Problems: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running createRuntime hook #0: exec: no command

[xgzlucario]

Hello everyone! I'm trying to use the nerdctl SDK in the gateway app to run containers on the host's containerd. I've attempted two approaches but encountered issues with both:

1. Running directly on the host

I used the following code to create a container via an API interface:

package main

import (
	"net/http"

	"github.com/containerd/nerdctl/v2/pkg/clientutil"
	"github.com/gin-gonic/gin"

	"github.com/containerd/nerdctl/v2/pkg/api/types"
	nerdctl "github.com/containerd/nerdctl/v2/pkg/cmd/container"
	"github.com/containerd/nerdctl/v2/pkg/containerutil"
)

type FunctionCreateRequest struct {
	ImageRef string               `json:"image_ref"`
	Labels   FunctionCreateLabels `json:"labels"`
	InRun    bool                 `json:"in_run"`
}

type FunctionCreateLabels struct {
	AppName    string `json:"app.name"`
	AppPort    string `json:"app.port"`
	AppVersion string `json:"app.version"`
}

type FunctionCreateResponse struct {
	ContainerID string `json:"container_id"`
}

func FunctionCreate(c *gin.Context) {
	var req FunctionCreateRequest
	if err := c.ShouldBindJSON(&req); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}

	globalOpt := GetGlobalOptions()

	// create container options
	createOpt := types.ContainerCreateOptions{
		GOptions: globalOpt,
		Name:     req.Labels.AppName,
		Label: []string{
			"app.name=" + req.Labels.AppName,
			"app.port=" + req.Labels.AppPort,
			"app.version=" + req.Labels.AppVersion,
		},
		Cgroupns:   "host",
		InRun:      req.InRun,
		Rm:         true,
		Pull:       "missing", // always, missing, never
		LogDriver:  "json-file",
		StopSignal: "SIGTERM",
		Restart:    "unless-stopped", // no, always, on-failure, unless-stopped
		// GPUs: []string{"all"},
	}

	// create client
	client, ctx, cancel, err := clientutil.NewClient(c.Request.Context(), globalOpt.Namespace, globalOpt.Address)
	if err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}
	defer cancel()

	// create network manager
	networkManager, err := containerutil.NewNetworkingOptionsManager(createOpt.GOptions, types.NetworkOptions{}, client)
	if err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}

	// create container
	container, _, err := nerdctl.Create(ctx, client, []string{req.ImageRef}, networkManager, createOpt)
	if err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}

	c.JSON(http.StatusOK, FunctionCreateResponse{
		ContainerID: container.ID(),
	})
}

Run script:

curl http://127.0.0.1:9000/function/create \
	-d '{"image_ref": "ghcr.io/willnorris/imageproxy", "labels": {"app.name": "imageproxy-6", "app.port": "8080", "app.version": "1.0.0"}}' \
	-H "Content-Type: application/json"

And receive error:

{"error":"failed to mount /tmp/containerd-mount4075853439: mount source: "overlay", target: "/tmp/containerd-mount4075853439", fstype: overlay, flags: 0, data: "lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/68/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/27/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/26/fs,userxattr,index=off", err: no such file or directory"}

2. Running in a container

my docker-compose.yaml file:

  gateway:
    build:
      context: ./gateway
      dockerfile: Dockerfile
    ports:
      - "9000:9000"
    volumes:
      - gateway-nerdctl-data:/var/lib/nerdctl
      - /var/lib/containerd:/var/lib/containerd
      - /run/user/1000/containerd/containerd.sock:/run/user/1000/containerd/containerd.sock
      - /opt/cni/bin:/opt/cni/bin
    restart: unless-stopped
    privileged: true

Using curl to create the container works, but starting the container results in an error:

curl http://127.0.0.1:9000/function/start
-d '{"container_id": "imageproxy-7"}'
-H "Content-Type: application/json"
{"error":"1 errors:\nfailed to create shim task: failed to create init process I/O: failed to start binary process: fork/exec /usr/bin/gateway: no such file or directory"}

I'd like to understand the reasons behind these issues. Thanks!

