Fixing Ubuntu containers failing to start with systemd


Whether you’re using Docker or Podman, the symptom looks like this:

Error: OCI runtime error: chmod `run/shm`: Operation not supported

Or, if it’s an 18.04 or even older container:

Error: OCI runtime error: chmod `run/initctl`: Operation not supported

Apparently it only affects Ubuntu, the eternal problem child, but not Fedora or AlmaLinux; those containers still work fine with systemd. And it’s not even a Docker or Podman issue, but a crun one. crun is the new default container runtime of Podman (you can also use it with Docker, if you want). The crun developers have already fixed the issue, so all you need to do is update. Right?

This is where things get tricky, because crun is installed as a distro package. So what happens if you try to remove the old version? Can you guess?

The following packages will be REMOVED:
  crun podman

Oopsie. So yeah, Podman clearly depends on the packaged crun. The version we need is 1.9.1 or higher, that’s where the fix for this was added. Ubuntu 22.04 ships version 0.17 (oof), 23.10 has 1.8.5, and 24.04 is something like pre-alpha at this point, so we cannot expect a working package anytime soon.

The alternative is to download a release binary from GitHub. I’m using 1.11.2 in this example, the latest at the time of writing, but please adjust it accordingly:

CRUN_VER='1.11.2'

Now obtain the binary:

mkdir -p "${HOME}/.local/bin"
curl -L "https://github.com/containers/crun/releases/download/${CRUN_VER}/crun-${CRUN_VER}-linux-amd64" -o "${HOME}/.local/bin/crun"
chmod +x "${HOME}/.local/bin/crun"

Verify that you’re indeed on the latest release now (you might need to restart your shell):

$ crun --version
crun version 1.11.2
commit: ab0edeef1c331840b025e8f1d38090cfb8a0509d
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
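The download above writes whatever the URL returns straight into your PATH and marks it executable. The script below is an added example that is not part of the original post: it does the same step, but verifies the file’s SHA-256 against a pinned digest before the chmod, and then checks that the installed binary reports at least the 1.9.1 minimum mentioned above. CRUN_SHA256 is a placeholder for the digest of the release you are pinning (record it out of band, it is not on this page), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): fetch a pinned crun release,
# verify its SHA-256 before it becomes executable, and confirm the installed
# binary reports at least the 1.9.1 minimum that carries the run/shm fix.

CRUN_VER="${CRUN_VER:-1.11.2}"
# Placeholder: the SHA-256 of crun-${CRUN_VER}-linux-amd64, recorded out of band.
CRUN_SHA256="${CRUN_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# sha256_matches FILE EXPECTED -> status 0 when FILE hashes to EXPECTED
sha256_matches() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# version_ge A B -> status 0 when dotted version A is >= B (numeric, per component)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# crun_version_ok OUTPUT MIN -> status 0 when the "crun version X" line in
# OUTPUT (the text printed by `crun --version`) is at least MIN
crun_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^crun version \([0-9.][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    version_ge "$ver" "$2"
}

# install_crun -> download into a temp file, verify, then move into ~/.local/bin
install_crun() {
    bindir="${HOME}/.local/bin"
    tmp=$(mktemp) || return 1
    mkdir -p "$bindir"
    if ! curl -fsSL "https://github.com/containers/crun/releases/download/${CRUN_VER}/crun-${CRUN_VER}-linux-amd64" -o "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! sha256_matches "$tmp" "$CRUN_SHA256"; then
        echo "crun ${CRUN_VER}: checksum mismatch, refusing to install" >&2
        rm -f "$tmp"; return 1
    fi
    chmod 0755 "$tmp" && mv "$tmp" "${bindir}/crun" || return 1
    crun_version_ok "$("${bindir}/crun" --version)" 1.9.1
}

# Only touch the network when invoked directly with --install, so the functions
# above can be sourced and exercised on their own.
if [ "${1:-}" = "--install" ]; then
    install_crun
fi
```

Run it as `sh install-crun.sh --install` after filling in CRUN_SHA256; a digest mismatch leaves nothing in ~/.local/bin, and a non-zero exit from the final version check tells you the binary you just installed is still older than 1.9.1.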

Now we still need to tell Podman to use the new binary:

mkdir -p "${HOME}/.config/containers"
cat << EOF > "${HOME}/.config/containers/containers.conf"
[engine.runtimes]
crun = [
  "${HOME}/.local/bin/crun",
  "/usr/bin/crun"
]
EOF

Or if you’re having this issue with Docker:

mkdir -p "${HOME}/.config/docker"
cat << EOF > "${HOME}/.config/docker/daemon.json"
{
  "default-runtime": "crun",
  "runtimes": {
    "crun": {
      "path": "${HOME}/.local/bin/crun"
    }
  }
}
EOF
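For the Podman config above, the order of the list matters: the paths are tried top to bottom and the first one that exists is used, so if ~/.local/bin/crun is missing or not executable, Podman quietly falls back to the distro’s /usr/bin/crun and the error comes back. The script below is an added check that is not part of the original post (function names are my own): it resolves the list the same way and, when run with --check, compares the result with what the running engine reports. Docker reads daemon.json at startup, so the rootless daemon has to be restarted after the edit before the check means anything.

```shell
#!/bin/sh
# Added check (not from the original post): resolve the ordered crun list in a
# containers.conf the way Podman does (first existing path wins) and compare it
# with the runtime the engine actually reports.

# crun_candidates CONF -> the quoted paths inside the `crun = [ ... ]` array, in order
crun_candidates() {
    sed -n '/^crun = \[/,/^\]/p' "$1" | grep -o '"[^"]*"' | tr -d '"'
}

# resolved_crun CONF -> the first candidate that exists and is executable;
# status 1 when none does (Podman would then fail to find the runtime)
resolved_crun() {
    found=$(crun_candidates "$1" | while IFS= read -r p; do
        if [ -x "$p" ]; then printf '%s\n' "$p"; break; fi
    done)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# engine_runtime -> what the engine says it will run: Podman prints the resolved
# path, Docker only prints the name of the runtime configured as default
engine_runtime() {
    if command -v podman >/dev/null 2>&1; then
        podman info --format '{{.Host.OCIRuntime.Path}}'
    elif command -v docker >/dev/null 2>&1; then
        docker info --format '{{.DefaultRuntime}}'
    else
        return 1
    fi
}

if [ "${1:-}" = "--check" ]; then
    conf="${HOME}/.config/containers/containers.conf"
    want=$(resolved_crun "$conf") || { echo "no usable crun listed in $conf" >&2; exit 1; }
    have=$(engine_runtime) || { echo "neither podman nor docker found" >&2; exit 1; }
    echo "config resolves to: $want"
    echo "engine reports:     $have"
    [ "$want" = "$have" ] || echo "mismatch: restart the engine or re-check the config" >&2
fi
```

If the two lines differ after a restart, the engine is reading a different config file than the one you edited (system-wide /etc/containers/containers.conf versus the user-level one), which is the usual reason the workaround appears not to take effect.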

Aaand ta-da, it’s working again. Don’t forget to update crun manually every once in a while. This manual workaround should no longer be needed once 24.04 is out. Until then, happy containering!