After setting up Alpine Linux to run docker containers and fixing a whole bunch of issues I encountered, I now came to the point where I tried to run a node.js app inside a Docker Container that runs on an Alpine Linux Host. But node immediately exited with a Segmentation Fault. After some experimenting, I went and just started the official node docker container in the latest version and started node inside. It still didn’t work.
~# docker run -it node:latest /bin/bash [email protected]:/# node Segmentation fault
The kernel logs provide only very limited insights:
kern.info kernel: [ 35.465909] device vethe7ba7a4 entered promiscuous mode kern.info kernel: [ 35.466145] IPv6: ADDRCONF(NETDEV_UP): vethe7ba7a4: link is not ready kern.info kernel: [ 35.466151] docker0: port 1(vethe7ba7a4) entered forwarding state kern.info kernel: [ 35.466160] docker0: port 1(vethe7ba7a4) entered forwarding state kern.info kernel: [ 35.467156] docker0: port 1(vethe7ba7a4) entered disabled state kern.warn kernel: [ 35.492075] cgroup: docker (1684) created nested cgroup for controller "memory" which has incomplete hierarchy support. Nested cgroups may change behavior in the future. kern.warn kernel: [ 35.492078] cgroup: "memory" requires setting use_hierarchy to 1 on the root kern.info kernel: [ 35.527037] eth0: renamed from veth1db87ca kern.info kernel: [ 35.538820] IPv6: ADDRCONF(NETDEV_CHANGE): vethe7ba7a4: link becomes ready kern.info kernel: [ 35.538838] docker0: port 1(vethe7ba7a4) entered forwarding state kern.info kernel: [ 35.538843] docker0: port 1(vethe7ba7a4) entered forwarding state kern.info kernel: [ 35.538861] IPv6: ADDRCONF(NETDEV_CHANGE): docker0: link becomes ready kern.info kernel: [ 36.539627] node: segfault at 10 ip 0000000000a6444d sp 0000750c38bd8550 error 4 in node[400000+13c7000] kern.alert kernel: [ 36.539643] grsec: Segmentation fault occurred at 0000000000000010 in /usr/local/bin/node[node:1930] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1919] uid/euid:0/0 gid/egid:0/0 kern.alert kernel: [ 36.539781] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/local/bin/node[node:1930] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1919] uid/euid:0/0 gid/egid:0/0
First, some network config changes done by docker, then docker complains about missing support for nested cgroups, then some more network config changes before node crashes with a segmentation fault. And eventually some error messages because GRSEC prevents node from writing a core dump.
After a lot of searching, there seems to be a whole list of problems in Alpine Linux that prevent it from reliably running Docker Containers, among them GRSEC, problems with LXC networking and missing cgroups hierarchy support. So basically all of the things that show up in the Kernel logs around the Segmentation fault.
By the way, according to the Alpine Bug Tracker, support for nested cgroups was added to Alpine 3.2 – but although I am running 3.3.1, it still isn’t working.
Interestingly enough, in the few days my post about installing Docker Daemon on Alpine Linux has been online, it has already helped somebody else fix the same problem but also lead him to the conclusion that Alpine Linux is not so great as a host for Docker containers.
As with all Linux distributions, if I can’t get them to run properly after a few hours of trying, I throw them away and won’t touch them again for a few years. Now I have added Alpine Linux to that list. Fortunately, there are enough alternatives out there.
But since I’m not really interested of trying out many different Linux distributions, I’ll just go back to Ubuntu. Yes, it is still a ~600 MB download instead of an 80 MB one but at least it works most of the time.
Another valid option for hosting Docker Containers of course would be CoreOS, but since they refuse to include support for CIFS, I cannot use it for my development environment.