[xgzlucario]

I want to use containerd + nerdctl to implement a serverless framework that can automatically run some functions and dynamically scale. So I'm researching the differences between running gateway on the host and running in a container. If anyone is familiar with this area, I'd really appreciate it if you could share your insights!

[apostasie]

@xgzlucario if you want to debug this, you should really consider simplifying, and building / isolating small pieces that work...
It is hard to help you with what you shared in its current state - several pieces are missing (what is in GetGlobalOptions? you are building a Dockerfile, but you did not share it? what are you doing in "start" (which you did not provide)? etc)

So: are you able to write a simple cli that just starts a hard-coded container? (without any of the gingonic wrapping)

Anyhow, your first problem is probably that you are missing in your main: rootlessutil.ParentMain(globalOpt.HostGatewayIP) (I am assuming you want to run rootless, right?)

Here is a working example:

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"github.com/containerd/nerdctl/v2/pkg/api/types"
	"github.com/containerd/nerdctl/v2/pkg/clientutil"
	nerdctl "github.com/containerd/nerdctl/v2/pkg/cmd/container"
	"github.com/containerd/nerdctl/v2/pkg/config"
	"github.com/containerd/nerdctl/v2/pkg/containerutil"
	"github.com/containerd/nerdctl/v2/pkg/rootlessutil"
	"os"
)

func main() {
	globalOpt := types.GlobalCommandOptions(*config.New())

	rootlessutil.ParentMain(globalOpt.HostGatewayIP)

	f, _ := json.MarshalIndent(globalOpt, "", "  ")
	fmt.Printf("%s\n", f)

	// create container options
	createOpt := types.ContainerCreateOptions{
		GOptions:   globalOpt,
		Name:       "foo",
		Label:      []string{},
		Cgroupns:   "host",
		InRun:      true,
		Rm:         false,
		Pull:       "missing",
		LogDriver:  "json-file",
		StopSignal: "SIGTERM",
		Restart:    "unless-stopped",
	}

	// create client
	client, ctx, cancel, err := clientutil.NewClient(context.Background(), globalOpt.Namespace, globalOpt.Address)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	defer cancel()

	// create network manager
	networkManager, err := containerutil.NewNetworkingOptionsManager(createOpt.GOptions, types.NetworkOptions{}, client)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	// create container
	container, _, err := nerdctl.Create(ctx, client, []string{"debian"}, networkManager, createOpt)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	cc, _ := json.MarshalIndent(container, "", "  ")
	fmt.Println(cc)

	return
}

For your second problem, the answer is very likely inside your Dockerfile - and the logs tell you what's wrong: -> "/usr/bin/gateway: no such file or directory" <-
I assume you are just missing that "gateway" binary (whatever it is) in your Dockerfile then.

[xgzlucario]

Yes! I just ran the test case you provided and found that it's the same as the second problem:

I hope to run redis:alpine in the background, but it ends up in the Created status. When I try to start it, an error occurs.

lucario@Lucario ~/f/g/example (master)> go run .
{
  "Debug": false,
  "DebugFull": false,
  "Address": "/run/containerd/containerd.sock",
  "Namespace": "default",
  "Snapshotter": "overlayfs",
  "CNIPath": "/opt/cni/bin",
  "CNINetConfPath": "/home/lucario/.config/cni/net.d",
  "DataRoot": "/home/lucario/.local/share/nerdctl",
  "CgroupManager": "systemd",
  "InsecureRegistry": false,
  "HostsDir": [
    "/home/lucario/.config/containerd/certs.d",
    "/home/lucario/.config/docker/certs.d"
  ],
  "Experimental": true,
  "HostGatewayIP": "10.0.2.100",
  "BridgeIP": "",
  "KubeHideDupe": false,
  "CDISpecDirs": [
    "/home/lucario/.config/cdi",
    "/run/user/1000/cdi"
  ],
  "UsernsRemap": ""
}
{}

lucario@Lucario ~/f/g/example (master)> nerdctl ps -a
CONTAINER ID    IMAGE                             COMMAND                   CREATED          STATUS     PORTS    NAMES
5549d6cfbf17    docker.io/library/redis:alpine    "docker-entrypoint.s…"    3 seconds ago    Created             foo

lucario@Lucario ~/f/g/example (master)> nerdctl start foo
FATA[0000] 1 errors:
failed to create shim task: failed to create init process I/O: failed to start binary process: fork/exec /tmp/go-build3755183307/b001/exe/example: no such file or directory

