Docker pull fails - failed to register layer: operation not supported

No, thank you. I didn't know this guide. I will have a look.

Is it an issue with nested overlayfs? I can pull docker images that are only one layer but fails on anything more than that.

Mounting /opt/docker directly to another fs solved it for me

Perhaps increasing the number of layers allowed in the kernel might solve it

If you use the overlayfs, just configure docker to use the dir

"/overlay/upper/opt/docker/"

Resolved for me.

2 Likes

I run "docker swarm init" in the shell
it works for me

try installing fuse-overlayfs package and then restart dockerd using: service dockerd restart

4 Likes

did not work.
same error

(..)
Downloading https://downloads.openwrt.org/releases/23.05.3/packages/aarch64_generic/packages/libfuse3-3_3.10.5-2_aarch64_generic.ipk
Configuring kmod-fuse.
Configuring libfuse3-3.
Configuring fuse-overlayfs.

# service dockerd restart

# docker run -d -p 8080:80 ghcr.io/jellyfin/jellyfin-vue:unstable
Unable to find image 'ghcr.io/jellyfin/jellyfin-vue:unstable' locally
unstable: Pulling from jellyfin/jellyfin-vue
5385a9a590c3: Pull complete
af2cabb588b4: Pull complete
fb38e42d8990: Pull complete
572477dc8cc3: Pull complete
e1af48caa863: Pull complete
f8e396540ae0: Pull complete
f6c74d1875f4: Pull complete
3011b79dc96c: Pull complete
ecedda15d0f9: Pull complete
5b0492b11632: Pull complete
1870075c580a: Extracting [==================================================>]  981.4kB/981.4kB
docker: failed to register layer: lsetxattr security.capability /usr/sbin/nginx: operation not supported.
See 'docker run --help'.

error

docker: failed to register layer: lsetxattr security.capability /usr/sbin/nginx: operation not supported.

I also get this error now.
It's a different error than the original issue, I think.

[+] Pulling 9/10
 ⠙ pihole [⣿⣿⣿⣿⣿⣿⣿⣿⣿] 105.6MB / 106.1MB Pulling                                                                                                           45.1s
   ✔ 5b16029f28c4 Pull complete                                                                                                                            6.2s
   ✔ bfee919580cf Download complete                                                                                                                       24.5s
   ✔ 4f4fb700ef54 Download complete                                                                                                                        0.7s
   ✔ e96c806aa072 Download complete                                                                                                                        1.3s
   ✔ 44bcc07472f9 Download complete                                                                                                                        1.8s
   ✔ fde0fc002115 Download complete                                                                                                                        2.5s
   ✔ 2653524f373e Download complete                                                                                                                       17.9s
   ✔ c16fe7ea4f77 Download complete                                                                                                                        7.3s
   ✔ 5e7ffeb418c7 Download complete                                                                                                                        8.1s
failed to register layer: lsetxattr security.capability /bin/ping: operation not supported

@Naftali did you try mounting another partition? I haven't tried that method as the opkg install fuse-overlayfs seemed to be working.

I'll try adding a USB drive and using some of the other methods above.

Not sure if these are related:

https://lists.openwrt.org/pipermail/openwrt-devel/2024-January/041978.html

1 Like

just finished upgrading my x86 to 23.05.3, and used a different partition for my docker containers and data (edited /etc/config/dockerd property data_root to point to the data partition I set up).
running docker-compose -f /mnt/data/docker/data/compose.yaml up -d with 3 defined containers failed with one of the - esphome.

the error is failed to register layer: lsetxattr security.capability /usr/bin/ping: operation not supported
some links point to a missing permission:

nothing seems to work.
I tried:

  1. adding:
     cap_add:
       - NET_RAW
  2. setting privileged: true

and it doesn't work.

any ideas?

What's the filesystem on that partition?

the filesystem is ext4

It might also be worth trying a similar setup with the previous major release. Perhaps it has something to do with kernel upgrade in 22.05?

I won't have time to experiment for a little while though.

Hi,
Similar thread for AdGuard docker.
Would be nice to know how the "no CONFIG_KERNEL_EXT4_FS_SECURITY" build differs from regular.

1 Like

youngt2 I upgraded from 22.03 and it worked fine (at least for the esphome container).

also related: X86: Any reason why `CONFIG_NUMA` is disabled for x86 but enabled for some arm devices like layerscape?
and Setcap (libcap) - Failed to set capabilities on file: Not supported

I would've tried building 23.05.3 with these kernel flags turned on (CONFIG_KERNEL_EXT4_FS_SECURITY=y and CONFIG_KERNEL_EXT4_FS_POSIX_ACL=y) but then the official package repo will not work, which is a deal breaker.
it seems that 23.05 breaks docker for openwrt x86 which is a very big issue

1 Like

I can try building the x86_64 kernel for 23.05.3 with the flags from @johndg set to yes, is anyone else interested in the binary?

I'd be happy to give it a try.

Maybe it is only images that require certain capabilities? I think I ran traefik/whoami without issue.

I've built (and installed and rebooted) the kernel with the flags set to yes, but I'm still seeing the same error from docker. Does anyone know which flags should show up in the sysctl -a output to indicate that ext4_fs_security is on?

This is what I've changed, but when force-installing the built kernel IPK and rebooting I'm still getting the same docker error.

localhost:~/openwrt$ ./scripts/diffconfig.sh
CONFIG_TARGET_x86=y
CONFIG_TARGET_x86_64=y
CONFIG_TARGET_x86_64_DEVICE_generic=y
CONFIG_KERNEL_BTRFS_FS_POSIX_ACL=y
CONFIG_KERNEL_CIFS_ACL=y
CONFIG_KERNEL_EXT4_FS_POSIX_ACL=y
CONFIG_KERNEL_EXT4_FS_SECURITY=y
CONFIG_KERNEL_F2FS_FS_POSIX_ACL=y
CONFIG_KERNEL_F2FS_FS_SECURITY=y
CONFIG_KERNEL_FS_POSIX_ACL=y
CONFIG_KERNEL_HFSPLUS_FS_POSIX_ACL=y
CONFIG_KERNEL_HFS_FS_POSIX_ACL=y
CONFIG_KERNEL_JFFS2_FS_POSIX_ACL=y
CONFIG_KERNEL_JFFS2_FS_SECURITY=y
CONFIG_KERNEL_JFS_POSIX_ACL=y
CONFIG_KERNEL_NFS_ACL_SUPPORT=y
CONFIG_KERNEL_REISER_FS_POSIX_ACL=y
CONFIG_KERNEL_SQUASHFS_XATTR=y
CONFIG_KERNEL_TMPFS_POSIX_ACL=y
CONFIG_KERNEL_UBIFS_FS_SECURITY=y
CONFIG_KERNEL_XFS_POSIX_ACL=y
CONFIG_USE_FS_ACL_ATTR=y
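
An added example, not from any poster in this thread: it tests the behaviour directly by attempting the same `security.capability` xattr write that dockerd fails on, against a scratch file in the data directory, and it also parses the error line to show which file and attribute were involved. It assumes Python 3 on the host and a run as root; the function names are illustrative.

```python
import errno
import os
import re
import struct
import sys
import tempfile

# Matches the daemon error shown in the thread, with or without the
# "docker: " prefix and the trailing full stop.
LAYER_ERR = re.compile(
    r"failed to register layer: (?P<call>\w+) (?P<xattr>\S+) "
    r"(?P<path>.+?): (?P<reason>.+?)\.?\s*$"
)
# Minimal valid security.capability value (vfs_cap_data revision 2):
# effective flag set, permitted = CAP_NET_RAW (bit 13), nothing inheritable.
CAP_NET_RAW_V2 = struct.pack("<5I", 0x02000001, 1 << 13, 0, 0, 0)

def parse_layer_error(line):
    """Return call/xattr/path/reason from a 'failed to register layer' line."""
    m = LAYER_ERR.search(line)
    return m.groupdict() if m else None

def classify(err):
    """Map the errno from setxattr to what it says about the filesystem."""
    if err == 0:
        return "supported"
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "unsupported"    # the same failure dockerd reports
    if err in (errno.EPERM, errno.EACCES):
        return "inconclusive"   # probe lacks CAP_SETFCAP; rerun as root
    return "error"

def probe(directory, name="security.capability", value=CAP_NET_RAW_V2):
    """Try to set one xattr on a scratch file created inside `directory`."""
    if not hasattr(os, "setxattr"):
        return "error"          # os.setxattr is Linux-only
    with tempfile.NamedTemporaryFile(dir=directory) as scratch:
        try:
            os.setxattr(scratch.name, name, value)
            return classify(0)
        except OSError as exc:
            return classify(exc.errno)

if __name__ == "__main__":
    # /opt/docker is the data directory named in the thread; pass your own.
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/docker"
    print(target, probe(target))
```

A result of "unsupported" for the directory configured as `data_root` means the filesystem as mounted by the running kernel rejects `security.*` xattrs, whatever the build configuration says.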

I have no idea how kernel flags work but do you need the depends listed here?

What shows up in your sysctl with those flags enabled?

1 Like

That's a very old article, there are no kernel CONFIG flags like those listed at all. There are busybox flags, so I've enabled those and enabled docker DOCKER_STO_EXT4 flag as well, I'll see if it makes any difference.

Ideally someone knowledgeable should chirp in so I could try making kernel/docker with the necessary flags than taking shots in the dark. :wink: I'm using a very low-powered VM for those builds and each one takes a while.

Hi all. Any image which I try to install, I'm getting the error:
docker: failed to register layer: lsetxattr security.capability /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper: operation not supported.
See 'docker run --help'.

Any suggestion?

Thank you