Configuring Docker Daemon for using containerd image store instead of docker

prsnca · July 9, 2024, 3:34pm

Hi,

We are trying to leverage a relative new feature released by docker - which is using the containerd image store instead of the default docker - which does not support storing attestations.
On the official Docker docs (titled “containerd image store with Docker Engine”)
it suggests to change the Docker Daemon settings by manually adding the daemon.json to the /etc/docker/ folder - which of course is not supported as part of a CircleCI pipeline.
We tried using SSH and manually setting this up (and later move the commands to the pipeline), but could not restart the Docker Daemon successfully.

Any suggestions here?

Thanks!

akrash-nadeem · July 9, 2024, 3:37pm

can you share some more information or commands or errors you are getting when restarting the daemon.

prsnca · July 9, 2024, 3:57pm

Sure, I tried these set of commands:

circleci@c4310c9b0b97:/etc/docker$ sudo systemctl restart docker
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
circleci@c4310c9b0b97:/etc/docker$ sudo service docker restart
/etc/init.d/docker: 61: ulimit: error setting limit (Operation not permitted)
circleci@c4310c9b0b97:/etc/docker$ sudo service  docker --full-restart
 * Docker already stopped - file /var/run/docker-ssd.pid not found.
/etc/init.d/docker: 61: ulimit: error setting limit (Operation not permitted)

And then this:

circleci@b8b9907352b6:/etc/docker$ sudo pkill dockerd
circleci@b8b9907352b6:/etc/docker$ sleep 5
circleci@b8b9907352b6:/etc/docker$ sudo dockerd &
[1] 118
circleci@b8b9907352b6:/etc/docker$ INFO[2024-07-09T08:46:13.187165223Z] Starting up                                  
failed to load listeners: can't create unix socket /var/run/docker.sock: device or resource busy
^C
[1]+  Exit 1                  sudo dockerd

Also tried to delete the docker.sock but without success:

circleci@b8b9907352b6:/etc/docker$ sudo rm -f /var/run/docker.sock
rm: cannot remove '/var/run/docker.sock': Device or resource busy

akrash-nadeem · July 9, 2024, 4:02pm

i thinks it’s related to user permission.

although sudo should have worked but i think there is some misconfigurations in systemd

akrash-nadeem · July 9, 2024, 4:03pm

Have you passed the docker sock to any container as some container require to pass docker sock of the host machine.

prsnca · July 9, 2024, 4:22pm

I have not touched anything other than the default config… we don’t even have setup_remote_docker as one of the steps
Any other commands I should try using?

akrash-nadeem · July 9, 2024, 4:35pm

Have you tried reinstalling docker

prsnca · July 9, 2024, 4:51pm

inside the CircleCI machine? no…
doesn’t sound like the right approach… too hacky for a pipeline

akrash-nadeem · July 9, 2024, 4:53pm

hmm if you are running it in Circleci machine then i think it is expected that you can’t restart the docker even if you run sudo apt-get update you will see some warnings.
I think they have some kind of security setup on there machines

akrash-nadeem · July 9, 2024, 4:53pm

what image you are using in the machine

prsnca · July 9, 2024, 5:00pm

this is what i get when running docker version:

circleci@b8b9907352b6:/etc/docker$ docker version
Client: Docker Engine - Community
 Version:           24.0.6
 API version:       1.43
 Go version:        go1.20.7
 Git commit:        ed223bc
 Built:             Mon Sep  4 12:31:44 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.0.2
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.9
  Git commit:       7cef0d9
  Built:            Thu Apr 18 16:27:07 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.31
  GitCommit:        e377cd56a71523140ca6ae87e30244719194a521
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

prsnca · July 9, 2024, 5:00pm

this is the docker image config:

    docker:
        - image: cimg/node:20.11

akrash-nadeem · July 9, 2024, 5:08pm

I hope you are not running docker inside docker because circleci does not support running docker inside docker you can check the answer here . try using this
image for your machine i hope it will fix the problem.

machine:
      image: ubuntu-2404:current

prsnca · July 10, 2024, 12:59pm

Amazing, this worked!!

I changed the image as you suggested and added this step:

    modify_docker_daemon_config:
        steps:
            - run:
                  name: Modify Docker Daemon Configuration
                  command: |
                    echo '{"features": {"containerd-snapshotter": true}}' | sudo tee /etc/docker/daemon.json
                    sudo systemctl restart docker

and now our build creates the attestation as we wanted!

Thanks

akrash-nadeem · July 10, 2024, 1:00pm

always happy to help

Topic		Replies	Views
Why can't I start docker daemon in CircleCI Convinence Images? Build Environment docker , cimg	2	1206	January 5, 2023
Build Docker image Build Environment docker , circle-yml	5	3628	July 17, 2019
CircleCi: Couldn't connect to Docker daemon at http+docker://localhost Build Environment	2	4019	October 1, 2018
Configuring Mysql Server Settings on Secondary Convenience Images Build Environment docker , mysql	4	2189	January 22, 2021
Couldn't connect to Docker daemon at https Build Environment docker , circle-yml	4	4189	October 5, 2020

Configuring Docker Daemon for using containerd image store instead of docker

Related topics