Docker pull fails - failed to register layer: operation not supported

anon42915852 · December 16, 2022, 7:34am

No, thank you. I didn't know this guide.I will have a look..

virtualguy · January 11, 2023, 11:03am

Is it an issue with nested overlayfs? I can pull docker images that are only one layer but fails on anything more than that.

Mounting /opt/docker directly to another fs solved it for me

Perhaps increasing the number of layers allowed in the kernel might solve it

Tecnolobo · March 3, 2023, 8:53pm

If you use the overlayfs, just configure docker to use the dir

"/overlay/upper/opt/docker/"

Resolve to me.

BigGress · March 5, 2023, 1:48pm

I run "docker swarm init" in shell
it work for me

fuad00 · April 30, 2023, 12:33pm

try installing fuse-overlayfs package and then restart dockerd using: service dockerd restart

Naftali · March 29, 2024, 5:39am

did not work.
same error

(..)
Downloading https://downloads.openwrt.org/releases/23.05.3/packages/aarch64_generic/packages/libfuse3-3_3.10.5-2_aarch64_generic.ipk
Configuring kmod-fuse.
Configuring libfuse3-3.
Configuring fuse-overlayfs.

# service dockerd restart

# docker run -d -p 8080:80 ghcr.io/jellyfin/jellyfin-vue:unstable
Unable to find image 'ghcr.io/jellyfin/jellyfin-vue:unstable' locally
unstable: Pulling from jellyfin/jellyfin-vue
5385a9a590c3: Pull complete
af2cabb588b4: Pull complete
fb38e42d8990: Pull complete
572477dc8cc3: Pull complete
e1af48caa863: Pull complete
f8e396540ae0: Pull complete
f6c74d1875f4: Pull complete
3011b79dc96c: Pull complete
ecedda15d0f9: Pull complete
5b0492b11632: Pull complete
1870075c580a: Extracting [==================================================>]  981.4kB/981.4kB
docker: failed to register layer: lsetxattr security.capability /usr/sbin/nginx: operation not supported.
See 'docker run --help'.

error

docker: failed to register layer: lsetxattr security.capability /usr/sbin/nginx: operation not supported.

youngt2 · April 3, 2024, 3:51pm

I also get this error now.
Its a different error than the original issue I think.

[+] Pulling 9/10
 ⠙ pihole [⣿⣿⣿⣿⣿⣿⣿⣿⣿] 105.6MB / 106.1MB Pulling                                                                                                           45.1s
   ✔ 5b16029f28c4 Pull complete                                                                                                                            6.2s
   ✔ bfee919580cf Download complete                                                                                                                       24.5s
   ✔ 4f4fb700ef54 Download complete                                                                                                                        0.7s
   ✔ e96c806aa072 Download complete                                                                                                                        1.3s
   ✔ 44bcc07472f9 Download complete                                                                                                                        1.8s
   ✔ fde0fc002115 Download complete                                                                                                                        2.5s
   ✔ 2653524f373e Download complete                                                                                                                       17.9s
   ✔ c16fe7ea4f77 Download complete                                                                                                                        7.3s
   ✔ 5e7ffeb418c7 Download complete                                                                                                                        8.1s
failed to register layer: lsetxattr security.capability /bin/ping: operation not supported

@Naftali did you try mouting another partition? I haven't tried that method as the opk install fuse-overlayfs seemed to be working.

I'll try adding a USB drive and using some of the other methods above.

Not sure if these are related:

github.com/calamares/calamares

lsetxattr() failed: Operation Not Permitted

opened 06:16AM - 02 Sep 19 UTC

closed 10:34AM - 16 Nov 21 UTC

Batcastle

help: needs-feedback

When attempting to install, Calamares throws an rsync error like such: ``` ryn…c: rsync_xal_set: lsetxattr(...,"security.selinux") failed: Operation Not Permitted ``` It does this several times then all of Calamares freezes. I can exit Calamares, and I can tell both in Calamares and GParted the disk has been wiped and partitioned. Also, it looks like most of the OS was copied over. However, `/boot` is notably absent. It is unknown just how much else is missing. This is being done in a VirtualBox VM with a development version of Drauger OS (currently based on Ubuntu 19.04. Will be rebased to 19.10 shortly after it's release). This is on a 64-bit system and the issues are being displayed both in EFI and BIOS. Disk is 50 GB and error is displayed no matter what the partition layout is set to. **To Reproduce** I am honestly unsure how to reproduce this. I could send the ISO to someone to have them test it or provide a download link. **Expected behavior** I expect all files to be copied correctly **Screenshots and Logs** Terminal Output: https://pasteboard.co/IvvePTs.png **Additional context** I have made sure rsync is installed, that the kernel supports selinux, and that I have the correct packages installed. I'm using Calamares 3.2.4-0ubuntu3. The OS is packaged in a squashfs as well if that is important.

