[ARM Stable Update] 2023-02-16 - Firefox 110, PlaMo Gear 23.01, Mesa, LibreOffice 7.5 and Kernels

Looks like I voted “everything went smooth” too soon. Two of my docker containers (mediawiki and teamspeak3-server) are no longer starting up. Looks like the issue described here. There’s also a post with some kernel parameters that are supposed to fix it, but I’ve never really had to touch u-boot so far so I’m not sure how to try these out.

Edit: Forgot to mention, my home-assistant container is still running. I’m not sure why it is not affected by the issue…

The linked issue seems to be about AppArmor. We have not changed anything regarding AppArmor in a while. Did it work fine before this update?

It did. I don’t even use AppArmor. Still, here’s the error I get when launching the Teamspeak container:

docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory: unknown.

This is how I start the container:

docker run -d --name TeamSpeak3_Server -e TS_UPDATE=1 -e TIME_ZONE=Europe/Berlin -p 9987:9987/udp -p 10011:10011/tcp -p 30033:30033/tcp --restart=unless-stopped -v /terra/teamspeak3-server/:/teamspeak/save/ ertagh/teamspeak3-server:latest-box

The mediawiki container throws the same error as teamspeak. My installation is running on a Rock Pi 4B+.

Edit: Doing some investigating, it seems the problem is happening inside the containers, which makes sense because as mentioned, I never had AppArmor installed. Seeing how two images have this problem, one of which has not received any kind of update in three months, I assumed the problem is with docker itself, or rather there’s been some kind of change that necessitates changing the images in some way. Downgrading docker to 20.10.22-1 -aarch64 confirmed this suspicion.

Package manager doesn’t work correctly.
Please see last refresh date and time.

Since I installed this update the issue on PinePhone where the lock screen no longer responds to touch input happens way more often.

Strange. I have the impression that this is much more stable on my PinePhone than the previous (January) stable update.

Maybe it’s related to: FS#77481 : [docker] 1:23.0.1-1 broken, either won't start or sends SIGTERM to the app inside container ?

It seems that Docker and ContainerD changed the way they handle LimitNOFILE, which is set to infinity in the config/service files.

There are reports that limiting the NOFILE limit fixes this for some people.

So I would like you to try installing this package to see if it fixes it with docker 23 for you (extract the zip first, then install with pacman -U):
https://gitlab.manjaro.org/manjaro-arm/packages/core/manjaro-system/-/jobs/11771/artifacts/download?file_type=archive
If it does, please let me know, so I can upload the fix to all branches.

Thank you, but sadly I still get the same error, even after rebooting. It’s strange how I get this exact error-message on three different containers (I found an apache-instance on another Rock Pi affected as well), but searching online I can’t find anyone with this exact error. Anything I’m missing I could investigate on my end?

I really don’t know anymore then. Maybe there were upstream changes in something, making it now require AppArmor to run some things.

As far as I can see in the updates on the packages, no dependencies have been changed.

Alright, I’ll see what the maintainers of the affected containers make of this, thank you!

It is quite random. It might happen multiple times a day or just every few days. But so far I had to reboot the phone at least once a day.

FYI, the January update had a known broken (for the Allwinner A64) Mesa, which is fixed in this update. But you may be running into some other regression.

The upstream issue @rootgordon linked to makes it pretty clear that this is an upstream regression (apparently in runc) that makes Docker no longer work if AppArmor is not installed.

Hm, according to some of the PRs listed there, they add apparmor to the CONFIG_LSM option in the kernel config, which we already have.

But yes, sounds like an upstream regression or oversight.
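
A host-side check for the mismatch in the error quoted earlier, as an added example that is not part of any post in this thread: it reports whether the kernel says AppArmor is enabled, whether apparmor is in the active LSM list, and whether the /proc/self/attr/apparmor/exec file named in the error exists. The function names and the optional root-prefix argument are assumptions made for this sketch; the prefix exists only so the checks can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. The optional first argument
# is a hypothetical root prefix for testing; leave it empty to inspect the host.

# "yes" if the kernel module parameter reports AppArmor as enabled.
kernel_apparmor_enabled() {
    f="$1/sys/module/apparmor/parameters/enabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]; then echo yes; else echo no; fi
}

# "yes"/"no" if apparmor is in the active LSM list, "unknown" if unreadable.
lsm_lists_apparmor() {
    f="$1/sys/kernel/security/lsm"
    [ -r "$f" ] || { echo unknown; return; }
    case ",$(cat "$f")," in
        *,apparmor,*) echo yes ;;
        *)            echo no ;;
    esac
}

# "yes" if the attribute file from the runc error message exists.
attr_exec_present() {
    if [ -e "$1/proc/self/attr/apparmor/exec" ]; then echo yes; else echo no; fi
}

# Combine the checks into one label. "kernel-on-attr-missing" is the state
# that matches the "no such file or directory" error in the thread.
apparmor_host_state() {
    root="${1:-}"
    k=$(kernel_apparmor_enabled "$root")
    a=$(attr_exec_present "$root")
    case "$k:$a" in
        no:*)    echo "kernel-off" ;;
        yes:yes) echo "kernel-on-attr-present" ;;
        yes:no)  echo "kernel-on-attr-missing" ;;
    esac
}

# "yes" if the AppArmor userspace tool is on PATH.
userspace_apparmor_installed() {
    if command -v apparmor_parser >/dev/null 2>&1; then echo yes; else echo no; fi
}

echo "host state:              $(apparmor_host_state)"
echo "apparmor in LSM list:    $(lsm_lists_apparmor "")"
echo "apparmor_parser on PATH: $(userspace_apparmor_installed)"
```

Run it on the host, not inside a container; the three lines of output are the kind of detail worth attaching to an upstream report.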

It’s a very long standing issue (over a year now I think).

It is also mentioned in the known issues section of the ARM PlaMo beta releases: Manjaro ARM Beta 14 with Plasma Mobile (PinePhone / PinePhone Pro)

I upgraded my Pinebook and now the wifi has disappeared.

I was trying to find info on how to upgrade the kernel via pamac, without success.

How can I upgrade the kernel version without compiling from source?

Try a power cycle instead of a reboot.

Kernel is a package in the repo, like all other software. So it is updated with the rest of the system, if you are using a supported kernel at least.

Fixed with cold reboot :stuck_out_tongue:

Thanks, @Strit

Tomorrow I’ll change to the testing branch… more fun :smiley: