github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/debian/README.Debian

Docker on Debian
================

Please refer to upstream's documentation for information about what Docker is,
how it works, and how to use it: https://docs.docker.com/

The following notes cover things that specifically affect use of the Docker
package in Debian.

---

To enable Docker memory limits, the kernel needs to be booted with the
parameters: cgroup_enable=memory swapaccount=1.

This is because enabling memory cgroup support has some run-time overhead,
and the kernel maintainers don't want to slow down systems unnecessarily.

http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg764104.html
https://github.com/docker/docker/issues/396

To instruct the kernel to enable memory cgroup support, edit
/etc/default/grub and extend GRUB_CMDLINE_LINUX_DEFAULT (appending to whatever
is already there) like:

GRUB_CMDLINE_LINUX_DEFAULT="cgroup_enable=memory swapaccount=1"

Then run update-grub, and reboot.

---

It's worth pointing out that upstream maintains a "check-config.sh" script for
verifying not only proper kernel configuration (which isn't terribly relevant in
the Debian context), but also the host system configuration, especially and
including whether a properly mounted cgroup hierarchy can be found.  If you're
using cgroupfs-mount or systemd, chances are very high that you have one, but if
not, you're likely to see strange behavior.

In the docker.io package, one can find the "check-config.sh" script under
"/usr/share/docker.io/contrib/check-config.sh", which when run (does NOT require
root/sudo) will report on problems with your installation/configuration.

---

As noted in the upstream documentation (https://docs.docker.io), Docker will
allow non-root users in the "docker" group to access "docker.sock" and thus
communicate with the daemon.  To add yourself to the "docker" group, use
something like:

    adduser YOURUSER docker

As also noted in the upstream documentation, the "docker" group (and any other
means of accessing the Docker API) is root-equivalent.  If you don't trust a
user with root on your box, you shouldn't trust them with Docker either.
If you are interested in further information about the security aspects of
Docker, please be sure to read the "Docker Security" article in the
upstream documentation:

    https://docs.docker.com/engine/security/security/

---

  rpc error: code = 2 desc = "oci runtime error: could not synchronise with
  container process: no subsystem for mount"

This message is very likely related to https://bugs.debian.org/843530, and thus
https://github.com/opencontainers/runc/issues/1175.

Adding "systemd.legacy_systemd_cgroup_controller=yes" to your system boot
parameters (in Grub, etc) is probably necessary to resolve it.

---

## Restart dilemma

Restarting the Docker daemon terminates all running containers. Therefore an
automatic restart is not an option, as containers could be killed during an
unattended upgrade, etc.

This is a design flaw in Docker, and upstream gave up on the idea of restoring
the state of running containers on upgrade, bluntly stating "You must stop all
containers and plugins BEFORE upgrading" in the release notes.

** The "rkt" container runtime is free from that flaw. **

Not restarting the Docker daemon on upgrade can make the CLI unusable until the
daemon is restarted, due to the version mismatch between the CLI and the running
daemon.

Fortunately, the recommended "needrestart" package shows an interactive prompt
to restart the Docker daemon after the upgrade.