Here I am, back again with another post which I think the internet needs. It took me days to figure it out and I can’t imagine there aren’t more people who are running into the same issue. Hello fellow Googlers (or Bingers, DuckDuckGoers and what have you)!
Several Linux distributions (among them Ubuntu 21.10 and Fedora 35) started to use Glibc 2.34 or higher. Running these distributions in the current version of Docker (<= 20.10.8) can lead to problems. You can get errors like:
E: Problem executing scripts DPkg::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
curl: (6) getaddrinfo() thread failed to start
None of these errors have anything to do with the actual problem, but they are what guided me to this problem. Feel free to comment with more common errors to help more users find the source of this problem.
The problem is that Glibc 2.34 started to use a new system call called clone3. If this system call is not available on the system, it will fall back to the clone system call. Normally all system calls are captured by Docker which then decides what to do with them. If there is no policy specified in Docker for a specific system call, the default policy is to tell the container: ‘Permission Denied’. However if Glibc receives this error, it doesn’t fall back. It only does this when it receives the response ‘This system call is not available’.
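To check whether a given container is affected without turning seccomp off, the probe below calls clone3 with deliberately invalid arguments and reports which error comes back. It is an added example, not code from this post, Docker or Glibc; the names classify and probe_clone3 are made up here, and EPERM and ENOSYS are the errno values behind the ‘Permission Denied’ and ‘This system call is not available’ responses described above.

```c
/* Added example: probe how this environment answers clone3(2). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_clone3
#define SYS_clone3 435 /* assumption: generic Linux syscall number, for older headers */
#endif

enum verdict { NATIVE, FALLBACK_OK, BLOCKED_NO_FALLBACK, UNKNOWN };

/* Map the probe's errno to what glibc >= 2.34 does next, per the post. */
enum verdict classify(int err)
{
    switch (err) {
    case EINVAL: return NATIVE;              /* kernel saw the call and rejected our bogus args */
    case ENOSYS: return FALLBACK_OK;         /* "not available": glibc falls back to clone */
    case EPERM:  return BLOCKED_NO_FALLBACK; /* "Permission Denied": no fallback, threads fail */
    default:     return UNKNOWN;
    }
}

/* Call clone3 with a NULL argument struct of size 0. A kernel that implements
 * clone3 rejects this with EINVAL before creating anything, so the probe
 * never spawns a process. Returns the resulting errno (0 if none). */
int probe_clone3(void)
{
    errno = 0;
    long rc = syscall(SYS_clone3, NULL, (size_t)0);
    return rc == -1 ? errno : 0;
}

int main(void)
{
    static const char *const text[] = {
        "clone3 reaches the kernel; glibc >= 2.34 works",
        "clone3 reported unavailable; glibc falls back to clone",
        "clone3 denied with EPERM; glibc >= 2.34 cannot start threads here",
        "unexpected result",
    };
    int err = probe_clone3();
    printf("clone3 -> errno %d (%s): %s\n", err, strerror(err), text[classify(err)]);
    return classify(err) == BLOCKED_NO_FALLBACK ? 1 : 0;
}
```

Build it statically (for example with gcc -static) so the same binary can be copied into and run inside any image; exit status 1 means the container hits the problem described in this post.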
When running a container you can bypass the Docker system call restriction by adding this to your command:
--security-opt seccomp=unconfined
However, besides the fact that it makes your containers less secure, this argument is not available when building images.
There is a fix available, but it isn’t available in any published Docker versions. If you are running Ubuntu 20.04 or Ubuntu 21.04, I do have a solution for you. I backported this fix to the current Docker version in the repository and published an Ubuntu PPA so you can use it as well. If you’re running another distro, I don’t have a solution for you, but maybe you can convince someone to backport this fix to your distro as well.
Installing Docker with the clone3 fix on Ubuntu
Add the PPA to your system:
sudo add-apt-repository ppa:pascallj/docker.io-clone3
sudo apt-get update
If you already installed the docker.io package, then running apt upgrade will upgrade the package to the version from my PPA if it’s newer. Otherwise running apt install docker.io will automatically choose the version of the package which is newer. So be careful with future upgrades of this package as it can overwrite my version if I haven’t updated mine yet. You can find your current installed version with docker --version. My package has the suffix ppa. For example: 20.10.7-0ubuntu1~21.04.1ppa1
More information
If you want to know more, you can read through the GitHub PR and everything linked there.
Thank you! Ran into this, and I would’ve never figured this out without stumbling onto this post!
Thanks for this!