14

Can anyone help me make sense of the below error and others like it? I've Googled around, but nothing makes sense for my context. I download my Docker Image, but the container refuses to start. The namespace referenced is not always 26, but could be anything from 20-29. I am launching my Docker container onto an EC2 instance and pulling the image from AWS ECR. The error is persistent no matter if I re-launch the instance completely or restart docker.

docker: Error response from daemon: oci runtime error: 
container_linux.go:247: starting container process caused 
"process_linux.go:334: running prestart hook 0 caused \"error running 
hook: exit status 1, stdout: , stderr: time=\\\"2017-05-
11T21:00:18Z\\\" level=fatal msg=\\\"failed to create a netlink handle: 
failed to set into network namespace 26 while creating netlink socket: 
invalid argument\\\" \\n\"".
3
  • Someone has reported that as a bug recently: github.com/moby/moby/issues/33656 Commented Jun 14, 2017 at 13:01
  • That someone is me! :) Commented Jun 14, 2017 at 13:09
  • 1
    You confused me because of the different user names! Ha ha, nice. Commented Jun 14, 2017 at 13:17

2 Answers

2

Update from my GitHub issue: https://github.com/moby/moby/issues/33656

It seems like the DeepSecurity agent (ds_agent) running on a container with Docker can cause this issue invariably. A number of other users reported this problem, causing me to investigate. I previously installed ds_agent on these boxes, before replacing it with other software as a business decision, which is when the problem went away. If you are having this problem, it might be worthwhile to check whether you are running the ds_agent process, or other similar services that could be causing a conflict, using 'htop' as the user in the issue above did.


1

Did you try running it with the --privileged option?

If it still doesn't run, try adding --security-opt seccomp=unconfined and either --security-opt apparmor=unconfined or --security-opt selinux=unconfined depending on whether you're running Ubuntu or a distribution with SELinux enabled, respectively.

If it works, try substituting the --privileged option with --cap-add=NET_ADMIN instead, as running containers in privileged mode is discouraged for security reasons.
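To check afterwards that no container was left running with the troubleshooting flags from the answer above, the following sketch audits `docker inspect` JSON for `--privileged`, unconfined seccomp/AppArmor and added capabilities. It is an added example, not part of the original answer; the sample data, the function names and the high/review labels are assumptions made for illustration.

```python
import json
import sys

# Constructed sample shaped like `docker inspect` output, trimmed to the
# HostConfig fields read below; it is not data from the original post.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/debug-run", "HostConfig": {"Privileged": true,
   "SecurityOpt": null, "CapAdd": null}},
 {"Name": "/unconfined", "HostConfig": {"Privileged": false,
   "SecurityOpt": ["seccomp=unconfined", "apparmor:unconfined"], "CapAdd": null}},
 {"Name": "/narrowed", "HostConfig": {"Privileged": false,
   "SecurityOpt": null, "CapAdd": ["NET_ADMIN"]}},
 {"Name": "/default", "HostConfig": {"Privileged": false,
   "SecurityOpt": null, "CapAdd": null}}
]""")

# Settings that switch a confinement layer off entirely. SELinux labelling
# is disabled with label=disable in Docker's --security-opt syntax.
RELAXED = {("seccomp", "unconfined"), ("apparmor", "unconfined"), ("label", "disable")}

def parse_security_opt(opt):
    """Split 'key=value' (older Docker syntax: 'key:value') at the first separator."""
    cuts = [i for i in (opt.find("="), opt.find(":")) if i != -1]
    if not cuts:
        return opt.strip().lower(), ""
    cut = min(cuts)
    return opt[:cut].strip().lower(), opt[cut + 1:].strip().lower()

def audit(containers):
    """Map container name -> findings; containers with none are omitted."""
    report = {}
    for c in containers:
        host = c.get("HostConfig") or {}
        found = []
        if host.get("Privileged"):
            found.append("high: privileged")
        for opt in host.get("SecurityOpt") or []:
            key, value = parse_security_opt(opt)
            if (key, value) in RELAXED:
                found.append(f"high: {key}={value}")
        for cap in host.get("CapAdd") or []:
            level = "high" if cap.upper() == "ALL" else "review"
            found.append(f"{level}: cap-add={cap}")
        if found:
            report[c.get("Name", "?").lstrip("/")] = found
    return report

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, found in audit(data).items():
        print(name, "->", "; ".join(found))
```

To audit real containers, save the output of `docker inspect $(docker ps -q)` to a file and pass its path as the first argument.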