https://lists.openwrt.org/pipermail/openwrt-devel/2024-January/041978.html

johndg · April 3, 2024, 6:34pm

just finished upgrading my x86 to 23.05.3, and used a different partition for my docker containers and data (edited /etc/config/dockerd property data_root to point to the data partition I set up).
running docker-compose -f /mnt/data/docker/data/compose.yaml up -d with 3 defined containers failed with one of the - esphome.

the error is failed to register layer: lsetxattr security.capability /usr/bin/ping: operation not supported
some links point to a missing permission:

github.com/mviereck/dockerfile-x11docker-deepin

Failed to run ping command from within docker container: "bash: /usr/bin/ping: Operation not permitted".

opened 09:20AM - 10 Nov 20 UTC

closed 05:44PM - 11 Nov 20 UTC

hongyi-zhao

question

The container is created with [this Dockerfile](https://github.com/hongyi-zhao/d…ockerfile/blob/master/deepin/Dockerfiles/deepin-wine) and started with the following command: `$ x11docker --sudouser -c --hostnet --desktop --init=systemd -- --cap-add=IPC_LOCK --security-opt seccomp=unconfined -- hongyi-zhao/deepin-wine startdde` But I failed to execute the ping command in the container as shown below. ``` werner@X10DAi:~/Desktop$ curl -I www.baidu.com HTTP/1.1 200 OK Accept-Ranges: bytes Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: keep-alive Content-Length: 277 Content-Type: text/html Date: Tue, 10 Nov 2020 09:15:39 GMT Etag: "575e1f60-115" Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT Pragma: no-cache Server: bfe/1.0.8.18 werner@X10DAi:~/Desktop$ ping www.baidu.com bash: /usr/bin/ping: Operation not permitted werner@X10DAi:~/Desktop$ which ping /usr/bin/ping ``` Any hints for this problem? Regards, HY

nothing seems to work.
I tried:

adding:

     cap_add:
      - NET_RAW

setting privileged: true

and it doesn't work.

any ideas?

stangri · April 3, 2024, 7:12pm

What's the filesystem on that partition?

johndg · April 3, 2024, 7:17pm

the filesystem is ext4

youngt2 · April 5, 2024, 1:34am

It might also be worth trying a similar setup with the previous major release. Perhaps it has something to do with kernel upgrade in 22.05?

I won't have time to experiment for a little while though.

Makak · April 5, 2024, 7:43am

Hi,
Similar thread for AdGuard docker.
Would be nice to know how the "no CONFIG_KERNEL_EXT4_FS_SECURITY" build differs from regular.

github.com/AdguardTeam/AdGuardHome

docker pull failed to register layer: lsetxattr security.capability

opened 05:22AM - 11 Mar 24 UTC

closed 04:54AM - 16 Mar 24 UTC

dc-me

### Prerequisites - [X] I have checked the [Wiki](https://github.com/AdguardTea…m/AdGuardHome/wiki) and [Discussions](https://github.com/AdguardTeam/AdGuardHome/discussions/categories/q-a) and found no answer - [X] I have searched other issues and found no duplicates - [X] I want to report a bug and not [ask a question or ask for help](https://github.com/AdguardTeam/AdGuardHome/discussions/categories/q-a) - [X] I have set up AdGuard Home correctly and [configured clients to use it](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients). (Use the [Discussions](https://github.com/AdguardTeam/AdGuardHome/discussions/categories/q-a) for help with installing and configuring clients.) ### Platform (OS and CPU architecture) Linux, ARM64 ### Installation Docker ### Setup On one machine ### AdGuard Home version latest ### Action docker pull adguard/adguardhome:latest ### Expected result pull the image ### Actual result failed to register layer: lsetxattr security.capability /opt/adguardhome/AdGuardHome: operation not supported ### Additional information and/or screenshots ![image](https://github.com/AdguardTeam/AdGuardHome/assets/8910772/002d1eea-c560-4dd3-94f0-8604d9cd8ea0) ![image](https://github.com/AdguardTeam/AdGuardHome/assets/8910772/67161572-5484-4fdc-a30e-d72281fd3d9a)

johndg · April 5, 2024, 5:30pm

youngt2 I upgraded from 22.03 and it worked fine (at least for the esphome container).