And this is my start comtainer example:

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/containerd/nerdctl/v2/pkg/api/types"
	"github.com/containerd/nerdctl/v2/pkg/clientutil"
	nerdctl "github.com/containerd/nerdctl/v2/pkg/cmd/container"
	"github.com/containerd/nerdctl/v2/pkg/config"
	"github.com/containerd/nerdctl/v2/pkg/rootlessutil"
)

func main() {
	globalOpt := types.GlobalCommandOptions(*config.New())

	rootlessutil.ParentMain(globalOpt.HostGatewayIP)

	f, _ := json.MarshalIndent(globalOpt, "", "  ")
	fmt.Printf("%s\n", f)

	// create container options
	startOpt := types.ContainerStartOptions{
		GOptions: globalOpt,
	}

	// create client
	client, ctx, cancel, err := clientutil.NewClient(context.Background(), globalOpt.Namespace, globalOpt.Address)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	defer cancel()

	// create container
	err = nerdctl.Start(ctx, client, []string{"foo"}, startOpt)

	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	fmt.Println("Start container success")
}

[xgzlucario]

I think here is the real problem, but i don't know how to fix it:

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/containerd/console"
	"github.com/containerd/log"
	"github.com/containerd/nerdctl/v2/pkg/api/types"
	"github.com/containerd/nerdctl/v2/pkg/clientutil"
	nerdctl "github.com/containerd/nerdctl/v2/pkg/cmd/container"
	"github.com/containerd/nerdctl/v2/pkg/config"
	"github.com/containerd/nerdctl/v2/pkg/containerutil"
	"github.com/containerd/nerdctl/v2/pkg/labels"
	"github.com/containerd/nerdctl/v2/pkg/rootlessutil"
	"github.com/containerd/nerdctl/v2/pkg/taskutil"
)

func main() {
	globalOpt := types.GlobalCommandOptions(*config.New())

	rootlessutil.ParentMain(globalOpt.HostGatewayIP)

	f, _ := json.MarshalIndent(globalOpt, "", "  ")
	fmt.Printf("%s\n", f)

	// create container options
	createOpt := types.ContainerCreateOptions{
		GOptions:   globalOpt,
		Name:       "foo",
		Label:      []string{},
		Cgroupns:   "host",
		InRun:      true,
		Detach:     true,
		Rm:         false,
		Pull:       "missing",
		LogDriver:  "json-file",
		StopSignal: "SIGTERM",
		Restart:    "no",
	}

	// create client
	client, ctx, cancel, err := clientutil.NewClient(context.Background(), globalOpt.Namespace, globalOpt.Address)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	defer cancel()

	// create network manager
	networkManager, err := containerutil.NewNetworkingOptionsManager(createOpt.GOptions, types.NetworkOptions{}, client)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	// create container
	c, _, err := nerdctl.Create(ctx, client, []string{"redis:alpine"}, networkManager, createOpt)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	// copy from https://github.com/containerd/nerdctl/blob/87a6ab93ae4f3b3fe66e90eef61ed773b1881be7/cmd/nerdctl/container/container_run.go#L357
	var con console.Console

	lab, err := c.Labels(ctx)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	logURI := lab[labels.LogURI]
	detachC := make(chan struct{})
	task, err := taskutil.NewTask(ctx, client, c, createOpt.Attach, createOpt.Interactive, createOpt.TTY, createOpt.Detach,
		con, logURI, createOpt.DetachKeys, createOpt.GOptions.Namespace, detachC)
	if err != nil {
		fmt.Println("ERROR 0")
		fmt.Println(err)
		os.Exit(1)
	}
	if err := task.Start(ctx); err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	if createOpt.Detach {
		fmt.Fprintln(os.Stdout, c.ID())
		return
	}

