: operation not permitted: unknown

Your help is greatly appreciated.

Thank you.

alpha754293 avatar Mar 10 '24 02:03 alpha754293

The error says you have no permission to write to device_cgroup_rules but Im not sure why.

You can try adding privileged: true to the compose file, to run the container with more permissions. But normally that shouldnt be necessary!

kroese avatar Mar 10 '24 10:03 kroese

@kroese Thank you.

I can try that.

Three things that I've done or changed since I posted this issue.

  1. I am no longer trying to deploy the container with Portainer anymore. It would download the Win11 ISO and would go through the process of extracting the installer, but then when it needs to reboot to actually launch the installer, it will fail to stay connected.

  2. So, now I am just using the normal "docker run" command.

  3. Even outside of the Portainer environment, I tried deploying said Docker container via docker-compose up -d, and that resulted in the same thing as when I was trying to deploy this from within Portainer.

Not really sure why that is.

I also had to add in two additional options to the docker run command:

--security-opt apparmor:unconfined and also --sysctl net.ipv4.ip_forward=1 for it to work properly.

I haven't tried to get this to pick up an IPv4 address from my router's DHCP server, as I am having limited success with getting this to run the way I think that it is supposed to.

Once I solve those pieces, then I can work on getting it to pick up an IPv4 address from my router's DHCP server, but I need the "recipe" to be working in a stable and consistent manner first.

Thank you.

alpha754293 avatar Mar 10 '24 15:03 alpha754293

Just to add here: I am running it in an unprivilege LXC container.

My docker-compose.yml file now looks like this:

version: "3"
services:
  win11:
    image: dockurr/windows
    container_name: win11
    devices:
      - /dev/kvm
    environment:
      VERSION: "win11"
      RAM_SIZE: "8G"
      CPU_CORES: "4"
    cap_add:
      - NET_ADMIN
    volumes:
      - ./win11:/storage
    security_opt:
      - apparmor:unconfined
    sysctls:
      net.ipv4.ip_forward: 1
    networks:
      vlan:
        ipv4_address: 10.172.194.142
    ports:
      - 8006:8006
      - 3389:3389/tcp
      - 3389:3389/udp
    stop_grace_period: 2m
    restart: on-failure

networks:
  vlan:
    external: true

alpha754293 avatar Mar 12 '24 01:03 alpha754293

So the issue is solved now?

In any case you wont be able to use DHCP mode in a unprivileged LXC container, as the macvlan interface can only be created using mknod which wont work within unprivileged LXC.

See https://github.com/vdsm/virtual-dsm/issues/382 for more background on that.

kroese avatar Mar 12 '24 01:03 kroese

Ahh...okay. Gotcha.

Thank you.

I was able to "create" the macvlan (both when I ran it with "standalone Docker/docker compose") and in Portainer, I would create the macvlan configuration, and then deploy the config by calling it vlan.

The driver shows up as null, but I am able to connect to it at the IP that I have assigned in the docker-compose.yml file, so it works enough for me. (DHCP is not 100% necessary/critical. At least not yet.)

alpha754293 avatar Mar 12 '24 02:03 alpha754293