also related: X86: Any reason why `CONFIG_NUMA` is disabled for x86 but enabled for some arm devices like layerscape?
and Setcap (libcap) - Failed to set capabilities on file: Not supported

I would've tried building 23.05.3 with these kernel flags turned on (CONFIG_KERNEL_EXT4_FS_SECURITY=y and CONFIG_KERNEL_EXT4_FS_POSIX_ACL=y) but then the official package repo will not work, which is a deal breaker.
it seems that 23.05 breaks docker for openwrt x86 which is a very big issue

stangri · April 5, 2024, 9:43pm

I can try building the x86_64 kernel for 23.05.3 with the flags from @johndg set to yes, is anyone else interested in the binary?

youngt2 · April 6, 2024, 12:44am

I'd be happy to give it a try.

Maybe it is only images that require certain capabilities? I think I ran traefik/whoami without issue.

stangri · April 6, 2024, 7:27pm

I've built (and installed and rebooted) the kernel with the flags set to yes, but I'm still seeing the same error from docker. Does anyone know which flags should show up in the sysctl -a output to indicate that ext4_fs_security is on?

stangri · April 7, 2024, 10:37pm

This is what I've changed, but when force-installing the built kernel IPK and rebooting I'm still getting the same docker error.

localhost:~/openwrt$ ./scripts/diffconfig.sh
CONFIG_TARGET_x86=y
CONFIG_TARGET_x86_64=y
CONFIG_TARGET_x86_64_DEVICE_generic=y
CONFIG_KERNEL_BTRFS_FS_POSIX_ACL=y
CONFIG_KERNEL_CIFS_ACL=y
CONFIG_KERNEL_EXT4_FS_POSIX_ACL=y
CONFIG_KERNEL_EXT4_FS_SECURITY=y
CONFIG_KERNEL_F2FS_FS_POSIX_ACL=y
CONFIG_KERNEL_F2FS_FS_SECURITY=y
CONFIG_KERNEL_FS_POSIX_ACL=y
CONFIG_KERNEL_HFSPLUS_FS_POSIX_ACL=y
CONFIG_KERNEL_HFS_FS_POSIX_ACL=y
CONFIG_KERNEL_JFFS2_FS_POSIX_ACL=y
CONFIG_KERNEL_JFFS2_FS_SECURITY=y
CONFIG_KERNEL_JFS_POSIX_ACL=y
CONFIG_KERNEL_NFS_ACL_SUPPORT=y
CONFIG_KERNEL_REISER_FS_POSIX_ACL=y
CONFIG_KERNEL_SQUASHFS_XATTR=y
CONFIG_KERNEL_TMPFS_POSIX_ACL=y
CONFIG_KERNEL_UBIFS_FS_SECURITY=y
CONFIG_KERNEL_XFS_POSIX_ACL=y
CONFIG_USE_FS_ACL_ATTR=y

youngt2 · April 8, 2024, 12:21am

I have no idea how kernel flags work but do you need the depends listed here?

What shows up in your sysctl with those flags enabled?

stangri · April 8, 2024, 1:11am

That's a very old article, there are not kernel CONFIG flags like those listed at all. There are busybox flags, so I've enabled those and enabled docker DOCKER_STO_EXT4 flag as well, I'll see if it makes any difference.

Ideally someone knowledgable should chirp in so I could try making kernel/docker with the necessary flags than taking shots in the dark. I'm using a very low-powered VM for those builds and each one takes a while.

germano77 · April 21, 2024, 1:09pm

Hi all. any image which I try to install I'm getting the error :
docker: failed to register layer: lsetxattr security.capability /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper: operation not supported.
See 'docker run --help'.

Any suggestion ?

Thank you