	statusC, err := task.Wait(ctx)
	if err != nil {
		fmt.Println("Container exit with error", err)
		os.Exit(1)
	}
	select {
	// io.Wait() would return when either 1) the user detaches from the container OR 2) the container is about to exit.
	//
	// If we replace the `select` block with io.Wait() and
	// directly use task.Status() to check the status of the container after io.Wait() returns,
	// it can still be running even though the container is about to exit (somehow especially for Windows).
	//
	// As a result, we need a separate detachC to distinguish from the 2 cases mentioned above.
	case <-detachC:
		io := task.IO()
		if io == nil {
			fmt.Println("got a nil IO from the task")
			os.Exit(1)
		}
		io.Wait()

	case status := <-statusC:
		if createOpt.Rm {
			if _, taskDeleteErr := task.Delete(ctx); taskDeleteErr != nil {
				log.L.Error(taskDeleteErr)
			}
		}
		code, _, err := status.Result()
		if err != nil {
			fmt.Println("Container exit with error", err)
			os.Exit(1)
		}
		if code != 0 {
			fmt.Println("Container exit with code", code)
		}
	}
}

Output:

lucario@Lucario ~/f/g/run-example (master)> go run .
{
  "Debug": false,
  "DebugFull": false,
  "Address": "/run/containerd/containerd.sock",
  "Namespace": "default",
  "Snapshotter": "overlayfs",
  "CNIPath": "/opt/cni/bin",
  "CNINetConfPath": "/home/lucario/.config/cni/net.d",
  "DataRoot": "/home/lucario/.local/share/nerdctl",
  "CgroupManager": "systemd",
  "InsecureRegistry": false,
  "HostsDir": [
    "/home/lucario/.config/containerd/certs.d",
    "/home/lucario/.config/docker/certs.d"
  ],
  "Experimental": true,
  "HostGatewayIP": "10.0.2.100",
  "BridgeIP": "",
  "KubeHideDupe": false,
  "CDISpecDirs": [
    "/home/lucario/.config/cdi",
    "/run/user/1000/cdi"
  ],
  "UsernsRemap": ""
}
ERROR 0
failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running createRuntime hook #0: exec: no command
exit status 1

[apostasie]

Here is a full example for you that also start the container.

Note that:

• you cannot go run this as the logging driver will point to the temporary binary built by go that would not last, so, you should go build then run your binary
• this depends on the nerdctl binary for oci-hooks (if you want to get rid of it, you have to implement that as well) (see NerdctlCmd)

func main() {
	// Implement logging
	if len(os.Args) == 3 && os.Args[1] == logging.MagicArgv1 {
		err := logging.Main(os.Args[2])
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
	}

	// Get options
	globalOpt := types.GlobalCommandOptions(*config.New())

	// Rootless
	_ = rootlessutil.ParentMain(globalOpt.HostGatewayIP)

	// Printout options for debug
	f, _ := json.MarshalIndent(globalOpt, "", "  ")
	fmt.Printf("%s\n", f)

	// Create container options
	createOpt := types.ContainerCreateOptions{
		GOptions: globalOpt,
		// To be used by oci-hook
		NerdctlCmd: "/usr/local/bin/nerdctl",
		Name:        "my-container",
		Label:       []string{},
		Cgroupns:    "private",
		InRun:       true,
		Rm:          false,
		Pull:        "missing",
		LogDriver:   "json-file",
		StopSignal:  "SIGTERM",
		Restart:     "unless-stopped",
		Interactive: true,
	}

	// create client
	client, ctx, cancel, err := clientutil.NewClient(context.Background(), globalOpt.Namespace, globalOpt.Address)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	defer cancel()

	// create network manager
	networkManager, err := containerutil.NewNetworkingOptionsManager(createOpt.GOptions, types.NetworkOptions{
		NetworkSlice: []string{"bridge"},
	}, client)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	// create container
	container, _, err := nerdctl.Create(ctx, client, []string{"debian"}, networkManager, createOpt)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	err = nerdctl.Start(ctx, client, []string{"my-container"}, types.ContainerStartOptions{
		Attach: true,
		Stdout: os.Stdout,
	})

	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	cc, _ := json.MarshalIndent(container, "", "  ")
	fmt.Println(cc)

	return
}

[xgzlucario]

I understand, thank you!