Docker isn't working after apt upgrade

After the first boot of Jetpack4.6 I am running on terminal:

sudo apt update

sudo apt upgrade

At which point I am asked if I want to restart the Docker daemon after the update, and I do.

If I then pull this container:

sudo docker pull nvcr.io/nvidia/l4t-pytorch:r32.6.1-pth1.9-py3

and try to run it with:

sudo docker run -it --rm --runtime nvidia --network host nvcr.io/nvidia/l4t-pytorch:r32.6.1-pth1.9-py3

I get:

docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall clone3: permission denied: unknown.

Is there a way to restore the docker installation?

I have reinstalled Jetpack and repeated the docker pull and run command and it works without error, as soon as I apt update and upgrade docker stops working. I have a dozen of these devices and would prefer not having to restore each.

Hi,

Just want to confirm the environment first:

Default JetPack 4.6: working.
JetPack4.6 + apt update: OCI runtime create failed

Is this correct? Both working and non-working case are using JetPack 4.6 BSP?

Thanks.

That is correct, the issue is with:
jetson-nano-2gb-jp46-sd-card-image
jetson-nx-jp46-sd-card-image

The apt upgrade is what seems to get the OCI runtime failure.

Hi @harrison-matt, can you try starting the container with --security-opt seccomp=unconfined flag? If that doesn’t work, please see these topics to downgrade your docker packages:

• Docker containers won't run after recent apt-get upgrade
• Docker fails to create container after upgrading docker on Jetpack 4.9 · Issue #108 · dusty-nv/jetson-containers · GitHub

I just tried it:
$ sudo docker run -it --rm --runtime nvidia --network host nvcr.io/nvidia/l4t-pytorch:r32.6.1-pth1.9-py3 --security-opt seccomp=unconfined

Returns:
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall clone3: permission denied: unknown.

I followed the instructions from:
https://github.com/dusty-nv/jetson-containers/issues/108
https://forums.developer.nvidia.com/t/docker-containers-wont-run-after-recent-apt-get-upgrade/194369/11

I combined the instructions, with a revision to the /etc/apt/preferences section and here they are:

wget https://launchpad.net/ubuntu/+source/docker.io/20.10.2-0ubuntu1~18.04.2/+build/21335731/+files/docker.io_20.10.2-0ubuntu1~18.04.2_arm64.deb
sudo dpkg -i docker.io_20.10.2-0ubuntu1~18.04.2_arm64.deb
rm docker.io_20.10.2-0ubuntu1~18.04.2_arm64.deb
sudo apt install containerd=1.5.2-0ubuntu1~18.04.3

To keep the apps from updating:

sudo nano /etc/apt/preferences

Package: docker.io
Pin: version 20.10.2*
Pin-Priority: 1001

Package: containerd
Pin: version 1.5.2*
Pin-Priority: 1001

After all of that you can sudo apt update and sudo apt upgrade and run the containers. Works on both the Xavier NX and the Nano.

Thanks @harrison-matt for confirming and posting the steps that worked for you here.

It works on Nano! Thank you @harrison-matt.
BTW, there seems to be typo in contained, which should be containerd I think.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.