Docker containers won't run after recent apt-get upgrade

Hi,

I’ve just done a clean install of JetPack 4.6 on an Jetson Nano B01, pulled and ran the corresponding Docker image ‘l4t-ml’. After performing an apt update and upgrade (i.e. sudo apt-get update && sudo apt-get upgrade), the Docker image fails to run, giving the following:

docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall clone3: permission denied: unknown.
ERRO[0006] error waiting for container: context canceled
davidb@JetsnNno4GB:~$ sudo systemctl restart docker
davidb@JetsnNno4GB:~$ ./docker_ml.sh
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall clone3: permission denied: unknown.

The same is also true for my Jetson Nano 2GB, which used to run any Docker image. Any ideas for a fix? Thanks in advance.

David

Hi @davidb1

The engineers are working to release a package soon as possible. Meanwhile, you can downgrade docker to the previous version with these commands:

sudo apt install docker.io=20.10.7-0ubuntu1~18.04.2
sudo apt install containerd=1.5.2-0ubuntu1~18.04.3

Raffaello

3 Likes

Hi @Raffaello ,

That works perfectly on the Nano 2GB and saves me from having to start from scratch. However, for the Nano 4GB, I get this:

davidb@JetsnNno4GB:~$ sudo apt install docker.io=20.10.7-0ubuntu1~18.04.2
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Version ‘20.10.7-0ubuntu1~18.04.2’ for ‘docker.io’ was not found

And because of that the Docker image won’t run on the Nano 4GB.

davidb@JetsnNno4GB:~$ sudo docker run -it --rm --runtime nvidia --network host nvcr.io/nvidia/l4t-ml:r32.6.1-py3
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall clone3: permission denied: unknown.

So still stuck for the Nano 4GB.

David

I don’t know for sure, but it sounds like the one Nano simply included an apt repository that the other did not have set up. You might compare this content on both Nanos and see if one has a repo the other does not:

/etc/apt/sources.list
/etc/apt/sources.list.d/*.list

(note that files in “sources.list.d” are usually from individual packages setting repositories…sources.list could be hand edited, but if a file is missing in sources.list.d/*.list, then you might investigate which package provides that file…but you could hand create it as well)

@davidb1 if you can’t get that working, there is a similar suggestion to try from GitHub here:

1 Like

If you are lucky, the ld archive is still on your disk. So try dpkg -i /var/cache/apt/archives/docker.io_20.10.7-0ubuntu1~18.04.2_amd64.deb or whatever version you have had installed previously.

Have fun,
jel.

Or you can download old version from https://launchpad.net/ubuntu/+source/docker.io/20.10.2-0ubuntu1~18.04.2/+build/21335731/+files/docker.io_20.10.2-0ubuntu1~18.04.2_arm64.deb
and do "sudo dpkg -i

3 Likes

Hi @linuxdev,

The only difference between the two is the presence of nodesource.list in /etc/apt/sources.list.d.

Hi @gizze59 ,

That worked for my Jetson Nano 4GB. However trying to pin the versions of docker.io and containerd in the file /etc/apt/preferences based on Docker fails to create container after upgrading docker on Jetpack 4.9 · Issue #108 · dusty-nv/jetson-containers · GitHub does not seem to work as apt-get upgrade wants to upgrade to docker.io_20.10.7-0ubuntu5~18.04.3.

That being said, I now know how to restore the files. Thanks.

The command to downgrade docker.io fails on my xavier. Error is Version ‘20.10.7-0ubuntu1~18.04.2’ for ‘docker.io’ was not found.

Hi @danpollock

I manually download following this comment from @dusty_nv

1 Like

That fixed it thanks :) Now I can play with the gems.

Hi @davidb1 @gizze59
Thank you very much for your help, I have done the steps that you have suggested and it worked perfectly on my Jetson Nano 4GB.

Hi @davidb1 and @gizze59
thank you very much for your help. it worked perfect for me on my jetson nano 4GB.

Has this issue cropped up again? I performed a sudo apt-get update/upgrade after installing some tools from Stereolabs for my new ZED2i camera.

I’m trying to run Stereolab’s ROS2 wrapper in a docker container. When I try to run the ROS2 foxy docker container with the following command on a Jetson Nano 4GB:

$sudo docker run --runtime nvidia -it --rm --network host ros:foxy-ros-base-l4t-r32.6.1

I’m getting the following error response:

docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall clone3: permission denied: unknown.

Hi @ksymons, the issue is still in the process of being resolved, so yes if you did an apt upgrade then it probably updated your docker/containerd packages. Please see here for how to downgrade them:

Thanks, I’m now able to run the ROS2 Foxy container after following your instructions.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.